Sherlocked

Why lost phones keep pointing at this Atlanta couple’s home

Elena Scotti/FUSION

Over the last year, more than a dozen people have shown up at Christina Lee and Michael Saba’s door in Atlanta looking for stolen smartphones. The visitors’ find-my-phone apps say their phones are inside the house, but they’re not. It’s been frustrating for Lee and Saba, not just because they fear someone angry and violent might show up one day, but because they didn’t know what was causing it.

Tech experts I consulted when I first wrote about Lee and Saba’s tech mystery were flummoxed. The phones included Androids and iPhones, on all the different carriers from Verizon to Sprint. But now security researcher Dave Maynor thinks he’s figured out what’s causing this Bermuda tech triangle.

Maynor visited Lee and Saba’s home last week, accompanied by Reply All, who I teamed up with to solve this tech mystery. He brought SDRs (software-defined radios) to scan for signals and wireless access points in the area and see if there was a rogue cell tower that might be causing the issue. During the scans, he discovered something equally bizarre: on the mile-long street, he only detected nine wireless access points.

“In the five blocks around where I live by contrast,” said Maynor by phone, “there are 3000-4000 such devices.” (You can check out the density of devices in your own neighborhood on Wigle, a crowdsourced mapping tool.)

Wigle

Here's a map of networks in my neighborhood in San Francisco, left, vs the network map for Lee and Saba's neighborhood in Atlanta, right

Lee and Saba live in a digital desert. Many of their neighbors are older, and some of the houses are not lived in, so their home is one of the few with a router.

That gave Maynor an idea about the root of their troubles. When phones attempt to geolocate themselves, they’ll usually look first to GPS or the cell towers they most recently connected to, but that won’t work if the phone is in a building without clear sight of satellites or if it’s off the cellular network. Then the phone will look to backup location databases: first using its IP address and, second, looking at the nearest Wifi networks it can detect. Based on the signal strength of each Wifi connection, it can usually figure out within 10 meters where the phone is.

These IP and Wifi mapping databases are maintained by companies like Neustar, Maxmind and Skyhook, which have software embedded in millions of apps and phones, likely yours among them, that are constantly feeding them new, fresh mapping data—pairing the IP or Wifi networks the phone sees with GPS data. “Any time a location request is made on a phone we’re on, that information is used to recalibrate the system,” Skyhook’s chief technology officer Kipp Jones told me by phone.

As Reply All’s PJ Vogt put it in the episode about Lee and Saba’s home, “there’s databases feeding databases feeding databases.”

Maynor suspected the phones leading to Saba and Lee’s house might be deprived of GPS and cell tower triangulation, and so might be relying on their IP address to figure out where they were, given that this particular area is low on Wifi networks. “But looking at the IP address is not very specific; it’s just supposed to tell you whether the phone is in Atlanta or Zimbabwe,” said Maynor.

So he and a former colleague, Rob Graham, went looking through the public database of Maxmind, a location-providing company, which is known to have one of the biggest maps of IP addresses and so is used by lots of different companies—and possibly by whatever geolocation app the visitors to Lee and Saba’s house were using to find their phones.

It turns out that, for the zip code that covers the region next to Lee and Saba’s house, the latitude/longitude result that Maxmind returns is just 1000 feet away from their home.

“If someone turns on a phone miles away in the same zip code in a building without a clear line to GPS and not a lot of Wifi addresses, it’ll look like it’s in the spot Maxmind points to [very near Lee and Saba’s house],” said Maynor. As all of the people who have shown up at the house have been from the Atlanta area, this is plausible.

Maxmind founder and CEO Thomas Mather says his company advises against using IP geolocation data to pinpoint the location of a smartphone because it’s not precise enough.

“The best IP address-based geolocation can do is identify a city or a five-digit zip code, and the latitude/longitude we return is often close to the center of the city or the zip code,” said Mather by email. “If you think a customer of ours is using that data to pinpoint a household, we could reach out to that customer to inform them they should not be using our database in that manner.”

Maynor thinks it’s possible that an app seeking to better locate a phone might take the IP-based location and then consult a mapping database of the wireless devices it knows in the area. With little to choose from there, it may be locking onto Lee and Saba’s router as the closest to the IP-chosen location and then pinpointing their home as the exact location of the phone.
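The hypothesised fallback can be sketched in a few lines. This is an added example, not code from Maxmind, Skyhook or any find-my-phone app: it contrasts a locator that snaps a coarse IP centroid to the nearest known access point with one that reports the centroid and an honest accuracy radius. The 203.0.113.0/24 range, coordinates, BSSIDs, radii and function names are all constructed assumptions.

```python
import ipaddress
import math
# All data below is constructed for illustration; none of it is a real lookup.
IP_DB = {ipaddress.ip_network("203.0.113.0/24"): (33.7000, -84.4000)}  # net -> zip centroid
KNOWN_APS = [  # Wi-Fi database for a sparse area: (bssid, lat, lon)
    ("02:00:00:00:00:01", 33.7020, -84.4020),  # the lone router near the centroid
    ("02:00:00:00:00:02", 33.7400, -84.4500),
]
PHONES = [  # (ip, true position); both are kilometres from that router
    ("203.0.113.10", (33.7300, -84.3800)),
    ("203.0.113.99", (33.6800, -84.4300)),
]

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def ip_centroid(ip):
    addr = ipaddress.ip_address(ip)
    for net, centroid in IP_DB.items():
        if addr in net:
            return centroid
    return None

def locate_snapping(ip):
    """Hypothesised flaw: 'refine' the centroid to the nearest AP in the database,
    even though the phone never observed that AP, and claim Wi-Fi precision."""
    c = ip_centroid(ip)
    if c is None:
        return None
    _bssid, lat, lon = min(KNOWN_APS, key=lambda ap: haversine_m(c, ap[1:]))
    return {"lat": lat, "lon": lon, "source": "wifi-snap", "accuracy_m": 10}

def locate_honest(ip, zip_radius_m=5000):
    """Safer: keep the centroid and report an accuracy radius the size of the area."""
    c = ip_centroid(ip)
    if c is None:
        return None
    return {"lat": c[0], "lon": c[1], "source": "ip", "accuracy_m": zip_radius_m}

def error_m(fix, true_pos):
    return haversine_m((fix["lat"], fix["lon"]), true_pos)

if __name__ == "__main__":
    for ip, pos in PHONES:
        print(ip, locate_snapping(ip), round(error_m(locate_snapping(ip), pos)), "m off")
```

Every phone in the range resolves to the same router with a claimed 10 m accuracy, while the real error is several kilometres; the second locator returns the same kind of coarse answer but labels it as such.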

But he’s still uncertain. Maynor says he feels like Sherlock Holmes trying to solve this tech mystery.

“These are theories and I am trying to prove them. It’s like that Conan Doyle quote, ‘Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth,’” said Maynor. “But I’m still not satisfied. I want to find more of a smoking gun. We need to know what app people are using to find their phones and then look at what databases they’re relying on for location.”

So if you’re one of the many people who showed up at Lee and Saba’s door looking for your smartphone, please shoot me an email and tell me what app led you there. Without figuring that part of the mystery out, the only solution would be for Maxmind to change the default location for the IP address for that zip code—but that would mean some other house would have strangers seeking smartphones knocking on their door.

PJ Vogt

Dave Maynor, left, with Christina Lee and Michael Saba

Just having a working theory has brought some peace of mind for Lee and Saba.

“We’re pretty excited,” Saba told me by phone. “But we’re remaining cautiously optimistic, because this isn’t going to change overnight.”

The only big change so far? Their Internet provider sent them a new router, just in case that was sending out a bad identifier and causing the problem. “All we had to do was send them a link to your story,” said Saba.