Guess Who's Listening Now? Just About Anyone, on Your Devices
I remember being at a friend's house recently and she said, "Alexa, play 'Uh Oh,'" and it (she?) did, and I thought, hmm, I wonder who else is listening in?
Turns out your devices are.
"We have become accustomed to carrying our mobile phones and tablet devices everywhere we go," says newswise.com. The mobile phone has essentially become an extension of our bodies, helping us to communicate, make payments and socialize.
Unfortunately, the web site goes on, the smart devices of today are equipped with many different types of sensors that may be listening in on our conversations.
The heat gets turned on in our homes by a computer. Cameras scan our property. Our billing is often handled electronically. Don't you think the people behind these machines are listening, and recording our lives, too?
Turns out your devices are.
"We have become accustomed to carrying our mobile phones and tablet devices everywhere we go," says newswise.com. The mobile phone has essentially become an extension of our bodies, helping us to communicate, make payments and socialize.
Unfortunately, the web site goes on, the smart devices of today are equipped with many different types of sensors that may be listening in on our conversations.
The heat gets turned on in our homes by a computer. Cameras scan our property. Our billing is often handled electronically. Don't you think the people behind these machines are listening, and recording our lives, too?
“In reality, we have threats from two directions — malicious apps that hijack the phone sensors to spy on us, and otherwise benign apps secretly listening to or sensing our activities, and then sending the data ‘home’ for advertising and other activities,” says Ragib Hasan, Ph.D., associate professor in the Department of Computer Science at the University of Alabama at Birmingham.
Hasan says the first type of threat — malicious apps — are easier to prevent, especially if users install apps only from trusted sources. The second types of threats — otherwise benign apps secretly eavesdropping on us — are harder to identify and prevent.
“A tell-tale sign is what kinds of sensors an app is accessing — does it really need access to that for the advertised operation of the app?” he says at newswise.com. “For example, if a user is installing a calculator app, does it need access to the microphone or camera? Most likely, no. However, if the app requests access to such sensors, then it may indicate that the app is going to use that privilege to gather information.”
Nitesh Saxena, Ph.D., professor in the UAB Department of Computer Science, says consumers need to be sure they trust the apps downloaded to their devices.
“It’s not really the devices, but the apps running on these devices that may gather personal information, if they wish to,” Saxena notes. “The Android OS employs a permission-based security model whereby the user is alerted at the time of the app’s installation as to what resources on the device — microphone, camera, GPS, etc. — the app has access to for its overall functioning.
"So, if the user allows that app to have access to the microphone, that app can turn the microphone on. If that app is benign, it would just do what it is supposed to be doing. For example, a calling app will turn your microphone on only during a call. However, if the app happens to be a malicious one, it could turn the microphone on even when the user is not aware, and it may record the audio and exfiltrate it to a remote attacker.”
Another issue for users lies in checking the permissions on app requests. Some permissions may make a device vulnerable to malicious apps’ accessing resources to which they are not supposed to have access.
“A vast amount of security research shows that users do not pay much attention to these permissions while installing the apps on their devices; they don’t have the right mental models for these things or can easily get habituated to accepting without paying attention,” Saxena explains. “It is also possible for two malicious apps to collude with each other. For example, app A with user-granted access to a resource can share the data with app B, which may not have user-granted permission to access that resource.”
Researchers have also demonstrated side channel attacks "in which a malicious app can exploit benign-looking resources — motion sensors such as accelerometer or gyroscope or power consumption readings — for which the Android OS does not explicitly ask any user permission prior to granting access. By doing this, it can infer personal and sensitive information, including:
- he PIN codes entered on the touch screen, an otherwise restricted resource, based on vibrations of finger presseshttps://www.newswise.com/articles/shh-your-devices-may-be-listening-to-you/sc-lwhp
- Speech/speech characteristics, especially if you use your phone in the speakerphone mode. It picks these up via the speech reverberations;
- Tracking your locations when you are driving via vibration information captured from your phone placed in the car; and
- Tracking your location based on the power consumptions. Your phone incurs different amounts of power when it is near different cell towers, etc.
Although these attacks may not be fully practical today, they definitely showcase the underlying vulnerability, according to the web site.
Saxena says some recent research studies have demonstrated that many apps in the Android ecosystem have actually been exploiting Android’s permission model to learn sensitive information, such as the device’s IMEI, MAC address or geolocation information to track the device/user, and even exploiting and exfiltrating audio and video data.
“The security vulnerability of smart speakers, like Amazon Alexa or Google Home, is slightly different,” said Saxena.
“Here, the user has installed a device in his home or office, and this device has a microphone that receives and understands users’ vocal commands,” Saxena said. “Ideally, the speaker system should wake up only when the user issues a wake phrase like “OK, Google,” but there is nothing that prevents it from recording the audio at will on regular user conversations. Also, it is likely that, as the speaker listens to our commands, which are often stored on the cloud servers of these companies, the audio could contain sensitive information spoken in the background — music and TV programs played in the background — that may be of interest to some malicious actors.
What can users do to prevent the threat to their privacy?
- Check all permissions given to various apps. Does each app really need to access sensitive sensors — GPS, microphone, camera — to function? If something has requested and received more access and privileges than it should have, turn that off from the settings.
- When installing new apps, do the same check. Do not give permission to all privileges the app is asking for, unless it really needs the privilege to function.
- Only install apps from official or legitimate sources.
- For sensitive conversations, it might be a good idea to put your phone away or turn it off.
- Disable apps from recording and maintaining users’ location history — Google Maps, Facebook.
- Utilize anti-virus apps.
Research is underway attempting to solve some of these problems. Google is currently working on a project called Project Alias that aims to prevent the smart speaker devices, like Google Home, to eavesdrop on people’s conversations. The device works by inserting random noise into the microphone of the speaker except when the user issues a command to the speaker.
The bottom line, Saxena says, is that our phones and tablets now have eyes and ears and they can easily collect very intimate details about our personal lives. “We must be aware of the phone’s capabilities and take proactive actions,” he concludes.
Comments
Post a Comment