FBI warns about snoopy smart TVs spying on you

An FBI branch office warns smart TV users that their TVs can be gateways for hackers to come into the home. Meanwhile, the smart TV OEMs are already spying on you.

A recent #FBI #report warned #smart #TV users that #hackers can also take control of your unsecured TV. "At the low end of the risk spectrum, they can change channels, play with the volume, and show your kids inappropriate videos. In a worst-case scenario, they can turn on your bedroom TV's camera and microphone and silently #cyberstalk you," explained the FBI.

The risk isn't new. A few years ago, smart TVs from #LG, #Samsung, and #Vizio were #spying and #reporting on your viewing habits to their #manufacturers.

Today, the FBI is warning that "TV manufacturers and #app #developers may be listening and watching you." It added, "[A] television can also be a gateway for hackers to come into your home. A bad cyber actor may not be able to access your locked-down computer directly, but it is possible that your unsecured TV can give him or her an easy way in the #backdoor through your #router."

That's true, but while there have been relatively few cases of hackers invading homes via their smart TVs, it's only a matter of time until they're watching and listening to you.

👉🏼 Read more:
https://www.zdnet.com/article/fbi-warns-about-snoopy-smart-tvs-spying-on-you/

📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Privacy Analysis of Tiktok’s App and Website (#PoC)

I did a detailed privacy check of the Tiktok app and website. Tiktok commits multiple breaches of law, trust, transparency and data protection.

Here are all technical and legal details. You can read a less technical article about it at the Süddeutsche Zeitung (German).

This is my setup: I used #mitmproxy to route all #app #traffic for #analysis. See in this #video how device information, usage time and watched videos are sent to #Appsflyer and #Facebook.

Hard to believe that this is covered by "legitimate interest" and transparency: Entered search terms are sent to Facebook...

👉🏼 Read more:
https://rufposten.de/blog/2019/12/05/privacy-analysis-of-tiktoks-app-and-website/

#TikTok #PoC
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Ring’s Hidden Data Let Us Map Amazon's Sprawling Home Surveillance Network

As reporters raced this summer to bring new details of Ring’s law enforcement contracts to light, the home security company, acquired last year by Amazon for a whopping $1 billion, strove to underscore the privacy it had pledged to provide users.

Even as its #creeping objective of ensuring an ever-expanding #network of home #security devices eventually becomes indispensable to daily #police work, #Ring promised its customers would always have a choice in “what information, if any, they share with law enforcement.” While it quietly toiled to minimize what police officials could reveal about Ring’s police partnerships to the public, it vigorously reinforced its obligation to the privacy of its customers—and to the users of its crime-alert #app, #Neighbors.

However, a #Gizmodo #investigation, which began last month and ultimately revealed the potential locations of up to tens of thousands of Ring #cameras, has cast new doubt on the effectiveness of the company’s privacy safeguards. It further offers one of the most “striking” and “disturbing” glimpses yet, privacy experts said, of #Amazon’s privately run, #omni-#surveillance shroud that’s enveloping U.S. cities.

Gizmodo has acquired data over the past month connected to nearly 65,800 individual posts shared by users of the Neighbors app. The posts, which reach back 500 days from the point of collection, offer extraordinary insight into the proliferation of Ring video surveillance across #American #neighborhoods and raise important questions about the #privacy trade-offs of a consumer-driven network of surveillance cameras controlled by one of the world’s most powerful corporations.

And not just for those whose faces have been recorded.

👉🏼 Read more:
https://gizmodo.com/ring-s-hidden-data-let-us-map-amazons-sprawling-home-su-1840312279

#DeleteAmazon #DeleteRing #why #thinkabout
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Forwarded from cRyPtHoN INFOSEC (EN)
SharpApp (#app)

An #app with cutting-edge technology to minimize Windows 10 telemetry and maximize privacy, plus much more.

SharpApp is a free and portable tool building upon a PowerShell engine and community powered script files for disabling telemetry functions in Windows 10, uninstalling preinstalled apps, installing software packages and automating Windows tasks with integrated PowerShell scripting.

https://github.com/mirinsoft/sharpapp

https://www.mirinsoft.com/ms-apps/sharpapp

📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_DE
📡@NoGoolag
Over 4000 Android Apps Expose Users' Data via Misconfigured Firebase Databases

More than 4,000 Android apps that use Google's cloud-hosted Firebase databases are 'unknowingly' leaking sensitive information on their users, including their email addresses, usernames, passwords, phone numbers, full names, chat messages and location data.

The investigation, led by Bob Diachenko from Security Discovery in partnership with Comparitech, is the result of an analysis of 15,735 Android apps, which comprise about 18 percent of all apps on Google Play store.

"4.8 percent of mobile apps using Google Firebase to store user data are not properly secured, allowing anyone to access databases containing users' personal information, access tokens, and other data without a password or any other authentication," Comparitech said.

👀 The full contents of the databases, spanning 4,282 apps, included:

‼️ Email addresses: 7,000,000+
‼️ Usernames: 4,400,000+
‼️ Passwords: 1,000,000+
‼️ Phone numbers: 5,300,000+
‼️ Full names: 18,300,000+
‼️ Chat messages: 6,800,000+
‼️ GPS data: 6,200,000+
‼️ IP addresses: 156,000+
‼️ Street addresses: 560,000+
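The "not properly secured" state Comparitech describes corresponds, for a Firebase Realtime Database, to a rules file that grants read and write access to every client, authenticated or not. The two rule sets below are an added illustration and are not taken from the report or from any of the affected apps: the first is the open configuration that lets anyone download the whole tree, the second denies everything by default and lets each signed-in user reach only their own record. They are two separate `database.rules.json` files shown together; the `//` lines are labels (Firebase's rules editor tolerates comments, but strip them if your tooling does not), and the `users` node and the `email` field are assumed names.

```json
// Open rules: any client, signed in or not, can read and write the entire database.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// Locked-down rules: deny everything at the root, then grant each authenticated
// user access to exactly the record keyed by their own uid.
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",
        ".validate": "newData.hasChildren(['email'])"
      }
    }
  }
}
```

A quick self-check on your own project: an unauthenticated `GET https://<your-project>.firebaseio.com/.json` returns the complete dataset under the open rules and `{"error": "Permission denied"}` under the locked-down ones. Rules in the Realtime Database cascade downward, so a permissive `.read` near the root overrides anything stricter below it; keep the root closed and open specific paths.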

👉🏼 Read more:
https://thehackernews.com/2020/05/android-firebase-database-security.html

#android #app #google #playstore #firebase #database #security #breach #leak
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
India's Contact Tracing App Is All But Mandatory. So This Programmer Hacked It So That He Always Appears Safe.

A software engineer from Bangalore was worried about being forced to download Aarogya Setu. So he ripped its guts out.

For days, Jay, a software engineer in Bangalore, watched with mounting alarm as people in India were forced to install the government’s coronavirus contact tracing app. Then, he rolled up his sleeves and ripped its guts out.

“I didn’t like the fact that installing this app is slowly becoming mandatory in India,” said Jay, who requested a pseudonym to speak freely. “So I kept thinking of what I could personally do to avoid putting it on my phone.”

Jay started work at 9 a.m. on a Saturday. He chopped away at the app’s code to bypass the registration page that required people to sign up with their cellphone numbers. More pruning let him bypass a page that requested personal information like name, age, gender, travel history, and COVID-19 symptoms. Then, he carved away the permissions that he viewed as invasive: those requiring access to the phone’s Bluetooth and GPS at all times.

By 1 p.m., the app had become a harmless shell, collecting no data but still flashing a green badge declaring that the user was at low risk of infection.

“That was my goal,” said Jay. “I succeeded. You can show the green badge to anyone if they ask to check your phone and they won’t be able to tell.”

👉🏼 Read more:
https://www.buzzfeednews.com/article/pranavdixit/india-aarogya-setu-hacked

#hacked #india #coronavirus #tracing #app
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
EU-funded COVID-19 app ‘listens to voices and coughs’

A recently launched EU-funded mobile application records users’ breathing and coughing to diagnose cases of COVID-19, scientists involved in the project have said.

The initiative, which has been developed by researchers at Cambridge University and partially funded by the European Research Council through Project EAR, aims to build up a large, crowdsourced dataset in order to develop machine learning algorithms to be used in automatic disease detection.

It will collect demographic and medical information from users, in addition to “spoken voice samples, breathing and coughing samples through the phone’s microphone.”

In an attempt to allay privacy fears, researchers say that the app will collect ‘one coarse grain location sample’ but that it would not track users, only recording location data once, when they are actively using the software.

“The data will be stored on University servers and be used solely for research purposes,” the university added.

“There are very few large datasets of respiratory sounds, so to make better algorithms that could be used for early detection, we need as many samples from as many participants as we can get,” said Professor Cecilia Mascolo from Cambridge’s Department of Computer Science and Technology, the lead team on the app.

“Even if we don’t get many positive cases of coronavirus, we could find links with other health conditions.”

👉🏼 Read more:
https://www.euractiv.com/section/digital/news/eu-funded-covid-19-app-listens-to-voices-and-coughs/

#coronavirus #eu #tracing #tracking #app #privacy #surveillance
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Report: Indian e-Payments App Exposes Millions of Users in Massive Data Breach

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a massive amount of incredibly sensitive financial data connected to India’s mobile payment app BHIM that was exposed to the public.

The website was being used in a campaign to sign large numbers of users and business merchants to the app from communities across India. All related data from this campaign was being stored on a misconfigured Amazon Web Services S3 bucket and was publicly accessible.

The scale of the exposed data is extraordinary, affecting millions of people all over India and exposing them to potentially devastating fraud, theft, and attack from hackers and cybercriminals.

👀 Data Breach Summary 👀

Company/Website: http://cscbhim.in/
Located: India
Industry: Mobile banking; e-payments; personal finance
Size of data in gigabytes: 409 GB
Suspected no. of records: ~7.26 million
No. of people exposed: Millions
Geographical scope: Nationwide across India
Types of data exposed: PII data
Potential impact: Identity theft, fraud, theft, viral attacks
Data storage format: AWS S3 bucket
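The "misconfigured" bucket in this report is the familiar S3 pattern where a bucket policy (or object ACLs) allows anonymous reads. The two documents below are an added illustration, not configuration from the BHIM campaign site: the first is a bucket policy of the kind that exposes every object to the whole internet, the second is the Public Access Block configuration that makes AWS reject such a policy and ignore public ACLs. They are separate inputs (a bucket policy and a `put-public-access-block` payload) shown together; the `//` lines are labels to strip before use, and the bucket name `example-campaign-uploads` is a placeholder.

```json
// Bucket policy that makes every object world-readable: "Principal": "*" with
// s3:GetObject on the whole bucket is exactly what lets anyone download the data.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-campaign-uploads/*"
    }
  ]
}

// Public Access Block settings (apply at the account level and per bucket):
// with all four enabled, the policy above cannot be attached and public ACLs are ignored.
{
  "BlockPublicAcls": true,
  "IgnorePublicAcls": true,
  "BlockPublicPolicy": true,
  "RestrictPublicBuckets": true
}
```

To verify a bucket you own, `aws s3api get-bucket-policy-status --bucket <name>` reports `"IsPublic": true` for the first configuration, and `aws s3api get-public-access-block --bucket <name>` shows whether the second is in force. Keeping the block enabled at the account level means a single mistaken policy on one bucket cannot reproduce this exposure.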

👉🏼 Read more:
https://www.vpnmentor.com/blog/report-csc-bhim-leak/

#BHIM #india #data #breach #leak #epayment #app
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
Google removes Android app that was used to spy on Belarusian protesters

App mimicked a popular anti-government news site and collected location and device owner details.

Google has removed this week an Android app from the Play Store that was used to collect personal information from Belarusians attending anti-government protests.

The app, named NEXTA LIVE (com.moonfair.wlkm), was available for almost three weeks on the official Android Play Store, and was downloaded thousands of times and received hundreds of reviews.

To get installs, NEXTA LIVE claimed to be the official Android app for Nexta, an independent Belarusian news agency that gained popularity with anti-Lukashenko protesters after exposing abuses and police brutality during the country's recent anti-government demonstrations.

https://www.zdnet.com/article/google-removes-android-app-that-was-used-to-spy-on-belarusian-protesters/

#Europe #Belarus #Google #spy #protesters #app #surveillance
Locking down Signal

Concerned about the privacy and security of your communications? Follow our guide to locking down Signal.

The encrypted messaging app, Signal, is quickly becoming a newsroom staple for communicating with sources, accepting tips, talking to colleagues, and for regular old voice calls and messages. While it’s a practical tool for anyone concerned with the security and privacy of their conversations, people working in newsrooms are particularly interesting targets, and should benefit from locking down Signal.

💡 (If you’re not yet using it, learn how to get started here.)

Signal makes it easy to have a secure conversation without thinking about it. On its face, it looks and feels identical to your default text messaging app, but security experts so often recommend it because of what it does in the background.

First, Signal offers end-to-end encryption, meaning only conversational participants can read the messages. While regular phone calls or text messages allow your phone company to unscramble your conversations, even the team behind Signal can’t listen to them. You don’t need to take their word for it. Signal is open source, meaning the code is available for anyone to review. This also makes security audits simpler for independent specialists, who have torn apart the code and published findings that everything works as intended. Finally, Signal retains nearly no metadata — information about who spoke to whom, and when. (The developers proved as much in court.)

These are some of the advantages you want in an encrypted messaging app.

Because newsrooms can attract a lot of attention, journalists who already use Signal should consider hardening it against physical access, as well as unwanted remote access and network-based eavesdropping. So let’s talk about how.

👀 👉🏼 https://freedom.press/training/locking-down-signal/

#signal #encrypted #messaging #app #guide
📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@BlackBox_Archiv
📡@NoGoolag
Bing mobile apps suffered a data leak, leaking 6.5TB of search data

Microsoft’s Bing mobile apps, available on Android and iOS, have been the victim of a data leak. Security researchers found an Elastic server whose password protection had been removed, reportedly through a “misconfiguration” of the server. As a result, 6.5TB of search data was publicly available on the internet, and the dataset grew by up to 200GB per day.

Security researchers from WizCase found the unprotected server on September 12, although the authentication is estimated to have been removed two days prior. After confirming the data was coming from Bing’s mobile apps, by performing a search themselves and seeing it appear in the data, the researchers contacted Microsoft on September 13, and the information was passed to Microsoft’s Security Response Centre, which acted to resolve the problem a few days later.

The data leak has exposed a trove of data that Microsoft collects from users who use the Bing mobile apps. The data included:

Search terms (excluding any searches in ‘private’ mode)

GPS coordinates (if location permissions are enabled, with a ~500 metre accuracy)

Date and time of the search

Firebase notification tokens

Coupon data

Partial list of the URLs visited by the user from the search results

Device model

Operating system

3 unique identifiers, including:
⭕️ ADID: possibly an identifier for a Microsoft Account
⭕️ deviceID
⭕️ devicehash

None of the data was encrypted.

https://www.onmsft.com/news/microsoft-bing-data-leak

#Microsoft #Bing #mobile #app #dataleaks
Police told not to download NHS Covid-19 app

The National Police Chiefs Council (NPCC) has confirmed officers are being told not to install the NHS Covid-19 app on their work smartphones.

The app detects when users have been in proximity to someone with the virus.

Some officers have also been told they may not need to obey self-isolate alerts generated by the app when downloaded to their personal phones.

Lancashire Constabulary has told staff to call the force's own Covid-19 helpline instead.

The BBC contacted the North-West of England force after a source claimed the advice had been given because of "security reasons".

The source also said officers had been told not to carry their personal phones while on duty if they had activated the app.

This applies to staff working in public-facing roles as well as those in back-office positions.

https://www.bbc.com/news/technology-54328644

#Europe #UK #police #covid #app