No Click Excitement: Interaction-Less Vulnerabilities in Messaging Apps

October 20, 2021

Google researcher Natalie Silvanovich has made it her mission to investigate one particular type of vulnerability—one that allows attackers to access video and/or audio without the victim so much as clicking a link. Wired discusses her unnerving findings in, “Messaging Apps Have an Eavesdropping Problem.” Writer Lily Hay Newman tells us:

“Silvanovich has spent years studying ‘interaction-less’ vulnerabilities, hacks that don’t require their targets to click a malicious link, download an attachment, enter a password in the wrong place, or participate in any way. Those attacks have taken on increasing significance as targeted mobile surveillance explodes around the world.”

The resolute researcher presented her findings at the recent Black Hat security conference in Las Vegas. Her search turned up bugs in apps domestic and foreign, from Facebook Messenger, Google Duo, and Signal to JioChat and Viettel Mocha. The vulnerabilities she found were eagerly patched by the respective developers once she notified them, but her discoveries reveal a problem more widespread than had been suspected. It seems that some of the vulnerabilities resulted from honest mistakes by developers using the open source communication tool WebRTC. Other times, though, it had to do with how an app connects calls. We learn:

“When someone calls you on an internet-based communication app, the system can start setting up the connection between your devices right away, a process known as ‘establishment,’ so the call can start instantly when you hit accept. Another option is for the app to hang back a bit, wait to see if you accept the call, and then take a couple of seconds to establish the communication channel once it knows your preference. … Most mainstream services take the other route, though, setting up the communication channel and even starting to send data like audio and video streams in advance to offer a near-instantaneous connection should the call’s recipient pick up. Doing that prep work doesn’t inherently introduce vulnerabilities, and it can be done in a privacy-preserving way. But it does create more opportunities for mistakes.”

Concerned users may want to favor Telegram—Silvanovich found that app takes the slower but safer route. Though the snippets hackers can capture with these vulnerabilities may or may not be valuable, many find it worth a try—such attacks are difficult to detect and to trace. Careful design and implementation on the part of app developers are the keys to avoiding such breaches, she tells us.
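As an added illustration, not code from the Wired article, from Silvanovich’s research, or from any of the apps named, here is a small Python model of the two callee-side designs the quote contrasts. The class and method names are constructed for the example; it assumes a simplified view of WebRTC signaling in which transport setup (ICE/DTLS) can finish while the phone is still ringing, and the only question is whether outbound microphone and camera frames are released before the user accepts.

```python
# Added example; a simplified model, not code from any of the apps or from WebRTC.
# Transport setup (ICE/DTLS) is completed early in both designs so accept feels
# instant; the difference is whether outbound media waits for the user's decision.
from dataclasses import dataclass, field
from enum import Enum, auto


class Policy(Enum):
    EAGER = auto()  # attach mic/camera as soon as the transport is up
    GATED = auto()  # set up transport early, but hold media until accept


@dataclass
class CalleeSession:
    policy: Policy
    transport_ready: bool = False
    accepted: bool = False
    sent: list = field(default_factory=list)  # (frame, was_accepted_at_send)

    def on_offer(self) -> str:
        """Caller's offer arrived; finish ICE/DTLS now so accept feels instant.
        Returns the media direction the callee advertises in its SDP answer."""
        self.transport_ready = True
        return self.media_direction()

    def media_direction(self) -> str:
        # A gated callee answers 'recvonly' (or 'inactive' if it also refuses
        # early inbound media) until the user accepts, then renegotiates to
        # 'sendrecv'; an eager callee advertises 'sendrecv' immediately.
        if self.policy is Policy.GATED and not self.accepted:
            return "recvonly"
        return "sendrecv"

    def on_local_frame(self, frame: str) -> bool:
        """Capture pipeline hands over a frame; True if it went on the wire."""
        if not self.transport_ready or self.media_direction() != "sendrecv":
            return False  # no transport yet, or media still gated on accept
        self.sent.append((frame, self.accepted))
        return True

    def on_accept(self) -> str:
        self.accepted = True
        return self.media_direction()  # direction after renegotiation


def frames_sent_before_accept(session: CalleeSession) -> list:
    """Audit helper: frames that left the device while it was still ringing."""
    return [frame for frame, accepted in session.sent if not accepted]


def simulate(policy: Policy) -> CalleeSession:
    """Constructed scenario: offer arrives, three frames are captured while
    ringing, the user accepts, then one more frame is captured."""
    s = CalleeSession(policy)
    s.on_offer()
    for i in range(3):
        s.on_local_frame(f"mic-frame-{i}")
    s.on_accept()
    s.on_local_frame("mic-frame-3")
    return s
```

Under the eager policy the three pre-accept frames reach the caller; under the gated policy the transport is equally ready, yet nothing leaves the device until the user answers.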

Cynthia Murrell October 20, 2021

Data Slurping Gluttons: Guess Who, Please?

October 19, 2021

Apple’s iOS enjoys a reputation of being more respectful of users’ privacy than Google’s Android. However, announces Tom’s Guide, “New Study Reveals iPhones Aren’t as Private as You Think.” The recent paper was published by Trinity College’s School of Computer Science & Statistics. Unlike the many studies that have covered what kind of data apps collect, this research focuses on data reaped by the core operating systems themselves.

The researchers found Android does collect a higher volume of data, but iPhones collect more types of information. This includes data about other devices that could allow Apple to make a relationship graph of all devices in a local network, whether a home, office, or public space like a café. Creepy. Not only that, both operating systems collect telemetry and other data even when users explicitly opt out. Much of this collection happens when the phone is powered up. The rest occurs the whole time the device is on, even when sitting idle. Writer Paul Wagenseil specifies:

“Both the iPhone and Android phone called home to Apple and Google servers every 4 or 5 minutes while the phones were left idle and unused for several days. The phones were powered on and plugged in, but the users had not yet logged into Apple or Google accounts. Even when the iPhone user stayed logged out of their Apple account, the iPhone still sent identifying cookies to iCloud, Siri, the iTunes Store and Apple’s analytics servers while the iPhone was idle. It also sent information about nearby devices sharing the same Wi-Fi network. When location services were enabled on the iPhone, its latitude and longitude were transmitted to Apple servers. On Android, data is sent to Google Play servers every 10 to 20 minutes even when the user is not logged in. Certain Google apps also send data, including Chrome, Docs, Messaging, Search and YouTube, although only YouTube sends unique device identifiers.”

Unfortunately, researchers concluded, there is not much one can do to prevent this data from being harvested. The best Android users can do is to start their phone with network connections disabled. The study found disabling Google Play Services and the Google Play and YouTube apps before connecting to a network prevented the vast majority of data sharing. But then, users would have to visit other app stores to download apps, each of which has its own privacy issues. Apple users do not even have that option, as their device must connect to a network to activate.

See the article for a summary of the researchers’ process. They reached out to both companies for comment. Google responded by comparing its data collection to the statistics modern vehicles send back to manufacturers—they just want to make sure everything is working properly. Apple’s spokesperson quibbled with the researchers’ findings and insisted users’ personal data was safe and could not be traced to individuals. I suppose we will just have to take their word for it.

Cynthia Murrell October 19, 2021

NSO Group and an Alert Former French Diplomat: Observation Is Often Helpful

August 2, 2021

I read “French Ex-Diplomat Saw Potential for Misuse While Working at NSO.” The allegedly accurate write up reports that Gerard Araud [once a French ambassador] took a position at NSO Group. The write up adds:

His one-year mission from September 2019, along with two other external consultants from the United States, was to look at how the company could improve its human rights record after a host of negative news stories. Earlier that year, the group’s technology had been linked publicly to spying or attempted spying on the murdered Saudi journalist Jamal Khashoggi by Saudi Arabian security forces, which it denied. The group was acquired in 2019 by a London-based private equity group, Novalpina, which hired Araud to recommend ways to make the company’s safeguard procedures “more rigorous and a bit more systematic,” he said.

The write up explains how a prospect becomes an NSO Group customer:

Its [the Pegasus software and access credentials] export is regulated “like an arms sale,” said Araud, meaning NSO must seek approval from the Israeli government to sell it, and state clients then sign a lengthy commercial contract stipulating how the product will be used. They are meant to deploy Pegasus only to tackle organised crime or terrorism — the company markets itself this way — but Araud said “you could see all the potential for misuse, even though the company wasn’t always responsible.”

The argute veteran of the French ambassadorial team maybe, possibly, could have discerned the potential for misuse of the Pegasus system.

The write up includes this information, allegedly direct from the former diplomat, who obviously provides information diplomatically:

In a firm that practices “a form of extreme secrecy,” he says he nonetheless became convinced that NSO Group worked with Israel’s Mossad secret services, and possibly with the CIA. He said there were three Americans who sat on the group’s advisory board with links to the US intelligence agency, and the company has said that its technology cannot be used to target US-based numbers. “There’s a question about the presence of Mossad and the CIA. I thought it was both of them, but I have no proof,” he said. “But I suspect they’re both behind it with what you call a ‘backdoor’.” A “backdoor” is a technical term meaning the security services would be able to monitor the deployment of Pegasus and possibly the intelligence gathered as a result.

Interesting. Several years ago, the BBC published “When Is a Diplomat Really Just a Spy?” In that 2018 write up, the Beeb stated:

So where do you draw the line between official diplomacy and the murky world of espionage? “Every embassy in the world has spies,” says Prof Anthony Glees, director of the Centre for Security and Intelligence Studies at the University of Buckingham. And because every country does it, he says there’s “an unwritten understanding” that governments are prepared to “turn a blind eye” to what goes on within embassies.

Would French diplomats have some exposure to ancillary duties at a French embassy? Potentially.

Stephen E Arnold, August 3, 2021

China: Making Technology into a Friend Magnet in Africa

July 27, 2021

I don’t know much about Africa. I remember studying about Belgium’s wonderful and humane approach, but China has found technology more agreeable than Léopold II’s tactics. “Chinese Tech, Ignored by the West, Is Taking over Africa’s Cyberspace” reports:

While China’s telecom giant Huawei has come under increasing attack in the US and the European Union, it is thriving in Africa…

The drive to lure people comes as Huawei faces mounting attacks from the West. But in Africa, the company has a solid base. Currently, Huawei is active in most African countries. According to an Atlantic Council study – “The Digital Infrastructure Imperative in African Markets,” – around 50 percent of Africa’s 3G networks and 70 percent of its 4G networks are built by Huawei.

What’s Huawei’s secret sauce? The article quotes an expert who asserts:

“Huawei has a big competitive advantage because it’s got access to state capital,” says Eric Olander, managing editor of The China Africa Project, a portal that monitors Chinese business ventures across the continent.

What does that “state capital” enable? Check out this map. The white line is the cable which surrounds the African continent. Sixteen major nodes are planned. The 5G system will connect hundreds of millions of people.

[image: map of the cable surrounding the African continent]

Maybe the Google Loon balloons will be given another shot at the Internet connectivity the online ad company deployed in Puerto Rico. Facebook had model airplane-type devices. And Elon Musk has nifty satellite things. But for now, Huawei is having its way with 5G, the Internet connectivity, and capturing a growing market for devices and services.

Stephen E Arnold, July 27, 2021

How about That 5G?

March 26, 2021

Here we have some premium marketing hoo hah from Digital Trends, “8 Exciting Use Cases that Show What 5G Can Really Do.” In our experience, most people find 4G, LTE, and ATT DSS-fake-5G to be faster than 5G. The write-up seems to presage a time when 5G Ultra Wideband networks have expanded much farther than they have. Writer Jacob Kienlen envisions:

“Like any upgrade to our mobile network infrastructure, the most exciting aspect is the speed and consistency it brings. That, combined with latency reductions, is enough to start predicting some of the opportunities 5G will provide in the coming years. Some of the most obvious 5G use cases are related to technologies that can only really be made better by an improved mobile network. These are things like smart cities, autonomous vehicles, and businesses. The difference between 4G and 5G in that regard is the sheer improvement to consistent high-speed internet on the go. That improvement will bring with it a slew of improvements to existing technologies, but also spark entirely new ones that couldn’t exist with 4G or 3G networks. Here are some of the most exciting 5G cases you can look forward to.”

Can we, really? Right now people are turning off the 5G service on their mobile phones because it is too slow and unreliable. Let us play along, though, and picture a world where 5G has engulfed us coast-to-coast. The eight use cases described here include better home internet; better communication, with both voice and video calls; more viable autonomous vehicles; improved video-streaming quality; advanced agriculture technologies; the rise of more smart cities; a refined Internet of Things; and advances in healthcare, from faster and easier remote diagnoses and operations to health-monitoring smart watches for all.

Kienlen does paint an exciting picture, and perhaps it will come to pass someday. For the foreseeable future, though, these visions remain illusory for most of us.

Cynthia Murrell, March 26, 2021

T-Mobile: Privacy Is a Tough Business

March 12, 2021

Just a bit of mobile phone experience this morning. T Mobile (the magenta or pink outfit) notified me I could opt out of its forthcoming “sell your data” initiative. I dutifully clicked on the link to something which appeared in an SMS as t-mo.com/privacy12. Surprise. The page rendered with a notice that it was a new domain. I fiddled around and was able to locate the page via the search box on T-mobile.com. I filled in the data, including a very long Google ad tracker number. I clicked the submit button and nothing happened. I spotted an email address which was “privacy@tmobile.com.” Guess what? The email bounced. I called 611, the number for customer service. I was told that T Mobile would call me back in 30 minutes. Guess what? No call within the time window.

Privacy is a tough business, and it is one which amuses the marketers and thumbtypers who work with developers to create dark patterns for paying customers. Nice work.

Nifty move. Well, the company is magenta or pink. It is dark, however. Very dark and quite sad.

Stephen E Arnold, March 11, 2021, 4:35 pm US Eastern

Google Allegedly Sucking User Data: Some Factoids from the Taylor Legal Filing

November 16, 2020

I read the legal filing by Taylor et al v. Google. The case is related to Google’s use of personal data for undisclosed reasons without explicit user permission to consume the user’s bandwidth on a mobile network. You can download the 23 page legal document from this link, courtesy of The Register, a UK online information service. Here’s a rundown of a few of the factoids in the document which I found interesting:

  • Google’s sucking of hundreds of megabytes of data is characterized as a “dirty little secret.” Hundreds of megabytes of data does not seem to me to be “little.”
  • Google allegedly conducts “passive information transfers which are not initiated by any action of the user and are performed without their knowledge.” I think this means taking data surreptitiously.
  • Taking the data uses for-fee network connections. I think this means that the user foots the bill for the data sucking.
  • Android has 54.4 percent of the US smartphone market.
  • The volume of data “transferred” is about nine megabytes per 24 hours when an Android device is stationary and not in active use.

This graphic appears in the filing on page 11:

[image: graphic from page 11 of the filing]

The big bar shows Google’s data sucking compared to Apple’s.

The document states:

Google has concealed its misappropriation of Plaintiffs’ cellular data.

I wonder if Google’s senior executives are aware of what the Android phones are allegedly doing. Google was not aware of a number of employee activities, most recently the leak of ideas for thwarting EU regulators.

Is this another example of entitlement management; that is, acting in a manner of a high school science club confident in its superiority over lesser mortals?

Stephen E Arnold, November 16, 2020

Android: Fragmentation? What Fragmentation?

November 9, 2020

Interesting statement in “Older Android Phones Will Be Cut Off From a Large Chunk of the Web in 2021”:

Let’s Encrypt noted that roughly 34% of Android devices are running a version older than 7.1 based on data from Google’s Android development suite.

Android fragmentation? What fragmentation?

Stephen E Arnold, November 9, 2020

Washington Might Crack Down On Mobile Bidstream Data

November 4, 2020

Mobile devices siphon data from users and sell the data to third parties, mostly ad companies, to make a profit. The bidstream is mobile’s dirty secret that everyone knows about and the federal government might finally do something to protect consumers’ privacy says The Drum: “Mobile’s Dirty Little Data Secret Under Washington’s Microscope.”

“Bidstream” is the mobile industry jargon for the data mobile services collect from users and then sell. The data is sold to advertisers who bid on ad space in real-time exchanges for targeted ads. Bidstream data could include demographics, personal hobbies and (even more alarmingly) real-time coordinates for consumers’ current location.

The Interactive Advertising Bureau’s (IAB) executive vice president Dave Grimaldi stated that his organization has communicated a hundred times more with the federal government about the bidstream in the past two months than before. There are politicians worried that the bidstream could not only violate privacy, but could lead to deceptive business tactics (and maybe violent actions). There are currently no industry standards or rules from the IAB or the Mobile Marketing Association against bidstreams.

In June 2020, Mobilewalla released demographic information about BLM protestors under the guise of data analysis, while politicians called it surveillance. They want to know if Mobilewalla’s analysis, along with the bidstream, violates the FTC Act:

“The FTC won’t say whether it is probing bidstream data gathering, but its chairman did respond to lawmakers. ‘In order to fully address the concerns mentioned in your letter,’ wrote FTC Chairman Joseph Simons in a letter to Wyden obtained by The Drum, ‘we need a new federal privacy law, enforceable by the FTC, that gives us authority to seek civil penalties for first-time violations and jurisdiction over non-profits and common carriers.’ … In questions sent separately to Mobilewalla, Senator Elizabeth Warren (D-MA) and other legislators asked the company to provide details of its ‘disturbing’ use of bidstream data. ‘Mobilewalla has and will respond to any request received from Congress or the FTC,’ a Mobilewalla spokesperson tells The Drum, declining to provide further detail.”

Those mobile phones are handy dandy gizmos, aren’t they?

Whitney Grace, November 4, 2020

The Purple Yahoo Verizon Mobile Device Innovation

November 2, 2020

I spotted a hard-hitting bit of “real” journalism in “Yahoo’s First Branded Phone Is Here. It’s Purple and Only $50.” One question: “Is the ring tone the Yaaaa-hoooooo yodel?” The phone comes from the hard working folks at ZTE. This is a Chinese firm located in Shenzhen with clean, cheerful factories in several locations. The model has been around for a decade. The purple version is available from the cheerful Verizon unit managed by Guru Gowrappan. Yep, “guru.” The write up points out that Guru Gowrappan allegedly said:

[You] may have the option to get free access to its Yahoo Finance Premium offering, while a Yahoo Sports fan would get free betting credits or promotions for the company’s sportsbook, assuming they are in a state where sports gambling is legalized.

Yaaaa-hoooooo.

Stephen E Arnold, November 2, 2020
