
Timesdelhi.com

June 16, 2019
Category archive

wi-fi

London’s Tube network to switch on wi-fi tracking by default in July


Transport for London will roll out default wi-fi device tracking on the London Underground this summer, following a trial back in 2016.

In a press release announcing the move, TfL writes that “secure, privacy-protected data collection will begin on July 8” — while touting additional services, such as improved alerts about delays and congestion, which it frames as “customer benefits”, as expected to launch “later in the year”.

As well as offering additional alerts-based services to passengers via its own website/apps, TfL says it could incorporate crowding data into its free open-data API — to allow app developers, academics and businesses to expand the utility of the data by baking it into their own products and services.

It’s not all just added utility though; TfL says it will also use the information to enhance its in-station marketing analytics — and, it hopes, top up its revenues — by tracking footfall around ad units and billboards.

Commuters using the UK capital’s publicly funded transport network who do not want their movements being tracked will have to switch off their wi-fi, or else put their phone in airplane mode when using the network.

To deliver data of the required detail, TfL says detailed digital mapping of all London Underground stations was undertaken to identify where wi-fi routers are located so it can understand how commuters move across the network and through stations.

It says it will erect signs at stations informing passengers that using the wi-fi will result in connection data being collected “to better understand journey patterns and improve our services” — and explaining that to opt out they have to switch off their device’s wi-fi.

Attempts in recent years by smartphone OSes to use MAC address randomization to try to defeat persistent device tracking have been shown to be vulnerable to reverse engineering via flaws in wi-fi set-up protocols. So, er, switch off to be sure.

We covered TfL’s wi-fi tracking beta back in 2017, when we reported that despite claiming the harvested wi-fi data was “de-personalised”, and claiming individuals using the Tube network could not be identified, TfL nonetheless declined to release the “anonymized” data-set after a Freedom of Information request — saying there remains a risk of individuals being re-identified.

As has been shown many times before, reversing ‘anonymization’ of personal data can be frighteningly easy.

It’s not immediately clear from the press release or TfL’s website exactly how it will be encrypting the location data gathered from devices that authenticate to use the free wi-fi at the circa 260 wi-fi enabled London Underground stations.

Its explainer about the data collection does not go into any real detail about the encryption and security being used. (We’ve asked for more technical details.)

“If the device has been signed up for free Wi-Fi on the London Underground network, the device will disclose its genuine MAC address. This is known as an authenticated device,” TfL writes generally of how the tracking will work.

“We process authenticated device MAC address connections (along with the date and time the device authenticated with the Wi-Fi network and the location of each router the device connected to). This helps us to better understand how customers move through and between stations — we look at how long it took for a device to travel between stations, the routes the device took and waiting times at busy periods.”

“We do not collect any other data generated by your device. This includes web browsing data and data from website cookies,” it adds, saying also that “individual customer data will never be shared and customers will not be personally identified from the data collected by TfL”.

In a section entitled “keeping information secure” TfL further writes: “Each MAC address is automatically depersonalised (pseudonymised) and encrypted to prevent the identification of the original MAC address and associated device. The data is stored in a restricted area of a secure location and it will not be linked to any other data at a device level.  At no time does TfL store a device’s original MAC address.”

Privacy and security concerns were raised about the location tracking around the time of the 2016 trial — such as why TfL had used a monthly salt key to encrypt the data rather than daily salts, which would have decreased the risk of data being re-identifiable should it leak out.

Such concerns persist — and security experts are now calling for full technical details to be released, given TfL is going full steam ahead with a rollout.


A report in Wired suggests TfL has switched from hashing to a system of tokenisation – “fully replacing the MAC address with an identifier that cannot be tied back to any personal information”, which TfL billed as a “more sophisticated mechanism” than it had used before. We’ll update as and when we get more from TfL.

Another question over the deployment at the time of the trial was what legal basis it would use for pervasively collecting people’s location data — since the system requires an active opt-out by commuters, a consent-based legal basis would not be appropriate.

In a section on the legal basis for processing the Wi-Fi connection data, TfL writes now that its ‘legal ground’ is two-fold:

  • Our statutory and public functions
  • to undertake activities to promote and encourage safe, integrated, efficient and economic transport facilities and services, and to deliver the Mayor’s Transport Strategy

So, presumably, you can file ‘increasing revenue around adverts in stations by being able to track nearby footfall’ under ‘helping to deliver (read: fund) the mayor’s transport strategy’.

(Or as TfL puts it: “[T]he data will also allow TfL to better understand customer flows throughout stations, highlighting the effectiveness and accountability of its advertising estate based on actual customer volumes. Being able to reliably demonstrate this should improve commercial revenue, which can then be reinvested back into the transport network.”)

On data retention it specifies that it will hold “depersonalised Wi-Fi connection data” for two years — after which it will aggregate the data and retain those non-individual insights (presumably indefinitely, or per its standard data retention policies).

“The exact parameters of the aggregation are still to be confirmed, but will result in the individual Wi-Fi connection data being removed. Instead, we will retain counts of activities grouped into specific time periods and locations,” it writes on that.
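To make the design choices discussed above concrete (a one-way pseudonym derived from the MAC, the difference between a monthly and a daily salt, and the aggregation-into-counts retention step), here is an added Python sketch. It is not TfL’s code and TfL’s actual scheme is not public: it assumes a keyed HMAC with a per-period key as the pseudonymisation, and the events, MACs and master secret are constructed placeholders.

```python
import hashlib
import hmac
from collections import Counter
from typing import Optional

# Constructed sample of authenticated-device connection events in the shape the
# TfL explainer describes: (MAC address, timestamp, router location). The MACs
# are made-up locally administered addresses; the master secret is a placeholder.
SAMPLE_EVENTS = [
    ("02:00:5e:10:00:01", "2019-07-08T08:01", "Oxford Circus"),
    ("02:00:5e:10:00:01", "2019-07-08T08:14", "Bank"),
    ("02:00:5e:10:00:02", "2019-07-08T08:03", "Oxford Circus"),
    ("02:00:5e:10:00:01", "2019-07-09T08:02", "Oxford Circus"),
]
MASTER_SECRET = b"placeholder-master-secret"  # assumption: kept in a KMS/HSM, not on disk


def period_key(master_secret: bytes, period: str) -> bytes:
    """Derive the 'salt' for one period (a day or a month) from the master secret."""
    return hmac.new(master_secret, period.encode(), hashlib.sha256).digest()


def pseudonymise(mac: str, key: bytes) -> str:
    """One-way keyed hash of a MAC address; the raw MAC is never retained."""
    return hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(mac: str) -> str:
    """Plain SHA-256 of the MAC: what hashing without a secret would look like."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()[:16]


def recover_from_unkeyed(token: str, candidates) -> Optional[str]:
    """A reviewer's check: an unkeyed hash of a 48-bit MAC can be matched by
    enumerating candidate addresses, so on its own it is a weak pseudonym."""
    for mac in candidates:
        if unkeyed_hash(mac) == token:
            return mac
    return None


def depersonalise(events, master_secret: bytes, rotate_daily: bool = True):
    """Replace each MAC with a token immediately after collection.
    rotate_daily=False models the monthly salt criticised after the 2016 trial:
    one key for the whole month, so a device stays linkable across days."""
    out = []
    for mac, ts, station in events:
        period = ts[:10] if rotate_daily else ts[:7]
        out.append((pseudonymise(mac, period_key(master_secret, period)), ts, station))
    return out


def aggregate(depersonalised):
    """Retention step: drop per-device rows, keep counts per (location, hour)."""
    return dict(Counter((station, ts[:13]) for _, ts, station in depersonalised))


if __name__ == "__main__":
    daily = depersonalise(SAMPLE_EVENTS, MASTER_SECRET)
    monthly = depersonalise(SAMPLE_EVENTS, MASTER_SECRET, rotate_daily=False)
    print("daily key, same device on 8 and 9 July linkable?", daily[0][0] == daily[3][0])
    print("monthly key, same device on 8 and 9 July linkable?", monthly[0][0] == monthly[3][0])
    print(aggregate(daily))
```

With daily rotation the same device produces the same token within a day (so journeys can still be reconstructed) but an unrelated token the next day; with a monthly key the tokens stay linkable across the month, which is why the salt period matters if the data-set leaks.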

It further notes that aggregated data “developed by combining depersonalised data from many devices” may also be shared with other TfL departments and external bodies. So that processed data could certainly travel.

Of the “individual depersonalised device Wi-Fi connection data”, TfL claims it is accessible only to “a controlled group of TfL employees” — without specifying how large this group of staff is; and what sort of controls and processes will be in place to prevent the risk of A) data being hacked and/or leaking out or B) data being re-identified by a staff member.

A TfL employee with intimate knowledge of a partner’s daily travel routine might, for example, have access to enough information via the system to be able to reverse the depersonalization.

Without more technical details we just don’t know. Though TfL says it worked with the UK’s data protection watchdog in designing the data collection with privacy front of mind.

“We take the privacy of our customers very seriously. A range of policies, processes and technical measures are in place to control and safeguard access to, and use of, Wi-Fi connection data. Anyone with access to this data must complete TfL’s privacy and data protection training every year,” it also notes elsewhere.

Despite holding individual level location data for two years, TfL is also claiming that it will not respond to requests from individuals to delete or rectify any personal location data it holds, i.e. if people seek to exercise their information rights under EU law.

“We use a one-way pseudonymisation process to depersonalise the data immediately after it is collected. This means we will not be able to single out a specific person’s device, or identify you and the data generated by your device,” it claims.

“This means that we are unable to respond to any requests to access the Wi-Fi data generated by your device, or for data to be deleted, rectified or restricted from further processing.”

Again, the distinctions it is making there are raising some eyebrows.

What’s amply clear is that the volume of data that will be generated as a result of a full rollout of wi-fi tracking across the lion’s share of the London Underground will be staggeringly massive.

More than 509 million “depersonalised” pieces of data were collected from 5.6 million mobile devices during the four-week 2016 trial alone — comprising some 42 million journeys. And that was a very brief trial which covered a much smaller subset of the network.

As big data giants go, TfL is clearly gunning to be right up there.

Lambs, the radiation-proof underwear company formerly known as Spartan, is now selling beanies


Earlier this year, Spartan, the French manufacturer of a silver-lined underwear designed to block EMF radiation from cell phones and wireless routers, relocated to the U.S. and raised some capital from the Los Angeles-based investment firm, Science.

Now the company has relaunched as Lambs and is adding a radiation-proof silver-lined beanie to its $29-per-pair underwear already on sale in the U.S. The company’s goal is to capitalize on paranoia around the effects of cell phone radiation on health and possible links to cancer.

Any link between exposure to radiation from cell phones or wi-fi and cancer or other deleterious health effects is tenuous at best, according to the American Cancer Society, but that didn’t stop Lambs (née Spartan) from launching at the Consumer Electronics Show in 2017 with a pitch designed to prey on fears about the potential health risks.

Indeed, there are no studies that definitively prove a link between radiation emitted by cell phones and cancer. The most serious health risk associated with cell phones is an accident caused by distracted driving, according to the National Cancer Institute.

The three co-founders Arthur Menard, Pierre Louis Boyer, and Thomas Calichiama were undeterred by the science and — spurred on by capital from Science — are expanding on their product line.

Since relocating to the U.S., the team went back to the drawing board and redesigned their underpants to align more with American tastes.

Now, the new and improved underwear and new beanie are going to be available to anyone who wants bacteria-resistant, silver-lined underwear and headwear so they can wrap precious metals around their family jewels.

The company also plans to launch a line of t-shirts later this year. A line of women’s underwear is also on the roadmap.

Job recruitment site Ladders exposed 13 million user profiles


Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records following a security lapse.

The New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data. Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.

Within an hour of TechCrunch reaching out, Ladders had pulled the database offline.

Marc Cenedella, chief executive, confirmed the exposure in a brief statement. “AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” he said.
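The IP-restricted access the statement describes is expressed in an Amazon Elasticsearch domain access policy. The following added Python check (not Ladders’ or AWS’s code; the policies, ARN, account id and CIDR are constructed placeholders) flags Allow statements that grant anonymous access with no aws:SourceIp condition, which is the configuration that leaves a domain readable by anyone on the internet.

```python
import json

# Constructed example domain access policies in the AWS Elasticsearch Service
# resource-policy format. The ARN, account id and CIDR are placeholders, not
# values from Ladders' deployment.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
    }],
}

RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "es:*",
        "Resource": "arn:aws:es:us-east-1:111122223333:domain/example-domain/*",
        # Anonymous access is still allowed, but only from the listed office range.
        "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}},
    }],
}


def is_wildcard_principal(principal) -> bool:
    """True if the statement applies to any (unauthenticated) caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def has_source_ip_condition(statement) -> bool:
    """True if the statement is limited to an IP allow-list via aws:SourceIp."""
    ip_cond = statement.get("Condition", {}).get("IpAddress", {})
    return bool(ip_cond.get("aws:SourceIp"))


def public_statements(policy) -> list:
    """Return indexes of Allow statements reachable by any unauthenticated client."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if is_wildcard_principal(st.get("Principal")) and not has_source_ip_condition(st):
            findings.append(i)
    return findings


def audit_policy_json(text: str) -> list:
    """Same check for a policy document fetched as JSON text."""
    return public_statements(json.loads(text))


if __name__ == "__main__":
    print("open policy, public statements:", public_statements(OPEN_POLICY))
    print("restricted policy, public statements:", public_statements(RESTRICTED_POLICY))
```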

TechCrunch verified the data by reaching out to more than a dozen users of the site. Several confirmed their data matched their Ladders profile. One user who responded said they are “not using the site anymore” following the breach.

Each record included names, email addresses and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in U.S. dollars.

A partial record (redacted) including a person’s name, address, phone number, job description and details of their security clearance (Image: supplied)

Many of the records also contained detailed job descriptions of their past employment, similar to a résumé.

Although some of the data was publicly viewable to other users on the site, much of the data contained personal and sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based on their IP address.

The database contained years’ worth of records.

Some records included their work authorizations, such as whether they are a U.S. citizen or if they are on a visa, such as an H1-B. Others listed their U.S. security clearance alongside their corresponding jobs, such as telecoms or military.

More than 379,000 recruiters’ information was also exposed, though the data wasn’t as sensitive.

Security researcher Jain recently found a leaking Wi-Fi password database and an exposed back-end database for a family-tracking app, including the real-time location data of children.


Meet the little-known Chinese WiFi startup that rubs shoulders with WeChat and Alipay


A service that connects people to WiFi hotspots for free turned out to be one of China’s most popular apps, nestling in the top ranks with Tencent’s WeChat messenger and Alibaba’s digital wallet affiliate Alipay. According to a report from app tracking service App Annie, WiFi Master Key was China’s fifth-largest app and the world’s ninth largest by monthly active users in 2018, titles it also held in 2017.

Report: The State of Mobile 2019, App Annie

The aptly-named WiFi Master Key, which owns the enviable domain wifi.com, is the product of a little-known startup called LinkSure in Shanghai that gets people onto the nearest wireless networks without the need for passwords. In addition, the app also recommends news and video content based on users’ past habits to lock them in, a feature similar to that of ByteDance’s algorithm-driven Jinri Toutiao news app.

Like many consumer-facing services in China, the app is free to use and monetizes traffic through advertising. It claims 700 million MAUs in China and another 100 million around the world. WeChat and Alipay, by comparison, each has around 1 billion MAUs worldwide.

The internet connectivity service helped LinkSure secure $52 million from a Series A round and value the parent at $1 billion back in 2015, only two years after the firm had launched. LinkSure has not announced further funding since then and has kept a relatively low profile, though its founder Chen Danian was a household name from China’s early internet days. Along with his brother Chen Tianqiao, Chen founded Shanda Games, once China’s largest operator of online games before the rise of Tencent.

In November, Chen resigned as LinkSure’s chief operating officer as former Shanda executive Wang Jingying took over the reins to become one of the few prominent female CEOs in China’s tech sector.

Sharing passwords

The idea of freeloading on strangers’ networks strikes one as dodgy (or too good to be true), but the reality is more nuanced. WiFi Master Key keeps a database of passwords while encrypting and hiding them from users, the company explains on its site. How does it collect all the credentials in the first place? Well, every time someone uses it to key in a login, the internet access app transmits that piece of information to the cloud. When people use it to, say, enter the WiFi passcode a barista just gave them, the data gets stored and shared with whoever at the cafe uses the app.


Aside from bringing connectivity, WiFi Master Key also provides news, e-book and video content to lock users in. Screenshot: TechCrunch

Those inner workings enable the app to bill itself as a WiFi “sharing” service and distance itself from anything that’s remotely a hack. But its data practice still draws concerns over user privacy. Last April, the Chinese state television broadcaster ran a 25-minute feature lambasting the app for “stealing passwords.” That was followed by an industry-wide crackdown from the state’s cybersecurity watchdog on all WiFi crowdsourcing services with lacklustre security practices.

LinkSure rebutted the state report and said it always asked for user consent before gleaning their data. Chances are few people read the lengthy terms of use on any kind of app in real life, and the less digitally savvy may fail to grasp how the app actually works. A major source of debate is when users inadvertently make their house WiFi publicly available after giving the credentials away to a guest who happens to use the data-ravenous app to access the host’s network. WiFi Master Key has not responded to emailed questions about its security practices.

Aside from enabling strangers to crowdsource WiFi, LinkSure has also joined hands with two major Chinese telecommunication companies to offer a separate broadband card with appealing data plans. That puts it in competition with Tencent, Alibaba, Baidu and other tech firms that are working with big telcos to provide cheap or unlimited data enticing people to use their in-house apps.

Meanwhile, LinkSure is eyeing beaming down its own internet connection from space, as SpaceX and OneWeb do. The plan is to target the next few billion rural users who are just coming online and live in areas currently uncovered by terrestrial networks. LinkSure says it’s aiming to provide a free satellite network around the world by 2026, with the first of a constellation of 272 satellites bound to launch later this year.

A government-backed report put the number of people with internet access in China at 802 million in June, leaving nearly 600 million who are still unconnected. Some 30 million people came online for the first time last year, including an expanding base of elderly users who are increasingly embracing Alipay and WeChat to go about daily life.

Researcher shows how popular app ES File Explorer exposes Android device data


Why is one of the most popular Android apps running a hidden web server in the background?

ES File Explorer claims it has over 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.

“All connected devices on the local network can get [data] installed on the device,” he said.

Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos, and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.

He sent over his script for us to test, and we verified his findings using a spare Android phone. Robert said app versions 4.1.9.5.2 and below have the open port.

“It’s clearly not good,” he said.

A script, developed by the security researcher, to obtain data from an Android device running ES File Explorer on the same network. (Image: supplied)

We contacted the makers of ES File Explorer but did not hear back prior to publication. If that changes, we’ll update.

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.

Of the reasonable explanations, some have suggested that it’s used to stream video to other apps using the HTTP protocol. Others who historically found the same exposed port found it alarming. The app even says it allows you to “manage files on your phone from your computer… when this feature is enabled.”

But most probably don’t realize that the open port leaves them exposed from the moment that they open the app.
