Archive for Privacy

Seeing As The FBI Has Unlocked An iPhone 11, Why Do They Need Apple’s Help To Unlock An iPhone 5 & 7?

Posted in Commentary on January 16, 2020 by itnerd

Following up on the latest Apple v. FBI fight, in which the FBI wants Apple to unlock an iPhone 5 and an iPhone 7 belonging to a suspect in a terror incident despite the fact that the FBI can do this on its own without Apple’s involvement, comes news that the FBI apparently has the capability to unlock an iPhone 11, a device with far higher levels of security than the iPhone 5 and 7 that it wants Apple to unlock:

Last year, FBI investigators in Ohio used a hacking device called a GrayKey to draw data from the latest Apple model, the iPhone 11 Pro Max. The phone belonged to Baris Ali Koch, who was accused of helping his convicted brother flee the country by providing him with his own ID documents and lying to the police. He has now entered a plea agreement and is awaiting sentencing.

Forbes confirmed with Koch’s lawyer, Ameer Mabjish, that the device was locked. Mabjish also said he was unaware of any way the investigators could’ve acquired the passcode; Koch had not given it to them nor did they force the defendant to use his face to unlock the phone via Face ID, as far as the lawyer was aware. The search warrant document obtained by Forbes, dated October 16 2019, also showed the phone in a locked state, giving the strongest indication yet that the FBI has access to a device that can acquire data from the latest iPhone.

So given the facts above, why precisely does the FBI need Apple’s help to unlock an iPhone 5 and an iPhone 7 when it has already unlocked something far more sophisticated from a security standpoint?

They don’t need Apple’s help. This is simply a stunt to get Congress to force companies like Apple to weaken the encryption on smartphones, computers, or anything else so that they can have access to them at any time for any reason. Or put another way, the FBI wants a backdoor into your device. As I have mentioned before, this is a bad idea. And as reports like these come out that show that this is an incredibly cynical attempt to push a political agenda, I would hope that the blowback that results makes those who are pushing this political agenda think twice.

Surprise! Many Popular Apps Transmit Lots Of Data About You To Advertisers Without You Knowing About It

Posted in Commentary on January 15, 2020 by itnerd

The Norwegian Consumer Council published an analysis of how popular apps are sharing user data with the behavioral ad industry. TechCrunch reports the findings. You might want to sit down for this:

A majority of the apps that were tested for the report were found to transmit data to “unexpected third parties” — with users not being clearly informed about who was getting their information and what they were doing with it. Most of the apps also did not provide any meaningful options or on-board settings for users to prevent or reduce the sharing of data with third parties.

“The evidence keeps mounting against the commercial surveillance systems at the heart of online advertising,” the Council writes, dubbing the current situation “completely out of control, harming consumers, societies, and businesses,” and calling for curbs to prevalent practices in which app users’ personal data is broadcast and spread “with few restraints.” 

“The multitude of violations of fundamental rights are happening at a rate of billions of times per second, all in the name of profiling and targeting advertising. It is time for a serious debate about whether the surveillance-driven advertising systems that have taken over the internet, and which are economic drivers of misinformation online, are a fair trade-off for the possibility of showing slightly more relevant ads.

“The comprehensive digital surveillance happening across the ad tech industry may lead to harm to both individuals, to trust in the digital economy, and to democratic institutions,” it also warns.

And:

The 10 apps whose data flows were analyzed for the report are the dating apps Grindr, Happn, OkCupid, and Tinder; fertility/period tracker apps Clue and MyDays; makeup app Perfect365; religious app Muslim: Qibla Finder; children’s app My Talking Tom 2; and the keyboard app Wave Keyboard.

Frankly, I am not shocked by this, because you have to assume that if you install an app on your phone, the possibility exists that it will slurp up your data and send it to a third party. And it is questionable whether you could stop these apps from doing that. The one thing that I will note is that this report is heavily slanted towards the Android platform because there are more Android phones out there. The report points out that this is less of a problem on iOS, though you have to do some work to make sure that information you don’t want sent to advertisers isn’t sent to them, as the relevant settings that limit this sort of thing are not on by default. But having said that, if you run iOS 13, those settings do seem to be effective.

The take home message is this. Assume that you’re being tracked and your data is being sent to third parties as there is nothing to suggest that this isn’t going on.

The FBI Could Access The iPhones At The Center Of The Latest Apple v. FBI Fight At Any Time… So Why Don’t They?

Posted in Commentary on January 15, 2020 by itnerd

Yesterday I posted a story about the latest Apple v. FBI fight in which I called for some sort of middle ground that would stop stuff like this from happening. In the last few hours, this story has evolved.

First, US President Donald Trump took to Twitter to push for the unlocking of the iPhones that are at the center of this fight:

And at about the same time, it came to light that the iPhones at the center of this are an iPhone 5 variant and an iPhone 7 variant. Why is that important? Well, the FBI already has the ability to unlock them without needing Apple to do it for them. Whether it gets it done via a company like Cellebrite, which the FBI used to unlock the San Bernardino shooter’s iPhone 5C a few years ago, by using a device like the ones sold by Grayshift, which the FBI allegedly already owns, or by using a vulnerability called “checkm8” that is present in every iPhone up until the iPhone X, the FBI could unlock these phones at any time.

So why are the FBI and Trump demanding Apple unlock these phones? It’s simple:

  • If Apple could somehow do this, it would set a precedent, and the FBI would in theory have the ability to access any iPhone, including current models, which are much harder to crack.
  • If Apple refuses, they could paint Apple as the bad guy and push Congress to create legislation forcing Apple to give them the ability to access any iPhone they want.

The fact is that this fight isn’t about these specific iPhones; it’s, as I said yesterday, about being able to access the iPhone of anybody who is of interest to them. The FBI and company are just leveraging these iPhones to get to that end goal. This has nuanced my view of this situation a bit. I still feel that there needs to be some sort of middle ground when it comes to situations like this. But this is a pretty brazen and cynical attempt to get more than a compromise on this issue. It will be interesting to see what happens when this ends up in court. Which it will.

The Latest Apple v. FBI Fight Shows That We Need A Middle Ground For Situations Like This

Posted in Commentary on January 14, 2020 by itnerd

Yesterday a story hit the news that the FBI, via US Attorney General William Barr, is demanding Apple’s help to unlock the phones of a Saudi citizen who carried out a deadly shooting last month at a naval air station in Pensacola, Fla. that killed three and wounded eight.

“This situation perfectly illustrates why it is critical that the public be able to get access to digital evidence,” Mr. Barr said. He called on technology companies to find a solution and complained that Apple had provided no “substantive assistance,” a charge that the company strongly denied on Monday night, saying it had been working with the F.B.I. since the day of the shooting.

Here’s what Apple said in response:

In a statement Monday night, Apple said the substantive aid it had provided law enforcement agencies included giving investigators access to the gunman’s iCloud account and transaction data for multiple accounts.

The company’s statement did not say whether Apple engineers would help the government get into the phones themselves. It said that “Americans do not have to choose between weakening encryption and solving investigations” because there are now so many ways for the government to obtain data from Apple’s devices — many of which Apple routinely helps the government execute.

So it seems like we are headed towards another FBI v. Apple fight. But let’s be clear. What this is all about is ensuring that the FBI, or any other law enforcement agency or government, can access any smartphone for any reason at any time they want. While I understand that the FBI, among others, wants to protect people from any threat that exists, I don’t believe that this gives them the right to say that the rights of citizens get overridden because of it. I say that because if you look at Attorney General Barr’s statement, he wants technology companies to “find a solution” to allow him and those underneath him to get whatever they want at will. And it’s safe to say that they want backdoors into iOS, Android, or whatever OS they see fit, to get them past whatever security or encryption the device in question has. Giving any government a backdoor into any OS is a bad idea, as governments tend to have pretty poor track records of keeping stuff like that out of the wrong hands. Which means that when the backdoor leaks out, we’re all screwed. This is on top of the potential privacy issues that could be at play.

Thus here’s my ask of everyone who is involved. Tech companies and governments need to find some sort of middle ground for situations like this: one where the needs of both sides are represented and nobody, especially you and I, loses. Because having each of them at their respective extreme ends of the spectrum isn’t working for either party. As a result, this fight will simply keep going on and on with no real resolution. Or worse yet, a government will simply take some draconian action to get what it wants and inadvertently affect its citizens in a negative way. Neither of those is a desirable outcome.


Microsoft Shipped Skype And Cortana Recordings To China For Review… What Could Possibly Go Wrong?

Posted in Commentary on January 10, 2020 by itnerd

Do you use Skype or Cortana? If so, this might bother you. Apparently Microsoft had a program in China to transcribe and vet audio from Skype and from Cortana, its voice assistant. And it apparently ran for years with “no security measures,” which is chilling. This comes from a former contractor who says he reviewed thousands of potentially sensitive recordings on his personal laptop from his home in Beijing over the two years he worked for the company:

The recordings, both deliberate and accidentally invoked activations of the voice assistant, as well as some Skype phone calls, were simply accessed by Microsoft workers through a web app running in Google’s Chrome browser, on their personal laptops, over the Chinese internet, according to the contractor. Workers had no cybersecurity help to protect the data from criminal or state interference, and were even instructed to do the work using new Microsoft accounts all with the same password, for ease of management, the former contractor said. Employee vetting was practically nonexistent, he added.

“There were no security measures, I don’t even remember them doing proper KYC [know your customer] on me. I think they just took my Chinese bank account details,” he told the Guardian. While the grader began by working in an office, he said the contractor that employed him “after a while allowed me to do it from home in Beijing. I judged British English (because I’m British), so I listened to people who had their Microsoft device set to British English, and I had access to all of this from my home laptop with a simple username and password login.” Both username and password were emailed to new contractors in plaintext, he said, with the former following a simple schema and the latter being the same for every employee who joined in any given year.

This is not just bad. It is horrifically bad. There are so many ways that this could have ended very badly for Microsoft, especially since we are talking about recordings that went to China, which is basically a surveillance state. Now, the folks in Redmond have deep-sixed this program after it became public. But as far as I am concerned, that’s not good enough. Microsoft needs to answer the tough questions about this program in front of Congress or the EU, because I think we all deserve to know how pervasive this practice is within the company.

Xiaomi Smart Camera Caught Streaming Other People’s Feeds… Google Takes Action

Posted in Commentary on January 3, 2020 by itnerd

Xiaomi smart cameras apparently have a bug where they stream strangers’ home camera feeds via the Google home hub. That’s not exactly trivial, to say the least. Here are the details:

One Xiaomi Mijia camera owner is getting still images from other random peoples’ homes when trying to stream content from his camera to a Google Nest Hub. The images include stills of people sleeping and even an infant in a cradle. In the meantime, Google has entirely disabled Xiaomi integration for Google Home and the Assistant while it works out the issue with Xiaomi.

This issue was first reported by user /r/Dio-V on Reddit and affects his Xiaomi Mijia 1080p Smart IP Security Camera, which can be linked to a Google account for use with Google/Nest devices through Xiaomi’s Mi Home app/service. It isn’t clear when Dio-V’s feed first began showing these still images into random homes or how long the camera was connected to his account before this started happening. He does state that both the Nest Hub and the camera were purchased new.

Now, it’s good that Google has taken action and nuked these cameras’ access to its platform for the time being. But it illustrates that Internet of Things devices can often create security and privacy issues. Thus you need to choose carefully if you want to put any of these devices in your home. And even then you may still not be safe from something like this, or worse.

If You Have A Wyze Security Camera, Your Data Is Likely In The Wild

Posted in Commentary on December 30, 2019 by itnerd

I guess we can’t end 2019 without talking about yet another company that somehow managed to leak data tied to its customers. From CNET:

Security camera startup Wyze has confirmed it suffered a data leak earlier this month that left the personal information for millions of its customers exposed on the internet. No passwords or financial information was exposed, but email addresses, Wi-Fi network IDs and body metrics for 2.4 million customers were left unprotected from Dec. 4 through Dec. 26, the company said Friday.

The data was accidentally left exposed when it was transferred to a new database to make the data easier to query, but a company employee failed to maintain previous security protocols during the process, Wyze co-founder Dongsheng Song wrote in a forum post. “We are still looking into this event to figure out why and how this happened,” he wrote…

Among the data exposed in the Wyze leak was the height, weight, gender and other health information for about 140 beta users participating in testing of new hardware, Wyze said.

Amazing. And by amazing, I mean that this leak is amazingly bad. Why was this information needed from beta testers? That’s what I would like to know, for starters. But back to the core issue. I’ve said it before and I will say it one more time: there need to be stricter laws to punish companies that let this sort of thing happen. Otherwise companies will just continue to do dumb stuff or not care about the security of the data they are entrusted with, and customers will suffer as a result. Thus, seeing as Wyze appears to be US-based, I hope that some congressional committee decides to take a look at this, or that somebody like the FTC decides to investigate Wyze and slap them silly. Because this nonsense has to end.