IoT | Commentary
Amit Sethi, 10/16/2018 10:30 AM

Spies Among Us: Tracking, IoT & the Truly Inside Threat

In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.

It's probably no surprise to anyone working in tech that web and mobile ads somehow seem to know what your interests are. The same can be said about the gadgets in your home or office. Do you ever wonder if they are spying on you too? You're not alone.

We've come to rely on technology in both our personal and professional lives. We quickly take to the Internet to find answers and don't hesitate to download a mobile app because it promises to make our lives easier. However, this carefree attitude often means that security is overlooked, leaving users exposed. In today's ultra-connected world, it's important to understand how to safeguard our security while browsing the web and using mobile devices. Here are four key areas of exposure:

Web Searching
Website tracking originated as a fairly harmless concept and something meant to help users, not harm them. Its purpose is to show you ads for products or services that you might be interested in. Ad networks inject content into web pages; by tracking pages you've visited, they can show ads related to content you've viewed. Websites have many ways of tracking users. In addition to cookies, websites can also track users through mechanisms such as unique identifiers in cached content and web storage.

There are also sneakier means, including browser fingerprinting. Browser fingerprinting doesn't rely on a website storing data on your device. It involves collecting information from a browser that can be used for unique identification. Browsers allow websites to access information like the browser type and version, screen size, color depth, installed plugins, installed fonts, time zone, language, and so on. Taken together, this information can often uniquely identify a browser.

What if you don't want sites to track your activity? The only foolproof answer is to stop using the Internet. But a more practical (albeit not 100% effective) solution is to open a private browsing window (e.g., Incognito window in Chrome and Private window in Firefox). Conduct browsing that you don't want tracked in such windows. Never sign into any websites in private windows and close them periodically to wipe data that can still be used to track you from websites visited in a private window.

Mobile App Tracking
When it comes to mobile apps tracking users, many browser-based tracking techniques don't work unless you're using a web browser on your mobile device. For mobile apps installed on your device, the operating system typically generates a unique advertising identifier for your device and shares it with any installed apps that request it. Apps can send this identifier to ad networks to track you and figure out what ads to display to you.

To avoid this tracking, change your device's settings to generate a different identifier for each application. The setting varies by device and platform. Google recently introduced a global setting on its website to disable ad personalization for websites and mobile apps that use Google's ad network. This setting does the trick for Android devices. While each application can still track your activities within the application, they can't collude to track your activities across applications.

Let's also consider mobile device location tracking. If given permission to do so by end users, mobile applications can retrieve the current location of the device they're installed on. Devices obtain this information using a variety of methods including GPS, Wi-Fi geolocation, cellular geolocation, and IP geolocation. The best way to prevent this is to deny applications access to your location information. All versions of iOS and Android 6.0+ allow you to deny installed applications access to specific location information. (Note that preventing IP geolocation requires more than a simple setting change.)

Voice Activated, On-Device Keyword Spotting
Many consumer devices use on-device keyword spotting that triggers devices with microphones to record and upload audio to the Internet. Smart assistants, for instance, listen for a keyword (e.g., Alexa) or a key phrase (e.g., Hey Siri) on the device itself. Once they hear the keyword or phrase, they start recording and send the recording to server-side components. These devices don't normally record and upload all your conversations. But sometimes things do go wrong, such as when an Amazon Echo device recorded a family's conversation and emailed it to a seemingly random person on their contact list.

To protect your privacy, do some research before purchasing an Internet-connected device to understand the information it collects. If you decide to make the purchase, check your device settings to see which applications can access the microphone and when.

Video and Photo Sharing
Access to cameras, as well as video and photo libraries, on mobile devices is controlled using application permissions. Once a user gives an application access to the device's camera or photos, it can use the device's camera or photo library whenever it wants. Depending on the mobile operating system, camera access may or may not be possible when the application is not in the foreground.

Legitimate applications request and use camera and photo access for various purposes, the most common being to share photos and videos or to back them up. Be careful which applications you allow to access your camera and photos.

Of course, malicious actors don't play by the rules. Some ways in which user videos or photos can be accessed by malicious actors include:

  • A malicious app pretending to be legitimate so that the user doesn't mind providing permissions
  • A malicious app exploiting a root/jailbreak vulnerability to gain full control over the device
  • Stealing photos from backups (e.g. from iCloud backups, Google Photos, etc.)
  • Stealing photos from a stolen device that doesn't have a passcode set (or one with an easily guessable passcode)

To protect yourself, follow the usual guidance for protecting your mobile device and online accounts. Always protect your device using a passcode and don't install apps from anywhere other than the official app store for the platform. Additionally, protect your online accounts (including iCloud and Google accounts) using long complex passwords and enable multifactor authentication whenever possible.

Amit Sethi is a principal consultant at Synopsys. He specializes in mobile security, online game security, and cryptography. Amit's work includes extracting cryptographic keys from embedded devices using side-channel attacks, designing mechanisms to make those attacks more ...