SoylentNews is people
SoylentNews
From a story at ABC (Australian Broadcasting Corporation):
To be perfectly frank, it's getting harder and harder to resist donning that tinfoil hat.
[...] My confidence that I know — mostly — what data is being recorded about me and what information my apps and devices are sharing has been slowly but surely eroding as the revelations keep coming.
As my doubt grew I decided I wanted to know for sure what my devices were actually sharing. Not just feel like I've got a pretty good idea — but really know. So I've hatched a plan to find out, and I'd like your help along the way.
For about a week I'm going to intercept and record every bit of data sent from my two most personal internet-connected devices: my phone and my laptop. It will include all manner of personal information being sent to companies around the world.
If you're into that kind of thing, you can read all the technical details about how that's going to work.
Has anyone done like TFA's author? What were the results?
(Score: 0) by Anonymous Coward on Friday October 26 2018, @08:45AM (7 children)
You'd be surprised how much data is being sent in the clear as HTTP requests. Every time a channel was changed data was sent back. A whole steam of data. Just lovely.
It's worth having a firewall between 'smart' devices and the world to block data being sent to intrusive domains.
(Score: 2) by MostCynical on Friday October 26 2018, @09:31AM (5 children)
Do VPN-enabled phones pass all traffic through the VPN, or only some of it?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 0) by Anonymous Coward on Friday October 26 2018, @11:59AM (1 child)
It should all go through the VPN. Pity users don't have root access to their own device so they could configure it properly themselves.
(Score: 2) by The Mighty Buzzard on Friday October 26 2018, @01:59PM
s/users/most users/
My rights don't end where your fear begins.
(Score: 3, Insightful) by ledow on Friday October 26 2018, @01:56PM (2 children)
The problem is - the VPN bit is the boring bit, and HTTP is the even-more-boring part of that. Nobody really cares because it's so easy to see and every workplace with a web proxy could tell you the same information. Literally, I have staff phones connected over VPN through a transparent, SSL-intercepting web filter. What do you want to know? It's all pretty dull.
But:
What's being sent over 3G/4G ANYWAY, no matter what else you have connected? To measure that you'd really need a fake cell tower or similar, or be able to tap the 3G/4G chip direct, I imagine.
What's being sent over other protocols that aren't so damned obvious? HTTP is so blindingly obvious, but there are thousands of protocols that fall out of that scope and can contain just the same (if not worse) information.
Even then, I bet Ethereal running on a Wifi point / VPN endpoint would tell you ten times more than the HTTP alone.
(Score: 2) by curunir_wolf on Friday October 26 2018, @07:27PM (1 child)
You don't need a fake one. AT&T sells a "microcell," and I have one because their towers cannot provide a good signal where I live. Calls and data get routed from that through my private internal network and then out to the Internet. Pretty easy to capture that traffic to see what's going on.
I am a crackpot
(Score: 2) by toddestan on Saturday October 27 2018, @04:45AM
What does the traffic look like from the microcell? Can you see where it's all going and inspect the packets? Or does it all get encrypted and sent through a tunnel to some server owned by AT&T?
(Score: 2) by The Mighty Buzzard on Friday October 26 2018, @01:58PM
It's worth having a firewall period. Running a network without one is some quality idiocy. Yes, even a home network.
My rights don't end where your fear begins.
(Score: 1) by bmimatt on Friday October 26 2018, @09:29AM (1 child)
Great idea and the github repo looks good. I'd love to see a follow up, with some nice data to possibly act on.
(Score: 0) by Anonymous Coward on Friday October 26 2018, @11:38AM
Fortunately for our spy overlords the code is All rights reserved and thus poses a minimal threat...
Or at least if you do find something using it, you will have to come up with some other explanation how you did it.
(Score: 4, Insightful) by opinionated_science on Friday October 26 2018, @12:37PM (5 children)
This is a tool best run from a laptop (so you can insert it into a network) and then capture *all* traffic.
There is some very clever out-of-band SNMP stuff that exists, that might not be seen unless you capture all traffic.
Report back what you find...
(Score: 2) by Farkus888 on Friday October 26 2018, @06:01PM (4 children)
For the truly dedicated the answer is OpenBSD with a transparent bridge configured. Physically place this at your networks choke point, usually between router and modem in a home network. Do your Wireshark data gathering on the bridge interface. The only remaining challenges are that you must only use that network, including insuring your phone isn't putting the bad stuff out its 4g radio, or you miss data sneaking out.
(Score: 2) by opinionated_science on Friday October 26 2018, @07:41PM (3 children)
thanks for the tip. Usually I use 2 eth? on linux and sniff that way. *every* byte is suspect, since by definition, if you can't place it , it's wrong.
The whole SNMP stuff, is plain weird...
(Score: 2) by Farkus888 on Saturday October 27 2018, @03:59PM (2 children)
I don't know if it works in Linux. I do know that the bridge step makes it not even appear in arp tables of the machines it is plugged into. That has advantages in both good and nefarious uses.
(Score: 2) by opinionated_science on Saturday October 27 2018, @04:36PM (1 child)
wireshark certainly works on linux. You can use a single bridge, but having two ports (e.g. like those nice "edge" routers) you a re guaranteed no nefarious "out-of-band" packets can make their way through.
(Score: 2) by Farkus888 on Sunday October 28 2018, @04:52PM
Yeah, the two interface bridge and it being transparent to the rest of the network is the part I was unsure of. I've also been meaning to try filtering and proxy there where traffic can't sneak by.
(Score: 0) by Anonymous Coward on Friday October 26 2018, @01:44PM (4 children)
It's not telling you that your iemi and mac address are being recorded every time you walk through a checkout at certain retailers, and that it is being correlated with the credit card you scan, linking your credit cards to your cell phone. Of course all without your informed consent. And data aggregators are correlating that to GPS data from your apps, so that your bank account, and your current gps location are available to anybody willing to pay.
(Score: 2) by ledow on Friday October 26 2018, @02:05PM (2 children)
Yeah, because that wouldn't show up in a PCI DSS audit, right?
You can link a *hash* of the card to the purchase.
If you believe that IMEI/MAC triangulation is anywhere near good enough to pick out a checkout, sure you could maybe correlate a purchase.
If people are giving away their GPS *and* IMEI data to apps that don't need it, they could correlate that to the same thing.
That doesn't give them "your bank account". It might tell them what you bought at a store and when. If that store likes breaking pretty much every data protection law (Oh, sorry, you're in the US, you don't have those, right?).
Or... the people who might want to touch that legal-shit-show-waiting-to-happen could just ask direct, because if your store is already holding your credit card data, and your purchase history... they don't even need your phone to tell you what you bought and when and where and with what card.
Though this might all be theoretically possible (I don't deny that), it's also of zero-value, while being so incredibly illegal in just about any civilised country that you'll go to jail for ever. They'd have to anonymise the shit out of it to the point of it being useless, or quite literally they wouldn't be able to store it and it would flag like many on any IT security audit (You're storing card numbers where? You're sharing them with who?).
But the result is down to one thing - installing crap on your phone and then giving it permission to everything. Everything else can already be obtained by just you shopping in a store, or using a loyalty card, or going on Facebook.
(P.S. the IMEI at the checkout thing - I'd really need to see any kind of hard evidence of that. I call bullshit, personally. I'm intrigued to be *proven* wrong, though.)
(P.P.S fight for better data protection laws - the EU have always had better laws than the US and even US companies ran scared when GDPR came in).
(Score: 1, Insightful) by Anonymous Coward on Friday October 26 2018, @02:46PM (1 child)
"anywhere near good enough"
They don't have to be. Consumers shop at the same stores multiple times. Statistical approaches can isolate single transactions from the larger data set of present users vs. transactions. But actually the same approach could be done by third parties without the retailer even being aware. They buy the purchase history from the Viga or Mastercunt correlated to the RFID, (which they must be selling, because the advertising is just too targeted) to the cell tower logs, and use stitistics to isolate the pairs, and bobs your uncle. The cell tower provides the large vector, and the transaction provides the small vector. Isolating down to the checkout lane maybe not, but certainly to the store.
"PCI DSS audit", if Viga and Mastercunt weren't doing it themselves I would be surprised. My guess is that the data aggregators, are in some cases their subsidiaries, though I haven't verified that.
Personally I'd love to have the time and money to suss this shit out. There is a lot going on that we aren't aware of. I'm thinking fast food joints are now doing license plate reading in their drive throughs. I always pay cash, and I don't eat fast food often, but when I do there is always a sudden increase in advertising for one or two particular stores, but not others. I may be mis correlating, but it does seem to be the case. The other option is that my TV is recording me mentioning to my housemate what food I was going for. Or cell phone GPS correlation without consent. In any case, I regard it as a crime.
All of this stuff needs some reverse engineering to see exactly what is going on. Would be nice if there was some funding for doing this kind of research that didn't come from criminal sources.
(Score: 2) by curunir_wolf on Friday October 26 2018, @07:30PM
You won't be, then, to learn that Amazon and MasterCard have a pretty detailed data sharing agreement. Amazon wants to know what you're buying from other retailers, and MasterCard wants to know what you're buying using other payment options. So they share...
I am a crackpot
(Score: 2) by The Mighty Buzzard on Friday October 26 2018, @02:09PM
Unless you're an ass like me and don't use anything except cash or one-time prepaid credit cards, don't have a bank account, have the actual GPS device on your phone disabled, and have a fake GPS provider telling Google and any spying apps that you never leave your favorite fishing spot. Sure, they still get to learn that my phone visits various stores set up to slurp the iemi and mac but at least most of what they try to correlate with that afterwards is untrue noise.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Friday October 26 2018, @02:06PM
What device is he using? He mentions something about iOS Safari later in the article, but it isn't part the examination of his device.