Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
10/16/2018
10:30 AM
Amit Sethi
Amit Sethi
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Spies Among Us: Tracking, IoT & the Truly Inside Threat

In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.

It's probably no surprise to anyone working in tech that web and mobile ads somehow seem to know what your interests are. Same can be said about the gadgets in your home or office. Do you ever wonder if they are spying on you too? You're not alone.

We've come to rely on technology in both our personal and professional lives. We quickly take to the Internet to find answers and don't hesitate to download a mobile app because it promises to make our lives easier. However, this carefree attitude often means that security is overlooked, leaving users exposed. In today's ultra-connected world, it's important to understand how to safeguard our security while browsing the web and using mobile devices. Here are four key areas of exposure:

Web Searching
Website tracking originated as a fairly harmless concept and something meant to help users, not harm them. Its purpose is to show you ads for products or services that you might be interested in. Ad networks inject content into web pages; by tracking pages you've visited, they can show ads related to content you've viewed. Websites have many ways of tracking users. In addition to cookies, websites can also track users through mechanisms such as unique identifiers in cached content and web storage.

There are also sneakier means, inclujding browser fingerprinting. Browser fingerprinting doesn't rely on a website storing data on your device. It involves collecting information from a browser that can be used for unique identification. Browsers allow websites to access information like the browser type and version, screen size, color depth, installed plugins, installed fonts, time zone, language, and so on. This information can often uniquely identify browsers.

What if you don't want sites to track your activity? The only foolproof answer is to stop using the Internet. But a more practical (albeit not 100% effective) solution is to open a private browsing window (e.g., Incognito window in Chrome and Private window in Firefox). Conduct browsing that you don't want tracked in such windows. Never sign into any websites in private windows and close them periodically to wipe data that can still be used to track you from websites visited in a private window.

Mobile App Tracking
When it comes to mobile apps tracking users, many browser-based tracking techniques don't work unless you're using a web browser on your mobile device. For mobile apps installed on your device, the operating system typically generates a unique advertising identifier for your device and shares it with any installed apps that request it. Apps can send this identifier to ad networks to track you and figure out what ads to display to you.

To avoid this tracking, change your device's settings to generate a different identifier for each application. The setting varies by device and platform. Google recently introduced a global setting on its website to disable ad personalization for websites and mobile apps that use Google's ad network. This setting does the trick for Android devices. While each application can still track your activities within the application, they can't collude to track your activities across applications.

Let's also consider mobile device location tracking. If given permission to do so by end users, mobile applications can retrieve the current location of the device they're installed on. Devices obtain this information using a variety of methods including GPS, Wi-Fi geolocation, cellular geolocation, and IP geolocation. The best way to prevent this is to deny applications access to your location information. All versions of iOS and Android 6.0+ allow you to deny installed applications access to specific location information. (Note that preventing IP geolocation requires more than a simple setting change.)

Voice Activated, On-Device Keyword Spotting
Many consumer devices use on-device keyword spotting that triggers devices with microphones to record and upload audio to the Internet. Smart assistants, for instance, listen for a keyword (e.g., Alexa) or a key phrase (e.g., Hey Siri) on the device itself. Once they hear the keyword or phrase, they start recording and send the recording to server-side components. These devices don't normally record and upload all your conversations. But, sometimes things do go wrong, such as when an Amazon Echo device recorded a family's conversation and emailed it to a seemingly random person on their contact list.

To protect your privacy, do some research before purchasing an Internet-connected device to understand the information it collects. If you decide to make the purchase, check your device settings to see which applications can access the microphone and when.

Videos and Photo Sharing
Access to cameras, as well as video and photo libraries, on mobile devices is controlled using application permissions. Once a user gives an application access to the device's camera or photos, it can use the device's camera or photo library whenever it wants. Depending on the mobile operating system, camera access may or may not be possible when the application is not in the foreground.

Legitimate applications request and use camera and photo access for various purposes, the most common being to share them or to back them up. Be careful which applications you allow to access your camera and photos.

Of course, malicious actors don't play by the rules. Some ways in which user videos or photos can be accessed by malicious actors include:

  • A malicious app pretending to be legitimate so that the user doesn't mind providing permissions
  • A malicious app exploiting a root/jailbreak vulnerability to gain full control over the device
  • Stealing photos from backups (e.g. from iCloud backups, Google Photos, etc.)
  • Stealing photos from a stolen device that doesn't have a passcode set (or one with an easily guessable passcode)

To protect yourself, follow the usual guidance for protecting your mobile device and online accounts. Always protect your device using a passcode and don't install apps from anywhere other than the official app store for the platform. Additionally, protect your online accounts (including iCloud and Google accounts) using long complex passwords and enable multifactor authentication whenever possible.

Related Content:

 

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Amit Sethi is a principal consultant at Synopsys. He specializes in mobile security, online game security, and cryptography. Amit's work includes extracting cryptographic keys from embedded devices using side-channel attacks, designing mechanisms to make those attacks more ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...