Early this month, some Apple FaceTime users discovered a bug in the Group FaceTime video calling feature. A caller could be connected to the microphone, and in some cases the front camera, of the recipient's iPhone before the recipient had answered, letting the caller listen in and even see the recipient for a brief period. Apple took Group FaceTime offline and later fixed the bug with a software update.
Similarly, this February, the mobile security researcher behind the App Analyst blog found that the iOS apps of several large travel and retail companies, including Expedia, Hotels.com, Hollister and Air Canada, were recording users' screens with a session-replay technology, which lets an app developer capture every tap, swipe and keystroke on the screen while the app is open. The recordings were sent to the analytics firm Glassbox so that the companies could study how users interacted with their apps, identify the pain points and address them. The data gathering was carried out without users' knowledge, and in some cases, where sensitive fields were not masked, the recordings also captured users' passport details and credit card numbers.
One of the apps was Air Canada's, and the airline had already reported a data breach affecting around 20,000 users of its mobile app in August 2018. Had attackers gained access to these session recordings, experts note, the situation could have been considerably worse. “There can be good reasons for session replay analytics as it allows those companies to see, for example, which of their options are most used so that they can then make them more accessible. However, doing that without even mentioning it (so that the user at least knows that this is being done), is not right and probably illegal in some countries,” Luis Corrons, security evangelist at Avast Software, pointed out in an official post.
Nor is this confined to iOS. In a July 2018 study, security researchers at Northeastern University in Boston found several Android apps taking screenshots and video recordings of the screen without the user's knowledge and forwarding them to mobile analytics firms. The same study, which tested more than 17,000 apps, found no evidence of apps secretly sending audio recordings anywhere; even so, a majority of smartphone users believe that many apps listen to their conversations in order to target them with contextual advertisements.
There is some merit in this view. According to reports from early 2018, hundreds of apps on the Play Store and App Store were using microphone access to listen for hidden ultrasonic beacons embedded in television advertisements and websites, or to track how often a user had visited a physical store. The beacons sit at the top of, or just beyond, the audible range, typically around 18 to 20 kHz, so people in the room do not hear them while an app with microphone access can.
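How that listening works can be seen in a small detector, added here as an illustration and not code from any of the apps or analytics firms mentioned. It builds a constructed stand-in for a microphone capture (a loud audible 440 Hz tone plus faint noise, optionally with a quiet 18.5 kHz tone mixed in) and then scans the 18 to 20 kHz band with the Goertzel algorithm, the cheap single-frequency test a beacon SDK can run continuously on a phone, reporting any tone that stands far above the band's noise floor. The sample rate, band, scan step and detection threshold are assumptions chosen for the example.

```python
import math
import random

SAMPLE_RATE = 44_100  # Hz; assumed capture rate, typical for phone microphones


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Power of one frequency in `samples` (Goertzel algorithm).

    A full FFT is unnecessary when only a handful of frequencies matter,
    which is why a beacon SDK can afford to run this all the time.
    """
    n = len(samples)
    k = round(n * target_hz / sample_rate)          # nearest DFT bin
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def detect_beacon(samples, band=(18_000, 20_000), step_hz=250,
                  min_ratio=20.0, sample_rate=SAMPLE_RATE):
    """Scan the near-ultrasonic band and return the beacon frequency (Hz)
    if one tone stands out from the band's noise floor, otherwise None."""
    freqs = range(band[0], band[1] + 1, step_hz)
    powers = {f: goertzel_power(samples, f, sample_rate) for f in freqs}
    noise_floor = sorted(powers.values())[len(powers) // 2]  # band median
    peak_hz = max(powers, key=powers.get)
    if noise_floor > 0 and powers[peak_hz] / noise_floor >= min_ratio:
        return peak_hz
    return None


def synth_capture(seconds=0.1, beacon_hz=None, beacon_amp=0.05,
                  seed=1, sample_rate=SAMPLE_RATE):
    """Constructed stand-in for a microphone capture: a loud 440 Hz tone
    (something audible in the room) plus faint noise, optionally with a
    beacon mixed in at about -26 dB relative to the tone."""
    rng = random.Random(seed)
    n = int(seconds * sample_rate)
    out = []
    for i in range(n):
        t = i / sample_rate
        x = math.sin(2 * math.pi * 440 * t) + rng.gauss(0, 0.01)
        if beacon_hz is not None:
            x += beacon_amp * math.sin(2 * math.pi * beacon_hz * t)
        out.append(x)
    return out


if __name__ == "__main__":
    print("with beacon   :", detect_beacon(synth_capture(beacon_hz=18_500)))
    print("without beacon:", detect_beacon(synth_capture()))
```

The beacon is 20 times quieter than the audible tone and still trivially found, because the detector only looks where speech and music put almost no energy; that asymmetry is what makes the technique attractive to advertisers and invisible to users.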
Cameras, too, have become an integral part of people's lives, used to document and share important moments. Cybercriminals have long been known to take over the webcams of unsuspecting users with Remote Access Trojans (RATs): malware that gives the attacker complete control of the infected laptop and, on some models, even lets them disable the webcam's indicator light so that the victim gets no warning.
Another technology found on every smartphone and laptop, and which has been shown to be vulnerable, is Bluetooth. In July 2018, researchers at the Technion (Israel Institute of Technology) disclosed a flaw affecting Secure Simple Pairing and LE Secure Connections, the two pairing modes that use an elliptic-curve Diffie-Hellman exchange to establish a secure connection between two devices before any data is transferred.
According to the Bluetooth Special Interest Group (SIG), the organisation that develops and maintains these specifications, the specification recommended but did not require that a device validate the public key it receives during pairing, and some vendors' implementations skipped the check, putting millions of devices at risk. “This can allow a remote attacker within range to carry out a man-in-the-middle attack by injecting a bogus public key to determine the encrypted keys used by the device. The attacker can then intercept and decrypt all device messages or forge and inject malicious messages,” cautioned the United States Computer Emergency Readiness Team (US-CERT).
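The check the SIG describes is a small one. The Python below is an added example, not any vendor's or the SIG's code: it implements full public-key validation for NIST P-256, the curve both pairing modes use (the received point must not be the point at infinity, its coordinates must lie in range, and it must satisfy the curve equation; because P-256 has prime order, an on-curve point is automatically in the right subgroup), and wires that check in front of a minimal textbook affine-coordinate ECDH so that a bogus key is refused before any shared secret is computed. For contrast it also shows what an implementation that skips the check computes. The tampering used, keeping the x coordinate and replacing y with zero, is one illustration of a bogus key chosen for the example; with it, the unvalidated "secret" collapses to one of two values the attacker already knows, because (x, 0) has order 2 on the curve the arithmetic actually lands on. The scalars in the usage section are arbitrary.

```python
import random

# NIST P-256 domain parameters: the curve used by both Secure Simple Pairing
# and LE Secure Connections for their Diffie-Hellman key exchange.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)
INF = None  # point at infinity


def is_valid_public_key(point):
    """Full public-key validation, the step the SIG says some vendors skipped.

    Rejects the point at infinity, out-of-range coordinates, and any (x, y)
    that does not satisfy y^2 = x^3 + a*x + b (mod p). P-256 has prime
    order, so an on-curve point already has the right order and no separate
    n*Q == INF test is needed.
    """
    if point is INF:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Textbook affine addition/doubling (not constant-time; illustration only).
    Needs Python 3.8+ for pow(x, -1, P)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # Q + (-Q)
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add k * point. Note the formulas never use b, which is
    exactly why an off-curve point silently moves the computation to another
    curve instead of failing."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(private_scalar, peer_public):
    """Shared x coordinate, computed only after the peer's key is validated."""
    if not is_valid_public_key(peer_public):
        raise ValueError("peer public key rejected: not a valid P-256 point")
    x, _ = scalar_mult(private_scalar, peer_public)
    return x


def unvalidated_shared_secret(private_scalar, peer_public):
    """What an implementation that skips validation computes (for contrast)."""
    result = scalar_mult(private_scalar, peer_public)
    return None if result is INF else result[0]


def tamper_with_key(public_key):
    """Attacker-in-the-middle illustration: keep x, zero the y coordinate.
    No P-256 point has y == 0 (that would be a point of order 2, impossible
    in a prime-order group), so validation always rejects the result."""
    return (public_key[0], 0)


def pairing_exchange(a_priv, b_priv, attacker=False):
    """Run one validated exchange; True if both sides derive the same secret."""
    a_pub, b_pub = scalar_mult(a_priv, G), scalar_mult(b_priv, G)
    if attacker:
        b_pub = tamper_with_key(b_pub)
    try:
        return ecdh_shared_secret(a_priv, b_pub) == ecdh_shared_secret(b_priv, a_pub)
    except ValueError:
        return False


if __name__ == "__main__":
    rng = random.SystemRandom()
    a, b = rng.randrange(1, N), rng.randrange(1, N)   # arbitrary private scalars
    print("honest pairing agrees :", pairing_exchange(a, b))
    print("tampered key accepted :", pairing_exchange(a, b, attacker=True))
    bogus = tamper_with_key(scalar_mult(b, G))
    print("unvalidated 'secret'  :", unvalidated_shared_secret(a, bogus))
```

With validation in place the tampered exchange simply fails. Without it, the unvalidated result is either the attacker-chosen x (odd private scalar) or nothing at all (even scalar), so the attacker has reduced the "secret" to a guess between two values, which is the sense in which a bogus public key lets them "determine the encrypted keys used by the device".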
One can take inspiration from the likes of Mark Zuckerberg and former FBI director James Comey and put tape over webcams and smartphone cameras. For most of us, however, that is not a practical suggestion. And while vendors and app developers can be held accountable for their omissions, users need to be more aware so that they can spot suspicious activity themselves, such as an app asking for microphone or camera permissions it has no evident need for. Otherwise the stable door will be closed only after the horse has bolted.