This is a guest blog post by Andrius Ribinskas, Information Security Expert at Tesonet.
Today everything and everyone is connected. You wake up to an alarm on your phone that has been tracking your sleep, instantly check Facebook messages and watch Instagram stories. And that’s just the morning. During the day, you probably track your steps with some kind of smartwatch. You go to a cafe after lunch and scroll through the news while sipping coffee. After work, you drive home using Waze, Google Maps or other apps. At every step, we sacrifice our privacy for a more seamless lifestyle and a better user experience, where Google knows the answer before you even ask.
But as the famous quote says, “If something is free – you are the merchandise.” And it’s true in today’s context. With data given away left and right, our ad profiles tell us more about ourselves than the Myers-Briggs test. In 2018 alone, Facebook had almost 34 billion dollars in ad revenue, which translates to about $15 per year per account if we take into consideration its 2.27 billion monthly active users. This is just the tip of the iceberg. A bunch of new technologies, like face recognition, location detection that doesn’t need GPS and even behaviour prediction, are picking up pace and being rapidly researched by the big advertisers.
What does this mean to you?
Well, that’s a rhetorical question, actually. The answer depends on your need to stay private and on how much user experience means to you. To make our lives easier, we usually turn to free apps that gather our data, sometimes without us realizing it. Because the apps are free, they make their revenue by handing the collected information, along with some sort of identifiable token (e.g. a device ID or Google advertising ID), to advertising providers. Advertisers analyze it to extract basic information about you, which, of course, leads to more personalized ads.
However, the main question should be whether it’s possible to use that kind of information to find you, or to learn something about you that you want to keep to yourself. And the answer is… definitely, but with some caveats. Because of GDPR and other regulations, advertising providers can’t disclose this type of information about their users, but potential bad guys, investigators or hackers might just use the same techniques to get a handle on your personal information.
That’s where it gets creepy
Did you know that hackers might be able to find your home address just by hanging around you in any public place? Can you guess what the little snitch is in this case? Basically, everything that has Wi-Fi capability, starting with your phone and ending with your smartwatch. All these gadgets might just give away everything there is to know about where you live, where you work, or what places you visit. But how, you ask?
Let’s look at your smartphone for this example. You get back home from work and it’s now magically connected to your home Wi-Fi. But in reality, your phone is constantly searching for the Wi-Fi names it knows, not only when you are near one of them. Hackers can listen for these search probes and learn the names of the Wi-Fi networks your phone is looking for. Let’s say the hacker wants to find your home address. He follows you to some coffee shop or just walks past you at a crosswalk. You don’t see it, but he has a computer in his backpack that captures all the wireless traffic around him. After being within range of your phone for a while, he goes home and analyzes the data he just gathered. He then sees the following probes in his analysis:
A4:2B:B0:D1:9C:D5 88:E9:FE:52:30:7F -36 54 -54 0 128 MyHouse,Office,Cofe-GO,Tony_4g
A bit of explanation: A4:2B:B0:D1:9C:D5 is the MAC address of the router that the device is connected to. 88:E9:FE:52:30:7F is the MAC address of the device that sent out the probe. Its manufacturer can be identified from its first three octets (the vendor prefix). In this case it’s an Apple device, so either an iPhone or a Mac, and it is connected to a TP-Link router. MyHouse,Office,Cofe-GO,Tony_4g is the list of network names carried in the phone’s probe requests: the names of the Wi-Fi networks the phone remembers.
After getting the Wi-Fi names, a hacker can use some sort of service to find the addresses associated with them. The www.wigle.net webpage, which tracks Wi-Fi names, can be used for this purpose. The hacker then searches for the MyHouse Wi-Fi name and finds the location of that network. In this fictional case, it’s 54th Street in San Francisco:
To get a grip on how widely these services document Wi-Fi locations, take a look at the unfiltered, zoomed-out view of the same area:
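To make the parsing concrete from the defender’s side, here is an added example (my own code, not part of the original post or any tool it mentions) that reads client lines in the layout of the sample above, looks up the vendor prefix of the probing station, and reports which devices are broadcasting remembered network names. The column layout is assumed from the post’s single sample line, the two-entry vendor table only reflects what the post states about those prefixes, and the two extra sample lines are constructed. It also checks the “locally administered” bit of the station address: phones that randomize the MAC in their probe requests set that bit, which is exactly the mitigation that makes vendor lookup useless and is worth enabling in your phone’s Wi-Fi settings.

```python
import re
from dataclasses import dataclass, field

# Assumed vendor table for this example. The post attributes the A4:2B:B0
# prefix to TP-Link and 88:E9:FE to Apple; a real audit would load the full
# IEEE OUI registry instead of this two-line stand-in.
OUI_VENDORS = {
    "A4:2B:B0": "TP-Link",
    "88:E9:FE": "Apple",
}

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Columns assumed from the post's sample line: BSSID (or "(not associated)"),
# station MAC, signal power, rate pair, lost, frames, then an optional
# comma-separated list of probed network names.
LINE_RE = re.compile(
    rf"^\s*(?P<bssid>{MAC}|\(not associated\))\s+(?P<station>{MAC})\s+"
    r"(?P<power>-?\d+)\s+(?P<rate>\d+\s*-\s*\d+)\s+(?P<lost>\d+)\s+(?P<frames>\d+)"
    r"(?:\s+(?P<probes>\S.*?))?\s*$"
)


@dataclass
class ProbeRecord:
    bssid: str
    station: str
    power: int
    probes: list = field(default_factory=list)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 in the first octet) is set. Phones that
    randomize the MAC in their probe requests set this bit, so an OUI lookup
    on such an address tells you nothing about the vendor."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def vendor_for(mac: str) -> str:
    """Vendor name from the first three octets, or a marker for randomized MACs."""
    if is_locally_administered(mac):
        return "randomized/locally administered"
    return OUI_VENDORS.get(mac[:8].upper(), "unknown")


def parse_probe_line(line: str):
    """Parse one client line into a ProbeRecord, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    probes = [p for p in (m.group("probes") or "").split(",") if p]
    return ProbeRecord(m.group("bssid"), m.group("station").upper(), int(m.group("power")), probes)


def ssid_exposure(lines):
    """Summarize, per station, which remembered network names it is broadcasting.
    Only stations that actually leaked at least one name are reported."""
    report = {}
    for line in lines:
        rec = parse_probe_line(line)
        if rec is None or not rec.probes:
            continue
        entry = report.setdefault(rec.station, {"vendor": vendor_for(rec.station), "ssids": []})
        for ssid in rec.probes:
            if ssid not in entry["ssids"]:
                entry["ssids"].append(ssid)
    return report


# Constructed sample: the first line is the post's own example, the other two
# are made up (a phone with a randomized MAC, and a second Apple device).
SAMPLE_LINES = [
    "A4:2B:B0:D1:9C:D5 88:E9:FE:52:30:7F -36 54 -54 0 128 MyHouse,Office,Cofe-GO,Tony_4g",
    "(not associated) DA:15:9C:01:22:AB -70 0 - 1 0 5",
    "(not associated) 88:E9:FE:AA:BB:CC -61 0 - 1 0 9 Office",
]

if __name__ == "__main__":
    for station, info in ssid_exposure(SAMPLE_LINES).items():
        names = ", ".join(info["ssids"])
        print(f"{station} ({info['vendor']}) leaks {len(info['ssids'])} network name(s): {names}")
```

Run against your own capture of your own devices, the report tells you which of them still announce every network they remember; the second constructed line shows what a phone with MAC randomization looks like instead: no vendor, and no names.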
Every blue dot represents a Wi-Fi access point.
How creepy can it get?
Pretty creepy, actually. The above example only scratches the surface of the techniques hackers use nowadays. Have you heard about the recent database leaks? This year alone (in about 2 months), around 2.2 billion emails were compromised. This means that somewhere on the darknet or on some hacking forum, there are links to a hypothetical database covering about 30% of the entire population. The number is quite massive.
People tend to make their lives as comfortable as possible, and this includes their virtual lives too. We don’t want to remember a number of complex passwords, so we just think of something quite simple and use it for everything. This makes a hacker’s life so much easier, as he only has to get your password from some random leak and he will be able to compromise all your other accounts. From that point on, your virtual life isn’t private anymore. Imagine someone browsing through your email, your search history or the locations you visited, reading your private Facebook messages. All without your knowledge. That’s pretty creepy, isn’t it?
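One way to check for exactly this exposure without handing your password to anyone is the k-anonymity range query used by breached-password services: hash the password with SHA-1, send only the first five hex characters, and compare the returned suffixes locally, so the remote side never learns the full hash. The example below is added here and is not from the post; it simulates the server side in memory with a constructed list of “leaked” passwords and made-up counts (a real check would send the prefix to a range endpoint over the network), and then audits a constructed set of accounts for both leaked and reused passwords.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus. Passwords and counts are made up
# for this example; nothing here is real leak data.
LEAKED_PASSWORDS = {
    "password": 3730471,
    "123456": 23597311,
    "letmein": 236000,
    "summer2019": 12,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form range services index passwords by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the fake corpus by 5-char hash prefix -> {35-char suffix: count}.
_RANGE_INDEX = defaultdict(dict)
for _pw, _count in LEAKED_PASSWORDS.items():
    _digest = sha1_hex(_pw)
    _RANGE_INDEX[_digest[:5]][_digest[5:]] = _count


def range_response(prefix: str) -> str:
    """Simulated server side of a k-anonymity query: given a 5-hex-char prefix,
    return every known suffix with its count as 'SUFFIX:COUNT' lines. The
    server never sees more than the prefix."""
    bucket = _RANGE_INDEX.get(prefix.upper(), {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def breach_count(password: str, query=range_response) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how many times the password appeared in the corpus (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_accounts(accounts: dict) -> dict:
    """accounts maps account name -> password. For each account report the
    breach count and which other accounts share the same password."""
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
    report = {}
    for account, password in accounts.items():
        report[account] = {
            "leaked": breach_count(password),
            "reused_with": sorted(a for a in by_password[password] if a != account),
        }
    return report


if __name__ == "__main__":
    # Constructed accounts: two reuse a leaked password, one is unique.
    sample = {"email": "letmein", "bank": "letmein", "forum": "N3w-unique-pass!xyz"}
    for account, finding in audit_accounts(sample).items():
        print(account, finding)
```

The point of the prefix split is that `breach_count` only ever passes five hex characters to `query`; swapping the simulated `range_response` for a real HTTP call keeps the full hash, and therefore the password, on your side.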
What to do?
Luckily, there are many ways to protect your privacy. The most obvious is just to limit your app usage: you don’t need all of those apps on your phone if you used them once and then left them installed on your device.
Next, review all your privacy settings with the biggest service providers. Facebook and Google have made those settings accessible to everyone. You can even check what places you’ve visited recently here: https://www.google.com/maps/timeline. Also, be aware of what permissions applications ask for when you install them. Imagine installing some random crossword game on your phone and it asking for access to your location, network control and messages. Most unsuspecting users just accept those prompts, but hey, doesn’t this sound a bit sketchy? Why would a simple game need all this potentially sensitive information?
Last, but not least: passwords. Try to think of a good password and don’t use it for more than 1 account. The best way to keep your passwords safe is to use a password manager. There are many of those and it’s a personal choice, but using one will increase your virtual safety exponentially. They work by generating unique and safe passwords for all your accounts and storing them in a database that is encrypted using a single master password. You don’t need to remember tons of passwords; they are all in this database. You only have to remember the master password to unlock it.
And a bonus piece of advice: always keep your guard up. Always check URLs for the lock icon that indicates the connection is secured using SSL/TLS, don’t ignore browser errors, especially ones that read “Your connection is not private”, and check that an app you’re installing comes from a reputable source.
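To show the two mechanisms just described in working code, here is an added example (mine, not code from the post or from any real password manager): a tiny hypothetical vault that generates a unique random password per account from the operating system’s CSPRNG and gates access behind a single master password, verified through a salted scrypt derivation and a constant-time compare. It also flags accounts that share a password, which is the situation a manager is meant to get you out of. The assumptions are that Python’s `hashlib.scrypt` is available (it is on standard builds) and that encrypting the database at rest is done with an authenticated cipher from a crypto library, which this stdlib-only example does not include.

```python
import hashlib
import hmac
import secrets
import string

# Character classes the generator must cover; the symbol set is an assumption.
CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+",
)


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG with at least one character of each class,
    so it satisfies common composition rules without sacrificing randomness."""
    if length < len(CHAR_CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CHAR_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CHAR_CLASSES):
            return candidate


class Vault:
    """Hypothetical minimal vault: one master password unlocks per-account
    passwords. Entries live in memory here; at-rest encryption is assumed to
    be handled by an AEAD from a crypto library and is not shown."""

    def __init__(self, master_password: str):
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(master_password, self._salt)
        self._entries = {}
        self._unlocked = False  # starts locked

    @staticmethod
    def _derive(master_password: str, salt: bytes) -> bytes:
        # Memory-hard KDF: n=2**14, r=8 uses about 16 MiB per derivation,
        # which is what makes guessing the master password expensive.
        return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=32)

    def unlock(self, master_password: str) -> bool:
        candidate = self._derive(master_password, self._salt)
        self._unlocked = hmac.compare_digest(candidate, self._verifier)
        return self._unlocked

    def lock(self) -> None:
        self._unlocked = False

    def _require_unlocked(self) -> None:
        if not self._unlocked:
            raise PermissionError("vault is locked")

    def add_account(self, account: str) -> str:
        """Create a fresh generated password for the account and return it."""
        self._require_unlocked()
        password = generate_password()
        while password in self._entries.values():  # never hand out a duplicate
            password = generate_password()
        self._entries[account] = password
        return password

    def import_account(self, account: str, password: str) -> None:
        """Store a password the user chose themselves (e.g. a legacy one)."""
        self._require_unlocked()
        self._entries[account] = password

    def get(self, account: str) -> str:
        self._require_unlocked()
        return self._entries[account]

    def reused_passwords(self) -> dict:
        """Map each account whose password appears elsewhere in the vault to
        the other accounts sharing it; empty when every password is unique."""
        self._require_unlocked()
        report = {}
        for account, password in self._entries.items():
            others = sorted(a for a, p in self._entries.items() if p == password and a != account)
            if others:
                report[account] = others
        return report


if __name__ == "__main__":
    vault = Vault("constructed-master-phrase")
    vault.unlock("constructed-master-phrase")
    for name in ("mail", "bank"):
        print(name, vault.add_account(name))
    vault.import_account("forum", "summer2019")  # constructed legacy password
    vault.import_account("shop", "summer2019")
    print("reused:", vault.reused_passwords())
```

The master password itself is never stored, only the scrypt output and its salt, and `hmac.compare_digest` keeps the unlock check constant-time; the generator draws from `secrets`, not `random`, because the latter is not suitable for anything an attacker might try to predict.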