This blog post is somewhat localised to the HQ of Unshakeable Salt, as it concerns the city of Leeds in the UK. Leeds is one of a few cities in the UK that is being used to trial new phone booths for the “always-connected-yoof-of-today”. Gone are the iconic red phone boxes and instead we now have monolithic slabs that you would swear have been designed by Arthur C Clarke.
These vertical phalluses in our public spaces are seen by InLinkUK as the modern way of communicating. A small touch screen offers essential services such as the ability to call emergency services or to ask for directions to somewhere nearby. In the modern world where 70% of adults carry a smart phone, they are there to cater for the ‘other’ 30%. Or not – as the other 30% tend not to need these facilities. They do however have two large TV screens allowing for marketing revenue to pay for their presence in our public places.
Having seen them installed a few months ago, it was strange what ‘other’ services they provide. In addition to the small screen there is also a myriad of ports you can plug into. There is also the public WiFi, such that you can use them to browse the internet for ‘free’. They also have a built-in CCTV camera, allowing for the capture of who is using the device (and those around at the time) – although privacy bodies in the UK have already ‘requested’ that these be disabled.
It’s a local colloquialism, but you never get nowt for free. You should also never trust ‘free wifi’, as you have no idea who might have tapped into your communication. The real difference with these monoliths, though, is that they have reduced privacy by design.
Like all ‘public’ Wifi though, there is the issue of interception, inspection and manipulation. The network names are common, and it is very easy to create a ‘fake hotspot’ with the same name in the same place to pretend to be the happy, smiley secure BT WiFi. I’ve covered the dangers of this before – so let’s just say it’s a big security risk and leave it for now.
Where this Free Wifi differs, though, is the ability for the providers to track you nationally. The terms and conditions of use include ‘technological profiling’, which, although supposedly anonymous, does authorise the continuous tracking of devices. This means that once there is a profile of your device (e.g. its non-changing MAC address), they create a profile of everything you do and where you are every time you connect. It states that they don’t locate your precise position, but they do track and follow your geo-location. Given that devices automatically reconnect to known Wifi access points as you travel the country, this does give a pretty good way to track a device.
As a use case for marketeers, this is a wonderful opportunity to sell hyper localised advertising. However, as a misuse case, it’s also very valuable information – knowing when someone isn’t at home or is away from familiar surroundings.
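The profiling described above, as an added example that is not from the original post or from InLinkUK: it groups a constructed association log by client MAC and checks whether each address is burned-in or OS-randomised. It assumes the operator keys profiles on the MAC and that randomisation is per network name and persistent, so a hotspot name reused nationwide still sees one stable address.

```python
from collections import defaultdict

# Constructed association log: (timestamp, hotspot location, client MAC).
# Timestamps, locations and MAC addresses are made up for this example.
SIGHTINGS = [
    ("2018-03-01T08:10", "Leeds",      "3c:22:fb:10:20:30"),
    ("2018-03-01T08:15", "Leeds",      "da:a1:19:00:00:01"),
    ("2018-03-03T12:40", "Manchester", "3c:22:fb:10:20:30"),
    ("2018-03-05T19:05", "London",     "3c:22:fb:10:20:30"),
    ("2018-03-05T19:30", "London",     "da:a1:19:00:00:01"),
]

def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 of the first octet) is set, as it is in
    OS-generated randomised addresses; False suggests a burned-in address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def build_profiles(sightings):
    """Group sightings by MAC (assumption: the operator keys profiles on it)."""
    profiles = defaultdict(list)
    for ts, place, mac in sorted(sightings):
        profiles[mac.lower()].append((ts, place))
    return dict(profiles)

def travel_trail(profile):
    """Collapse a profile into the ordered list of distinct places visited."""
    trail = []
    for _, place in profile:
        if not trail or trail[-1] != place:
            trail.append(place)
    return trail

if __name__ == "__main__":
    for mac, profile in build_profiles(SIGHTINGS).items():
        kind = "randomised" if is_locally_administered(mac) else "burned-in"
        print(f"{mac} ({kind}): {' -> '.join(travel_trail(profile))}")
```

The second device presents a randomised address yet is still followed from Leeds to London, because the same address is reused for every hotspot sharing the network name. Forgetting the network after use, or a rotating address setting where the OS offers one, is what breaks the link.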
Charge via the Universal Security Breach port
The architects of these devices must have had some real strange ‘Use Cases’ in their design briefs:
As a Yorkshire woman who is out and about, I have found myself in Britain’s 6th largest city with a flat battery on my smart phone. I have my USB charging cable and a charging dock in my handbag.
I want to stand within the 1-meter cable’s length of a 55” TV being used as an advertising hoarding for 30 minutes in the pouring rain and hold my phone whilst it recharges.
The first thing we must ignore is the issue around what use is a charging point if it doesn’t have the ability to connect to your exact phone. Using the 20+ year old USB interface is their solution to something that has no standard, introducing a further problem. USB wasn’t originally designed for power, it was designed for data.
When people assume it’s only there for data, it becomes an issue and USB stands for Universal Security Breach once again. The physical solution was omitting the data pins on USB power cables, but people didn’t want one cable for charging and another that did both. Smartphone operating systems then started shipping with firewalls, treating unknown USB connections as hostile. This also worked for a while, until human behaviour saw it as an inconvenience. That popup warning you of an untrusted device was an annoyance and you accepted the risks to get your ‘fix’ of 5 volts being supplied at 2 amps per hour.
We then had to bolster the popups with security training. I spend a good five minutes in my hour-long SafeAndSecureOnline presentations going through the dangers of USB. These also include the demonstration of a USBKill device – something that you really cannot visually discern from a standard USB pen drive. These devices can be placed anywhere and come with both male and female interfaces. They can also be made to look like charging ports or cables. I wonder how many mobile phones I could kill in a single day if I placed the device on an InLinkUK charging point.
I also own a USBClone device. This Raspberry Pi Zero sized device automatically connects and copies all data from devices connected to it. Powered entirely by its own USB port, how long would it take before the data card became full? In fact, it wouldn’t – as if it has an internet connection, it transfers all the data it captures up to the cloud. Did I mention that these InLinkUK devices provide free SuperFast WiFi? Not only do they offer a place to plug in your phone, they also provide the ability for sending your data across the planet. In theory, you could plant a USBClone device onto a monolith, living there in perpetuity capturing data and uploading away. I might even try it, just to see how long one can stay there.
(Lack of) Privacy (by) Policy
It all comes down to trust
BT (British Telecom by every other name and descendant of the General Post Office) is/was a name to trust. If it has the BT logo upon it, then surely it must be safe? Not anymore.
Who handles data worse than big business? BT is no better than TalkTalk, who at the time of writing still have one of the costliest security breaches. The Equifax breach is currently on track to be the most expensive in corporate history. With the implementation of the GDPR, the next set of fines will easily dwarf them.
Something that is free, out in the public is never without risk. It is ‘buyer beware’, use at your own peril. If the peril is that charging your smartphone may blow it up, would you risk it? Would using the free Wifi mean that you get turned away by Homeland Security on holiday?
I’m sure these devices will save someone’s life by providing a point to call 999. Should their design (and cost) have been limited to that? Treat the Wifi and USB ports as extremely hostile and we can all avoid another universal security breach.