Dark Reading is part of the Informa Tech Division of Informa PLC

IoT
10/16/2018
10:30 AM
Amit Sethi
Commentary

Spies Among Us: Tracking, IoT & the Truly Inside Threat

In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.

It's probably no surprise to anyone working in tech that web and mobile ads somehow seem to know what your interests are. The same can be said of the gadgets in your home or office. Do you ever wonder whether they are spying on you too? You're not alone.

We've come to rely on technology in both our personal and professional lives. We quickly take to the Internet to find answers and don't hesitate to download a mobile app because it promises to make our lives easier. However, this carefree attitude often means that security is overlooked, leaving users exposed. In today's ultra-connected world, it's important to understand how to safeguard our security while browsing the web and using mobile devices. Here are four key areas of exposure:

Web Searching
Website tracking originated as a fairly harmless concept, meant to help users rather than harm them. Its purpose is to show you ads for products or services you might be interested in. Ad networks inject content into web pages; by tracking the pages you've visited, they can show ads related to content you've viewed. Websites have many ways of tracking users. In addition to cookies, websites can track users through unique identifiers in cached content (for example, a per-user ETag on a tracking image, which the browser sends back in the If-None-Match header on every revisit) and in web storage (localStorage and IndexedDB). Both survive until that storage is cleared.

There are also sneakier means, including browser fingerprinting. Browser fingerprinting doesn't rely on a website storing data on your device. It involves collecting information from the browser that can be used for unique identification. Browsers allow websites to read information like the browser type and version, screen size, color depth, installed plugins, installed fonts, time zone, language, and so on. Individually these values are shared by many users, but combined they can often uniquely identify a browser, and they are the same whether or not you have cleared your cookies.

What if you don't want sites to track your activity? The only foolproof answer is to stop using the Internet. A more practical (albeit not 100% effective) solution is to open a private browsing window (e.g., an Incognito window in Chrome or a Private window in Firefox) and do the browsing you don't want tracked there. Never sign into any website in a private window, and close private windows periodically to wipe the cookies, cache, and web storage accumulated from the sites you visited in them. Bear in mind that a private window changes neither your browser fingerprint nor your IP address, so it defeats storage-based tracking only.

Mobile App Tracking
When it comes to mobile apps tracking users, many browser-based tracking techniques don't work unless you're using a web browser on your mobile device. For mobile apps installed on your device, the operating system typically generates a unique advertising identifier for your device and shares it with any installed apps that request it. Apps can send this identifier to ad networks to track you and figure out what ads to display to you.

To limit this tracking, use your device's settings to reset the advertising identifier or to opt out of ad personalization (Limit Ad Tracking on iOS; Opt out of Ads Personalization on Android). Neither platform hands each application its own advertising identifier, so resetting the shared one, or opting out, is what breaks the link between your past and future activity. Google recently introduced a global setting on its website to disable ad personalization for websites and mobile apps that use Google's ad network, and this setting covers Android devices. Each application can still track what you do within it, and apps can still attempt to correlate users through other signals, but the shared advertising identifier stops serving as a stable key for tracking you across applications.

Let's also consider mobile device location tracking. If given permission by the end user, a mobile application can retrieve the current location of the device it's installed on. Devices obtain this information using a variety of methods, including GPS, Wi-Fi geolocation, cellular geolocation, and IP geolocation. The best way to prevent this is to deny applications access to your location. All versions of iOS and Android 6.0+ let you deny individual applications access to location information. (Note that IP geolocation is performed by the remote server from your network address, so preventing it requires routing your traffic through a VPN or proxy rather than a simple settings change.)

Voice Activated, On-Device Keyword Spotting
Many consumer devices with microphones use on-device keyword spotting: the device itself listens for a keyword (e.g., Alexa) or a key phrase (e.g., Hey Siri), and only once it hears it does it start recording and send the audio to server-side components. These devices don't normally record and upload all your conversations. But sometimes things do go wrong, as when an Amazon Echo device recorded a family's conversation and sent it to a seemingly random person on their contact list.

To protect your privacy, do some research before purchasing an Internet-connected device to understand the information it collects. If you decide to make the purchase, check your device settings to see which applications can access the microphone and when.

Videos and Photo Sharing
Access to cameras, as well as to video and photo libraries, on mobile devices is controlled by application permissions. Once a user grants an application access to the camera or photo library, the application can use it whenever it wants, not only for the purpose the user had in mind when granting it. Depending on the mobile operating system, camera access may or may not be possible while the application is not in the foreground.

Legitimate applications request and use camera and photo access for various purposes, the most common being to share them or to back them up. Be careful which applications you allow to access your camera and photos.

Of course, malicious actors don't play by the rules. Some ways in which user videos or photos can be accessed by malicious actors include:

  • A malicious app pretending to be legitimate so that the user doesn't mind providing permissions
  • A malicious app exploiting a root/jailbreak vulnerability to gain full control over the device
  • Stealing photos from backups (e.g., iCloud backups or Google Photos)
  • Stealing photos from a stolen device that doesn't have a passcode set (or one with an easily guessable passcode)

To protect yourself, follow the usual guidance for protecting your mobile device and online accounts. Always protect your device using a passcode and don't install apps from anywhere other than the official app store for the platform. Additionally, protect your online accounts (including iCloud and Google accounts) using long complex passwords and enable multifactor authentication whenever possible.


Amit Sethi is a principal consultant at Synopsys. He specializes in mobile security, online game security, and cryptography. Amit's work includes extracting cryptographic keys from embedded devices using side-channel attacks, designing mechanisms to make those attacks more ...