
Smart devices and personalized advertising know almost everything about users today. Many people believe that devices spy on people, using the data they receive at best to sell goods and services, and at worst to harm them. However, the principles of information collection are much more complicated today, experts say. And often it is the carelessness of device owners that leads to surveillance. Izvestia looks at how to protect your equipment from espionage.

Total surveillance

Personalized advertising today knows a lot about the user — his interests and preferences, plans and needs. There is an opinion that gadgets spy by collecting all the necessary information through wiretapping. In fact, the data aggregation process is much more complicated. Experts spoke about how exactly devices monitor users at Positive Hack Days.

"It would probably be easier to assume that we are being tapped, but phones collect much more information about us than just our conversations. In order to understand who we are and what we are interested in, we don't need to record our speech," independent expert Olga Sviridova points out.

A woman with a stroller and a smartphone
Photo: IZVESTIA/Andrey Erstrem

There are several ways to spy on users. First of all, data is collected through mobile applications. Information can be obtained through social networks, various games, and other services.

"They know what kind of phone a person has, how many percent of charge it has, what operating system, brightness level, whether it is connected to Wi-Fi, which mobile operator. All this allows you to collect the device identifier, on the basis of which personalized advertising is built," Sviridova lists.

This information is then passed on to marketers who create profiles of people. Any game, even the simplest one, collects a huge amount of data that defines a user as a specific person.

A man plays a game on a smartphone
Photo: Getty Images/Antonio_Diaz

In addition, data can be collected using cookies, the expert adds. They reveal the history of page visits, how long the user scrolled the feed, which publications and sections of the site they are interested in, and so on. All this data is also accumulated and helps to create a unique image of a person.

Today most browsers protect users from tracking cookies. However, technology does not stand still either. One technique makes it possible to take an impression (fingerprint) of the browser, which can tell a lot more about a person than a cookie.

"Thanks to the browser's impression, companies know what kind of computer a person has, what programs are on it, whether it has a charge, and so on," Sviridova notes.

Cookie files
Photo: Getty Images/jdwfoto

A behavioral portrait is formed from the totality of online activity. Thanks to the collected data, it is possible to predict what a person will like, as well as correlate the information with the behavior of another person with the same applications and interests.

Another popular area is tracking via Wi-Fi, the expert points out.

"If it is turned on, the phone constantly sends signals to the outside world, thanks to which the geo-location is revealed. This allows you to find out how a person moves around the city. In addition, thanks to Wi-Fi, you can find out that two people are spending time together. And the social profile makes it clear that they are in some kind of relationship," explains Sviridova.

Wi-Fi icon on a smartphone screen
Photo: Getty Images/maradek

A person can also be tracked through their social circle, using tags in photos on social networks, links sent in chats, and so on. Accordingly, ads that a user's friend may like will also be shown to the user.

"The mechanism that helps determine that two people have similar interests is called look-alike, and with its help, marketers today bring income to companies. Actually, all this huge aggregated data helps marketers know a lot more about you than just talking next to a smart speaker," the expert emphasizes.

Antispyware

It is still possible to protect yourself from such surveillance today. To do this, there are various privacy settings on phones and computers, Olga Sviridova points out.

"Firstly, in the privacy and tracking settings, you can prohibit applications from collecting geolocation, access to photos and other information. On iOS, for example, the function of disabling tracking of third-party libraries has become popular over the past year. On Android, when you select the appropriate settings, you can do the same thing," she lists.

In addition, personalized advertising can be disabled on both operating systems. This does not mean that user data will stop being aggregated. However, the device will stop receiving targeted ads.

Privacy notice on a smartphone screen
Photo: Getty Images/yevtony

Almost all modern browsers can automatically protect users by blocking the tracking path. However, they do not help protect against the collection of browser fingerprints, which are more popular today than tracking groups, warns Sviridova.

You can also protect yourself from tracking using Wi-Fi, she adds. To do this, you can set a private MAC address on both Android and iOS.

"Using this feature, the phone generates a new identifier each time it scans the Network, which is sent to the device. And thus, advertising companies that aggregate such data will not be able to identify you," the expert notes.
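As an added illustration (not part of the original article), the sketch below shows why a private MAC address breaks this kind of aggregation: randomized addresses set the "locally administered" bit of the first octet, and an observer can only link sightings that share one address. The observation records and function names are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: (location, MAC seen in a Wi-Fi scan). Not real capture data.
OBSERVATIONS = [
    ("mall",    "00:11:22:33:44:55"),  # phone A: fixed hardware address
    ("station", "00:11:22:33:44:55"),
    ("cafe",    "00:11:22:33:44:55"),
    ("mall",    "da:a1:19:4c:07:e2"),  # phone B: private address, new per scan
    ("station", "7e:3f:90:b2:15:6d"),
    ("cafe",    "a6:0c:58:e1:9a:33"),
]

def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)

def is_private_mac(mac: str) -> bool:
    """True for a locally administered unicast address, the form private MACs take."""
    first = parse_mac(mac)[0]
    return bool(first & 0x02) and not (first & 0x01)

def linkable_sightings(observations):
    """Return {mac: [locations]} for every address seen in more than one place.

    Only these addresses let an observer reconstruct how a device moved.
    """
    places = defaultdict(set)
    for location, mac in observations:
        places[parse_mac(mac)].add(location)
    return {m.hex(":"): sorted(locs) for m, locs in places.items() if len(locs) > 1}

def private_share(observations) -> float:
    """Fraction of sightings that used a private (randomized) address."""
    macs = [mac for _, mac in observations]
    return sum(is_private_mac(m) for m in macs) / len(macs)

if __name__ == "__main__":
    print("linkable:", linkable_sightings(OBSERVATIONS))
    print("private share:", private_share(OBSERVATIONS))
```

Only the phone with the fixed address can be followed from place to place; the three private addresses each appear once and cannot be tied together by address alone.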

Woe from wit

However, device surveillance is not only used by advertising companies. Hackers can also use the obtained data for their own purposes, warns Inforus CEO Andrey Masalovich. This threatens a person with physical harm and reputational damage. Hijacked devices can also be used to attack other, more serious ones. Such actions become a full-fledged element of cyber warfare.

It is noteworthy that disparate attacks on IoT (Internet of Things) devices rely on the same vulnerability vectors. First of all, devices with the default password and the login "admin" suffer. At the same time, the device itself sends its credentials in the clear over the network when working with Wi-Fi.

Wi-Fi router
Photo: IZVESTIA/Andrey Erstrem

Smart scales, for example, can "leak" data. An ordinary stove is capable of reading, writing and sending SMS messages on behalf of the user. And a kettle or coffee maker can reveal the Wi-Fi password, the expert lists.

"Those who create such devices do not understand the basics of cybersecurity. This is a systematic problem, because it is important for developers that the device turns on and works, but they do not know what needs to be checked," Masalovich emphasizes.

"Smart" kettle
Photo: Getty Images/HappyNati

For this reason, the top 5 cyber attacks of the past five months included two attacks related to the Internet of Things. One of them was named "smart home". It was carried out with the help of a new Trojan that hijacked millions of smart home control devices. Later, the equipment was used for espionage inside the house.

"We live on a planet where you can capture almost any device containing a battery. As a rule, hackers' goals are data collection and cyber attacks aimed at disabling devices," Masalovich points out.

A hacker at a computer
Photo: RIA Novosti/Alexey Malgavko

It is important to understand that attacks on the Internet of Things are part of a larger, more complex process, which is cyber warfare, he emphasizes. Any items can be used as part of it, as there are Trojans that can attack devices in the physical world.

Intellectual attack

The situation will only get more complicated with the advent of artificial intelligence, warns Andrey Masalovich. Neural networks have not yet been adapted to free people from routine work. But it's already possible to use AI to harm.

The expert predicts several types of cyber attacks using artificial intelligence that will become popular in the future. There are five of these directions in total. And the first is attacks on voice assistants and smart devices.

Voice assistant
Photo: Getty Images/Luis Alvarez

In particular, audio queries that mimic a person's voice can be generated, including with realistic deepfakes, which can be created in a short time. And such a voice synthesis will pass any examination.

"You can also collect typical commands that a person gave to a device and use them in the interests of a hacker. At the same time, audio signals are already being created at the boundary of audible frequencies, which a person will not perceive as a voice message, but the device will. And the command that can be given in this way can be any one. For example, you can transfer all the money from the account to a hacker," Masalovich notes. Such attack vectors have already appeared and will develop in the future.

Attacks through industrial artificial intelligence are also possible. We are talking about infecting machine learning models in factories by spoofing telemetry.

Workers in one of the factory's workshops
Photo: RIA Novosti/Alexander Kondratyuk

Attacks through offline scripts are also possible. Today, every large company is trying to create its own ecosystem based on microservices. Each of them must be protected, because without proper protection, ensembles of such agents can be used to attack. And from the user's point of view, in this case, the work of the services will not look any different.

Another option, according to Masalovich, is data poisoning. Malicious information can be prepared in advance at the machine learning stage.

"You can 'poison' the data so that it is not recognized by the configured neural network. For example, you can make noise in a photo so that artificial intelligence no longer recognizes a person in it. Although for the user, the photo will look the same as before," the expert explains.

Artificial intelligence
Photo: Getty Images/Westend61

A dangerous attack option would be to create synthetic identities, he adds.

"Using deepfakes, you can generate characters that will look like your clients, job seekers, partners, bosses, or relatives. And a person will not understand that they are not communicating with a real person, because today it is technically almost impossible to determine," Masalovich is convinced.

However, it is quite easy to deal with such fraud. To do this, he said, it is necessary to work out several code phrases for communicating with different people.

"It is necessary to say this code phrase in case of a call and get an answer. In other words, you can actually enter your username and password into the conversation. Because today, people, in fact, launch a user into their lives without authentication, starting a conversation with a person who has not been verified," the expert emphasizes.

Translated by the Yandex Translate service