Showing posts with label smartphone. Show all posts

Wednesday, August 18, 2021

"Real" ID on your phone

 

In June 2021, Apple announced an upcoming update to its Wallet app that will let users scan their state-issued ID and store it, encrypted, within the app. The digital identification could then be used wherever accepted. And that’s the holdup at this point.

Four years ago I wrote a blog about the REAL-ID Act and a little history about how driver’s licenses became forms of identification. You can read that blog at "Real" ID

The post closed with, “While you could probably identify yourself with the contents of your phone it is doubtful you’d get through a serious police encounter. You certainly couldn’t board an airplane”. Well, here we are in the 2020s, and we can use our phones to digitally access more services and places every day. The coronavirus pandemic pushed companies to contactless services, which helped increase the use of digital tickets, keys, payment, and identification.

We can use digital boarding passes to board planes. Concerts and sporting events have digital tickets. Pretty much every cash register has some sort of digital payment system. But the question still remains: can you use a digital ID as an official identification? Companies like Apple are providing the tools. Venues and other services have to decide how to adapt.

The number of states exploring the use of digital driver’s licenses is growing. As exploration continues, individual states are starting to implement programs. Colorado was the first state to implement a functional program that officials say is accepted by law enforcement throughout the state. Louisiana, Oklahoma, Delaware, and Arizona all have programs. Maryland, Wyoming, and Idaho have test programs. Utah, Iowa, and Florida will be launching programs in the next year.

As states begin accepting their own digital licenses, there will have to be reciprocity between all of the states, as there is currently with card-based driver’s licenses. And then there is the federal government. While there is not currently a federal identification system, government agencies will have to be prepared to accept the individual state digital IDs. Apple is working with the TSA to develop policy to accept IDs contained in its Wallet app. Once enough states go digital, Congress will probably pass some sort of legislation that recognizes digital IDs contained on phones.

Monday, November 25, 2019

Juice Cleanse


While I am not educated in computer programming or repair, I am knowledgeable and proficient enough to make computers do what I need and to understand how that occurs. Because of my lack of formal training, I never doubt what can be done with computers; I just assume that I do not know how to make it happen. Anything is possible. So when I hear of new smart devices or electronic conveniences that make our lives easier, I figure it is only a matter of time until someone compromises the security.

In November 2019, the Los Angeles County District Attorney published a public service message warning travelers against using public USB charging stations.

How it works

Criminals either conceal a computer in charging stations or load malware onto the stations, much like credit card skimmers at gas pumps. When someone plugs their device into the charging station via USB, the criminal’s computer can access the device. Or the malware is transferred to the device so that the criminal can access it at a later time.

There have been mixed reactions to the LA County DA report. But no one is saying that it can’t be done. More likely it is a matter of the effort versus the reward. Snopes.com reported, "While it is technically possible for crooks to steal information or install malware via public USB ports, this practice doesn't appear to be widespread".

Best practice: Use your own charging cables with a transformer and plug directly into an AC outlet.

Lasers as keys

Another threat to smart devices, or rather smart homes, is lasers. Researchers at the University of Michigan have created attacks using focused light to manipulate smart speakers. From as far as one hundred yards, researchers could transform their voice commands into light beams aimed at the speaker. Once the beam reaches it, the speaker reacts as if someone were speaking to it.

The results of the discovery mean that criminals could trick smart speakers into operating garage doors, smart locks, lights, or whatever security feature is linked to the smart speaker.

In our brave new world one has to suspect that someone is always watching or listening. And no computer, mobile device, or now even the thing that charges them, is secure.

Find other posts on skimming, WiFi, and smart device security in my blog archive. 

Monday, April 2, 2018

How secure are apps?


Every business is pushing its mobile app. Some are highly interactive, giving access to secure accounts. Others are merely informational, almost static platforms. Every day we become more and more dependent on our phones. The Pew Research Center estimates that 77% of Americans have a smartphone. A conglomerate of different studies from 2017 reported that Americans average five (5) hours a day using mobile devices and that 90% of that time is spent using apps. Now, when you allow that everything on your phone is an app of some sort, it kind of diminishes the 90%, but the point is that we are on our phones a lot.

Why have an app?

Phones are now like appendages. We are rarely without them. This is a big reason why companies push apps. That, and because phones create a focal point for data collection. Most apps require some sort of registration. That provides a modicum of security, but it is mostly for data collection. Location services on smartphones allow app users to be tracked and pinpointed where they are using the app. This lets the business collect not only your personal information but also how, why, and where you’re using the app, and what you are buying. All of this data is used to target advertising and reshape sales.

Since 2014, Internet use has been more common on mobile devices than on desktops. You can accomplish so much on your phone now that you could probably go days without turning on a laptop or desktop. Apple has a cute commercial where the camera follows a girl throughout her day using her iPad. A neighbor asks her what she is doing on her computer. She answers, “What’s a computer?”

The progression to apps began with the advent of online access to accounts and shopping. To encourage electronic account access, some companies even threatened higher fees for receiving paper documents through the mail. Then everything moved to our phones. Businesses lure customers into their apps with rewards or deals for using them. Some put more effort into their apps than their websites.

Secure?

How secure are all these apps we’re either using voluntarily or “forced” to use by companies? The transmission of data between the user’s phone and the app servers usually has end-to-end encryption, meaning the data being sent and received is encrypted. The problems arise from users’ lack of security awareness and from hacks into the apps’ servers.

A high percentage of our phone use is in public. If you’re concerned about data usage, you’re always looking for a WiFi signal. Logging into public WiFi is one of the most insecure actions a smartphone user can take. If you don’t inadvertently log into a hacker’s signal, then you’re sending a signal that your phone is publicly available. Once a hacker zeroes in on your phone, they can intercept your transmissions to and from the apps you are using. Intercepting the phone’s connection to the router is commonly known as “man in the middle”. While that is still a popular hack, it is time consuming and much more work than going after the bigger treasure: company servers.

Why is it important to frequently change passwords? And not to use the same password or login/password pair for more than one account? More sophisticated cyber criminals know where the money is. It’s in the servers of big companies. If not the financial records, then the personal data. Recently, Under Armour announced that their app had been breached. They assured users that no financial data had been accessed, only user names and emails. While that may give some a sigh of relief, there’s still a problem. Hackers will sell those user names, emails, and passwords on the dark web. They’re valuable because many users will use the same login information across many accounts. Hackers can use the data gleaned from one breach to access your other accounts.
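To make the reuse risk above concrete, here is an added example (not part of the original post) that takes a password-manager export and reports which of your other accounts share a password, or a full login/password pair, with a site that has announced a breach. The CSV layout, site names, logins, and passwords are all constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import secrets

# Constructed sample export (site, login, password); not real credentials.
SAMPLE_EXPORT = """site,login,password
fitness-app.example,pat@mail.example,Runner2018!
bank.example,pat@mail.example,Runner2018!
shop.example,pat_shops,Runner2018!
forum.example,pat@mail.example,k7#Vq-unique-1
email.example,pat@mail.example,z9$Lm-unique-2
"""

# Per-run key: fingerprints group equal passwords but are useless elsewhere.
_KEY = secrets.token_bytes(32)


def _fingerprint(password: str) -> str:
    """Keyed hash, so plaintext passwords are not kept after loading."""
    return hmac.new(_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()


def load_vault(csv_text: str) -> list:
    """Parse the export into rows of site, login and password fingerprint."""
    return [
        {"site": r["site"].strip().lower(),
         "login": r["login"].strip().lower(),
         "pw": _fingerprint(r["password"])}
        for r in csv.DictReader(io.StringIO(csv_text))
    ]


def exposed_by_breach(vault: list, breached_site: str) -> dict:
    """Map every other site to how it is exposed if breached_site leaks.

    "same login and password": the leaked pair opens this account as-is.
    "same password": the password is known, only the login differs.
    """
    breached_site = breached_site.strip().lower()
    leaked = [r for r in vault if r["site"] == breached_site]
    exposure = {}
    for other in vault:
        if other["site"] == breached_site:
            continue
        for hit in leaked:
            if other["pw"] != hit["pw"]:
                continue
            if other["login"] == hit["login"]:
                exposure[other["site"]] = "same login and password"
            else:
                exposure.setdefault(other["site"], "same password")
    return exposure


if __name__ == "__main__":
    vault = load_vault(SAMPLE_EXPORT)
    for site, level in sorted(exposed_by_breach(vault, "fitness-app.example").items()):
        print(f"{site}: {level}")
```

Every site the function returns needs a new, unique password as soon as the breach is announced; accounts it does not list were already isolated from that leak.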

Using an app is only as safe as the host’s protection of its server data and the way you use the app. Most of the security issues are out of your hands. If you are not compromised in public, more than likely the company’s servers or the app itself will be hacked, exposing your data. All you can do is be as safe and aware as possible on your end. Monitor accounts and change passwords frequently.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015



Tuesday, February 6, 2018

Are you being watched?


Do you feel safe in your home? Your exterior is probably pretty well defended against intruders with metal doors and deadbolts, locking windows, and maybe an alarm system. How about intruders from within?  “…The call is coming from inside the house”, an oft repeated quote from the 1979 movie, When a Stranger Calls, can still make your skin crawl when you’re all alone, think you heard a noise, and then the phone rings. Just the thought of an intruder with you in your home can be terrifying. There may not be physical intruders inside your home at this moment, but someone may be listening or quite possibly watching.

Internet of things

Kevin Ashton of Procter & Gamble first coined “Internet of things” in 1999. It is defined as a network of devices, appliances, vehicles, etc. that connect and exchange data through the Internet. It is estimated the Internet of things will be populated with 30 billion devices by 2020.

Technology has always invaded our homes as we excitedly open the boxes to the latest modern conveniences. In the early 1900s, telephones began appearing in homes. The 1950s saw televisions showing up in living rooms. People started bringing home desktop computers in the 1980s. Those computers were connected to the Internet in the 1990s. Phones went on our belts and into our pockets in the 2000s and then became handheld computers. The first Internet-connected appliance was an LG refrigerator released in 2000. According to Statista.com, there were nearly 36 million smart home devices sold in the U.S. in 2017. Over 40 million smart TVs were sold in the U.S. in 2016 and 244 million worldwide.

Privacy

The remote accessibility of household devices creates new security issues every day. As appliances get “smarter” their vulnerability also increases. Smart devices only work to their full capability if they are connected to the Internet. Once that occurs they are searchable and hackable. When the device reaches out to the web it declares itself open for business. Hackers are always looking for unsecured networks and devices to exploit. If not for gain, then just because they can.

We first heard about these types of intrusions in 2015, two years after consumers started bringing home smart TVs. Samsung released TVs in 2013 that could listen to voice commands from their owners. The problem? The TV has to be listening all the time to pick up the commands. What was “heard” was being transmitted via the Internet. Samsung warned consumers, through privacy policies, that spoken words are being captured and transmitted through the voice recognition system. Consumers were further warned not to hold personal conversations in front of the television. But who read or reads the privacy policies, right?

Another popular type of device entering our homes is the web-accessible camera. We set these up to watch the nanny, housekeeper, or house in general. There are even petcams available that not only allow owners to watch their pets but speak to them and deliver treats remotely. The first cameras embedded in teddy bears, sold as “nanny cams”, began appearing on the market in 1992. The first cameras to transmit remotely via IP were sold by Axis Communications in 1996. Today, the market is flooded with cameras and phone apps that allow web transmission of live video. It’s fun to watch Mr. Snugglekins romp around the house. But if you can access your webcam remotely, so can someone else.

Hacking

The device most people have heard stories about and are aware of is the camera on your computer. Yes, it can be used against you. Unlike in the movies, your home computer usually has to be “infected” with malware that you allowed in by clicking on a link or visiting a sketchy website. As with all of your devices, locally, you have to let someone in for them to be monitored. That is not to say that you and your devices could not be specifically targeted and intruded upon. With the effort, it could be done. Hackers and, yes, governments have the capability to access the television microphones, computer and remote cameras, turning them on and off and recording at will. However, most likely you’ve been the victim of malware.

The privacy and security issue with smart appliances is the collection and transmission of data. First, your viewing habits, conversations, actions are being collected. Second, the data is being transmitted to the Internet and held on third party servers. All of which can be hacked. So no matter the security measures you take at home, your personal data is vulnerable once it hits the WWW.

The thing is, you allow them into your home with the purchase, unpacking, and setup to connect to your network. You are unaware of the data transmissions because you have most likely allowed the device to set itself up per the manufacturer’s settings. Any warning or setup recommendations were clicked through and unread. Admit it. You’ve done it. Who reads the privacy settings on a new device? Or whenever you allow an update? That’s what the manufacturers are counting on. The key word in the previous paragraph is “allow”. You’re inviting the snooping by purchasing the device, bringing it into your home, and allowing self setup.

Your appliances aren’t the only ones listening. There have been conspiracy theories floated the last couple of years that Facebook is listening to your conversations to better target ads. While feasible, it is unlikely and has been debunked by several sources. Facebook may not be overhearing conversations, but they are, as is Google, “listening” by recording your search habits and even communications in messaging and email apps to better target advertising. Netflix was recently caught out when, trying to be funny, it tweeted about the number of times a few viewers had watched one of its programs. Netflix admitted that it did track viewing habits of subscribers.

Security

When you invite smart appliances into your home you give up your privacy. You have to consider these devices as other persons and guard your privacy accordingly. Take the time to read the manufacturer privacy policies. Read the manual setup instructions and adjust the device settings accordingly. Block cameras in sensitive areas or turn them towards the wall when you’re home.

This reads like an Orwellian or tinfoil hat conspiracy. It wasn’t meant to be or to keep you from enjoying the conveniences of technology. Just be aware of the surroundings you’ve created. Any smart device has to be considered to be listening or watching. Alexa, Siri, Google, they all have to be listening all the time to be able to pick up your commands.

Please feel free to share. Read other posts about security in the blog archive.

Thursday, August 27, 2015

Keys to the vault


iPhone®s have a feature that enables users to share files via Bluetooth®. You simply activate Bluetooth® on your phone and search for the other person’s phone signal. Rather than sending several emails or texts with photos, it is a simple file transfer. We successfully completed this method of file sharing in a public setting. Very simple and convenient. What was noted was the number of open Bluetooth® connections that were also within range. This is like walking around with your purse wide open or leaving your car keys in the door lock.

Bluetooth® use developed slowly, but once other technology caught up its use exploded. Bluetooth® was developed in the early 1990s. It wasn’t until 2000 that the first mobile phone with Bluetooth® technology came to market. In 2001, laptops and peripherals (printers, earpieces, car kits) came to market. The next several years produced everyday items that could connect via Bluetooth®, such as TVs, glasses, watches, and appliances. Around 2005 is when Bluetooth® became a popular feature on phones. After smartphones took off in 2007, it became a standard feature, and every year since more uses between phones and other devices have been released.

Hacking into Bluetooth® began almost as soon as it became widely available on phones. Once consumers began using their phones for more financial exchanges and social media, hackers seized on the opportunity to exploit users’ lack of knowledge in regard to security and Bluetooth® connections. Most phones activate the Bluetooth® feature at startup. The user has to purposely turn off the connection. However, few do, either because they are unaware or because they actually use features such as earpieces or car connections. When not using the devices, users leave their phones in discoverable mode.

Hacking exposure

As with Wi-Fi, hackers love sitting in public places scanning for phone signals. They set up shop in common, high-traffic (use) areas by sending an open Wi-Fi signal or intercepting Bluetooth® connections between phones and peripherals. Bluebugging is a term to describe identity theft by hacking access to mobile commands on Bluetooth®-enabled devices that are in discoverable mode. Your phone is tricked into thinking that it is connected to the peripheral when it is actually connected to the hacker’s device. Once the connection is intercepted, the hacker can take control of the device and/or retrieve data.

In July 2015, hackers successfully hacked into the system of a Jeep Liberty, taking control of the vehicle’s comfort, operational, and safety systems, to include braking. This was done purposely to prove the vulnerability to automakers. But if one person figured it out, you can be sure there is a long line of others.

As of this writing, research revealed there was little data regarding the number of smartphones, or personal accounts used on smartphones, that are hacked. It is doubtful that the lack of data is due to a low occurrence, but rather to lack of realization, little reporting, and/or little notice by the media. You may occasionally see a flip phone or non-smartphone, but these types of phones are becoming rare. Many carriers do not offer these types of phones. There are an estimated 183 million smartphone users in the U.S. alone, 2 billion worldwide. Next time you’re in public, take a moment to look around and let it sink in how many people around you have phones. Probably safe to say everyone.

New target

Just as your home computer became vulnerable in the 1990s, your phone is now the target. Only with your home computer you almost have to invite the hacker in through malware or an ill-advised website visit. Your phone, on the other hand, is with you all the time, exposing its signals to the public wherever you go.

Most times you won’t even realize that your phone has been hacked. Not until strange social media posts surprise you or you notice withdrawals from your bank account. Your home computer will get a virus. Your email account will be hacked. Your credit card information will be stolen. And, growing every year, someone will be kind enough to file your taxes for you, for the small fee of receiving your refund.

Eventually your phone will be hacked. The best you can do is try to limit your vulnerability by keeping the doors shut. Limit your public broadcasting of a Bluetooth® signal and use of public Wi-Fi. Turn off your Bluetooth® when not needed. If you do use password-protected accounts through public connections, change your passwords after each use. Watch your data usage for spikes. Constantly check your financial accounts as part of your regular security routine.