IoT | Commentary
10/16/2018 10:30 AM
Amit Sethi
Spies Among Us: Tracking, IoT & the Truly Inside Threat

In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.

It's probably no surprise to anyone working in tech that web and mobile ads somehow seem to know what your interests are. The same can be said about the gadgets in your home or office. Do you ever wonder if they are spying on you too? You're not alone.

We've come to rely on technology in both our personal and professional lives. We quickly take to the Internet to find answers and don't hesitate to download a mobile app because it promises to make our lives easier. However, this carefree attitude often means that security is overlooked, leaving users exposed. In today's ultra-connected world, it's important to understand how to safeguard our security while browsing the web and using mobile devices. Here are four key areas of exposure:

Web Searching
Website tracking originated as a fairly harmless concept meant to help users, not harm them. Its purpose is to show you ads for products or services that you might be interested in. Ad networks inject content into web pages; by tracking the pages you've visited, they can show ads related to content you've viewed. Websites have many ways of tracking users. In addition to cookies, websites can also track users through mechanisms such as unique identifiers hidden in cached content (for example, an ETag header that the browser sends back on every revalidation) and web storage.

There are also sneakier means, including browser fingerprinting. Browser fingerprinting doesn't rely on a website storing data on your device. It involves collecting information from a browser that can be used for unique identification. Browsers allow websites to access information like the browser type and version, screen size, color depth, installed plugins, installed fonts, time zone, language, and so on. Taken together, this information can often uniquely identify a browser.

What if you don't want sites to track your activity? The only foolproof answer is to stop using the Internet. But a more practical (albeit not 100% effective) solution is to open a private browsing window (e.g., Incognito window in Chrome and Private window in Firefox). Conduct browsing that you don't want tracked in such windows. Never sign into any websites in private windows, and close them periodically to wipe cookies, cache, and web storage that can still be used to track you across sites visited in the same private window. Note the limit of this approach: a private window discards stored data when it closes, but it does not change your browser type, screen size, fonts, or time zone, so fingerprinting works just as well inside it.
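The fingerprinting technique described above, as an added example (not code from the original article): collectAttributes() reads the attributes the text lists from the browser's navigator and screen objects, and fingerprint() canonicalises them and hashes them into a short ID. The hash is 32-bit FNV-1a so that the same code runs in a browser and in Node without Web Crypto; a real tracker would use a stronger hash and far more signals (canvas, WebGL, audio). The function names and the SAMPLE_BROWSER data are this example's own, constructed for illustration.

```javascript
// Added example, not from the original article: a minimal browser fingerprint.

// Read the fingerprint attributes from a browser. Outside a browser (e.g. in
// Node) navigator/screen do not exist, so return null and let the caller
// supply sample data instead.
function collectAttributes() {
  if (typeof navigator === "undefined" || typeof screen === "undefined") return null;
  return {
    userAgent: navigator.userAgent,
    language: navigator.language,
    platform: navigator.platform,
    screen: `${screen.width}x${screen.height}x${screen.colorDepth}`,
    timezoneOffset: new Date().getTimezoneOffset(),
    plugins: Array.from(navigator.plugins || [], (p) => p.name).sort(),
    hardwareConcurrency: navigator.hardwareConcurrency || 0,
  };
}

// 32-bit FNV-1a over the string's UTF-16 code units; returns 8 hex chars.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Canonicalise (sorted keys, stable serialisation) before hashing so that
// attribute order cannot change the ID, then hash.
function fingerprint(attrs) {
  const canonical = Object.keys(attrs)
    .sort()
    .map((k) => `${k}=${JSON.stringify(attrs[k])}`)
    .join("|");
  return fnv1a(canonical);
}

// Constructed sample of what a tracker would see from one browser; not real
// collected data.
const SAMPLE_BROWSER = {
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/62.0",
  language: "en-US",
  platform: "Linux x86_64",
  screen: "1920x1080x24",
  timezoneOffset: 240,
  plugins: ["Shockwave Flash"],
  hardwareConcurrency: 8,
};

// Same browser, private window: cookies and storage are gone, but every
// attribute above is unchanged, so the fingerprint is identical.
function privateWindowAttributes(attrs) {
  return { ...attrs };
}

if (typeof require !== "undefined" && require.main === module) {
  const live = collectAttributes() || SAMPLE_BROWSER;
  console.log("fingerprint:", fingerprint(live));
  console.log("private window:", fingerprint(privateWindowAttributes(live)));
  console.log("different time zone:", fingerprint({ ...live, timezoneOffset: live.timezoneOffset + 60 }));
}
```

Changing any single attribute (time zone, plugin list, screen size) changes the ID, while opening a private window changes none of them. The practical countermeasure is to reduce entropy or blend in (e.g., Tor Browser's uniform window sizes and disabled plugins), not to clear stored data.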

Mobile App Tracking
When it comes to mobile apps tracking users, many browser-based tracking techniques don't work unless you're using a web browser on your mobile device. For mobile apps installed on your device, the operating system typically generates a unique advertising identifier for your device and shares it with any installed apps that request it. Apps can send this identifier to ad networks to track you and figure out what ads to display to you.

To limit this tracking, use your device's setting to opt out of ad personalization or reset the advertising identifier; the setting varies by device and platform (e.g., "Limit Ad Tracking" on iOS and "Opt out of Ads Personalization" on Android). Google recently introduced a global setting on its website to disable ad personalization for websites and mobile apps that use Google's ad network. This setting does the trick for Android devices. While each application can still track your activities within the application, apps can no longer use the advertising identifier to collude and track your activities across applications.

Let's also consider mobile device location tracking. If given permission to do so by end users, mobile applications can retrieve the current location of the device they're installed on. Devices obtain this information using a variety of methods including GPS, Wi-Fi geolocation, cellular geolocation, and IP geolocation. The best way to prevent this is to deny applications access to your location information. All versions of iOS and Android 6.0+ allow you to deny individual installed applications access to location. (Note that preventing IP geolocation requires more than a simple setting change, because it is based on the public IP address the server sees; only routing your traffic through a VPN or proxy changes that.)

Voice Activated, On-Device Keyword Spotting
Many consumer devices use on-device keyword spotting that triggers devices with microphones to record and upload audio to the Internet. Smart assistants, for instance, listen for a keyword (e.g., Alexa) or a key phrase (e.g., Hey Siri) on the device itself. Once they hear the keyword or phrase, they start recording and send the recording to server-side components. These devices don't normally record and upload all your conversations. But, sometimes things do go wrong, such as when an Amazon Echo device recorded a family's conversation and emailed it to a seemingly random person on their contact list.

To protect your privacy, do some research before purchasing an Internet-connected device to understand the information it collects. If you decide to make the purchase, check your device settings to see which applications can access the microphone and when, and use the hardware microphone mute that many smart speakers provide when you don't need the assistant.

Videos and Photo Sharing
Access to cameras, as well as video and photo libraries, on mobile devices is controlled using application permissions. Once a user gives an application access to the device's camera or photos, it can use the device's camera or photo library whenever it wants. Depending on the mobile operating system, camera access may or may not be possible when the application is not in the foreground.

Legitimate applications request and use camera and photo access for various purposes, the most common being to share photos or to back them up. Be careful which applications you allow to access your camera and photos.

Of course, malicious actors don't play by the rules. Some ways in which user videos or photos can be accessed by malicious actors include:

  • A malicious app pretending to be legitimate so that the user doesn't mind providing permissions
  • A malicious app exploiting a root/jailbreak vulnerability to gain full control over the device
  • Stealing photos from backups (e.g. from iCloud backups, Google Photos, etc.)
  • Stealing photos from a stolen device that doesn't have a passcode set (or one with an easily guessable passcode)

To protect yourself, follow the usual guidance for protecting your mobile device and online accounts. Always protect your device using a passcode and don't install apps from anywhere other than the official app store for the platform. Additionally, protect your online accounts (including iCloud and Google accounts) using long complex passwords and enable multifactor authentication whenever possible.


Amit Sethi is a principal consultant at Synopsys. He specializes in mobile security, online game security, and cryptography. Amit's work includes extracting cryptographic keys from embedded devices using side-channel attacks, designing mechanisms to make those attacks more ...