2016’s biggest privacy threat: Your phone
When it comes to handing malicious hackers intimate details about our lives, right now Yahoo is leading the pack as one of the worst threats to privacy in recent history.
Yet there’s one thing that has Yahoo beat in both the amount and sensitivity of the data being leaked, as well as the frequency. And like IoT appliances, it’s a well-known and massive problem among security professionals, but it doesn’t garner a lot of attention from the public.
I’m talking about your smartphone.
Every step you take, every place with WiFi that you visit, and even friends who end up in your physical proximity can be revealed to anyone with a couple of bucks, the ability to program a Raspberry Pi and the will to violate your life.
Like Internet of Things products, smartphones leak your information and leave a trail of your habits to bystanders by design. Similarly, hackers and developers have been trying to raise the alarm and have gone practically ignored.
Just last week, a hacker in Bordeaux named Mehdi decided to see what he could learn about the people around him with a couple of off-the-shelf hacking gadgets. What he found is unsettling and creepy.
Over the course of six months, he observed information just leaking from people’s devices while on his daily train commute, merely through the WiFi and Bluetooth data coming from their phones.
Mehdi found all this out without hacking into anyone’s phone, planting hardware on them, without a warrant, and with zero help from Apple or Google. Using a Raspberry Pi armed with a GPS, WiFi and a Bluetooth sniffer, he created a poor man’s NSA-style tracking operation.
Whenever someone’s WiFi sent out probe requests for its home access points or their Bluetooth devices leaked information about what they were, he recorded it. HackADay wrote: “In the end, he got nearly 30,000 WiFis logged, including 120,000 probes. Each reading is time-stamped and geolocated, and [Mehdi] presents a few of the results from querying the resulting database.”
With this information, Mehdi tracked the entire commutes of strangers, saw when someone’s phone sent out probes for a Domino’s pizza WiFi the device recognized and figured out “which riders knew each other because they often connect to devices with unique IDs, which could be used to correlate them.”
You can bet that every app you have installed is also slurping up this information, bundling it and selling it to advertisers. We didn’t sign up for this. We’ve been boxed into this privacy nightmare by our smartphones, which literally don’t allow us to have a functional phone unless we formally agree to its legally binding Terms of Service.
Just like with the FBI director’s revelation about taping over webcams, for many hackers, this is old news. In fact, infosec researchers have been raising the alarm and exploiting the ease with which they can play Mehdi’s game of “capture the probe” for years. For malicious hackers and companies like Facebook alike, it’s considered a feature, not a flaw (though, of course, if it makes Facebook look bad, it’ll trot out the usual “it’s a bug” excuse).
At DEF CON 21 in 2013, hacker Brendan O’Connor presented Stalking a City for Fun and Frivolity. His talk was bracketed by some heavy emphasis on the fact that everything we use is leaking way too much data about us.
With tools O’Connor made, he recorded data and combined it to create a visualization “to show people with real faces and identities and histories moving around a map in 3D,” he told press. “Even if you don’t connect, if you are wired on a network, we will find you. If you are a person in a city, we will find you, and we will do it all for very little money.”
The experiment, O’Connor explained, was to see how much data they could collect from local network traffic. “This means names, photos, services used, etc.” It wasn’t terribly difficult for him to make filters for grabbing data from specific apps, including “DropBox, Twitter, Facebook, and dating websites.” He noted, “Now, many of these services encrypt their traffic, which is admirable.” However, he added that in most instances “we can still get useful data that they provide in, e.g., their User Agent. And there’s no reason for them to do this.”
“This isn’t even hard—and it should be hard. And that is pretty disturbing to me,” O’Connor said. “People fix vulnerabilities when the kid on the street corner can abuse it. Maybe it’s time to fix this now.”
That talk was covered by a fair number of mainstream news outlets. Still, it seems like most people don’t realize what kind of data is being broadcast from their devices. Despite what appears to be consumers’ growing concerns about privacy, 90 percent of people keep the location services function on their smartphones switched on at all times.
O’Connor soberly cautioned, “If every person on the planet can use this surveillance technology, I think we should start to design things not to leak information at every level. You leave behind a trail that can be tracked not just by the NSA or a law-enforcement agency, but by any kid in a basement with less than $500.”
I have to wonder if this was on anyone’s radar when Obama’s big cybersecurity plan was proposed by the White House’s Commission on Enhancing National Cybersecurity this month. It was released as a hopeful gift to the next administration, like when you give your brother soap for Christmas in hopes that he’ll take a shower once in a while.
That plan, a bespoke tapestry of long-term recommendations for beefing up America’s cybersecurity, calls for a “nutritional label” to help us assess the risks of products — like apps and, hopefully, phones. In a perfect world, we’d get some kind of warning before installing apps that leak our data, and before buying phones that broadcast pretty much everything about us.
Last September, disgraced FBI Director James Comey recommended we all cover our webcams with tape in an effort to help us fend for ourselves against shoddy tech and creeps who exploit it. Of course, many of us had been covering our cams for years as routine defense against malicious hacker-creeps.
Just wait until people like Comey find out how egregiously their phones leak private details of their daily lives to strangers, such as their commute, favorite hangouts, and who their friends are from their data-leaky apps and phones. No access to government resources needed.
As someone who’s been covering her webcam for years, I’m not holding my breath for anyone in any kind of power to do the right thing here. I’m refusing to let phone and app makers’ blatant disregard for the sanctity of our private lives make me give up the fight for privacy, or accept that it’s “too late.”
And you shouldn’t, either.