“Can you Hear Me Now?” - Security Professionals Warn about Who May Be Listening

Wednesday, June 27, 2018

Jeannie Warner


In light of the recent move by Verizon to stop sharing location data with third parties, companies need to rethink strategies for data gathering from users.

While companies and app makers have in the past used a range of technologies on mobile devices to gather ever more data, that data is now an increasingly attractive target for malicious hackers looking for a way in.

In one case, the company ‘La Liga’ disclosed to its users what their microphones will be used for and how. Malicious app developers are not always so kind, and ignorant app developers put people at risk without realizing it.

La Liga wants to collect user location data to track down unlicensed broadcasts of soccer games at sports bars and clubs. This activity serves their own interests without consideration for the user. Of course, there are likely other ways to approach this problem that don’t require using their customers' mobile devices as their own personal eavesdroppers, but this is the route they took. And to top it all off, they had enough courage to openly disclose this to their userbase, perhaps because they hope there will not be any significant user backlash. This approach will likely succeed, given the prevailing lack of information among end users in many countries about data privacy, the right to information privacy, and inappropriate sharing.

The tradeoff here is that trying to stop someone from misusing a service opens up a new potential attack scenario for the bad guys. As we have seen with other apps that drive voice-enabled technology, how something is intended to work and how it may be used or misused are two very different things.

Don Green, Mobile Security Manager, WhiteHat Security, shared his thoughts on a few items that might have a bad guy smiling, including:

  • “The mobile device microphone and geolocation will only be activated during the time slots of matches in which La Liga teams compete.”

From the bad guy’s perspective, the first thing I am going to do is try to abuse the match time-slot data to have listening and geolocation occur 7x24. If I’m after you, I want to make sure I’m hearing everything you say all the time and know where you are at all times.

  • “La Liga will periodically remind users that it can activate their microphones and GPS and will ask them to reconfirm consent.”

“Periodically” is a term hackers just love, while for users it’s a nightmare. Oh, here’s a notice to reconfirm consent… is it really? For bad guys, this is the perfect scenario set up to send users fake notices and get them to download malware.

While it is good practice for businesses to fight fraud, extreme caution must be used with this approach. There’s a fine line between protecting the business and putting the business at risk by passing additional risks on to customers. For example, courts want to track the phones of criminals and parolees, and Apple recently started cracking down on geolocation apps, especially since GDPR takes a broad view of location data and personally identifiable information (PII).

Application designers and sellers need to be able to scan the apps and determine whether they are accidentally releasing this kind of information, versus making a deliberate decision based on business need to broadcast where each cell phone user is. Ultimately, customers define what is an acceptable level of risk and privacy.
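As an added example (not code from the original article, and not La Liga's own app), the following Python script performs the kind of scan described above: it parses an Android manifest and flags microphone and location permissions that nobody deliberately approved. The package name, manifest and approved-permission set are constructed for illustration; the permission names are real Android identifiers.

```python
"""Flag microphone and location permission requests in an Android manifest.

Added example: a minimal static check a release team can run over every build
so that a microphone or location permission never ships unnoticed. The sample
manifest and the hypothetical package name are constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Real Android permission names, grouped by the kind of data they expose.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while in background",
}

# Constructed sample manifest for a hypothetical app; not a real product.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.scores">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Scores">
        <service android:name=".ListenService"/>
    </application>
</manifest>
"""


def find_sensitive_permissions(manifest_xml: str) -> dict:
    """Return {permission_name: category} for every sensitive permission requested.

    Both <uses-permission> and <uses-permission-sdk-23> are checked, since a
    permission requested only on newer SDK levels still reaches users' devices.
    """
    root = ET.fromstring(manifest_xml)
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR)
            if name in SENSITIVE_PERMISSIONS:
                found[name] = SENSITIVE_PERMISSIONS[name]
    return found


def review_manifest(manifest_xml: str, approved: set) -> list:
    """Compare requested sensitive permissions against a deliberately approved set.

    Anything requested but not on the approved list is returned as a finding,
    so an accidental permission fails the build instead of shipping to users.
    """
    requested = find_sensitive_permissions(manifest_xml)
    return sorted(
        f"{name} ({category}) requested but not approved"
        for name, category in requested.items()
        if name not in approved
    )


if __name__ == "__main__":
    # Suppose the product owner has only signed off on approximate location.
    approved = {"android.permission.ACCESS_COARSE_LOCATION"}
    for finding in review_manifest(SAMPLE_MANIFEST, approved):
        print("FINDING:", finding)
```

The approved set is the "deliberate decision based on business need" the paragraph describes; anything outside it is a finding to be explained or removed before release.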

About the author: Jeannie currently serves as security manager at WhiteHat Security. She believes application security is the Next Big Thing in the security space.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.