This information was published in December 2010 and had been known even earlier -- but it largely flew under the radar.
In February 2011 Sean Morrissey and Alex Levinson previewed Lantern 2.0, which harvested data from consolidated.db, at the DoD Cyber Crimes Conference in Washington, DC:
Lantern 2.0 has been on the market for months now and performs the same functionality Mr. Warden's utility does and much more. We correlate geolocational data embedded in images and third-party applications. We give you a geolocational timeline of events in list view showing much more than baseband logs within consolidated.db.
The problem is that Lantern is a commercial forensics application that sells for $600-$700, so it's out of reach of the average user. If you'd like to see the contents of consolidated.db for yourself, download Warden's open-source, proof-of-concept OS X application, iPhone Tracker, and run it.
iPhones running iOS 4 appear to log your location to a SQLite database called "consolidated.db." Each entry carries latitude-longitude coordinates and a timestamp. The positions are those of the cell towers (and Wi-Fi access points) the phone has seen rather than GPS fixes, so they aren't always exact, but they are detailed enough to trace your movements. There can be tens of thousands of data points in this file, and since collection appears to have started with iOS 4, there's typically around a year's worth of information at this point.
iPhone Tracker automatically finds the file in your last iPhone backup and plots your location over time on a map. You can zoom in on specific areas and watch a time-lapse animation of your phone's location on a "heat map." It even includes a draggable slider that lets you look at a specific moment in time. (Hint: you need to drag the little bar on the zoom meter; clicking + and - doesn't work.)
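To show what a tool like iPhone Tracker actually does with the file, here is an added example (my own code, not Warden's iPhone Tracker or Lantern). It assumes the iOS 4 layout as reported at the time: the backup copy is named by SHA-1 of "RootDomain-Library/Caches/locationd/consolidated.db", the CellLocation table has the columns listed below, and timestamps are CoreFoundation absolute time (seconds since 2001-01-01 UTC). The database it reads is constructed in memory, not taken from a real phone.

```python
import hashlib
import math
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

# consolidated.db timestamps count seconds from 2001-01-01 UTC, not 1970.
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Assumed subset of the iOS 4 CellLocation schema (the real table has more columns).
SCHEMA = """
CREATE TABLE CellLocation (
    MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,
    Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT
);
"""


def backup_file_name(domain="RootDomain",
                     relative_path="Library/Caches/locationd/consolidated.db"):
    """iTunes names each backed-up file SHA-1('<domain>-<path>'); this is how a
    tool finds consolidated.db inside ~/Library/Application Support/MobileSync/Backup/."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode()).hexdigest()


def cf_to_datetime(cf_seconds):
    return CF_EPOCH + timedelta(seconds=cf_seconds)


def datetime_to_cf(dt):
    return (dt - CF_EPOCH).total_seconds()


def build_sample_db():
    """Constructed stand-in for a real consolidated.db: three tower sightings in
    Washington, DC on 1 April 2011, then two in New York the next day."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = datetime(2011, 4, 1, 9, 0, tzinfo=timezone.utc)
    rows = []
    for i, (lat, lon) in enumerate([(38.8977, -77.0365), (38.8895, -77.0353), (38.9072, -77.0369)]):
        rows.append((310, 410, 1, 100 + i, datetime_to_cf(t0 + timedelta(minutes=10 * i)), lat, lon, 500.0))
    t1 = t0 + timedelta(days=1)
    for i, (lat, lon) in enumerate([(40.7128, -74.0060), (40.7580, -73.9855)]):
        rows.append((310, 410, 2, 200 + i, datetime_to_cf(t1 + timedelta(minutes=15 * i)), lat, lon, 1000.0))
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def timeline(conn, start=None, end=None):
    """Fixes as (utc datetime, lat, lon, accuracy_m), oldest first.
    start/end are ISO-8601 strings with an offset, e.g. '2011-04-02T00:00:00+00:00'."""
    sql = "SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy FROM CellLocation"
    clauses, params = [], []
    if start is not None:
        clauses.append("Timestamp >= ?")
        params.append(datetime_to_cf(datetime.fromisoformat(start)))
    if end is not None:
        clauses.append("Timestamp <= ?")
        params.append(datetime_to_cf(datetime.fromisoformat(end)))
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY Timestamp"
    return [(cf_to_datetime(ts), lat, lon, acc) for ts, lat, lon, acc in conn.execute(sql, params)]


def heat_map(fixes, cell_deg=0.05):
    """Count fixes per lat/lon grid cell. 0.05 degrees is roughly 5 km, which is
    the kind of coarse bucketing a heat map (or a privacy-preserving demo) uses."""
    grid = Counter()
    for _, lat, lon, _ in fixes:
        cell = (round(math.floor(lat / cell_deg) * cell_deg, 2),
                round(math.floor(lon / cell_deg) * cell_deg, 2))
        grid[cell] += 1
    return grid


if __name__ == "__main__":
    print("backup file name:", backup_file_name())
    db = build_sample_db()
    for when, lat, lon, acc in timeline(db):
        print(f"{when.isoformat()}  {lat:.4f},{lon:.4f}  +/-{acc:.0f} m")
    for cell, n in heat_map(timeline(db)).most_common():
        print("cell", cell, "fixes", n)
```

Point a real run at the file iPhone Tracker extracts (or at the path on a jailbroken phone) by replacing build_sample_db() with sqlite3.connect(path); the timeline and grid logic does not change. The HorizontalAccuracy column is the reason the positions "aren't always exact": each row is a tower estimate with a radius, not a pin.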
A screenshot of my iPhone Tracker heat map is posted at the top of the story. Here's one of the duo's demo videos:
Washington DC to New York from Alasdair Allan on Vimeo.
It's amazing that this file sits unencrypted on your hard drive, available to anyone with access to your Mac (or its backups). What makes it even more nefarious is that the file holds almost a year's worth of data, going back to whenever you installed iOS 4, which was released on June 21, 2010. And the file is almost impossible to delete: it persists across device upgrades and across backups and restores.
So what to do?
A. Don't Panic.
There's no immediate harm that would seem to come from the availability of this data, and there is no evidence that it is leaving your custody. But why this data is stored, and how Apple intends to use it, or not, are important questions that need to be explored.
B. Protect yourself by encrypting your backups through iTunes (click on your device within iTunes and then check "Encrypt iPhone Backup" under the "Options" area). Pick a strong password, since the protection is only as good as it. Note that this secures only the copy in your backup; the copy on the phone itself is unaffected.
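To confirm the setting actually took, here is an added check (my own script, not Apple's). It assumes the backup layout iTunes used at the time: one folder per device UDID under ~/Library/Application Support/MobileSync/Backup/, each containing a Manifest.plist whose IsEncrypted key is true once "Encrypt iPhone Backup" is checked. The tree walked in the demo run is constructed in a temporary directory.

```python
import os
import plistlib
import tempfile

# Where iTunes kept device backups on OS X at the time (assumed unchanged for this check).
DEFAULT_ROOT = os.path.expanduser("~/Library/Application Support/MobileSync/Backup")


def backup_is_encrypted(backup_dir):
    """True if the backup's Manifest.plist says it is encrypted."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as f:
        manifest = plistlib.load(f)
    return bool(manifest.get("IsEncrypted", False))


def audit_backups(root=DEFAULT_ROOT):
    """Map each backup folder (device UDID) to True, False, or None when the
    folder has no Manifest.plist and so cannot be judged."""
    status = {}
    if not os.path.isdir(root):
        return status
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not os.path.isdir(path):
            continue
        try:
            status[name] = backup_is_encrypted(path)
        except FileNotFoundError:
            status[name] = None
    return status


def make_demo_root():
    """Constructed stand-in backup tree: one encrypted backup, one plaintext
    backup, and one folder with no manifest. Not a real backup."""
    root = tempfile.mkdtemp()
    for udid, encrypted in (("0000encrypted", True), ("1111plaintext", False)):
        d = os.path.join(root, udid)
        os.makedirs(d)
        with open(os.path.join(d, "Manifest.plist"), "wb") as f:
            plistlib.dump({"IsEncrypted": encrypted, "Version": "9.1"}, f)
    os.makedirs(os.path.join(root, "2222nomanifest"))
    return root


if __name__ == "__main__":
    # Run against the real backup folder; falls back to the demo tree if absent.
    root = DEFAULT_ROOT if os.path.isdir(DEFAULT_ROOT) else make_demo_root()
    for udid, encrypted in audit_backups(root).items():
        label = {True: "encrypted", False: "PLAINTEXT", None: "no manifest"}[encrypted]
        print(f"{udid}: {label}")
```

Any backup reported as PLAINTEXT still contains consolidated.db in the clear; re-run after checking the box and making a fresh backup, because the setting applies to new backups, not to copies already on disk.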
Apple needs to respond to the concerns brought up by researchers about consolidated.db immediately. It should start by pushing out a maintenance release that, at minimum, encrypts and hides the file.
More on the topic:
Update: Andy Ihnatko reinforces my Don't Panic advice:
Update 2: The forensic community has known about the consolidated.db file for a while now and has been using it. Alex Levinson notes that he's provided data from pre-iOS 4 iPhones to law-enforcement:
Through my work with various law enforcement agencies, we’ve used h-cells.plist on devices older than iOS 4 to harvest geolocational evidence from iOS devices.