Malicious AdTech Spies on People as NatSec Targets
2024-1-26 02:22:5 Author: securityboulevard.com (view original) Reads: 13

(Pictured: Rafi Ton)

Patternz and Nuviad enable potentially hostile governments to track individuals by misusing ad bidding.

Two companies are allegedly tracking targeted individuals on behalf of security services, it’s been revealed. In theory, the pair are separate firms, but in practice they appear joined at the hip.

Tens of thousands of phone apps are unwittingly playing a part. National security agencies around the world can precisely target a person of interest, track their movements, watch their proximity to others and even push malware to their devices.

The CEO of both is Rafi Ton (pictured). In today’s SB Blogwatch, we unpick the supposedly sordid story.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: An adless ad.

Targeted Ads Target Targets

What’s the craic? Joseph Cox reports—“Inside a Global Phone Spy Tool Monitoring Billions”:

AdTech
Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability. [It] starts with ads … and ends with the apps’ users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people. … The company says it can also help push malware to targets.

Patternz’s marketing material explicitly mentions real time bidding. This is where companies in the online ad industry try to outbid one another to have their ad placed in front of a certain type of user. But a side effect is that companies, including surveillance firms, can obtain data on individual devices such as the latitude and longitude of the device.

Patternz says it has a “fully commercial and operational AdTech arm.” … Rafi Ton, the CEO of Patternz at one point, … is also CEO of Nuviad. … This week Google said it has decided to terminate Nuviad’s Authorized Buyer account, which is what allows Nuviad to interact with Google’s ad network.

Is this news? Ben Lovejoy explains why—“Patternz: ‘An ad-based spy tool monitoring billions’”:

The villain
Patternz strikes deals with smaller ad networks, willing to engage in shady practices, to gather the device fingerprints, and to use them to trigger surveillance. … When Apple changed the rules, to require apps to seek your permission before tracking you, it wasn’t long before companies started working on a backdoor method of achieving the same thing: Device fingerprinting.

This is done by abusing an … ad tool known as real-time bidding: … If you’re a widget maker wanting to sell to iPhone 15 users in the US with an interest in cars, you can compete with other advertisers seeking the same audience. The bidding process reveals how many users are available which match.

The problem is that the security services can pose as an ad bidder, put in a massively-specific set of target criteria – so specific that it will identify particular individuals – and then obtain a vast amount of sensitive data. … The study identified 61,894 iOS apps being used in this way – without their knowledge. The villain here is the company behind Patternz, not the app developers.
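The two articles quoted above describe the same leak from opposite ends: a bid request carries precise coordinates and a persistent device identifier, and a bidder with narrow enough criteria can turn that into a single person. The script below is an added example, not code from the article, from Patternz or Nuviad, or from any ad network; it assumes OpenRTB-style field names (device.geo.lat/lon, device.ifa, device.ip, user.id) and uses a constructed bid request. It audits a request for the fields that make it re-identifiable, then applies the data minimization a supply-side platform or app SDK could perform before fanning the request out to bidders it does not control.

```python
"""Audit and minimize an ad bid request before it reaches arbitrary bidders.

Added example (not the article's or any vendor's code). Field names follow
the OpenRTB convention as an assumption; the sample request is constructed.
"""
import copy
from decimal import Decimal
from typing import Any

# Fields that identify a handset or person across requests (assumed OpenRTB names).
DEVICE_IDENTIFIERS = ("ifa", "ip", "ipv6", "dpidsha1", "dpidmd5", "macsha1", "macmd5")
USER_IDENTIFIERS = ("id", "buyeruid")
# Geo sub-fields that would let a bidder re-sharpen a coarsened fix.
GEO_SHARPENERS = ("accuracy", "lastfix", "ipservice")
# Two decimal places is roughly a 1 km cell: enough for city-level targeting,
# not enough to place a gym app next to a specific military base.
GEO_DECIMALS = 2

# Constructed sample: a fitness app on an iPhone reporting a 5 m accurate fix.
SAMPLE_REQUEST: dict[str, Any] = {
    "id": "req-0001",
    "app": {"bundle": "com.example.fitness", "name": "Example Fitness"},
    "device": {
        "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_2 like Mac OS X)",
        "ifa": "8A7E3B2C-1F4D-4E6A-9B0C-5D2E7F8A9B1C",
        "ip": "203.0.113.42",
        "make": "Apple",
        "model": "iPhone",
        "geo": {"lat": 51.507351, "lon": -0.127758, "accuracy": 5, "type": 1},
    },
    "user": {"id": "u-998877", "yob": 1979, "gender": "M"},
}


def _decimal_places(value: float) -> int:
    """Number of decimal places in a coordinate, e.g. 51.507351 -> 6."""
    exponent = Decimal(str(value)).as_tuple().exponent
    return -exponent if isinstance(exponent, int) and exponent < 0 else 0


def exposure_findings(request: dict[str, Any]) -> list[str]:
    """List what a hostile bidder could learn from this request as sent."""
    findings: list[str] = []
    device = request.get("device", {})
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        value = geo.get(key)
        if value is not None and _decimal_places(value) > GEO_DECIMALS:
            findings.append("precise_geo")
            break
    if any(key in device for key in DEVICE_IDENTIFIERS):
        findings.append("device_identifier")
    if any(key in request.get("user", {}) for key in USER_IDENTIFIERS):
        findings.append("user_identifier")
    return findings


def coarsen_geo(geo: dict[str, Any], decimals: int = GEO_DECIMALS) -> dict[str, Any]:
    """Round coordinates to a coarse cell and drop fields that re-sharpen them."""
    out = {k: v for k, v in geo.items() if k not in GEO_SHARPENERS}
    for key in ("lat", "lon"):
        if out.get(key) is not None:
            out[key] = round(float(out[key]), decimals)
    return out


def minimize_bid_request(request: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with persistent identifiers removed and location coarsened.

    Targeting signals that do not single out a person (app bundle, device
    make/model, coarse geo, demographics) are left in place so the auction
    still works; the original request is not modified.
    """
    req = copy.deepcopy(request)
    device = req.setdefault("device", {})
    for key in DEVICE_IDENTIFIERS:
        device.pop(key, None)
    if "geo" in device:
        device["geo"] = coarsen_geo(device["geo"])
    user = req.setdefault("user", {})
    for key in USER_IDENTIFIERS:
        user.pop(key, None)
    return req


if __name__ == "__main__":
    print("before:", exposure_findings(SAMPLE_REQUEST))
    safe = minimize_bid_request(SAMPLE_REQUEST)
    print("after: ", exposure_findings(safe))
    print("geo sent to bidders:", safe["device"]["geo"])
```

Run as written, the audit flags precise geo, a device identifier and a user identifier on the constructed request, and reports nothing after minimization; the coordinates that reach bidders are rounded to 51.51, -0.13. The point of the audit function is that it can be run over a sample of real outbound bid requests from an SDK or exchange to measure how much of this exposure exists today, independently of whether the minimizer is deployed.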

ELI5? lifeisstillgood explains like you’re five:

Foreign spy company signs up for one of the many real time bidding ad networks, pretends to bid on many many adverts and starts to de-anonymize ad bids. [It] starts unpicking the 45 y/o male who has a gym app that locates him next to the military base, but also drinks in the … pub on the base and visits the cycle-maniac website.

And suddenly you are tracking the colonel at the base.

AdTech considered harmful? Say it ain’t so! Pollux says it is so:

I’ve tried to explain to people why data harvesting is a dangerous thing. The response I typically get is, “It’s only advertising, what harm is there?” The harm is when the data collectors only care about money. … The scum that trade in personal data are as ruthless as the Ferengi, and they’ll sell to marketers and insurance companies and the police and Uncle Sam and the CCP, if the price is right. … This is why we need regulation.

Don’t be surprised one day when you get a letter from your insurance company saying that your rates are increasing because some app on your phone monitored you and determined that you’re an increased risk. [Or] if you get arrested immediately after entering a foreign country, because that country has an extradition treaty with China, who has a warrant for your arrest because you posted a picture of Winnie the Pooh waving a Chinese flag.

There oughta be a law, or something. BLKNSLVR asks a “semi rhetorical question”:

Is it too late to introduce legislation protecting this kind of private data? … Is the industry profiting from gathering, shifting, mining, selling this data … enough that it would cause an employment problem?

Is it likely that, even if the legislation doesn’t have favoritism carve-outs for specific groups/companies, the industry would find ways around it? With the end game being: Nothing changes.

What can we do? Hannibal Lester pours a nice Chianti: [You’re fired—Ed.]

This adds to the reasons I stick to 1st party apps and disable all notifications, almost exclusively. 3rd party apps just aren’t worth the headache.

The irony of Google shutting off the AdTech company, though. Here’s JohnFen:

Most companies seem to be of the opinion that spying is bad except when they’re the ones doing it. … Companies don’t tend to worry about protecting the privacy of their users from themselves.

Regardless, at least in the tech space, companies don’t actually seem to take that professional and ethical obligation very seriously. Just look at how common it is for tech companies to sell their users’ data or allow targeted ad companies in.

Meanwhile, pr0t0 is ready to dump their phone:

I’m not an off-grid living doomsday prepper type who transacts in cash with the security threads pulled out, but damn, stuff like this makes me wonder if I might just be better off using a dumb flip phone. If nothing else, it would probably force me to live more “in the moment.”

Then again, it would also force me to go back to terrestrial radio for music in the car. … I don’t think I can do that.

And Finally:

But first, a lorem ipsum from our sponsor

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Article source: https://securityboulevard.com/2024/01/patternz-nuviad-adtech-spies-richixbw/