Tag Archives: Eavesdropping

That App You Just Installed – It Might Be Listening To You

If you were not paranoid before, you may be now.  According to a lawsuit filed last month, the Golden State Warrior’s app turns on your phone’s microphone in order to figure out where the owner is, in order to serve ads to the user.

The suit names the NBA team, Yinzcam, Inc., which developed the app and Signal 360, which licenses the technology that makes it all work.

The law firm who filed the suit, Edelson, PC and attorney Christopher Dore said that they plan to bring lawsuits against almost a dozen pro sports teams for violating people’s privacy.

While the purpose of the technology is to use the mic to listen to beacons in and around the arena to serve ads, the microphone has to listen to your conversations as well in order to do that.

In theory they might be able to throw out your conversations, but then again, maybe not.

The app does this whether it is in the foreground or in the background.

While the app does request permission to access your phone’s microphone, it doesn’t clearly explain why or what they are collecting.

While this suit only addresses Android users, there is an iPhone app as well.  Apparently, the way that the app requests permission on an iPhone is different, so the suit doesn’t cover Apple users.  That doesn’t mean that the Apple app is not doing the same thing, however.

The suit is asking for damages for each of the 100,000 users who downloaded the Android app.

The team did not respond to requests for comment.

Most people do not bother to even look at the permissions that apps ask for.  Most users would not even consider not installing an app that asks for too many permissions.

This is an example of what happens when you don’t do that.

This is far from the only app that uses the Signal 360 technology and the firm is attempting to file other lawsuits on behalf of users of other apps that do the same thing.

One other thing to consider.

Not only would the app record your voice, but it would record the voice of anyone nearby, so even if you haven’t installed the Warrior app, it doesn’t mean that you are not being recorded.

THIS is why Snowden made people take the batteries out of their phone or put their phone in the freezer (the metal box does a good job of shielding the phone from communicating).

So next time you install an app or even say something private, consider that a nearby phone may be recording the conversation.

Maybe the FBI should use this technology?

MAYBE they already are!

Cop Accused Of Spying On Breastfeeding Mom

A Michigan woman is suing a police officer who used the baby monitor app on her fiance’s cell phone that he confiscated when the fiance was arrested, to spy on her while she was nude and breastfeeding her son.

Note that nothing has been proved yet, so this is only claims and allegations, but it points to a whole new series of issues, concerns and challenges that we didn’t even have to think about just a few years ago.  A few years ago, baby monitors only let you hear, not see and at most, you were worried about the sound being heard by your neighbor on their radio, because that was a far as it could possibly reach.  This is not really a story about a baby monitor, but rather about how technology is changing our lives and shaping what are kids are going to deal with.  These challenges will not end in our lifetime or even our kid’s lifetimes.  People will need to consider and deal with a whole new set of issues that were not possible before.

The woman in the lawsuit first noticed that the LED on the baby monitor was flashing while she was breastfeeding her son and given that her fiance wasn’t using it, that meant someone else was.

Later that night she saw the light flashing again and realized that someone was watching her again and when she reacted, the light stopped flashing.

WARNING:  Just because the light is not flashing does not mean that you are safe.  It is certainly possible that the baby monitor could be hacked to operate without turning on the LED. We have seen many demonstrations of this on phones.  But, certainly, if the light is flashing, it is likely that someone is looking.  Not all monitors have a feature like that.

The lady then used the “find my iPhone” feature and found that the phone was located in the Hazel Park, Michigan home of police officer Michael Emmi.

The police chief seems to be siding with the police officer, so this may all play out in court.  Or, it may be settled out of court. To me, if true, the find my iPhone locating the phone at the house of the police officer is a bit of a red flag.  You don’t take evidence home as a general rule.

There are several things that come to mind as a result of this incident:

  1. Put a strong password on your phone.
  2. Do NOT unlock it just because a police officer asks.  Consult with your attorney.  As a general rule, in the most cooperative case, you want the police to get a warrant and you want the judge to limit what they can look for.  If possible, you would like your attorney present while they rummage through the phone.  They are likely going to take an image of the phone when they unlock it and you want to the court to specify how they need to protect the data if they do that.
  3. If there are adult images on the phone (as opposed to the guy with the child porn in an earlier post), fess up to that to your attorney.  The attorney may be able to get the court to require that those images be deleted prior to imaging – or at least protected – since they are likely not to be relevant.
  4. If you have been texting adult images, you are likely S.O.L. since the cops can get those texts with a warrant from the carrier.
  5. Some secure messaging services require a separate password to start the app, but if you tell the app to save the password, then that does not help.  SECURITY. CONVENIENCE.  PICK ONE AND ONLY ONE.  Consider what you are using the phone for, your level of concern and then make choices you can live with.
  6. This does not only affect YOUR phone.  In this case, it was not the woman’s phone, it was her boyfriend’s phone.  We have seen many cases of schools confiscating kids phones and searching them.  I am sure that there are “inappropriate” images on many kids phones, especially the older kids.  This means you need to train your entire family.
  7. Most courts (with the one I reported on recently being an exception and that is being appealed), will not require you to divulge your password.  Fingerprints yes, passwords no.  Your attorney may be able to negotiate some form of immunity for unlocking your phone if you are a small fish in the police’s mind.
  8. Some phones can be remotely wiped.  I have no idea if this is legal if the phone has been confiscated.  Protocol should require the phone to be place in a shielded bag and sealed to stop anyone from remotely wiping it , but I doubt all police departments do that.  If the phone is in a bag or powered off, the remote wipe won’t work, but it may automatically wipe it when the phone comes back online.

There is an ongoing tension between people’s privacy and law enforcement’s need to investigate crimes.  In this case, the phone was confiscated from someone who was arrested on marijuana charges.  I gather, although it doesn’t say so, that the crime was not smoking a joint, it was something more serious.  If you don’t want the cops searching your phone, the first thing you might want to consider is not growing or selling illegal drugs.

All of this just points to the fact that our world is changing as tech becomes an integrated part of our lives and the law is going to have to adjust.

This is just my two cents – remember, I am not a lawyer and do not play one on the Internet.

Information for this post came from the Detroit Free Press.

Supreme Court Gives FBI Hacking Permission Via “Rule Change”

The Supreme Court, last week, gave the FBI permission to hack into any computer anywhere in the world with the stroke of a single pen.

Ignoring, for the moment, whether other countries are going to think this gives them permission to hack into any computer in the U.S., this could be problematic.

What is at stake here is the current rule for a warrant which says that the warrant requestor has to know where the computer is that they want to hack into and get the warrant from a judge in that jurisdiction.  Currently, if the FBI is investigating a case in New York and thinks that a computer in Texas is of interest, they have to go to a judge in, say, Dallas, to hack into that computer.

Under the proposed rule change to Rule 41 of the Federal Rules of Criminal Procedure, the FBI would still need a warrant.  And the rule changes do not make it any easier to get that warrant.  It just means that one warrant could ask for permission to hack into thousands of computers anywhere in the world.

Those computers may belong to one or more hackers, victims or businesses that are only incidentally involved in the situation.  Since the parties to be hacked will not be served notice of the proposed warrant, they likely will never know that they have been hacked.  And, if there is some side effect to the hack such as loss of data or leaving a security vulnerability behind, the owner of the computer will never know about that either.  And, I do not see anything in the proposed rule change making the hacker responsible for damage that they do during the hack.

Oh, and the FBI doesn’t call it hacking.  Hacking has a bad name.  They call it Network Investigative Techniques.  Maybe the bad guys should use that euphemism – we weren’t hacking, we were just conducting a network investigation.

The FBI claims that they want to use this in cases where the user is using TOR and they are bouncing their traffic all over the globe.  This can be a hard nut to crack because many TOR nodes are hardened – but certainly not all – to avoid being susceptible to techniques like the ones the FBI uses.  Still, crooks make stupid errors.

The proposed rule change does have some limitations, but the permission certainly covers a very wide range of situations and is clearly not limited to TOR users.

Network Investigative Techniques could include things like uploading all of the photos or emails from a computer under investigation to an FBI controlled computer or turning on the microphone and camera on a target computer as happened to Miss Teen USA Cassidy Wolf.  In her case, the FBI was not the perpetrator, but it points to what can happen to someone when their computer is taken over.  In Cassidy’s case, the FBi did, eventually, find the extortionist (he was demanding even more nude pictures of her than he already had), but that certainly did not reduce the stress and embarrassment that this young woman suffered.  These are just a couple of examples of what the FBI could do.

The computer that I am writing this blog on does not have a microphone or camera, so it would be extremely difficult for a government approved or non approved hacker to turn them on, but most devices today do have cameras and microphones.  You occasionally do see people with tape or post-it notes over their cameras.  That is why.

What we have seen with the FBI’s requests in the past for Stingray warrants (A Stingray is a cell phone hacking tool) was opacity on the part of law enforcement agencies when telling judges what they were going to do and who might be affected.  Judges, for the most part, are not the most technically savvy people on the planet and it would be easy to fool at least some judges.  This means that extra diligence on the part of all parties is required when these type of warrants are approved.

The rules process allows Congress to intervene – in fact overturn – this change, but they would have to do that by December 1, 2016.  If they do not, then the rule will go into effect.  Given Congress’ history in privacy matters, I would not expect them to do so, although Sen. Ron Wyden has indicated his desire to do so.

In the FBI’s defense, it is getting harder and harder to figure out where computers are.  I am less concerned about the location of the computer than the issues associated with authorizing law enforcement agencies to surreptitiously hack into my computer – by definition, without me knowing about it – on some unknown basis. The odds of this being cleaned up perfectly after the hack are almost zero.

If you assume that most law enforcement organizations try to do a good job and are honest – and I do assume that even though other people may not – that permission is a pretty scary thing to grant.

The other thing that people are concerned about is that this change was done by some judges with no oversight by the legislative branch, no public discussion and no external review.  Only as a result of the media discovering this change, has any public attention at all been created.  Otherwise, it would have silently happened and that is the root of the problem.

Maybe this is a good change, maybe it is not.  Secrecy and lack of an informed debate, however, is not good.

 

Information for this post came from The Intercept and Just Security.

Researchers Discover Flaws That Allow Eavesdropping Of Cell Calls

Signalling System 7 or SS7 has long known to be vulnerable to hackers.  SS7 is the control system protocol that telephone companies use to route and transfer calls between companies and, in the cellular world, between towers.

Since SS7 was designed in the early 1980s, no one was terribly concerned about security.  Hackers – or foreign spies – could use SS7 to reroute calls, eavesdrop on calls, intercept text messages and locate users anywhere in the world for example.

As carriers harden their own systems (the front doors), they leave the side doors (the SS7 signalling system that they use to talk to each other) not only unlocked, but propped open.

The Washington Post reported that systems are widely available that allow someone to track where a user is, anywhere in the world, if they have their cell phone powered on.

The GSM Alliance, an industry trade group did acknowledge vulnerabilities for an earlier WaPo article and said that they are planning to replace SS7 over the next DECADE due to vulnerabilities and technical issues.

That means, for at least the next decade, assume that any skilled hacker or spy, anywhere in the world, can eavesdrop on your calls and text messages.

The researchers demonstrated decrypting a call with a German Senator – with his permission.   They also said that they could perform mass eavesdropping using a network of antennas.

While there are subtleties and nuances to what can and cannot be done and there are ways that users can better protect themselves, in the absence of users taking extra precautions, they should assume cell phone conversations are not private.

 

Information for this post came from The Washington Post.