{"id":3319,"date":"2020-05-10T10:07:01","date_gmt":"2020-05-10T06:07:01","guid":{"rendered":"https:\/\/techxmedia.com\/?p=3319"},"modified":"2020-07-23T21:31:54","modified_gmt":"2020-07-23T17:31:54","slug":"a-passwordless-server-run-by-spyware-maker","status":"publish","type":"post","link":"https:\/\/techxmedia.com\/en\/a-passwordless-server-run-by-spyware-maker\/","title":{"rendered":"A passwordless server run by spyware maker"},"content":{"rendered":"\n

As countries work<\/strong> to reopen after weeks of lockdown, contact-tracing apps help to understand the spread of the deadly coronavirus strain, COVID-19.<\/p>\n\n\n\n

While most governments lean toward privacy-focused apps<\/a> that use Bluetooth signals to create an anonymous profile of a person\u2019s whereabouts, others, like Israel, use location and cell phone data to track the spread of the virus.<\/p>\n\n\n\n

Israel-based private security firm NSO Group, <\/strong><\/a> known for making mobile hacking tools<\/a>, is leading one of Israel\u2019s contact-tracing efforts.<\/p>\n\n\n\n

Security researcher Bob Diachenko discovered one of NSO\u2019s contact-tracing systems on the internet, unprotected and without a password, for anyone to access. After he contacted the company, NSO pulled the unprotected database offline. Diachenko said he believes the database contains dummy data.<\/p>\n\n\n\n

NSO told TechCrunch that the system was only for demonstrating its technology and denied it was exposed because of a security lapse. NSO is still waiting for the Israeli government\u2019s approval to feed cell records into the system. But experts say the system should not have been open to begin with, and that centralized databases of citizens\u2019 location data pose a security and privacy risk.<\/p>\n\n\n\n

Codename \u2018Fleming\u2019<\/h2>\n\n\n\n

NSO began work on its contact-tracing system codenamed Fleming in March.<\/p>\n\n\n\n

Fleming is designed to \u201cpour\u201d in confirmed coronavirus test data from the health authorities and phone location data from the cell networks to identify people who may have been exposed to a person with the virus. Anyone who came into close proximity to a person diagnosed with coronavirus would be notified.<\/p>\n\n\n\n

The unprotected database was hosted on an Amazon Web Services server in Frankfurt, where the data protection regime is one of the strictest in the world.<\/p>\n\n\n\n

It contained about six weeks of location data, spanning around March 10 to April 23. It also included specific dates, times and the location of a \u201ctarget\u201d \u2014 a term that NSO used in the database to describe people \u2014 that may have come into contact with a potentially infected person.<\/p>\n\n\n\n

The data also included the duration of the encounter to help score the likelihood of a transmitted infection.<\/p>\n\n\n\n

\u201cNSO Group has successfully developed \u2018Fleming\u2019, an innovative, unique and purely analytical system designed to respond to the coronavirus pandemic,\u201d said Oren Ganz, a director at NSO Group. \u201cFleming has been designed for the benefit of government decision-makers, without compromising individual privacy. This system has been demonstrated worldwide with great transparency to media organizations, and approximately 100 individual countries,\u201d he said.<\/p>\n\n\n\n

TechCrunch was also given a demonstration of how the system works.<\/p>\n\n\n\n

\u201cThis transparent demo, the same shown to individual countries and media organizations, was the one located on the open random server in question, and the very same demo observed today by TechCrunch. All other speculation about this overt, open system is not correct, and does not align with the basic fact this transparent demonstration has been seen by hundreds of people in media and government worldwide,\u201d said Ganz.<\/p>\n\n\n\n

John Scott-Railton, a senior researcher at the Citizen Lab, part of the Munk School at the University of Toronto, said that any database storing location data poses a privacy risk.<\/p>\n\n\n\n

\u201cNot securing a server would be an embarrassment for a school project,\u201d said Scott-Railton. \u201cFor a billion-dollar company to not password protect a secretive project that hopes to handle location and health data suggest a quick and sloppy roll out.\u201d<\/p>\n\n\n\n

\u201cNSO\u2019s case is the precedent that proves the problem: rushed COVID-19 tracking efforts will imperil our privacy and online safety,\u201d he said.<\/p>\n\n\n\n

Israel\u2019s two tracing systems<\/h2>\n\n\n\n

As global coronavirus infections began to spike in March, the Israeli government passed an emergency law<\/a> giving its domestic security service Shin Bet \u201cunprecedented access\u201d<\/a> to collect vast amounts of cell data from the phone companies to help identify possible infections.<\/p>\n\n\n\n

By the end of March, Israeli defense minister Naftali Bennett said the government was working on<\/a> a new contact tracing system, separate from the one used by Shin Bet.<\/p>\n\n\n\n

It was later revealed that NSO was building the second contact-tracing system.<\/p>\n\n\n\n

Tehilla Shwartz Altshuler, a privacy expert and a senior fellow at the Israel Democracy Institute, told TechCrunch that she too was given a demonstration of Fleming over a Zoom call in the early days of the outbreak.<\/p>\n\n\n\n

Without the authority to obtain cell records, NSO told her that it used location data gathered from advertising platforms, or so-called data brokers. Israeli media also reported<\/a> that NSO used advertising data for \u201ctraining\u201d the system.<\/p>\n\n\n\n

Data brokers amass and sell vast troves of location data<\/a> collected from the apps installed on millions of phones. The apps that track your movements and whereabouts are often also selling those locations to data brokers, which then resell the data to advertisers to serve more targeted ads.<\/p>\n\n\n\n

NSO denied it used location data from a data broker for its Fleming demo.<\/p>\n\n\n\n

\u201cThe Fleming demo is not based on real and genuine data,\u201d said Ganz. \u201cThe demo is rather an illustration of public obfuscated data. It does not contain any personal identifying information of any sort.\u201d<\/p>\n\n\n\n

Since governments began to outline their plans for contact-tracing systems, experts warned that location data is not accurate and can lead to both false positives and false negatives. Currently, NSO\u2019s system appears to rely on this data for its core functions.<\/p>\n\n\n\n

\u201cThis kind of location data will not get you a reliable measure of whether two people came into close contact,\u201d said Scott-Railton.<\/p>\n\n\n\n

NSO\u2019s connection to the Middle East<\/h2>\n\n\n\n

Israel is not the only government interested in Fleming. Bloomberg reported in March<\/a> that a dozen nations were allegedly testing NSO\u2019s contact-tracing technology.<\/p>\n\n\n\n

A review of the unprotected database showed large amounts of location data points in Israel, but also Rwanda, Saudi Arabia and the United Arab Emirates.<\/p>\n\n\n\n

Spokespeople for the Saudi, Rwandan and Emirati consulates in New York did not respond to our emails. NSO did not answer our questions about its relationship \u2014 if any \u2014 with these governments.\"\"<\/p>\n\n\n\n

A map showing a sample of about 20,000 location data points across Israel (top-left); Abu Dhabi and Dubai, United Arab Emirates (top-right); Riyadh, Saudi Arabia (bottom-left) and Rwanda (bottom-right). (Image: TechCrunch)<\/p>\n\n\n\n

Saudi Arabia is a known customer of NSO Group. United Nations experts have called for an investigation into allegations that the Saudi government used NSO\u2019s Pegasus spyware to hack into the phone<\/a> of Amazon chief executive Jeff Bezos. NSO has denied the claims.<\/p>\n\n\n\n

NSO is also embroiled in a legal battle<\/a> with Facebook-owned WhatsApp for allegedly building a hacking tool<\/a> designed to be delivered over WhatsApp, which was used to hack into the cell phones of 1,400 users, including government officials, journalists and human rights activists, using AWS servers based in the U.S. and Frankfurt. NSO also rebuffed the claims<\/a>.<\/p>\n\n\n\n

Privacy concerns<\/h2>\n\n\n\n

Experts have expressed concerns over the use of centralized data, fearing that it could become a target for hackers.<\/p>\n\n\n\n

Most countries are favoring decentralized efforts, like the joint project between Apple and Google<\/a>, which uses anonymized Bluetooth signals picked up from phones in near proximity, instead of collecting cell location data into a single database. Bluetooth contact tracing has won the support<\/a> of academics and security researchers over location-based contact-tracing efforts, which they say would enable large-scale surveillance.<\/p>\n\n\n\n

Shwartz Altshuler told TechCrunch that location-based contact tracing is a \u201chuge infringement\u201d of privacy.<\/p>\n\n\n\n

\u201cIt means that you can\u2019t have any secrets,\u201d she said. \u201cYou can\u2019t have any meetings if you\u2019re a journalist, and you can\u2019t go to places where people want to know where you are.\u201d<\/p>\n\n\n\n

Favoring their own contact-tracing efforts, Apple<\/a> and Google have\u00a0already banned<\/a>\u00a0governments building contact-tracing apps utilizing their joint API from using location tracking, fearing that data stored on a centralized server could be breached.<\/p>\n\n\n\n

Just this week, the U.S. and U.K. governments warned<\/a> that nation-state hackers are targeting organizations involved in the coronavirus response.<\/p>\n\n\n\n

Alan Woodward, a professor at the University of Surrey, said location data makes it \u201cpossible to build social graphs and to begin identifying who met who, when and where.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"

As countries work to reopen after weeks of lockdown, contact-tracing apps […]<\/p>\n","protected":false},"author":40,"featured_media":3320,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[1670],"contributor":[],"class_list":["post-3319","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-other-tech-events","tag-apple"],"featured_image_src":"https:\/\/techxmedia.com\/en\/wp-content\/uploads\/2020\/05\/fleming-webpage-1.jpg","author_info":{"display_name":"Techx Admin","author_link":"https:\/\/techxmedia.com\/en\/author\/techxadmin\/"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/posts\/3319","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/comments?post=3319"}],"version-history":[{"count":0,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/posts\/3319\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/media\/3320"}],"wp:attachment":[{"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/media?parent=3319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/categories?post=3319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/tags?post=3319"},{"taxonomy":"contributor","embeddable":true,"href":"https:\/\/techxmedia.com\/en\/wp-json\/wp\/v2\/contributor?post=3319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}