Tech Friday


  • Keyboard app ai.type collects personal data of 31 million users:
    • ai.type is a customizable virtual keyboard for mobile phones and tablets, and has more than 40 million users worldwide
    • Kromtech Security Center researchers have discovered data belonging to over 31 million users of the popular app on the Internet
    • It appears that the data was leaked online and can be accessed without a password
    • ai.type asks for "Full Access" during installation and if permission is granted, the add-on keyboard can transmit anything typed through the keyboard to the developer
    • The company claims that it will never use the personal information it collects, but unfortunately that information has leaked
    • A misconfigured database exposed their entire 577 GB dataset for 31,293,959 users, which includes many sensitive user details, including:
      • Names, phone numbers, and email addresses
      • Device information
      • Mobile carrier information such as country of residence
      • IP address (if available), along with GPS location (longitude/latitude).
      • Links and information associated with social media
    • Additionally, the keyboard app is capturing users' contacts
    • "It is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user," said Kromtech's Head of Communications Bob Diachenko. "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."
    • "There was a range of other statistics like the most popular users’ Google queries for different regions. Data like average messages per day, words per message, the age of users, words_per_day': 0.0, 'word_per_session and a detailed look at their customers," researchers said
    • ai.type CEO Eitan Fitusi told the BBC that the stolen information was a "secondary database." 
    • Fitusi also indicated the database has been taken down and is "confident" about the security of the company
    • If you're not paying with money, you're paying with data. You are not the customer, you are the product
  • People continue to find hidden cameras in their Airbnbs:
    • Airbnb has a major problem: renters keep finding hidden cameras in their rental homes
    • In the second incident since October, a host was filming guests without their knowledge
    • Hosts in Florida and California have been banned for the same thing in the past
    • The most recent victims tweeted a photo of a device they discovered in an undisclosed Airbnb
    • "In ‘oh, that’s a thing now’ news, a colleague of mine thought it odd that there was a single ‘motion detector’ in his AirBNB in the bedroom and voila, it’s an IP camera connected to the web," Jason Scott tweeted. "(He left at 3am, reported, host is suspended, colleague got refund.)"
    • Airbnb released a statement saying they had "permanently banned" the homeowner and "supported our guests with a full refund and reimbursement for expenses incurred."
    • An Airbnb spokesperson told BuzzFeed that finding cameras in rental homes was "incredibly rare" and also said "Cameras are never allowed in bathrooms or bedrooms; any other cameras must be properly disclosed to guests ahead of time"
    • If you stay in an Airbnb, beware: that smoke alarm or motion detector may be a video camera
  • Internet-connected toys create privacy concerns:
    • Many toys (dolls, cars, drones, robotics, games, etc.) are Internet of Things (IoT) devices connected to the Internet
    • The popularity of these types of toys is growing, and is expected to grow faster than non-connected toys this holiday season
    • These toys can include a variety of sensors including microphones, cameras and/or video cameras, and can store and transmit data
    • These features could put the privacy and safety of children at risk due to the personal information that is disclosed
    • Like so many Internet of Things (IoT) devices, many of these toys are not very secure and collect more data than necessary
    • The Shodan search engine makes it easy to find and target insecure devices including these toys
    • We've already seen instances of hackers using IoT devices to spy on children, for example, the infamous baby monitor hack a few years ago
    • A VTech hack a few years ago exposed data including names, birthdays and addresses of 6.4 million children 
    • Mattel's Wi-Fi connected Hello Barbie talking doll, which works similarly to Siri or Cortana, was found to have security issues around the conversations captured
    • According to a 2011 Experian study, identity theft of children is thirty-five times more common than identity theft of adults. This is due in large part to the fact that thieves can often use a child's identity for years before it's noticed
    • "Children often do not realize they have been hacked for many years, which gives hackers time to take out loans or file fraudulent tax returns in their name," said Javvad Malik at cybersecurity firm AlienVault
    • "A lot of time manufacturers don't want to spend the money [to keep information safe]," said Corynne McSherry, legal director at the Electronic Frontier Foundation
    • If you purchase these types of toys, you should be aware of what information is captured, as well as where it is stored, who has access to it, how it is protected and how it is being used
    • Consumers should examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services
    • When registering the toys, provide as little information as possible
    • Understand that software and security updates for these toys may be limited or non-existent, making them increasingly vulnerable over time
    • Get more detailed information and tips from the FBI: https://www.ic3.gov/media/2017/170717.aspx