Unshakeable Salt
The InLinkUK monolith, providing a Universal Security Breach

This blog post is somewhat localised to the HQ of Unshakeable Salt, as it concerns the city of Leeds in the UK. Leeds is one of a few cities in the UK being used to trial new phone booths for the “always-connected-yoof-of-today”. Gone are the iconic red phone boxes; instead we now have monolithic slabs that you would swear had been designed by Arthur C. Clarke.

These vertical phalluses in our public spaces are seen by InLinkUK as the modern way of communicating. A small touch screen offers essential services such as the ability to call the emergency services or to ask for directions to somewhere nearby. In a world where 70% of adults carry a smartphone, they are there to cater for the ‘other’ 30%. Or not, as the other 30% tend not to need these facilities. They do, however, have two large TV screens, so that advertising revenue can pay for their presence in our public places.

Having seen them installed a few months ago, I was struck by the ‘other’ services they provide. In addition to the small screen there is a myriad of ports you can plug into. There is also public WiFi, so you can use them to browse the internet for ‘free’. They also have a built-in CCTV camera, allowing the capture of who is using the device (and those around at the time), although privacy bodies in the UK have already ‘requested’ that these be disabled.

Free Wifi

It’s a local colloquialism, but you never get nowt for free. You should also never trust ‘free WiFi’, as you have no idea who might be sitting in the path of your communications. The real difference with these monoliths, though, is that they have reduced privacy by design.

Connection is via registration, so you must supply some personal information (name, address, postcode, email address, etc.) before you can connect for the first time. There is a privacy policy to accept when you first register (with the scary bits highlighted below), and then you are granted access to the WiFi.

Like all ‘public’ WiFi, though, there is the issue of interception, inspection and manipulation. The network names are common, and it is very easy to create a ‘fake hotspot’ with the same name in the same place to pretend to be the happy, smiley, secure BT WiFi; a phone that has joined the real one once will happily rejoin on the name alone. I’ve covered the dangers of this before, so let’s just say it’s a big security risk and leave it for now.
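As an added example, not code from the original post or from BT or InLinkUK, the following Python shows the one check that can actually separate a look-alike hotspot from the real one: the BSSIDs (radio MAC addresses) seen advertising an SSID are compared against the operator’s own inventory. The scan results, the SSID, the inventory and the vendor prefix are all constructed placeholders. A user on the street does not have that inventory, which is exactly why the network name alone proves nothing; this is the check an auditor walking the site, or the operator, would run.

```python
"""Added example (not from the original post): flagging a possible 'evil
twin' from a scan by checking which radios advertising a given SSID actually
belong to the operator. SSID, BSSIDs and OUI are constructed placeholders,
not BT's or InLinkUK's real values."""

# Constructed scan results as a client would see them:
# (SSID, BSSID, channel, security)
SCAN = [
    ("BT-Kiosk-Example", "00:11:22:aa:bb:01", 6, "open"),
    ("BT-Kiosk-Example", "00:11:22:aa:bb:02", 11, "open"),
    ("BT-Kiosk-Example", "f4:5c:89:de:ad:01", 6, "open"),  # same name, unknown radio
    ("CoffeeShop", "a0:b1:c2:00:00:01", 1, "wpa2"),
]

# Assumed operator inventory: BSSIDs of the genuine kiosk radios and the
# vendor prefix (OUI, first three octets) their hardware uses.
KNOWN_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
KNOWN_OUIS = {"00:11:22"}


def oui(bssid):
    """Vendor prefix of a MAC address (first three octets, lower case)."""
    return ":".join(bssid.lower().split(":")[:3])


def suspect_bssids(scan, ssid, known_bssids, known_ouis):
    """Return (bssid, channel, reason) for every radio advertising `ssid`
    that is not in the inventory. An unknown vendor prefix is reported as
    extra evidence, but it is never what clears a radio: an attacker can
    choose any MAC address, so only an exact inventory match is trusted."""
    suspects = []
    for name, bssid, channel, _security in scan:
        if name != ssid:
            continue
        b = bssid.lower()
        if b in known_bssids:
            continue
        reason = "unknown BSSID"
        if oui(b) not in known_ouis:
            reason += ", unknown vendor prefix"
        suspects.append((b, channel, reason))
    return suspects


if __name__ == "__main__":
    for b, ch, why in suspect_bssids(SCAN, "BT-Kiosk-Example", KNOWN_BSSIDS, KNOWN_OUIS):
        print(f"possible evil twin on channel {ch}: {b} ({why})")
```

The third radio in the constructed scan is reported as a possible evil twin; a radio that spoofs the operator’s vendor prefix but is not in the inventory is still reported, just with the shorter reason. For a user rather than an auditor, the practical defence is the one the text implies: forget the network so the phone cannot auto-join it on the name alone.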

InLinkUK screens, ignoring the reflection of your author

Tracking Wifi

Where this free WiFi differs, though, is the provider’s ability to track you nationally. The terms and conditions of use include ‘technological profiling’, which, although supposedly anonymous, does authorise the continuous tracking of devices. Once your device has been identified (e.g. by its fixed MAC address), a profile can be built of everything you do and everywhere you are each time you connect. The policy states that they don’t locate your precise position, but they do track and follow your geo-location. Given that phones automatically reconnect to known WiFi networks as you travel the country, this gives a pretty good way to track a device. It is worth noting that, at the time of writing, mainstream phones randomise their MAC address only while scanning for networks; once they join one they present the hardware MAC, so the identifier the operator sees really is stable.
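To make the tracking concrete, here is an added example in Python (not InLinkUK’s or BT’s code) that takes a constructed association log from several kiosks and turns a fixed MAC address into exactly the movement profile the paragraph describes, then shows how a randomised (locally administered) MAC breaks the chain. The kiosk IDs, cities, timestamps and MAC addresses are all made up.

```python
"""Added example (not from the original post): how a fixed MAC address turns
a chain of WiFi associations into a movement profile, and how a randomised
MAC leaves no chain to follow. All log entries are constructed."""
from collections import defaultdict

# Constructed association log: (ISO timestamp, kiosk id, city, client MAC).
# One phone keeps its burned-in MAC across cities; two entries come from
# devices presenting randomised, locally administered MACs.
ASSOC_LOG = [
    ("2018-05-08T08:02:11", "KIOSK-LDS-01", "Leeds", "3c:22:fb:12:34:56"),
    ("2018-05-08T12:40:03", "KIOSK-LDS-07", "Leeds", "3c:22:fb:12:34:56"),
    ("2018-05-09T17:15:48", "KIOSK-MAN-03", "Manchester", "3c:22:fb:12:34:56"),
    ("2018-05-10T09:01:30", "KIOSK-LON-11", "London", "3c:22:fb:12:34:56"),
    ("2018-05-08T08:05:00", "KIOSK-LDS-01", "Leeds", "da:a1:19:44:55:66"),
    ("2018-05-09T17:20:00", "KIOSK-MAN-03", "Manchester", "b6:0f:c3:77:88:99"),
]


def is_locally_administered(mac):
    """True if the U/L bit (bit 1 of the first octet) is set. OS-level MAC
    randomisation produces locally administered addresses, so this is the
    cheap way to tell a randomised MAC from a burned-in one."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def build_profiles(log):
    """Group associations by client MAC into time-ordered sightings of
    (timestamp, city, kiosk): the 'technological profile' in the terms."""
    profiles = defaultdict(list)
    for ts, kiosk, city, mac in sorted(log, key=lambda r: r[0]):
        profiles[mac.lower()].append((ts, city, kiosk))
    return dict(profiles)


def cities_visited(sightings):
    """Distinct cities in the order the device was first seen in each."""
    seen = []
    for _ts, city, _kiosk in sightings:
        if city not in seen:
            seen.append(city)
    return seen


def away_from_home(sightings, home_city):
    """Sightings outside the home city: the misuse case in the text,
    knowing when someone is not at home."""
    return [(ts, city) for ts, city, _kiosk in sightings if city != home_city]


if __name__ == "__main__":
    for mac, sightings in build_profiles(ASSOC_LOG).items():
        kind = "randomised" if is_locally_administered(mac) else "burned-in"
        print(f"{mac} ({kind}): {len(sightings)} sightings, "
              f"cities {cities_visited(sightings)}")
```

Run as written, the burned-in MAC yields a four-stop Leeds, Manchester, London itinerary, while each randomised MAC is a single sighting that cannot be joined to anything else. The same grouping is all an operator needs to turn ‘anonymous’ device profiling into a travel history.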

As a use case for marketeers, this is a wonderful opportunity to sell hyper localised advertising. However, as a misuse case, it’s also very valuable information – knowing when someone isn’t at home or is away from familiar surroundings.

Charge via the Universal Security Breach port

The architects of these devices must have had some really strange ‘Use Cases’ in their design briefs:

As a Yorkshire woman who is out and about, I have found myself in Britain’s 6th largest city with a flat battery on my smartphone. I have my USB charging cable and a charging dock in my handbag.

I want to stand within the 1-metre cable length of a 55” TV being used as an advertising hoarding for 30 minutes in the pouring rain and hold my phone whilst it recharges.

The first thing we must set aside is the question of what use a charging point is if it doesn’t have a connector for your exact phone. Using the 20+ year old USB interface is their answer to a problem that has no standard, and it introduces a further problem: USB wasn’t originally designed for power, it was designed for data.

The trouble starts when people assume a port is only there for power, and USB once again stands for Universal Security Breach. The physical solution was to omit the data pins in USB power-only cables, but people didn’t want one cable for charging and another that did both. Smartphone operating systems then started treating unknown USB hosts as hostile, defaulting to charge-only and prompting before allowing data transfer. This also worked for a while, until human behaviour saw it as an inconvenience. That popup warning you of an untrusted device was an annoyance, and you accepted the risk to get your ‘fix’ of 5 volts at 2 amps.

USBKill

We then had to bolster the popups with security training. I spend a good five minutes of my hour-long SafeAndSecureOnline presentations going through the dangers of USB. These include a demonstration of a USBKill device, something that you really cannot visually discern from a standard USB pen drive. These devices can be placed anywhere and come with both male and female interfaces. They can also be made to look like charging ports or cables. I wonder how many mobile phones I could kill in a single day if I placed the device on an InLinkUK charging point.

USBClone

I also own a USBClone device. This Raspberry Pi Zero sized device automatically connects to and copies all data from devices plugged into it. Powered entirely by its own USB port, how long would it take before the data card became full? In fact, it wouldn’t, as if it has an internet connection it transfers all the data it captures up to the cloud. Did I mention that these InLinkUK devices provide free SuperFast WiFi? Not only do they offer a place to plug in your phone, they also provide the means to send your data across the planet. In theory, you could plant a USBClone device on a monolith, leaving it there in perpetuity capturing data and uploading away. I might even try it, just to see how long one can stay there.

(Lack of) Privacy (by) Policy

At the time of writing, privacy policies are a pretty big thing. The GDPR is only a fortnight away and every day your inbox is bombarded with half a dozen new ones. They all say the good things like “Your data will only be stored in the UK / EEA in accordance with the Data Protection Act”. Indeed, so does the InLinkUK Privacy Policy. It also has this little gem much further down in the document:

Your information, including any personal data, may be transferred to, stored at and processed by us and our affiliates and other third parties outside the country in which you reside, including, but not limited to the United States, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world

In other words, “we only store data within the EEA”, apart from the data we may send anywhere else in the world. This is of course legal, because you registered to use the service. Somewhere in this registration there should have been great detail explaining it. In connecting to the service you have consented to be bound by this privacy policy. Not exactly in the spirit of privacy, the GDPR or the Data Protection Act.

It all comes down to trust

BT (British Telecom by every other name, and descendant of the General Post Office) is, or was, a name to trust. If it has the BT logo upon it, then surely it must be safe? Not anymore.

Who handles data worse than big business? BT is no better than TalkTalk, who at the time of writing still have one of the costliest security breaches. The Equifax breach is currently on track to be the most expensive in corporate history. With the implementation of the GDPR, the next set of fines will easily dwarf them.

Something that is free, out in the public, is never without risk. It is ‘buyer beware’: use at your own peril. If the peril is that charging your smartphone may blow it up, would you risk it? Would using the free WiFi mean that you get turned away by Homeland Security on holiday?

I’m sure these devices will save someone’s life by providing a point to call 999. Should their design (and cost) have been limited to that? Treat the WiFi and USB ports as extremely hostile and we can all avoid another universal security breach.

Director of Unshakeable Salt, an information security specialist who first started contracting in 1997.
