The issue brought up in this part of Eric Fulton’s presentation is what user data Google is collecting, and how Wi-Fi connection can expose your exact locationContinuing on the theme of strings – and this is the one that I had no idea, and I really do not appreciate – when you on your Android phone go to Google, and if your Wi-Fi is on, Google instantly knows, and it sends back to home all of the Wi-Fi access points around you. These are the people that live around me; they are creative people (see image).
I mean, how many of you knew that every time a user is going: “Oh, what’s around me? I wanna Google for something” – boom, opening up a web browser, – “Oh, my Wi-Fi is on, Google actually knows all the Wi-Fi access points that are beaconing”. No one really thinks of this.
And I think: “Oh, well, that’s fine, what’s up with Wi-Fi access points?” But if you heard of Skyhook, what Skyhook basically does is it uses Wi-Fi to geolocate people. And Google is trying to essentially squeeze Skyhook out of the market, or at the very least not pay them, because they are going: “Okay, if you are at this location, and these wireless access points are around you; if you are using an application and someone else is using this application, and they can see this Wi-Fi, they also know where you are at”. In the meanwhile, you don’t even have your GPS on.
Let’s say you are a super paranoid person, and you’re like: “No, no, no, my GPS is off, Google will not find me”. Well, now they know wireless IPs are around you. They also know exactly, because of those wireless IPs, where you are located. That’s kind of scary.What is also sent to Google (and I totally anonymized this, the X’s are me) is my exact address (see image). I was looking through the captures, and I was like: “DevLock, what’s that? Is that, like, my phone is locked?” It’s actually device location. And when I have my GPS on, and I am just browsing to Google, they instantly know where exactly I am pinpointed to a dot. I’m not kidding. I mean, I remember back when GPS was kind of sketchy, they could figure out you are in this area, but now they know you are standing right here, where those X’s are the latitudinal and longitudinal lines.
They are also sending a bunch of other information that I haven’t decoded yet but I plan on looking through. But at the same time, there is a lot of easy stuff to be picked up right away. I mean, why does Google need to know my specific exact location when I am browsing? And again, you could say it’s useful because they need to know when you search for pizza – what pizza is nearby. Completely agreeable, but then we have to move a layer higher in terms of privacy.
Well, because Google is collecting my location, who are they sharing it with? Who else knows where I am located when I am browsing for pizza? Do they share it with their advertisers? Do they share the time that I search for it? And then you starting to think this is getting a little creepier.
Advertisers now know when I’ve got a hankering for food, or whenever I search something. They potentially know where I search for that. They know what time I search for it. And they can start to build a profile about you.
In terms of privacy, I personally think that we shouldn’t have advertisers that know your most intimate detail without you even understanding what are you sharing. Google does not instantly say: “Hey, if you don’t have your GPS on, we’ll just send the Wi-Fi access points around you. If you turn off GPS location assistance for web applications, we’re gonna figure out your Wi-Fi to try to guess where you are at”. They don’t allow you to turn that off.We also continue through, and we get a little bit more interesting information as well (see image). We have the lan_mac address, the wan_mac address, the wl_mac address, and the lan_ip, what type of wireless you are using, what type of protocol it’s using, what the active wireless is, and I could keep reading through it. And just for no reason Google knows how long the uptime has been on my device, the actual IP of it, the load average, etc. They know all of this just because I popped open my web browser. It’s quite crazy and it’s insanely disturbing in terms of privacy because you think: “Why do they need to know this?” Now we’re gonna look at why data is collected, and I am hypothesizing here. We’ve got advertising. We’ve got statistics, because obviously they want know whether you are using an application, what you are using it for etc. – we have advertising. We have legitimate business purposes, so maybe an application needs to know what version of Android you are using, so it’s affective – we have advertising again. We have things that can increase the value of a service, so it’s helpful when you search for pizza, where you get results for pizza near you – we have advertising… I hope I’ve made my point here, I’m repeating advertising over and over because advertising is, again, the number one reason why they collect this information. And maybe they could collect it without advertising, but it’s number one reason that they use.
Why do they need to know where you are locate? To give you the correct ads. Why do they need to know Wi-Fi around you? Well, it helps find your location, which helps you get proper ads. Why do they need to know your device version? Well, if they’re gonna run an ad on your screen, they need to know the resolution. It’s creepy.
So in terms of this, what about man-in-the-middle attacks? Traffic can be intercepted. You can use SSLStrip, exploits, etc. And so just from sniffing your traffic from you hopping on my Wi-Fi point, I know you have applied your latest carrier upgrade. I know you decided to root your phone and put Gingerbread on it from certain community. I know exactly what device you have, where you’ve been, etc.
This is all very fascinating information. If I know that you are using a phone that your carrier decided not to upgrade and that there are active vulnerabilities in it, I also know that I can screw you. I know that if I have one of the exploits probably released at Defcon or that I made myself, targeting Gingerbread, I know I’m gonna have 100% effective rate.
And I know this just because you are playing Angry Birds on my wireless network or, not that have I done this yet, you happen to be within a certain foot range of my Femtocell, and are on my cellular network. But that’s a whole other talk.
And so I am going to go back to the original question I asked: to what extent do participants in the cellular ecosystem (OS creators, app creators, carriers, etc) respect user privacy? My answer is – not very much.
And the reason for this is that no one has really called out for it. I mean, we are at Defcon, I think a lot of people here really believe in privacy. We’ve got the Electronic Frontier Foundation who fights for our privacy. And yet, for convenience we sacrifice our privacy. For the ability to Google something out of your pocket, to run a little GPS location on your phone and find out where are you going, to do any of these things – you are sacrificing your privacy.
And that’s fine. If that’s something you wanna do and you are comfortable with, that’s fine. But myself, I don’t like Google knowing my neighbors have very creative wireless access point names. I don’t like Google knowing exactly where I am located when I browse a website. I don’t like it that when I use turn-by-turn navigation, Google knows exactly when I am taking those turns. I don’t mean to pick on Google, they just happen to have the phone that I was able to obtain. You can only postulate what’s on an Apple iPhone, what’s on a BlackBerry etc.
Let’s assume a beautiful perfect world where all of these companies believe in your privacy, which is definitely false. But let’s say they do. Well, aside from that, what about the people that have access to your traffic? As I stated before, I did all of these, I ran strings and collected all these packets so long ago on my own network. And I was able to analyze this. But how many people are able to write filters, put out a Wi-Fi point, put out a Femtocell? And as soon as you walk by, you’ve instantly shared so much information about yourself. If you just happen to walk by a store, and they happen to know certain details about you, they could change their advertising.