Wednesday, 14 August 2013

London Bans Creepy Stalker Trash Bins

A government not hesitating to take proactive and concrete steps to protect our privacy seems almost bizarre given recent news cycles, but indeed, the city of London stepped up and asked the marketing company Renew to remove its mobile-tracking trash bins from London's sidewalks.


Renew deployed 12 bins featuring "ORB" technology that allowed them to collect the unique media access control (MAC) address of Wi-Fi enabled mobile devices as they passed within range. The idea, as outlined in a press release, was to use the data gleaned from tracking pedestrians to serve the most effective ads on the LCD screen on each bin.

The consolidated data...highlights the significance of the Renew ORB technology as a powerful tool for corporate clients and retailers. It provides an unparalleled insight into the past behavior of unique devices--entry/exit points, dwell times, places of work, places of interest, and affinity to other devices--and should provide a compelling reach data base for predictive analytics (likely places to eat, drink, personal habits etc.). [Renew]
You can think of this as a less malicious version of Moscow's new mobile tracking system (although they use different technologies).

With only 12 bins, Renew was able to log data from more than 4 million devices over a single week. It is unsettling, at best, that this data could be used to paint reasonably detailed portraits of pedestrian behaviour without any notification or ability to opt-in to this data collection program.
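To make concrete what "entry/exit points" and "dwell times" mean in practice, here is an added illustration (not Renew's code; the sightings are constructed and the bin ids are made up): a handful of passive sightings keyed on a device's persistent MAC address is all it takes to reconstruct a pedestrian's route through the bins.

```python
from collections import defaultdict

# Constructed sample sightings for illustration only (not real ORB data):
# (seconds since midnight, bin id, device MAC address).
SIGHTINGS = [
    (32400, "bin-01", "aa:bb:cc:11:22:33"),
    (32460, "bin-01", "aa:bb:cc:11:22:33"),
    (32900, "bin-05", "aa:bb:cc:11:22:33"),
    (33100, "bin-07", "aa:bb:cc:11:22:33"),
    (33130, "bin-07", "aa:bb:cc:11:22:33"),
    (32410, "bin-03", "de:ad:be:ef:00:01"),
    (32415, "bin-03", "de:ad:be:ef:00:01"),
    (36100, "bin-03", "de:ad:be:ef:00:01"),  # back an hour later: a new visit
]


def profile_devices(sightings, gap=300):
    """Turn raw sightings into per-device visits.

    Consecutive sightings of the same MAC at the same bin no more than
    `gap` seconds apart are merged into one visit; anything else starts a
    new visit. The persistent MAC is the only thing linking the records,
    which is exactly why a fixed hardware address is a privacy problem.
    """
    per_mac = defaultdict(list)
    for ts, bin_id, mac in sorted(sightings):
        per_mac[mac].append((ts, bin_id))

    profiles = {}
    for mac, seen in per_mac.items():
        visits = []  # each visit: [bin_id, first_seen, last_seen]
        for ts, bin_id in seen:
            if visits and visits[-1][0] == bin_id and ts - visits[-1][2] <= gap:
                visits[-1][2] = ts  # still lingering at the same bin
            else:
                visits.append([bin_id, ts, ts])
        profiles[mac] = {
            "entry": visits[0][0],
            "exit": visits[-1][0],
            "route": [v[0] for v in visits],
            "dwell_seconds": [v[2] - v[1] for v in visits],
        }
    return profiles


if __name__ == "__main__":
    for mac, p in profile_devices(SIGHTINGS).items():
        print(mac, p["entry"], "->", p["exit"], p["route"], p["dwell_seconds"])
```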

Certainly, tracking systems like this should concern anyone using a Wi-Fi capable mobile device. And while Renew likely does not harbour any malicious intent, similar techniques have already been shown to be feasible. In previous demonstrations, researchers showed that simply by using common network names like "Apple Store" or "Boingo Hotspot," they could trick mobile devices into auto-connecting to unsecured Wi-Fi networks that expose your data to anyone watching.

Fortunately, some defense against programs like ORB is available. A mobile VPN encrypts any data sent over unsecured Wi-Fi networks, and disabling Wi-Fi on your device when you don't need it prevents it from talking to these networks at all. Note that the VPN protects the contents of your traffic, not the MAC address itself, which your device broadcasts in Wi-Fi frames before any connection is made; only switching Wi-Fi off stops that.

Friday, 9 August 2013

Lavabit and Silent Circle Shutter Secure Email Due to Gov. Pressure

Lavabit, the secure email service reportedly used by ex-National Security Agency contractor, Edward Snowden, has abruptly suspended its service without a complete explanation.
A letter posted on the company's homepage by Lavabit owner Ladar Levison said he made the decision to suspend service due to pressure from the U.S. government.

My Fellow Users, I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what's going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What's going to happen now? We've already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely, Ladar Levison, Owner and Operator, Lavabit LLC

Lavabit came on the scene in 2004 as a secure, privacy-oriented alternative to more popular email services. The service gained notoriety earlier this year when a representative of Human Rights Watch posted a message from Snowden that included the email address edsnowden@lavabit.com.

Following suit shortly after, Silent Circle has also scrapped Silent Mail, a similar encrypted mail service. The move, made to preempt any possibility that its users would suffer the same fate as Lavabit's customers, calls into question whether a US company will ever be able to truly offer a secure mail service.


Though we are unlikely to ever hear the full story, Levison's predicament emphasises the delicate nature of privacy and security in the cyber age. At the end of the day, it wasn't just Snowden's account that was closed. This case is a loss for every user trying to licitly exercise their right to privacy and security.

Tuesday, 6 August 2013

Aw Crap, Toilets are Hackable

Remember when we only had to worry about our computer being hacked? Those were the days. Unfortunately, as technology improves and an ever-increasing number of otherwise mundane devices are outfitted with microchips and wireless connections, we’ve also seen a rise in security vulnerabilities in everything from mobile phones to pacemakers. And now, sadly (or hilariously), even our toilets aren’t safe.

Security company Trustwave issued an advisory last week that LIXIL’s Satis line of smart toilets is vulnerable to hackers with a penchant for pranks. Among the many vital features of the toilets are the capabilities to play music, raise the lid, flush, and operate the bidet with a Bluetooth connection and an Android app. Unfortunately for the unsuspecting toilet enthusiast, LIXIL hard-coded the Bluetooth PIN “0000” into all of their toilets. This means that any ne’er-do-well with a smartphone can download the “My Satis” app and control any Satis toilet.



An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user. [Trustwave]

Here at SumRando, we’re wondering why anyone would need to remotely access a toilet. Perhaps they just like a fresh bowl?


And while hacking a toilet may be laughable for the security-minded (or anyone), the widespread neglect of basic security precautions in non-traditional wireless devices is a serious issue. Things like computer-controlled power grids, remote-controlled pacemakers, and digital medical records have dramatically improved our quality of life through greater efficiency and accuracy. But as we increase our connectedness, we also open ourselves up to substantial risk. Moving forward, it is essential that we include security and privacy in any discussion relating to technology. Unless we establish and prioritise cybersecurity best practices, we could find our progress flushed down the tubes.


Wednesday, 31 July 2013

Moscow to Start Tracking Mobile Users in Metro System

This past Monday, Russian newspaper Izvestia reported that Moscow’s metro system will be implementing an elaborate mobile device tracking system that they say will help authorities recover stolen phones. Nope, not suspicious at all.
Image courtesy of whatleydude through Creative Commons
The system that experts believe will be implemented is called a "stingray" or "IMSI catcher"; it tricks phones into connecting to a fake cell tower. The devices have a range of about five meters and track SIM cards rather than the handsets themselves. As mobile users pass within range, the system records each SIM card's international mobile subscriber identity (IMSI), works out the target's route, and relays the data to the station manager.
In an interview with Ars Technica, Privacy International’s Eric King said:
Many surveillance technologies are created and deployed with legitimate aims in mind, however the deploying of IMSI catchers sniffing mobile phones en masse is neither proportionate nor necessary for the stated aims of identifying stolen phones.
Likewise the legal loophole they claim to be using to legitimize the practice—distinguishing between tracking a person from a SIM card—is nonsensical and unjustifiable. It's surprising it's being discussed so openly, given in many countries like the United Kingdom, they refuse to even acknowledge the existence of IMSI catchers, and any government use of the technology is strictly national security exempted.
Apparently, such a tracking system shouldn't even be legal in Russia, but authorities say that because the system tracks SIM cards, which are technically owned by the service provider rather than by the person carrying the phone, the system is legal.
Experts have pointed out that for the system to be effective, multiple IMSI catchers would need to be deployed in each station, making the system financially ridiculous if its purpose truly is to track stolen phones.

Wednesday, 24 July 2013

Syrian Electronic Army Hacks Viber Support Desk

The Syrian Electronic Army is at it again, this time hacking the support page for the Israel-based instant messaging and VoIP service Viber.

The pro-Assad hacking group claimed to have access to Viber customers' personal details including email addresses and phone numbers, though Viber representatives say no such personal information was accessed.

"Yesterday, the Viber Support site was defaced after a Viber employee unfortunately fell victim to an email phishing attack. The phishing attack allowed access to two minor systems: a customer support panel and a support administration system. Information from one of these systems was posted on the defaced page."

The hacked page was defaced with a blue banner that read "Hacked by the Syrian Electronic Army". The SEA can add Viber to a relatively impressive list of hacked sites and Twitter feeds including those of The Financial Times, the Associated Press, The Onion, The Guardian, Al Jazeera, and others.