Posted on 10/14/2019 6:25:36 AM PDT by ShadowAce
There is a privacy threat lurking on perhaps hundreds of millions of devices, that could enable potential attackers to track and profile users, by using information leaked via the Tor network, even if the users never intentionally installed Tor in the first place.
In a session at the SecTor security conference in Toronto, Canada on October 10, researchers Adam Podgorski and Milind Bhargava from Deloitte Canada outlined and demonstrated previously undisclosed research into how they were able to determine that personally identifiable information (PII) is being leaked by millions of mobile users every day over Tor.
The irony of the issue is that Tor is a technology and a network that is intended to help provide and enable anonymity for users. With Tor, traffic travels through a number of different network hops to an eventual exit point in the hope of masking where the traffic originated from. Podgorski said that there are some users that choose to install a Tor browser on their mobile devices, but that’s not the problem. The problem is that Tor is being installed by mobile applications without user knowledge and potentially putting users at risk.
The researchers explained that they set up several Tor exit nodes, just to see what they could find, and the results were surprising. The researchers found that approximately 30% of all Android devices are transmitting data over Tor.
“You’re probably scratching your head now, like we were a couple of months ago, because that doesn’t make any sense,” Podgorski said. “There's no way a third of Android users know what Tor is and are actually using it.”
What the researchers determined is that Tor is being bundled, embedded and installed in other applications and users are not aware of its existence. It was not entirely clear to the researchers why Tor was being bundled with so many applications. Podgorski said that it could be due to a misunderstanding of the technology and how it can be used. Tor was also found on Apple IOS devices, but the numbers were smaller with only approximately 5% of devices sending data.
Tracking Users
In a series of demonstrations, including live dashboards shown by Bhargava, the researchers showed what data they had collected from mobile users that were inadvertently using Tor. The data included GPS coordinates, web addresses, phone numbers, keystrokes and other PII.
“This data can be used to build a robust profile of an individual,” Podgorski said.
Bhargava explained that the exit nodes the researchers set up intentionally attempted to force browsers to not use encrypted versions of websites, forcing the devices to regular HTTP when possible. With data coming to the exit node without encryption, it was possible for the researchers to see the user data. Bhargava noted that for sites that force HTTPS encryption and do not offer any fallback option to regular un-encrypted HTTP, they wouldn’t be able to see the users data.
Also of note, Bhargava admitted that he found his own phone number in the data, which was a surprise to him, as he had not installed Tor on his device. The only applications on his phone were applications installed by the carrier.
There are several things that need to happen to fix the issue. Podgorski said that the first is awareness that there is a problem, which is what the research is intended to highlight for legislators, government and organizations. For users, Podgorski emphasized that good operational security practices need to be employed, by using encryption everywhere.
In Podgorski's view, there is already a legal compliance risk that the mobile application PII data leaks expose.
“We’re pretty sure what we found breaches GDPR on multiple levels,” he said, “but the issue is that governments can’t enforce the law if they’re not aware.”
“If 30% of all Android phones were regularly connecting with Tor, the number of daily users of Tor in the US would be in the tens of millions. Tor actually reports 380k mean daily users in the US......”Something does not add up here.”
When a transaction hits the Tor network, who is the “user” to Tor. Can it be the App that is calling upon Tor, as the servant (the phone user) did not sign up for Tor.
If that is the case, a bunch of Apps - with each App surreptitiously installed on tons of devices - can easily multiply into millions of devices.
So, they set up exit nodes that they control. How do they get a target to use their exit nodes? I thought the selection of intermediate and exit nodes was random. If anyone can set up an exit node and force a target to use it, then tor is useless.
“The NSA/CIA appreciates your cooperation in this sensitive matter.”
Someday someone will do a deeply investigated study of how much NSA/CIA workers pass back and forth between the NSA/CIA jobs and the big technology companies - like a revolving door.
At no point in history has any government ever wanted its people to be defenseless for any good reason ~ nully's son
Nut-job Conspiracy Theory Ping!
To get onto The Nut-job Conspiracy Theory Ping List you must threaten to report me to the Mods if I don't add you to the list...
Mine doesn’t. The cord is too small...................
They don't necessarily "force" you to use a particular node. However, the gov't has enough exit nodes that they can just lie in wait like a spider on its web.
I thought the selection of intermediate and exit nodes was random.
It is. But they run enough noes you will hit one at some point.
bkmk
“Don’t get one that advertises the ability to Facetime/Portal/Alexa/etc with other people.”
Just yesterday I learned that my Haier TV and Denon A/V receiver, which are both non-smart and non-connected, are detected by the alexa app. The receiver has bluetooth, so I can understand how that might work (although is was NOT in BT mode at the time), but the TV - no. Dumb, cheap, 50” 4k TV. No wifi, no BT.
This is very creepy.
If you don’t connect your TV to the interwebs, I’d say their ability to phone home stolen data is approximately zero. When I watch Netflix or some Internet video, it’s running on a PC with a simple video cable to the TV.
How would you go about doing this on a phone?
Very. My friends and I joke that the IOT (Internet-Of-Things) is getting so pervasive that some day your car won't start because the dishwasher is acting up. ;-)
When I said it would be straightforward, I meant for an app dev. Someone would need to develop an app that could detect these connection and give you a warning. I do not know of any such app, but I am pretty sure it could be done.
I am a retired software dev. Who knows, if I took a lot of motivation pills I might be able to do this myself!
It is unpleasant to think that the gummit controls a large portion of the tor network, but they probably do. And since they have a man in the middle, https will not be much help.
If that was the extent of the problem, it would just be kind of funny. But given the authoritarian rhetoric of the current Democrat party, it feels more like an existential threat.
Thank you for the reply, I was curious about that. You know... They have phone app building software that provides the basic core framework and does most of the work for you. I would be elated to see someone do that if they happened to be bored. :)
And phone apps are a business opportunity with real residuals to be had. Wish I had that knowledge and skills. I have thought of several that are needed but don’t have the skills. :)
Wouldn't surprise me. After you use your smartphone to get GPS directions to the next Donald Trump rally your car is disabled and your UBER app shuts down. ;-)
The more I think about this particular hack, the less sense it makes. Using tor would probably draw the attention of your ISP. If someone wants to hook out data from your phone, the best approach would be to send it to some unremarkable IP address using some unremarkable protocol, like HTTPS. Part of the exchange could be another IP address for the next nuggets of data, so that no pattern of usage would be noticed.
In short, I think that this particular claim is bogus. But that does not mean that other things are not afoot, such as my non-wifi non-bluetooth, non-smart TV showing up as a device in the alexa app. I might have to put some effort into figuring that one out.
Shadow ace
I need someone to pull together my digital world
I am looking at the new private phone Librum and perhaps even their computer. I will need a privacy package on computer so I can meet with clients through internet, I also need private email that can merge with phone and computer
There doesnt seem to be any one who will put it all together. Is there?
I have an old TOM-TOM GPS unit. I still get free updates every quarter, so the best they could do is get info about my travels once a quarter after the fact. I do not use a smartphone, but I do occasionally use real maps just to stay in practice.
Hmmmm
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.