Violating Your Privacy is NOT an Oopsies - It's Premeditated and Systematic
I’m just re-stating the obvious. But I think it’s worth re-stating because most of you are not cyber security researchers by day and may not remember the many reported examples of security and privacy violations over the years.
Let me paint you a picture, starting with the smart devices we willingly invited into our homes in recent years -- Amazon Alexa, Google Home, and Apple HomePod with Siri. Indeed it is convenient to be able to ask “Alexa, what’s the weather today?” in the mornings, or “OK, Google, how many feet in a mile?” But are these cool, little conveniences worth the privacy tradeoffs? Oh, you didn’t know these smart assistants were constantly sending data to the cloud, in addition to listening to you all the time? Of course, these devices have to send some data to the cloud in order to return responses, but that should happen only after you activate it with your hot word. And all of that assumes the devices are working properly, and not hacked.
Further reading:
- Google Home Mini caught recording everything and sending all the data to Google
- Google Defends Listening to Private Conversations on Google Home
Assuming you’re comfortable with Amazon, Google, and Apple listening to you in your home all the time, let’s take a look at other devices you may have brought into your home -- connected security cameras, speakers, light bulbs, refrigerators, televisions, photo frames, microwave ovens, bathroom scales, toothbrushes (yeah, there are connected toothbrushes), etc. -- collectively known as the Internet of Things (IoT). Are they all honoring your privacy? Or are they collecting and sending data about you to the cloud, or worse, to servers in foreign countries? How would you even know?
Well, now we know, through some documented examples of privacy faux pas. Within the last week, we saw Xiaomi home security cameras “accidentally” sending video feeds to strangers’ Nest Hubs. They called it a “bug” -- oopsies! Perhaps Vizio and Samsung smart TVs listening to your conversations were not oopsies; those were features! Further, we’ve seen repeated, documented examples of Ring camera hacks, where hackers gained access to video feeds inside and outside the home and, in one case, the hacker told an 8-year-old girl he was Santa Claus. Smart lightbulbs have been shown to leak Wi-Fi passwords, and smart plugs have been documented being used as a jumping-off point for hackers to get into home or office networks. These security issues are not new at all. Everyone has heard of the examples of hacking home networks via connected printers, which have been around a lot longer than IoT devices.
Further reading:
- Many examples of Amazon Ring Camera hacks
- Security Vulnerability in Smart Electric Outlets (Belkin Wemo)
Are you still comfortable, knowing that a wide variety of IoT devices have been documented to have security “flaws”? What if I showed you some more examples of low-cost Android devices coming with pre-installed malware, bloatware, adware, or worse?
- 2019 - Xiaomi - https://www.andmp.com/2019/04/xiaomi-url-spoofing-w-ssl-vulnerability.html
- 2018 - ZTE, Honor, OPPO, Huawei - https://www.engadget.com/2018/05/24/report-finds-android-malware-pre-installed-on-hundreds-of-phones/ and https://www.express.co.uk/life-style/science-technology/933477/Android-warning-smartphone-malware-Samsung-Huawei
- 2017 - BLU - https://www.theverge.com/2017/7/31/16072786/amazon-blu-suspended-android-spyware-user-data-theft
- 2016 - ZTE, Huawei - https://www.cyberscoop.com/android-malware-china-huawei-zte-kryptowire-blu-products
- 2015 - Xiaomi, Huawei, Lenovo, Alps, ConCorde, DJC, Sesonn and Xido - https://www.pcworld.com/article/2978120/bought-a-brand-new-phone-it-could-still-have-malware.html
Note that malware or adware that is pre-installed by the manufacturer cannot be uninstalled; it may also go undetected by anti-malware software, and it basically has administrative access to everything on your device. Do you still think these are “flaws” or “bugs,” and do you believe the manufacturers of these devices when they claim “oopsies, we didn’t know”?
Consider the following graphic, which shows what your devices “know” about you -- including passwords, credit card numbers, social security numbers, etc.
What about the mobile apps that you voluntarily downloaded and installed on your own smartphone, and then gave a whole bunch of permissions? Of course, Instagram needs you to give it permission to record video and audio; but is there any reason that superbright flashlight app needs to turn the microphone on and off, send and receive SMS, read and write to device storage, prevent the device from sleeping, and connect and disconnect to networks? Probably not.
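As an added example (not part of the original article), here is a small Python audit that reads an app's AndroidManifest.xml and flags every requested permission beyond what a single-purpose torch app needs. The sample manifest and the "flashlight" baseline are constructed assumptions for illustration; the permission names are real Android permission constants.

```python
"""Audit an app's requested Android permissions against what its stated purpose needs.

Added example (not from the original article). The manifest below is constructed
for illustration; the permission names are real Android permission constants.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a torch app only needs camera/flash access; anything beyond this
# baseline is a candidate for review before install.
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}

# What the permissions the article calls out actually let an app do.
CAPABILITY = {
    "android.permission.RECORD_AUDIO": "turn the microphone on and off",
    "android.permission.SEND_SMS": "send SMS (can incur charges)",
    "android.permission.RECEIVE_SMS": "read incoming SMS, including 2FA codes",
    "android.permission.READ_EXTERNAL_STORAGE": "read files on device storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write files on device storage",
    "android.permission.WAKE_LOCK": "prevent the device from sleeping",
    "android.permission.CHANGE_NETWORK_STATE": "connect to and disconnect from networks",
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the <uses-permission android:name=...> values declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml: str, category: str) -> dict:
    """Map each permission beyond the category's baseline to the capability it grants."""
    excess = requested_permissions(manifest_xml) - EXPECTED[category]
    return {p: CAPABILITY.get(p, "unlisted; review manually") for p in sorted(excess)}

# Constructed manifest for a hypothetical torch app, mirroring the article's list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.superbright">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
</manifest>"""
```

Running `audit(SAMPLE_MANIFEST, "flashlight")` returns the seven permissions that have nothing to do with a torch, each paired with the capability it grants; on a real device the manifest can be pulled from the installed APK with `aapt dump permissions` before deciding whether to keep the app.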
Further reading:
- Popular Apps In Google's Play Store Are Abusing Permissions And Committing Ad Fraud
- Google Removed Dozens Of Android Apps From A Major Chinese Developer Due To "Deceptive Or Disruptive Ads"
- A Huge Chinese Video App Is Charging People, Draining Their Batteries, And Exposing Data Without Their Knowledge
- These Hugely Popular Android Apps Have Been Committing Ad Fraud Behind Users’ Backs
What about apps tracking your geolocation? You may not care if some company or many companies are tracking your location and selling that data. But what if your precise location was being constantly “leaked” so a stalker could know when you are home, or at the library, or walking home alone? And have you considered the broader implications of fitness tracking apps “accidentally” revealing the locations of secret military bases? The U.S. government seems to think this is important. In early 2019, the U.S. forced a Chinese company to divest a mobile app, citing “Chinese ownership of gay dating app Grindr is a national security risk.” In early 2020, both the U.S. Navy and the U.S. Army banned the popular app TikTok from all military devices over spying and privacy concerns.
Further reading:
- U.S. government says Chinese ownership of Grindr is a national security risk
- U.S. Military bans Chinese-owned TikTok over spying concerns
Let’s bring this full circle and think about why you should care. You may be OK with Amazon, Google, and Apple listening in on all your dinner table conversations at home, because you can ask about the weather with your voice. You may also be OK with your microwave and light bulbs being constantly connected to the Internet, because you can remotely check if you accidentally left them on.
But are you OK with connected security cameras that hackers can use to peer into your bedroom, or your child’s bedroom? (Of course, those were “oopsies” by the device manufacturers.) Are you still OK with low-cost Android phones that have adware and malware pre-installed to continuously collect and send data back to the cloud? Or mobile apps that do the same? Perhaps you are still OK with everything so far -- I’ve literally heard this from many young people (who are constantly on Instagram, Snapchat, and now TikTok) -- they are cool with being tracked because they have “nothing to hide.”
Perhaps I am just scaring myself, because I’ve seen too much as a security researcher. Perhaps I shouldn’t be concerned that connected devices can be leveraged to gain access to networks that would have otherwise been secure. Perhaps I should not be afraid of the possibility of real-world loss of life when connected street lights are remotely controlled to all turn green at the same time or connected cars are remotely controlled to brake suddenly or accelerate.
Perhaps I should be OK with all of that. Are you OK with all of this?
Further reading:
- Hackers Remotely Kill a Jeep on the Highway—With Me in It
- Researchers are sounding the alarm on a little-known risk of connected cars
- Security researchers hack a car and apply the brakes via text
Here are some of the ways I protect myself from "surveillance marketing":
https://www.linuxjournal.com/content/wizard-kit-how-i-protect-myself-surveillance
Engaging with digital disruptors and the digitally disrupted.
5y: Dr. Augustine Fou - Ad Fraud Investigator, another great article. Thank you. I would like to just add that it is not just "low-cost Android devices coming with pre-installed malware, bloatware, adware, or worse." Samsung Phones come with a storage scanner made by a Chinese data-mining/antivirus company called Qihoo 360. It comes pre-installed on all Samsung phones and tablets, it communicates with Chinese servers, and you CANNOT REMOVE it! https://www.reddit.com/r/Android/comments/ektg8u/chinese_spyware_preinstalled_on_all_samsung Redmorph Max can block it from getting internet access, thus disabling its capability to spy on you.
MSN Student, Johns Hopkins
5y: The issue is trust and consumer control of their own data. A blockchain-based relationship between consumers and verified, trusted services seems the answer. I expect it will happen over the next 5 or so years. But not until there is a major disaster waking up consumers to the issue and businesses and marketers to their responsibility/culpability. I don't know what that disaster would look like. It's easy to make a short list of countries from which it would most likely come.
Senior Frontend Developer at Pink Triangle Press
5y: Wow... Never thought this way...
Supporting App Growth Through The Entire User Journey | Founder at One Engine Media Works
5y: Whole reality of IoT summarised perfectly, Dr. Fou
Founder & CEO at Com Olho | Crowdsourced security that never sleeps
5y: Very well written!