Free Republic
General/Chat

Millions of Phones Leaking Information Via Tor
InfoSecurity | 11 October 2019 | Sean Michael Kerner

Posted on 10/14/2019 6:25:36 AM PDT by ShadowAce

There is a privacy threat lurking on perhaps hundreds of millions of devices, that could enable potential attackers to track and profile users, by using information leaked via the Tor network, even if the users never intentionally installed Tor in the first place.

In a session at the SecTor security conference in Toronto, Canada on October 10, researchers Adam Podgorski and Milind Bhargava from Deloitte Canada outlined and demonstrated previously undisclosed research into how they were able to determine that personally identifiable information (PII) is being leaked by millions of mobile users every day over Tor.

The irony of the issue is that Tor is a technology and a network that is intended to help provide and enable anonymity for users. With Tor, traffic travels through a number of different network hops to an eventual exit point in the hope of masking where the traffic originated from. Podgorski said that there are some users that choose to install a Tor browser on their mobile devices, but that’s not the problem. The problem is that Tor is being installed by mobile applications without user knowledge and potentially putting users at risk.

The researchers explained that they set up several Tor exit nodes, just to see what they could find, and the results were surprising. The researchers found that approximately 30% of all Android devices are transmitting data over Tor.

“You’re probably scratching your head now, like we were a couple of months ago, because that doesn’t make any sense,” Podgorski said. “There's no way a third of Android users know what Tor is and are actually using it.”

What the researchers determined is that Tor is being bundled, embedded and installed in other applications and users are not aware of its existence. It was not entirely clear to the researchers why Tor was being bundled with so many applications. Podgorski said that it could be due to a misunderstanding of the technology and how it can be used. Tor was also found on Apple iOS devices, but the numbers were smaller with only approximately 5% of devices sending data.

Tracking Users

In a series of demonstrations, including live dashboards shown by Bhargava, the researchers showed what data they had collected from mobile users that were inadvertently using Tor. The data included GPS coordinates, web addresses, phone numbers, keystrokes and other PII.

“This data can be used to build a robust profile of an individual,” Podgorski said.

Bhargava explained that the exit nodes the researchers set up intentionally attempted to force browsers to not use encrypted versions of websites, forcing the devices to regular HTTP when possible. With data coming to the exit node without encryption, it was possible for the researchers to see the user data. Bhargava noted that for sites that force HTTPS encryption and do not offer any fallback option to regular unencrypted HTTP, they wouldn’t be able to see the users’ data.

Also of note, Bhargava admitted that he found his own phone number in the data, which was a surprise to him, as he had not installed Tor on his device. The only applications on his phone were applications installed by the carrier.

There are several things that need to happen to fix the issue. Podgorski said that the first is awareness that there is a problem, which is what the research is intended to highlight for legislators, government and organizations. For users, Podgorski emphasized that good operational security practices need to be employed, by using encryption everywhere.

In Podgorski's view, there is already a legal compliance risk that the mobile application PII data leaks expose.

“We’re pretty sure what we found breaches GDPR on multiple levels,” he said, “but the issue is that governments can’t enforce the law if they’re not aware.”


TOPICS: Computers/Internet
KEYWORDS: phones; pii; tor
From a comment at the site:
If 30% of all Android phones were regularly connecting with Tor, the number of daily users of Tor in the US would be in the tens of millions. Tor actually reports 380k mean daily users in the US.
Something does not add up here.

1 posted on 10/14/2019 6:25:36 AM PDT by ShadowAce
[ Post Reply | Private Reply | View Replies]

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; Ernest_at_the_Beach; martin_fierro; ...

Tech Ping


2 posted on 10/14/2019 6:26:10 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

The NSA/CIA appreciates your cooperation in this sensitive matter.


3 posted on 10/14/2019 6:30:32 AM PDT by Delta 21 (Be strong & prosper, be weak & die! Stay true.... ~~ Donald J. Trump)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Podgorski said that the first is awareness that there is a problem

I doubt very seriously it is a Problem as he describes, it sounds more like a Feature, intentionally built in to harvest data.


4 posted on 10/14/2019 6:31:18 AM PDT by eyeamok
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

Imho Shadow is tip of spear or less


5 posted on 10/14/2019 6:40:18 AM PDT by no-to-illegals ( Liberals, leftists, Rinos, moslems, illegals, lamestream media. All want America to fail and die)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

May I have your and the forum’s expertise on a report by local media in my area ??? Local media reported that flat screen TVs have receivers and transmitters ...... any opinions


6 posted on 10/14/2019 6:44:27 AM PDT by no-to-illegals ( Liberals, leftists, Rinos, moslems, illegals, lamestream media. All want America to fail and die)
[ Post Reply | Private Reply | To 1 | View Replies]

To: no-to-illegals

Hard to give feedback without seeing the actual story. Do you have a link?


7 posted on 10/14/2019 6:45:44 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 6 | View Replies]

To: ShadowAce

>>> that could enable potential attackers to track and profile users <<<

... the standard business model for social media and tech firms.


8 posted on 10/14/2019 6:49:44 AM PDT by Oldeconomybuyer (The problem with socialism is that you eventually run out of other people's money.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: eyeamok

Agreed, in fact I suspect Whatsapp as one of the culprits.


9 posted on 10/14/2019 6:49:45 AM PDT by GreatRoad
[ Post Reply | Private Reply | To 4 | View Replies]

To: Delta 21

Our govt developed TOR in the first place. Is it any surprise that it is surreptitiously used against us?


10 posted on 10/14/2019 6:50:09 AM PDT by Lurkina.n.Learnin (If you want a definition of "bullying" just watch the Democrats in the Senate)
[ Post Reply | Private Reply | To 3 | View Replies]

To: ShadowAce

Was a report from WSOC in Charlotte given out on morning newscast but have no link


11 posted on 10/14/2019 6:50:58 AM PDT by no-to-illegals ( Liberals, leftists, Rinos, moslems, illegals, lamestream media. All want America to fail and die)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Lurkina.n.Learnin

Patriot Act ??? Perhaps ???


12 posted on 10/14/2019 6:52:28 AM PDT by no-to-illegals ( Liberals, leftists, Rinos, moslems, illegals, lamestream media. All want America to fail and die)
[ Post Reply | Private Reply | To 10 | View Replies]

To: no-to-illegals

Vizio privacy settlement:

https://koaa.com/news/2019/02/14/vizio-announces-17-million-settlement-in-class-action-lawsuit/


13 posted on 10/14/2019 6:52:56 AM PDT by Oldeconomybuyer (The problem with socialism is that you eventually run out of other people's money.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: ShadowAce

Newscast mentioned is two or three days old


14 posted on 10/14/2019 6:53:48 AM PDT by no-to-illegals ( Liberals, leftists, Rinos, moslems, illegals, lamestream media. All want America to fail and die)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Oldeconomybuyer

The report involved audio and possible video


15 posted on 10/14/2019 6:56:09 AM PDT by no-to-illegals ( Liberals, leftists, Rinos, moslems, illegals, lamestream media. All want America to fail and die)
[ Post Reply | Private Reply | To 13 | View Replies]

Mama always said TV was more complex than anyone realized


16 posted on 10/14/2019 6:57:53 AM PDT by no-to-illegals ( Liberals, leftists, Rinos, moslems, illegals, lamestream media. All want America to fail and die)
[ Post Reply | Private Reply | To 15 | View Replies]

To: ShadowAce

My apology for hijacking your thread ......


17 posted on 10/14/2019 6:58:55 AM PDT by no-to-illegals ( Liberals, leftists, Rinos, moslems, illegals, lamestream media. All want America to fail and die)
[ Post Reply | Private Reply | To 1 | View Replies]

To: ShadowAce

It seems like a straightforward solution would be to check for connections to known tor nodes.

https://www.dan.me.uk/tornodes


18 posted on 10/14/2019 7:01:21 AM PDT by beef (Caution: Potential Sarcasm - Process Accordingly)
[ Post Reply | Private Reply | To 1 | View Replies]
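
An added example, not part of the post above or of the article: one way to implement the suggested check, matching per-app outbound connections against a list of known Tor node addresses so that the app bundling Tor can be identified. The list format (one IP per line), the log format, the app names and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed relay list (documentation-range addresses, not real Tor relays).
# Assumed format: one IP per line, '#' starts a comment.
RELAY_LIST = """\
192.0.2.10
198.51.100.77   # trailing comments are ignored
2001:db8::1
"""

# Constructed connection log, hypothetical format: "<app> <dst_ip>:<dst_port>".
CONN_LOG = """\
com.example.weather 203.0.113.5:443
com.example.flashlight 192.0.2.10:9001
com.example.flashlight [2001:db8:0:0:0:0:0:1]:443
com.example.game 198.51.100.77:9001
com.example.game not-an-address:80
"""

def load_relays(text):
    """Parse the list into ip_address objects so spelling variants compare equal."""
    relays = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            relays.add(ipaddress.ip_address(line))
    return relays

def parse_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port'; raises ValueError on malformed input."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def find_tor_connections(log_text, relays):
    """Return {app: [(ip, port), ...]} for destinations on the relay list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        try:
            app, endpoint = line.split()
            ip, port = parse_endpoint(endpoint)
        except ValueError:
            continue  # skip malformed lines instead of aborting the scan
        if ip in relays:
            hits[app].append((str(ip), port))
    return dict(hits)

if __name__ == "__main__":
    print(find_tor_connections(CONN_LOG, load_relays(RELAY_LIST)))
```

A static list goes stale as relays come and go, and Tor bridges are not published in the public relay list, so a match is a lead on which app to inspect rather than a complete inventory.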

To: no-to-illegals

Some TVs do have receivers for WiFi as well as signal tuners (A tuner is how it receives a TV signal). Mine has only WiFi--no signal tuner. I watch TV through my Roku device and we occasionally cast a show from a phone.

Don't get one that advertises the ability to Facetime/Portal/Alexa/etc with other people. That definitely has a transmitter that can possibly be controlled externally.

19 posted on 10/14/2019 7:02:02 AM PDT by ShadowAce (Linux - The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 11 | View Replies]

To: no-to-illegals

Only smart TVs.


20 posted on 10/14/2019 7:10:48 AM PDT by E. Pluribus Unum (We cannot spare this man. He fights.)
[ Post Reply | Private Reply | To 6 | View Replies]

