Unveiling the Privacy Risks Associated with Push Notifications

Andy Greenberg Andrew Couts Matt Burgess

Just days after an international law enforcement operation disrupted LockBit, the ransomware group reemerged with a new dark-web site where it threatened to release documents stolen from Fulton County, Georgia, where Donald Trump and 18 codefendants stand accused of a conspiracy to overturn the 2024 election. But by the time the deadline for Fulton County to pay arrived, all mention of the leak had mysteriously disappeared. Fulton County says it didn’t pay LockBit’s ransom, suggesting that the group may be bluffing. If there is a leak, however, it could wreak havoc on an already chaotic US presidential election, the security of which is already under threat.

Regardless of what’s going on with the Fulton County leak, it’s become clear that ransomware groups are getting faster at rebounding after law enforcement crackdowns. Around two months after the FBI disrupted the ransomware gang known as Blackcat or AlphV, the group successfully attacked Change Healthcare earlier this month, causing ongoing delays at pharmacies around the United States.

US fears over international threats were front and center this week. First, the White House announced a new executive order that aims to prevent “countries of concern,” including China, North Korea, and Russia, from purchasing sensitive data about Americans—a plan that may or may not work. Then the Biden administration said it is launching an investigation into national security threats posed by vehicles imported from China. And the US Department of Commerce imposed sanctions on Canada-based Sandvine, a company whose web-monitoring tech has been used by authoritarian governments to censor the internet.

A study released this week found that Russia has likely launched more than 200 attacks on Ukraine’s power grid since its 2022 full-scale invasion, 66 of which researchers at the Conflict Observatory have confirmed. These attacks are in addition to the blackouts caused by Russia’s military intelligence hacking unit known as Sandworm. In the UK, the interior ministry has been tracking the locations of migrants with GPS devices—a practice ruled illegal by a British court this week.

Meanwhile, the UK version of Pornhub tested a chatbot and warning message built to deter people searching for illegal images of child abuse on the website, finding it resulted in a “meaningful decrease” in the problematic searches. In the world of generative AI, researchers have created a “worm” that is capable of spreading between different AI agents and could potentially be used to steal data or send spam messages. Finally, we rounded up all the major security patches released in the past month—patch as soon as you can.

That’s not all. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The push notifications that populate the screens of our smartphones have become a kind of convenient central dashboard for modern digital life. They also serve, it’s becoming increasingly clear, as a powerful hidden surveillance mechanism.

An investigation by The Washington Post revealed this week that law enforcement has sought push notification data from Google, Apple, Facebook, and other tech companies fully 130 times in recent years. Those requests span 14 states and the District of Columbia and have targeted the data of criminal suspects in cases ranging from terrorism to Covid-19 relief fraud to January 6 insurrectionists to Somali pirates, according to the Post. In three cases, the push notification data was used to identify and arrest alleged abusers of children. In another case, it helped identify an alleged murderer.

Steven Levy

Marah Eakin

Byron Tau

Megan Farokhmanesh

To send those notifications that awaken a device and appear on its screen without a user’s interaction, apps and smartphone operating system makers must store tokens that identify the device of the intended recipient. That system has created what US senator Ron Wyden has called a “digital post office” that can be queried by law enforcement to identify users of an app or communications platform. And while it has served as a powerful tool for criminal surveillance, privacy advocates warn that it could just as easily be turned against others such as activists or those seeking an abortion in states where that’s now illegal.

In many cases, tech firms don’t even demand a court order for the data: Apple, in fact, only demanded a subpoena for the data until December. That allowed federal agents and police to obtain the identifying information without the involvement of a judge until it changed its policy to demand a judicial order.

Europe’s sweeping Digital Markets Act comes into force next week and is forcing major “gatekeeper” tech companies to open up their services. Meta-owned WhatsApp is opening its encryption to interoperate with other messaging apps; Google is giving European users more control over their data; and Apple will allow third-party app stores and the sideloading of apps for the first time.

Apple’s proposed changes have sparked controversy, but as the March 7 implementation date approaches, the company continues to assert that sideloading apps introduces additional security and privacy risks. The company’s white paper suggests that apps from third-party stores could more easily harbor malware or attempt to access personal iPhone data. Apple intends to introduce new checks to ensure app safety.

“We aim to keep the iPhone experience for EU users as secure, privacy-oriented, and safe as possible—although this may not be to the same extent as in other parts of the world,” maintains Apple. The company reports receiving feedback from EU entities, including those in the banking and defense sectors, expressing worry about employees installing third-party apps on their work devices.

WhatsApp achieved a significant legal victory this week against the infamous hacking firm NSO Group in a lengthy lawsuit over alleged breaches of its app and user devices. Judge Phyllis Hamilton ruled in favor of WhatsApp’s demand for NSO Group to surrender the Pegasus spyware code, considered one of the most advanced spyware targeting mobile devices, sometimes exploiting WhatsApp vulnerabilities. The turnover of code—which covers Pegagus versions from 2018 to 2020 and NSO’s documentation relating to its spyware—may aid WhatsApp in substantiating its claims that NSO compromised 1,400 of its users, 100 of whom are members of the “civil society” such as journalists and human rights advocates. “Spyware companies and other bad actors should recognize that they can be caught and will not be allowed to flout the law,” a WhatsApp spokesperson told the Guardian.

Remember this helpful guideline: Avoid placing a device with a camera and internet connection, manufactured by an unknown Chinese brand, in or around your home. In a recent case validating this precept, Consumer Reports disclosed this week that countless video-enabled doorbell brands exhibit notoriously lax security. With many of these devices, anyone can approach your door, press a button to sync their smartphone, and then gain access to your camera. In some instances, acquiring only the device’s serial number enables them to commandeer it remotely from anywhere in the world, as per the investigation. The implicated devices, marketed under the brand names Eken and Tuck, seem to originate from a manufacturer connected to no less than 10 similarly designed devices. These products, despite their obscurity, are reportedly available through major retail platforms such as Amazon, Walmart, Sears, Shein, and Temu, with Amazon previously designating the devices as an “Amazon’s Choice: Overall Pick”—even after being informed about the security vulnerabilities by Consumer Reports.

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Article

Introducing Veeam Data Cloud: Comprehensive Protection for Azure & Microsoft 365

Next Article

The Disconnect Between Open-World Games' Storytelling and Their Best Features

Related Posts