CHAPTER THIRTEEN

Things Your Boss Doesn’t Want You to Know

If you’ve read this far, you’re obviously concerned about privacy, but for most of us it’s not a matter of hiding from the federal government. Rather, we know that when we’re at work, our employers can see exactly what we’re doing online over their networks (e.g., shopping, playing games, goofing off). A lot of us just want to cover our asses!

And that’s getting harder to do, thanks in part to the cell phones we carry. Whenever Jane Rodgers, finance manager of a Chicago landscaping company, wants to know whether her employees in the field are where they should be, she pulls up their exact locations on her laptop. Like many managers and company owners, she is turning to tracking software on corporate-owned, personally enabled (COPE) smartphones and service trucks with GPS devices to surveil her employees. One day a customer asked Jane whether one of her landscapers had been out to perform a service. After a few keystrokes, Jane verified that between 10:00 a.m. and 10:30 a.m. one of her employees had been to the specified place.

The telematics service Rodgers uses provides capabilities beyond geolocation. For example, on her nine company-owned phones she can also view photos, text messages, and e-mails sent by her gardeners. She also has access to their call logs and website visits. But Rodgers says she only uses the GPS feature.1

GPS tracking in the service industry has been available for a long time. It, along with United Parcel Service’s own ORION system of algorithmic route selection, has allowed the package delivery company to cut down on gas expenses by monitoring and suggesting optimized routes for its drivers. The company was also able to crack down on lazy drivers. In these ways, UPS has increased its volume by 1.4 million additional packages per day—with one thousand fewer drivers.2

All this is good for the employers, who argue that by squeezing out higher margins they can in turn afford to pay better wages. But how do employees feel? There is a downside to all this surveillance. In an analysis, Harper’s magazine featured a profile of a driver who was electronically monitored while at work. The driver, who did not give his name, said that the software timed his deliveries to the second and informed him whenever he was under or over optimal time. At the end of a typical day, the driver said he might be over by as much as four hours.

Slacking off? The driver pointed out that a single stop might include multiple packages—which the ORION software does not always account for. The driver described coworkers in his New York distribution center who were battling chronic pain in their lower backs and knees from trying to carry too much in a single trip—despite constant reminders from the company regarding proper handling of heavy loads—in order to keep up with the software. So there’s one kind of human cost to this employee monitoring.

Another place where work surveillance is used regularly is the food service industry. From cameras in the ceilings of restaurants to kiosks at the tabletop, wait staff can be watched and rated by various software systems. A 2013 study by researchers from Washington University, Brigham Young University, and MIT found that theft-monitoring software used in 392 restaurants produced a 22 percent reduction in server-side financial theft after it was installed.3 As I mentioned, actively monitoring people does change their behavior.

There are currently no federal statutes in the United States to prohibit companies from tracking their employees. Only Delaware and Connecticut require employers to tell employees when they are being tracked. In most states, employees have no idea whether they are being watched at work.

What about employees in the office? The American Management Association found that 66 percent of employers monitor the Internet use of their employees, 45 percent track employee keystrokes at the computer (noting idle time as potential “breaks”), and 43 percent monitor the contents of employee e-mail.4 Some companies monitor employees’ Outlook calendar entries, e-mail headers, and instant-messaging logs. The data is ostensibly used to help companies figure out how their employees are spending their time—from how much time salespeople are spending with customers to which divisions of the company are staying in touch by e-mail to how much time employees are spending in meetings or away from their desks.

Of course there’s a positive spin: having such metrics means that the company can be more efficient in scheduling meetings or in encouraging teams to have more contact with each other. But the bottom line is that someone is collecting all this corporate data. And it could someday be turned over to law enforcement or at the very least used against you in a performance review.

You are not invisible at work. Anything passing through a corporate network belongs to the company—it is not yours. Even if you are checking your personal e-mail account, your last order with Amazon, or planning a vacation, you are probably using a company-issued phone, laptop, or VPN, so expect to have someone monitoring everything you do.

Here’s an easy way to keep your manager and even your coworkers from snooping: when you leave your desk to go to a meeting or the bathroom, lock your computer screen. Seriously. Don’t leave your e-mail, or details about the project you’ve spent weeks on, open—just sitting there for someone to mess with. Lock your computer until you return to your screen. It takes a few extra seconds, but it’ll spare you a lot of grief. Set a timer in the operating system to lock the screen after a certain number of seconds. Or look into one of the Bluetooth apps that will automatically lock your screen if your mobile phone is not near the computer. That said, there is a new attack that uses a weaponized USB device. A lot of offices seal the USB ports on their laptops and desktops, but if yours doesn’t, a weaponized USB stick could still unlock your computer without a password.5

In addition to corporate secrets, there’s also a fair amount of personal e-mail that passes through our computers during the workday, and sometimes we print it out for ourselves while in the office. If you are concerned about privacy, don’t do anything personal while at work. Keep a strict firewall between your work life and your home life. Or bring a personal device such as a laptop or an iPad from home if you feel the need to do personal stuff while on break. And if your mobile device is cellular-enabled, never use the company Wi-Fi, and, further, turn off the SSID broadcast if you are using a portable hotspot (see here). Only use cellular data when conducting personal business at work.

Really, once you arrive at your office, your public game face needs to be on. Just as you wouldn’t talk about really personal things with your casual office mates, you need to keep your personal business off the company computer systems (especially when you’re searching for health-related topics or looking for a new job).

It’s harder than it sounds. For one thing, we’re used to the ubiquity of information and the nearly universal availability of the Internet. But if you are going to master the art of invisibility, you have to prevent yourself from doing private things in public.

Assume that everything you type into your office computer is public. That doesn’t mean that your IT department is actively monitoring your particular device or will ever act on the fact that you printed out your child’s science fair project on the expensive color printer on the fifth floor—although they might. The point is, there’s a record that you did these things, and should there be suspicion in the future, they can access the records of everything you did on that machine. It’s their machine, not yours. And it’s their network. That means they’re scanning the content that flows in and out of the company.

Consider the case of Adam, who downloaded his free credit report on his work computer. He logged in to the credit bureau’s site using the company computer over the company network. Let’s say you, like Adam, also download your credit report at work. You want to print it out, right? So why not send it to the company printer over in the corner? Because if you do, there will be a copy of the PDF file containing your credit history sitting on the hard drive of the printer. You don’t control that printer. And after the printer is retired and removed from the office, you don’t have control over how that hard drive is disposed of. Some printers are now encrypting their drives, but can you be sure that the printer in your office is encrypted? You can’t.

That’s not all. Every Word or Excel document that you create using Microsoft Office includes metadata that describes the document. Typically document metadata includes the author’s name, the date created, the number of revisions, and the file size as well as an option to add more details. This is not enabled by default by Microsoft; you have to go through some hoops to see it.6 Microsoft has, however, included a Document Inspector that can remove these details before you export the document elsewhere.7
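To make that metadata concrete, here is an added example (not from the book or from Microsoft): a small Go program that builds a minimal .docx, which is a ZIP archive whose author, last editor, revision count and timestamps sit in the part docProps/core.xml, and then blanks those values the way a Document Inspector pass does. The document and its property values are constructed sample data, and the list of elements treated as identifying is an assumption made here.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"regexp"
)

// Constructed docProps/core.xml as Word writes it into a .docx (sample values, not from any real file).
const sampleCoreXML = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Q3 budget</dc:title>
<dc:creator>Jane Employee</dc:creator>
<cp:lastModifiedBy>Jane Employee</cp:lastModifiedBy>
<cp:revision>14</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2015-03-02T09:15:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2015-03-09T17:42:00Z</dcterms:modified>
</cp:coreProperties>`

// Properties that reveal who wrote and edited the file and when; the title is deliberately left alone.
var identifyingProps = regexp.MustCompile(`<(dc:creator|cp:lastModifiedBy|cp:revision|dcterms:created|dcterms:modified)(?:\s[^>]*)?>[^<]*</(?:dc:creator|cp:lastModifiedBy|cp:revision|dcterms:created|dcterms:modified)>`)

// BuildSampleDocx assembles a minimal OOXML package. A .docx is a ZIP archive
// in which the document body and the metadata are separate parts.
func BuildSampleDocx() ([]byte, error) {
	parts := []struct{ name, body string }{
		{"word/document.xml", `<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>`},
		{"docProps/core.xml", sampleCoreXML},
	}
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, p := range parts {
		w, err := zw.Create(p.name)
		if err != nil {
			return nil, err
		}
		if _, err := w.Write([]byte(p.body)); err != nil {
			return nil, err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func readPart(f *zip.File) ([]byte, error) {
	rc, err := f.Open()
	if err != nil {
		return nil, err
	}
	defer rc.Close()
	return io.ReadAll(rc)
}

// StripIdentifyingMetadata rewrites the package, blanking author, last editor, revision count and
// timestamps in core.xml and copying every other part as is. It also returns the cleaned core.xml text.
func StripIdentifyingMetadata(docx []byte) (clean []byte, coreXML string, err error) {
	zr, err := zip.NewReader(bytes.NewReader(docx), int64(len(docx)))
	if err != nil {
		return nil, "", err
	}
	var out bytes.Buffer
	zw := zip.NewWriter(&out)
	for _, f := range zr.File {
		data, err := readPart(f)
		if err != nil {
			return nil, "", err
		}
		if f.Name == "docProps/core.xml" {
			data = identifyingProps.ReplaceAll(data, []byte("<${1}/>"))
			coreXML = string(data)
		}
		w, err := zw.Create(f.Name)
		if err != nil {
			return nil, "", err
		}
		if _, err := w.Write(data); err != nil {
			return nil, "", err
		}
	}
	if err := zw.Close(); err != nil {
		return nil, "", err
	}
	return out.Bytes(), coreXML, nil
}

func main() {
	docx, err := BuildSampleDocx()
	if err != nil {
		panic(err)
	}
	_, after, err := StripIdentifyingMetadata(docx)
	if err != nil {
		panic(err)
	}
	fmt.Printf("before:\n%s\n\nafter:\n%s\n", sampleCoreXML, after)
}
```

Custom properties in docProps/custom.xml and comments or tracked changes inside word/document.xml are not touched here; a full inspector pass covers those parts too.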

A 2012 study sponsored by Xerox and McAfee found that 54 percent of employees say they don’t always follow their company’s IT security policies, and 51 percent of employees whose workplace has a printer, copier, or multifunction printer say they’ve copied, scanned, or printed confidential personal information at work. And it’s not just work: the same goes for printers at the local copy shop and the local library. They all contain hard drives that remember everything they’ve printed over their lifetimes. If you need something personal printed out, perhaps you should print it out later at home, on a network and printer over which you have control.

Spying, even on employees, has gotten very creative. Some companies enlist nontraditional office devices that we might otherwise take for granted, never imagining they could be used to spy on us. Consider the story of a young Columbia University graduate student named Ang Cui. Wondering if he could hack into a corporate office and steal sensitive data through nontraditional means, Cui decided first to attack laser printers, a staple in most offices today.

Cui noticed that printers were way behind the times. During several pen tests, I have observed this as well. I have been able to leverage the printer to get further access into the corporate network. This is because workers rarely change the admin password on printers that are internally deployed.

The software and the firmware used in printers—especially commercial printers for the home office—contain a lot of basic security flaws. The thing is, very few people see an office printer as vulnerable. They think they’re enjoying what’s sometimes called “security by obscurity”—if no one notices the flaw, then you are safe.

But as I’ve said, printers and copy machines, depending on the model, have one important thing in common—they both may contain hard drives. And unless that hard drive is encrypted—and many are still not—it is possible to access what has been printed at a later date. All this has been known for years. What Cui wondered was if he could turn a company printer against its owners and exfiltrate whatever was printed.

To make things more interesting, Cui wanted to attack the printer’s firmware code, the programming embedded inside a chip within the printer. Unlike our traditional PCs and mobile devices, digital TVs and other “smart” electronics do not have the power or the processing resources to run a full-blown operating system such as Android, Windows, or iOS. Instead these devices use what’s called a real-time operating system (RTOS), which is stored on individual chips inside the device (frequently known as firmware). These chips store only the commands needed to operate the system and not much else. Occasionally even these simple commands need to be updated by the manufacturer or vendor by flashing or replacing the chips. Given that this is done so infrequently, it’s obvious that many manufacturers simply did not build in the proper security measures. This lack of updating was the vector that Cui decided to pursue for his attack.

Cui wanted to see what would happen if he hacked the file format HP used for its firmware updates, and he discovered that HP didn’t check the validity of each update. So he created printer firmware of his own—and the printer accepted it. Just like that. There was no authentication on the printer’s side that the update came from HP. The printer only cared that the code was in the expected format.

Cui now was free to explore.

In one famous experiment, Cui reported that he could turn on the fuser bar, the part of the printer that heats the paper after the ink has been applied, and leave it on, which would cause the printer to catch fire. The vendor—not HP—immediately responded by arguing that there was a thermal fail-safe within the fuser bar, meaning the printer could not overheat. However, that was Cui’s point—he’d managed to turn that fail-safe feature off so that the machine could actually catch fire.

As a result of these experiments, Cui and his adviser, Salvatore Stolfo, argued that printers were weak links in any organization or home. For example, the HR department of a Fortune 500 company might receive a maliciously coded résumé file over the Internet. In the time it takes the hiring manager to print that document, the printer through which it travels could be fully compromised by installing a malicious version of the firmware.

To prevent someone from grabbing your documents off the printer, use secure printing, also known as pull printing, which ensures that documents are released only after the user authenticates at the printer (usually a passcode must be entered before the document will print). This can be done by using a PIN, smart card, or biometric fingerprint. Pull printing also eliminates unclaimed documents, preventing sensitive information from lying around for everyone to see.8

Building on his printer attacks, Cui began to look around the typical office for other common objects that might be vulnerable and settled on Voice over Internet Protocol (VoIP) telephones. As with printers, no one had appreciated the hidden yet obvious-once-you-thought-about-it value of these devices in collecting information. And as with a printer, an update to the system can be faked and accepted by the VoIP phone.

Most VoIP phones have a hands-free option that allows you to put someone on speakerphone in your cubicle or office. Which means there’s not only a speaker but also a microphone on the outside of the handset. There’s also an “off the hook” switch, which tells the phone when someone has picked up the receiver and wants to make or listen to a call as well as when the receiver has been put back and the speakerphone is enabled. Cui realized that if he could compromise the “off the hook” switch, he could make the phone listen to conversations nearby via the speakerphone microphone—even when the receiver was on the hook!

One caveat: unlike a printer, which can receive malicious code via the Internet, VoIP phones need to be “updated” individually by hand. This requires the code to be propagated using a USB drive. Not a problem, Cui decided. For a price, a night janitor could install the code on each phone with a USB stick as he or she cleaned the office.

Cui has presented this research at a number of conferences, each time using different VoIP telephones. And each time the vendor was notified in advance, and each time the vendor did produce a fix. But Cui has pointed out that just because a patch exists doesn’t mean it gets applied. Some of the unpatched phones might still be sitting in offices, hotels, and hospitals right now.

So how did Cui get the data off the phone? Since office computer networks are monitored for unusual activity, he needed another means of extracting the data. He decided to go “off network” and use radio waves instead.

Previously, researchers at Stanford University and in Israel found that having your mobile phone positioned next to your computer can allow a remote third party to eavesdrop on your conversations. The trick requires malware to be inserted onto your mobile device. But with maliciously coded apps available for download from rogue app stores, that’s easy enough, right?

Once the malware is installed on your mobile phone, it can read the phone’s gyroscope, which is sensitive enough to pick up slight vibrations. The malware in this case, researchers say, can also pick up minute air vibrations, including those produced by human speech. Google’s Android operating system allows movements from the sensors to be read at 200 Hz, or 200 cycles per second. Most human voices range from 80 to 250 Hz. That means the sensor can pick up a significant portion of those voices. Researchers even built a custom speech-recognition program designed to interpret the 80–250 Hz signals further.9

Cui found something similar within the VoIP phones and printers. He found that the fine pins sticking out of just about any microchip within any embedded device today could be made to oscillate in unique sequences and therefore exfiltrate data over radio frequency (RF). This is what he calls a funtenna, and it is a virtual playground for would-be attackers. Officially, says security researcher Michael Ossmann, whom Cui credits for the idea, “a funtenna is an antenna that was not intended by the designer of the system to be an antenna, particularly when used as an antenna by an attacker.”10

Aside from a funtenna, what are some other ways people can spy on what you do at work?

Researchers in Israel have found that ordinary cell phones can—with malware installed—be made to receive binary data from computers. And previously, Stanford researchers found that mobile phone sensors could intercept the sound of electronic emissions from a wireless keyboard.11 This builds on similar research conducted by scientists at MIT and Georgia Tech.12 Suffice it to say that everything you type or view or use in the office can be listened to in one way or another by a remote third party.

For instance, say you use a wireless keyboard. The wireless radio signal sent from the keyboard to the laptop or desktop PC can be intercepted. Security researcher Samy Kamkar developed something called KeySweeper that’s designed to do just that: a disguised USB charger that wirelessly and passively looks for, decrypts, logs, and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.13

We’ve discussed the danger of using bogus hotspots at cafés and airports. The same can be true in offices. Someone in your office may set up a wireless hotspot, and your device might automatically connect to it. IT departments typically scan for such devices, but sometimes they don’t.

A modern equivalent of bringing your own hotspot to the office is bringing your own cellular connection. Femtocells are small devices available from your mobile carrier. They’re designed to boost cellular connections within a home or office where the signal might be weak. They are not without privacy risks.

First of all, because femtocells are base stations for cellular communications, your mobile device will often connect to them without informing you. Think about that.

In the United States, law enforcement uses something called a StingRay, also known as an IMSI catcher, a cell-site simulator. Additionally there are TriggerFish, Wolfpack, Gossamer, and swamp box. Though the technologies vary, these devices basically all act like a femtocell without the cellular connection. They’re designed to collect the international mobile subscriber identity, or IMSI, from your cellular phone. Their use in the United States is significantly behind that of Europe—for now. IMSI catchers are used at large social protests, for example, to help law enforcement identify who was at the assembly. Presumably the organizers will be on their phones, coordinating events.

After a protracted legal battle, the American Civil Liberties Union of Northern California obtained documents from the government detailing how it goes about using StingRay. For example, law enforcement agents are told to obtain a pen register or a trap-and-trace court order. Pen registers have been used to obtain phone numbers, a record of digits dialed on a phone. Trap-and-trace technology has been used to collect information about received calls. In addition, law enforcement can, with a warrant, legally obtain the voice recording of a phone call or the text of an e-mail. According to Wired, the documents received by the ACLU state that the devices “may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III order.”14 A Title III order allows for real-time interception of communication.

Let’s say you’re not under surveillance by law enforcement. Let’s say you’re in an office that is highly regulated—for example, at a public utility. Someone may install a femtocell to allow personal communications outside the utility’s normal call-logging system. The danger is that the coworker with the modified femtocell at his or her desk could perform a man-in-the-middle attack, and he or she could also listen in on your calls or intercept your texts.

In a demonstration at Black Hat USA 2013, researchers were able to capture voice calls, SMS text messages, and even Web traffic from volunteers in the audience on their Verizon femtocells. The vulnerability in Verizon-issued femtocells had already been patched, but the researchers wanted to show companies that they should avoid using them anyway.

Some versions of Android will inform you when you switch cellular networks; iPhones will not. “Your phone will associate to a femtocell without your knowledge,” explained researcher Doug DePerry. “This is not like Wi-Fi; you do not have a choice.”15

One company, Pwnie Express, produces a device called Pwn Pulse that identifies femtocells and even IMSI catchers such as StingRay.16 It gives companies the ability to monitor cellular networks around them. Tools like these, which detect the full spectrum of potential cellular threats, were once bought largely by the government—but not anymore.

As user-friendly as it is, Skype is not the friendliest when it comes to privacy. According to Edward Snowden, whose revelations were first published in the Guardian, Microsoft worked with the NSA to make sure that Skype conversations could be intercepted and monitored. One document boasts that an NSA program known as Prism monitors Skype video, among other communications services. “The audio portions of these sessions have been processed correctly all along, but without the accompanying video. Now, analysts will have the complete ‘picture’,” the Guardian wrote.17

In March of 2013, a computer-science graduate student at the University of New Mexico found that TOM-Skype, a Chinese version of Skype created through a collaboration between Microsoft and the Chinese company TOM Group, uploads keyword lists to every Skype user’s machine—because in China there are words and phrases you are not permitted to search for online (including “Tiananmen Square”). TOM-Skype also sends the Chinese government the account holder’s username, the time and date of transmission, and information about whether the message was sent or received by the user.18

Researchers have found that even very high-end videoconferencing systems—the expensive kind, not Skype—can be compromised by man-in-the-middle attacks. That means the signal is routed through someone else before it arrives at your end. The same is true with audio conferences. Unless the moderator has a list of numbers that have dialed in, and unless he has asked to verify any questionable numbers—say, area codes outside the United States—there is no way to prove or determine whether an uninvited party has joined. The moderator should call out any new arrivals and, if they fail to identify themselves, hang up and use a second conference-call number instead.

Say your office has spent big bucks and bought a really expensive videoconferencing system. You’d think it would be more secure than a consumer-grade system. But you’d be wrong.

In looking at these high-end systems, researcher H. D. Moore found that almost all of them default to auto-answer incoming video calls. That makes sense. You set a meeting for 10:00 a.m., and you want participants to dial in. However, it also means that at some other time of day, anyone who knows that number could dial in and, well, literally take a peek at your office.

“The popularity of video conferencing systems among the venture capital and finance industries leads to a small pool of incredibly high-value targets for any attacker intent on industrial espionage or obtaining an unfair business advantage,” Moore wrote.19

How hard is it to find these systems? Conferencing systems use a distinctive protocol, H.323. So Moore looked at a sliver of the Internet and identified 250,000 systems using that protocol. He estimates from that number that fewer than five thousand of these were configured to auto-answer—a small percentage of the whole, but still a very large number by itself. And that’s not counting the rest of the Internet.

What can an attacker learn from hacking such a system? The conferencing system camera is under the control of the user, so a remote attacker could tilt it up, down, left, or right. In most cases the camera does not have a red light to indicate that it’s on, so unless you are watching the camera, you might not be aware that someone has moved it. The camera can also zoom in. Moore said his research team was able to read a six-digit password posted on a wall twenty feet from the camera. They could also read e-mail on a user’s screen across the room.

Next time you’re at the office, consider what can be seen from the videoconferencing camera. Perhaps the department’s organizational chart is on the wall. Perhaps your desktop screen faces the conference room. Perhaps pictures of your kids and spouse are visible as well. That’s what a remote attacker could see and possibly use against your company or even you personally.

Some system vendors are aware of this issue. Polycom, for example, provides a multipage hardening (security-strengthening) guide, even limiting the repositioning of the camera.20 However, IT staffers don’t usually have the time to follow guidelines like these, and they often don’t even deem security a concern. There are thousands of conferencing systems on the Internet with default settings enabled.

The researchers also discovered that corporate firewalls don’t know how to handle the H.323 protocol. They suggest giving the device a public Internet address and setting a rule for it within the corporate firewall.

The biggest risk is that many of the administration consoles for these conferencing systems have little or no security built in. In one example, Moore and his team were able to access a law firm’s system, which contained an address-book entry for the boardroom of a well-known investment bank. The researchers had purchased a used videoconferencing device from eBay, and when it arrived its hard drive still had old data on it—including the address book, which listed dozens of private numbers, many of which were configured to auto-answer incoming calls from the Internet at large.21 As with old printers and copy machines, if it has a hard drive, you need to securely wipe the data from it before you sell it or donate it (see here).

Sometimes at work we are tasked with collaborating on a project with a colleague who may be halfway across the planet. Files can be shared back and forth over corporate e-mail, but sometimes they’re so large that e-mail systems will simply balk and not accept them as attachments. Increasingly, people have been using file-sharing services to send large files back and forth.

How secure are these cloud-based services? It varies.

The four big players—Apple’s iCloud, Google Drive, Microsoft’s OneDrive (formerly SkyDrive), and Dropbox—all provide two-step verification. That means you will receive an out-of-band text on your mobile device containing an access code to confirm your identity. And while all four services encrypt the data while it is in transit, you must—if you don’t want the company or the NSA to read it—encrypt the data before you send it.22

There the similarities end.

Two-factor authentication is important, but I can still bypass this by hijacking unused accounts. For example, I recently did a pen test where the client added Google’s 2FA to their VPN website using publicly available tools. The way I was able to get in was by obtaining the active directory log-in credentials for a user who didn’t sign up to use the VPN portal. Since I was the first to log in to the VPN service, I was prompted to set up 2FA using Google Authenticator. If the employee never accesses the service himself, then the attacker will have continued access.

For data at rest, Dropbox uses 256-bit AES encryption (which is pretty strong). However, it retains the keys, which could lead to unauthorized access by Dropbox or law enforcement. Google Drive and iCloud use a considerably weaker 128-bit encryption for data at rest. The concern here is that the data could potentially be decrypted by strong computational force. Microsoft OneDrive doesn’t bother with encryption, which leads one to suspect that this was by design, perhaps at the urging of some governments.

Google Drive has introduced a new information rights management (IRM) feature. In addition to the documents, spreadsheets, and presentations created within Google Docs, Google Drive now accepts PDF and other file formats as well. Useful features include the ability to disable the download, print, and copy capabilities for commenters and viewers. You can also prevent anyone from adding additional people to a shared file. Of course these management features are only available to file owners. That means if someone has invited you to share a file, that person has to set the privacy restrictions, not you.

Microsoft has also introduced a unique per-file encryption feature, which is what it sounds like: a feature that encrypts each individual file with its own key. If one key is compromised, only that individual file will be affected rather than the whole archive. But this is not the default, so users will have to get in the habit of encrypting each file themselves.

Which seems like a good recommendation overall. Employees and users in general should get used to encrypting data before it gets sent to the cloud. That way you retain control of the keys. If a government agency comes knocking at the door of Apple, Google, Dropbox, or Microsoft, those companies won’t be able to help—you’ll have the individual keys.
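As an added example (not from the book or from any of the providers named), the following Go program shows what keeping the keys yourself looks like when combined with the per-file encryption described above: each file gets its own random AES-256-GCM data key, and that key is wrapped under a master key that never leaves the user’s machine, so the provider stores only ciphertext and a compromised data key exposes a single file. File names and contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptedFile is all the cloud provider ever receives: the ciphertext plus
// this file's data key, itself encrypted under a master key the user keeps.
type EncryptedFile struct {
	Name       string
	Nonce      []byte // 96-bit AES-GCM nonce for the file body
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
	KeyNonce   []byte // nonce used when wrapping the data key
	WrappedKey []byte // per-file data key, AES-256-GCM encrypted under the master key
}

// NewKey returns 32 random bytes; a 32-byte key selects AES-256 in aes.NewCipher.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key with a fresh random nonce; aad is authenticated, not encrypted.
func sealGCM(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// openGCM decrypts and verifies; any change to ct, nonce or aad makes it fail.
func openGCM(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptFile gives the file its own random data key, encrypts the body with it, then wraps
// that key under the master key. The file name is bound as associated data on both layers.
func EncryptFile(master []byte, name string, plaintext []byte) (*EncryptedFile, error) {
	dataKey, err := NewKey()
	if err != nil {
		return nil, err
	}
	nonce, ct, err := sealGCM(dataKey, plaintext, []byte(name))
	if err != nil {
		return nil, err
	}
	kn, wk, err := sealGCM(master, dataKey, []byte(name))
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{Name: name, Nonce: nonce, Ciphertext: ct, KeyNonce: kn, WrappedKey: wk}, nil
}

// UnwrapKey recovers one file's data key; only the master key holder can do this.
func UnwrapKey(master []byte, ef *EncryptedFile) ([]byte, error) {
	return openGCM(master, ef.KeyNonce, ef.WrappedKey, []byte(ef.Name))
}

// DecryptWithDataKey needs only that file's key, so a leaked data key exposes exactly one file.
func DecryptWithDataKey(dataKey []byte, ef *EncryptedFile) ([]byte, error) {
	return openGCM(dataKey, ef.Nonce, ef.Ciphertext, []byte(ef.Name))
}

// DecryptFile is the owner's normal path: unwrap the data key, then decrypt.
func DecryptFile(master []byte, ef *EncryptedFile) ([]byte, error) {
	dk, err := UnwrapKey(master, ef)
	if err != nil {
		return nil, err
	}
	return DecryptWithDataKey(dk, ef)
}

func main() {
	master, _ := NewKey()
	a, _ := EncryptFile(master, "credit-report.pdf", []byte("sample report contents")) // constructed
	b, _ := EncryptFile(master, "resume.docx", []byte("sample resume contents"))      // constructed
	leakedKeyA, _ := UnwrapKey(master, a) // suppose file a's data key leaks
	_, err := DecryptWithDataKey(leakedKeyA, b)
	fmt.Println("a's key opens b?", err == nil) // false: the damage stops at one file
}
```

The master key still has to be stored somewhere the provider cannot reach (a password manager or hardware token, not the same cloud account), and backing it up is the user’s job, since losing it means losing every file.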

You could also choose to use the one cloud service provider that sets itself apart from the rest—SpiderOak, which offers the full benefits of cloud storage and sync capability along with 100 percent data privacy. SpiderOak protects sensitive user data through two-factor password authentication and 256-bit AES encryption so that files and passwords stay private. Users can store and sync sensitive information with complete privacy, because this cloud service has absolutely zero knowledge of passwords and data.

But most users will continue to use other services at their own risk. People love the ease of grabbing data from the cloud, and so do law enforcement agencies. A huge concern about using the cloud is that your data does not have the same Fourth Amendment protections that it would have if it were stored in a desk drawer or even on your desktop computer. Law enforcement agencies are requesting cloud-based data with increasing (and unsettling) frequency. And they can obtain access with relative ease, since everything you upload online—whether to a Web-based e-mail service, Google Drive, or Shutterfly—goes to a server that belongs to the cloud service provider, not to you. The only true protection is to understand that anything you put up there can be accessed by somebody else and to act accordingly by encrypting everything first.