Hacker Accesses Internal ‘Tile’ Tool That Provides Location Data to Cops (www.404media.co)
from overflow64@lemmy.ml to privacy@lemmy.ml on 20 Jun 2024 21:50
https://lemmy.ml/post/17105433

#privacy


henfredemars@infosec.pub on 20 Jun 2024 21:53

Paywall.

But by the title, very disappointing to hear.

jabathekek@sopuli.xyz on 20 Jun 2024 22:10

Not surprised though.

archive.ph/yJgue

disguy_ovahea@lemmy.world on 20 Jun 2024 22:41

They also share personal, location, and motion data with third-party advertisers as well as driving analytics services.

We may disclose your personal information to our vendors and consultants who help us provide our Services or who perform services on our behalf, such as accounting, managerial, technical, email or chat services, marketing or analytic services, fraud prevention, bot detection, web hosting, and to other third-party partners or Service Providers to provide services or features to our members on our behalf or on behalf of our permitted business partners.

We may disclose personal information, including contact information and location and movement data, mobile device information (such as information generated by the gyroscope and accelerometer in your device), application analytics (including IP address and device identifiers), technical and analytical data, and driving event data with third-party partners that provide certain features and services you elect to use through or in connection with our Products or Service, to the extent that they are available in your country or region of residence. Some examples are as follows:

Crash Detection and Emergency Dispatch Services; Roadside assistance; Identity theft protection; and Driving analytics services.

…zendesk.com/…/16038777217175-Life360-Privacy-Pol…

henfredemars@infosec.pub on 20 Jun 2024 22:43

Oof. Us and over one hundred of our closest friends.

jabathekek@sopuli.xyz on 20 Jun 2024 23:08

Identity theft protection

heh.

refalo@programming.dev on 21 Jun 2024 07:55

may

may

where’s the proof that they do?

helenslunch@feddit.nl on 21 Jun 2024 20:35

Pro-tip: anytime they say “may” they mean “do”.

refalo@programming.dev on 21 Jun 2024 22:13

I prefer hard evidence to FUD

helenslunch@feddit.nl on 21 Jun 2024 22:16

I am not uncertain, there is no doubt. You should be afraid.

archy@lemmy.world on 21 Jun 2024 23:50

Pro tip #2.
Any time they have your stuff - they will use it (sell it) sooner or later. Zero knowledge is the answer

KillingAndKindess@lemmy.blahaj.zone on 20 Jun 2024 22:40

I’m shocked, shocked I tell ya!

OsrsNeedsF2P@lemmy.ml on 20 Jun 2024 22:44

Clearly, someone was not thinking of the children

some_guy@lemmy.sdf.org on 20 Jun 2024 23:05

Add this to the list of products I won’t buy. Not that I would have before, but now it’s a rule rather than a preference.

umbrella@lemmy.ml on 21 Jun 2024 20:14

that's probably a helluva list, easier to list corpos who are NOT doing it instead.

root@lemmy.world on 21 Jun 2024 03:43

Very disappointing. Does Apple sell Air Tag data to 3rd parties?

VelvetStorm@lemmy.world on 21 Jun 2024 07:01

Yes. They all do.

ji17br@lemmy.ml on 21 Jun 2024 08:55

AirTag location data is encrypted. Apple doesn’t know where they are.

VelvetStorm@lemmy.world on 21 Jun 2024 09:02

Right, Apple definitely doesn’t have access to the info on the products they make and sell to the public.

ji17br@lemmy.ml on 21 Jun 2024 09:04

Do you know how encryption works?

LordKitsuna@lemmy.world on 21 Jun 2024 10:35

Have you verified their encryption method? Where is the source code? Where is the third party public audit that verifies that it’s implemented properly with no other means of access?

Blindly trusting that they say it’s encrypted is basically the same as no encryption

IsThisAnAI@lemmy.world on 21 Jun 2024 11:01

This is made up fantasy land paranoia. Charlie Day with a big board shit.

Yep apple is secretly grabbing data that not one privacy expert has found. Just like those sneaky Alexas that are always listening to me.

ji17br@lemmy.ml on 21 Jun 2024 15:43

Here is the documentation regarding third party verification of their security claims.

support.apple.com/en-ca/guide/…/web

I’m assuming for some reason this is not good enough for you?

LordKitsuna@lemmy.world on 21 Jun 2024 17:04

I mean, none of these appeared to specifically be about the AirTag. But it at least does help show a general overall commitment to security. So it’s not as if it’s not a huge point in favor of trusting that the AirTag data is safe.

ji17br@lemmy.ml on 21 Jun 2024 15:47

On top of being privacy focused themselves, they are only working with AI partners who also pass a third party code review verifying that zero user data is stored.

Shit on Apple for not being repairable, sure. Shit on Apple for their walled garden, sure. But shitting on Apple over privacy is insane. They are the only big tech company that actually cares.

funkycarrot@discuss.tchncs.de on 22 Jun 2024 18:51

I used to hold the same opinion you do, but after reading this article, reality caught up with me:

nytimes.com/…/apple-china-censorship-data.html

If you want a shorter version of this that puts the consequences into perspective, I recommend one of Cory Doctorow’s blog posts: pluralistic.net/2021/…/unhealthy-balance-sheet/#t…

Taking the above behavior into account, Apple’s value proposition for anyone that cares about digital sovereignty is extremely brittle. I’ve decided not to invest any further into their tech. Is it the worst evil that roams earth? No. But does it logically follow that you should defend all their practices? Also no.

After reading the above, it shouldn’t surprise you that Apple spies on their users too, if only a bit less than, say, Facebook/Meta: pluralistic.net/2022/11/14/luxury-surveillance/#l…

Hope you can approach this with an open mind. I know it’s hard, I certainly didn’t want to start doubting what I thought was a valiant defender of consumer privacy. Cases like the San Bernardino shooter were testaments for Apple’s commitment to me. It turns out that’s only half the story though.

[deleted] on 21 Jun 2024 19:09
.
LordKitsuna@lemmy.world on 21 Jun 2024 20:07

[image]

olafurp@lemmy.world on 21 Jun 2024 12:36

Do you know how decryption works?

ji17br@lemmy.ml on 21 Jun 2024 15:39

Yes, only the person with the key can decrypt. Apple doesn’t have the keys.

delirious_owl@discuss.online on 21 Jun 2024 17:02

That’s what the NSA said about DES. Fun fact: they were lying.

Learn your crypto war history.

olafurp@lemmy.world on 21 Jun 2024 21:57

They also “Didn’t have them” in the past and then gave them to the NSA. 🙃

ji17br@lemmy.ml on 21 Jun 2024 22:35

Source? As far as I know they didn’t claim to not know location until iOS 17 release. Up until then they could access that info, and were required to give it up provided with warrants. This has been a reason Apple has actively been limiting the data they have access to. They cannot be compelled to give up data they have no way of accessing.

efstajas@lemmy.world on 21 Jun 2024 09:24

They sell AirTag location data? I honestly find that hard to believe. What’s your source on this other than big tech bad?

IsThisAnAI@lemmy.world on 21 Jun 2024 11:05

They don’t have one. It’s the new “Alexa is spying on you”.

ji17br@lemmy.ml on 21 Jun 2024 08:54

Apple cannot sell your AirTag data, because they don’t know it. It’s all encrypted.

potustheplant@feddit.nl on 21 Jun 2024 09:35

You read the leaflet. Nice.

[deleted] on 21 Jun 2024 19:06
.
potustheplant@feddit.nl on 21 Jun 2024 19:47

Not relevant. I was just trying to say that you have to be very gullible to take a company’s word at face value.

olafurp@lemmy.world on 21 Jun 2024 12:35

Sure, it’s encrypted, but there might be a way for them to decrypt it.

Telodzrum@lemmy.world on 21 Jun 2024 17:58

It lives in the same place as your other inaccessible data, which Apple has been unable to produce when served with warrants for iCloud data and the like.

delirious_owl@discuss.online on 21 Jun 2024 17:01

They say the same thing about some of the other data that they encrypt, but then they store the encryption private keys on their servers.

Encryption doesn’t mean they can’t see the data. It means only the people with the private keys (and those who can crack the private keys or a device with the private keys) can see the data.

One must know if the data is encrypted both at rest and in transit, what type of encryption is used, where the private key is stored, and what protections are in place where the key is stored.

ji17br@lemmy.ml on 21 Jun 2024 19:17

They do outline all of that, explaining how it works. The private key pair and secret are never sent to Apple. And yes, it’s end-to-end encrypted of course.

help.apple.com/…/apple-platform-security-guide.pd…

Page 202 if you care to learn how it works.

delirious_owl@discuss.online on 21 Jun 2024 20:06

Is the source code public so we can verify the implementation matches the spec?

Zeroc00l@sh.itjust.works on 21 Jun 2024 21:11

It’s not open source if that’s what you mean. If you think that stops people looking at code then I’ll have some of what you’re smoking please.

If you’re genuinely interested in how the Find My system works, here’s a good paper on it. The paper’s publishers even have an open source tool to connect to Apple’s Find My network, which is neat.

possiblylinux127@lemmy.zip on 21 Jun 2024 22:00

With proprietary software you have no way of knowing. Also avoid SaaSS (service as a software substitute).

VelvetStorm@lemmy.world on 21 Jun 2024 07:02

They should have hired their own hackers like Thor from PirateSoftware to find their own weaknesses. There are a lot of hackers out there that run services like that, and these companies should take advantage of that.

DrJenkem@lemmy.blugatch.tube on 21 Jun 2024 08:47

I’m sure they do, likely have their own internal security team as well as contract security work out. The purpose of hiring hackers isn’t to make the company unhackable, it’s to make it harder, more time consuming and costly to hack the company.

Opisek@lemmy.world on 21 Jun 2024 23:40

Aiming for a future in IT security, I find this branch of computer science somewhat ironic. You basically work to make your future work harder, i.e. you make things more secure, making your job of finding vulnerabilities even more difficult. Still a sucker for it, though

root@lemmy.world on 21 Jun 2024 07:18

F

HootinNHollerin@lemmy.world on 21 Jun 2024 08:49

I used to be a big user of Tiles from their early days, but when they sold to that shady company I threw them away and did the California privacy rights action for them to delete my data.

SeattleRain@lemmy.world on 21 Jun 2024 09:28

I always thought the surveillance state was stupid even for the powerful. The problem is exactly what happened. They surveil their own security forces out of necessity. But if that info leaks it makes those proxies 1000% more vulnerable than the public they’re subjugating since way more people have a grudge against police and military personnel than some dweeb that watches Rick and Morty.

delirious_owl@discuss.online on 21 Jun 2024 16:56

Authwall. Can’t read. Please always copy and paste the article contents into Lemmy when you share it

CrabAndBroom@lemmy.ml on 21 Jun 2024 17:17

I’m not OP but running it through Wayback Machine worked for me: web.archive.org/…/hacker-accesses-internal-tile-t…

If not here’s the text of the article (but the link has a bunch of images too that might be useful):

A hacker has gained access to internal tools used by the location tracking company Tile, including one that processes location data requests for law enforcement, and stolen a large amount of customer data, such as their names, physical addresses, email addresses, and phone numbers, according to samples of the data and screenshots of the tools obtained by 404 Media.

The stolen data itself does not include the location of Tile devices, which are small pieces of hardware users attach to their keys or other items to monitor remotely. But it is still a significant breach that shows how tools intended for internal use by company workers can be accessed and then leveraged by hackers to collect sensitive data en masse. It also shows that this type of company, one which tracks people’s locations, can become a target for hackers.

“Basically I had access to everything,” the hacker told 404 Media in an online chat. The hacker says they also demanded payment from Tile but did not receive a response.

Tile sells various tracking devices which can be located through Tile’s accompanying app. Life360, another location data focused company, acquired Tile in November 2021.

The hacker says they obtained login credentials for a Tile system that they believe belonged to a former Tile employee. One tool specifically says it can be used to “initiate data access, location, or law enforcement requests.” Users can then look up Tile customers by their phone number or another identifier, according to a screenshot of the tool.

A drop down menu which is selected in the screenshot tells users to select a request type: “DATA_ACCESS,” “LOCATION_HISTORY,” and “LAW_ENFORCEMENT.”

Hackers in recent years have repeatedly targeted tools used by tech companies to provide data to law enforcement or ones that are otherwise used by the company’s own staff to manage and access data. Sometimes, the hackers gain access to the tool itself, like when one used an internal Twitter system to take over accounts. In another case, a fraudster bribed an insider at Roblox to use that company’s tools for malicious purposes. Some hackers have even taken to installing malware inside U.S. telecoms so they can remotely control internal employee tools themselves.

Hackers also compromise email accounts used by police or other government officials, and then use those to demand sensitive data from tech companies and platforms by posing as the respective law enforcement officer. Targeted companies include Facebook, TikTok, and Apple.

Some of the other internal tools the hacker provided screenshots of include those for transferring Tile ownership from one email address to another; one for creating administrative users; and one for sending a push notification to Tile users. The hacker says they decided not to use this capability.

The hacker says they then accessed another system used by Tile which contained the customer data. The samples the hacker gave to 404 Media included names, addresses, phone numbers, as well as order and returns information and details on the payment method used.

From here, the hacker said they scraped the data. “I was able to enumerate through customer ids. Sent millions of requests to scrape the data.”

404 Media verified the data by randomly selecting a series of email addresses from the data, and then using them to create new accounts on Tile’s website. In most cases this was not possible because the email address was already in use by an existing customer. 404 Media also contacted multiple people inside the data via email.

“Yep, that would be me,” one person said when 404 Media sent all of the data related to their account.

Tile told 404 Media in a statement “Recently, an extortionist contacted us, claiming to have used compromised Tile admin credentials to access a Tile system and customer data. We promptly initiated an investigation into the potential incident. Our investigation detected that certain admin credentials were used by an unauthorized party to access a Tile customer support platform, but not our Tile service platform. The Tile customer support platform contains l
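The article's "enumerate through customer ids ... millions of requests" is the pattern a support-platform owner can look for in its own access logs: one credential walking consecutive record IDs at machine speed. The following is an added defensive example, not code from 404 Media, Tile or Life360; it assumes a hypothetical log layout (`<iso-time> <actor> GET /admin/customers/<id> <status>`) and uses constructed log lines with made-up actor names. It flags any actor whose lookups within a sliding time window are both numerous and mostly consecutive IDs, which a human agent handling individual tickets does not produce.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical layout, not Tile's real logs).
# agent-42 looks like ordinary ticket handling; agent-7 walks IDs in order.
SAMPLE_LOG = """\
2024-06-01T10:00:00 agent-42 GET /admin/customers/884213 200
2024-06-01T10:03:15 agent-42 GET /admin/customers/119077 200
2024-06-01T10:07:40 agent-42 GET /admin/customers/553902 200
2024-06-01T11:00:00 agent-7 GET /admin/customers/100001 200
2024-06-01T11:00:00 agent-7 GET /admin/customers/100002 200
2024-06-01T11:00:01 agent-7 GET /admin/customers/100003 200
2024-06-01T11:00:01 agent-7 GET /admin/customers/100004 404
2024-06-01T11:00:01 agent-7 GET /admin/customers/100005 200
2024-06-01T11:00:02 agent-7 GET /admin/customers/100006 200
2024-06-01T11:00:02 agent-7 GET /admin/customers/100007 200
2024-06-01T11:00:02 agent-7 GET /admin/customers/100008 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /admin/customers/(\d+) (\d{3})$")


def parse(log_text):
    """Parse the assumed layout into (timestamp, actor, customer_id, status)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not customer lookups
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), int(m.group(3)), int(m.group(4))))
    return events


def find_enumerators(events, window=timedelta(minutes=5),
                     min_requests=6, min_sequential=0.8):
    """Return actors whose lookups in any `window` are numerous (>= min_requests)
    and mostly consecutive IDs (fraction of +1 steps >= min_sequential)."""
    by_actor = defaultdict(list)
    for ts, actor, cid, _status in events:
        by_actor[actor].append((ts, cid))

    findings = {}
    for actor, reqs in by_actor.items():
        reqs.sort()  # sliding window needs time order
        start = 0
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            count = end - start + 1
            if count < min_requests:
                continue
            ids = [cid for _, cid in reqs[start:end + 1]]
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            ratio = steps / (len(ids) - 1)
            if ratio >= min_sequential:
                prev = findings.get(actor)
                if prev is None or count > prev["requests"]:
                    findings[actor] = {
                        "requests": count,
                        "sequential_ratio": round(ratio, 2),
                        "first_id": ids[0],
                        "last_id": ids[-1],
                    }
    return findings


if __name__ == "__main__":
    for actor, info in find_enumerators(parse(SAMPLE_LOG)).items():
        print(f"ALERT {actor}: {info['requests']} lookups, "
              f"{info['sequential_ratio']:.0%} consecutive, "
              f"ids {info['first_id']}..{info['last_id']}")
```

The thresholds are assumptions to tune against a real baseline; the useful part is pairing volume with the ID-step ratio, because a high request count alone also matches a busy legitimate agent, while a high consecutive-ID ratio with a handful of lookups is coincidence. Pairing the alert with a rate limit on the same endpoint turns the detection into a mitigation.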

Crikeste@lemm.ee on 21 Jun 2024 18:29

Thank you!

CrabAndBroom@lemmy.ml on 21 Jun 2024 18:40

No worries!

delirious_owl@discuss.online on 21 Jun 2024 16:58

So can we now track the location of police? That sounds like valuable data that should be public

Opisek@lemmy.world on 21 Jun 2024 23:38

We need an open source smart tag. I recently researched how the landscape has changed and, as an Android user, still nothing good is available. I’m not sure if I remember right, but Google’s Find My Device was supposed to be open source or at least open spec? Might be worth looking into how easy it would be to code a lil firmware for this network myself. As much as I’d love a tag for things I cannot lose, the current options are throwing money away for no actual useful tracking (Samsung), forfeit your privacy (Tile, perhaps others), sell your soul (Apple).

finalarbiter@lemmy.world on 21 Jun 2024 23:47

There are a few 3rd party solutions that are compatible with Google’s Find My Device coming out this year. Pebblebee just released a few trackers, and iirc Chipolo is working on one too.

Sam_Bass@lemmy.world on 21 Jun 2024 23:46

“This post is for paid members only”. Sounds like a dare

pineapplelover@lemm.ee on 22 Jun 2024 00:19

I guess that crosses Tile off of my list of tracking devices for my belongings. Would I have to deal with an Apple AirTag then?