Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
10/16/2018
10:30 AM
Amit Sethi
Amit Sethi
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Spies Among Us: Tracking, IoT & the Truly Inside Threat

In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.

It's probably no surprise to anyone working in tech that web and mobile ads somehow seem to know what your interests are. Same can be said about the gadgets in your home or office. Do you ever wonder if they are spying on you too? You're not alone.

We've come to rely on technology in both our personal and professional lives. We quickly take to the Internet to find answers and don't hesitate to download a mobile app because it promises to make our lives easier. However, this carefree attitude often means that security is overlooked, leaving users exposed. In today's ultra-connected world, it's important to understand how to safeguard our security while browsing the web and using mobile devices. Here are four key areas of exposure:

Web Searching
Website tracking originated as a fairly harmless concept and something meant to help users, not harm them. Its purpose is to show you ads for products or services that you might be interested in. Ad networks inject content into web pages; by tracking pages you've visited, they can show ads related to content you've viewed. Websites have many ways of tracking users. In addition to cookies, websites can also track users through mechanisms such as unique identifiers in cached content and web storage.

There are also sneakier means, inclujding browser fingerprinting. Browser fingerprinting doesn't rely on a website storing data on your device. It involves collecting information from a browser that can be used for unique identification. Browsers allow websites to access information like the browser type and version, screen size, color depth, installed plugins, installed fonts, time zone, language, and so on. This information can often uniquely identify browsers.

What if you don't want sites to track your activity? The only foolproof answer is to stop using the Internet. But a more practical (albeit not 100% effective) solution is to open a private browsing window (e.g., Incognito window in Chrome and Private window in Firefox). Conduct browsing that you don't want tracked in such windows. Never sign into any websites in private windows and close them periodically to wipe data that can still be used to track you from websites visited in a private window.

Mobile App Tracking
When it comes to mobile apps tracking users, many browser-based tracking techniques don't work unless you're using a web browser on your mobile device. For mobile apps installed on your device, the operating system typically generates a unique advertising identifier for your device and shares it with any installed apps that request it. Apps can send this identifier to ad networks to track you and figure out what ads to display to you.

To avoid this tracking, change your device's settings to generate a different identifier for each application. The setting varies by device and platform. Google recently introduced a global setting on its website to disable ad personalization for websites and mobile apps that use Google's ad network. This setting does the trick for Android devices. While each application can still track your activities within the application, they can't collude to track your activities across applications.

Let's also consider mobile device location tracking. If given permission to do so by end users, mobile applications can retrieve the current location of the device they're installed on. Devices obtain this information using a variety of methods including GPS, Wi-Fi geolocation, cellular geolocation, and IP geolocation. The best way to prevent this is to deny applications access to your location information. All versions of iOS and Android 6.0+ allow you to deny installed applications access to specific location information. (Note that preventing IP geolocation requires more than a simple setting change.)

Voice Activated, On-Device Keyword Spotting
Many consumer devices use on-device keyword spotting that triggers devices with microphones to record and upload audio to the Internet. Smart assistants, for instance, listen for a keyword (e.g., Alexa) or a key phrase (e.g., Hey Siri) on the device itself. Once they hear the keyword or phrase, they start recording and send the recording to server-side components. These devices don't normally record and upload all your conversations. But, sometimes things do go wrong, such as when an Amazon Echo device recorded a family's conversation and emailed it to a seemingly random person on their contact list.

To protect your privacy, do some research before purchasing an Internet-connected device to understand the information it collects. If you decide to make the purchase, check your device settings to see which applications can access the microphone and when.

Videos and Photo Sharing
Access to cameras, as well as video and photo libraries, on mobile devices is controlled using application permissions. Once a user gives an application access to the device's camera or photos, it can use the device's camera or photo library whenever it wants. Depending on the mobile operating system, camera access may or may not be possible when the application is not in the foreground.

Legitimate applications request and use camera and photo access for various purposes, the most common being to share them or to back them up. Be careful which applications you allow to access your camera and photos.

Of course, malicious actors don't play by the rules. Some ways in which user videos or photos can be accessed by malicious actors include:

  • A malicious app pretending to be legitimate so that the user doesn't mind providing permissions
  • A malicious app exploiting a root/jailbreak vulnerability to gain full control over the device
  • Stealing photos from backups (e.g. from iCloud backups, Google Photos, etc.)
  • Stealing photos from a stolen device that doesn't have a passcode set (or one with an easily guessable passcode)

To protect yourself, follow the usual guidance for protecting your mobile device and online accounts. Always protect your device using a passcode and don't install apps from anywhere other than the official app store for the platform. Additionally, protect your online accounts (including iCloud and Google accounts) using long complex passwords and enable multifactor authentication whenever possible.

Related Content:

 

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Amit Sethi is a principal consultant at Synopsys. He specializes in mobile security, online game security, and cryptography. Amit's work includes extracting cryptographic keys from embedded devices using side-channel attacks, designing mechanisms to make those attacks more ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.
CVE-2020-5132
PUBLISHED: 2020-09-30
SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names in the SSL-VPN au...
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.