Wednesday, October 18, 2017

ADINT: Do It Yourself Surveillance


"If it's free you're the product." Most of us have heard this meme often enough, and have a vague understanding that it relates to online ads. But when most of us think about online ads, we think about the occasional annoyance of having to scroll past or otherwise ignore an ad—doing so is assumed to be the price of free online services, and it seems a small price to pay.

If only it were so simple.

Researchers at the University of Washington published a paper at the ACM Workshop on Privacy in the Electronic Society entitled "Exploring ADINT: Using Ad Targeting for Surveillance on a Budget." The subtitle is "How Alice Can Buy Ads to Track Bob." Yes, it's as bad as it sounds. The authors point out that for as little as $1,000, someone can use targeted ads to track the location of specified individuals. The mobile advertising infrastructure allows any attacker with modest means to "know where the target goes, where they live, and other sensitive information such as what apps they use". Knowledge of what apps are being used can be considered sensitive for a variety of reasons, including mental health conditions, diabetes trackers, dating apps (which can indicate relationship or sexual preferences), political affiliation apps, and religious and church apps.

As I've pointed out before, most people think it's a reasonable trade-off to allow ads to be shown in order to get apps and services for free. But in order to deliver those ads, the ad networks need to learn as much as possible about all of us, so that advertisers know whether it's worth paying to target an ad to any of us (and when and where they should do so). Advertisers have enabled what we can refer to as a stalker economy. If you think it sounds creepy, you're right. And it's also ubiquitous, part of the background noise of being a mobile-phone-using netizen.

This is how Alice can buy ads to track Bob. But what is meant by "ADINT"? The authors invented this term, and I think it's a good one. Whereas the intelligence community refers to human intelligence as "HUMINT" and signals (electronic) intelligence as "SIGINT", the corresponding term for advertising intelligence has been coined by the paper's researchers as "ADINT."

Most of the focus on mobile security has been around malware and network attacks that deliver malware. But malware is rare, whereas the stalker economy, or ADINT, can affect us all. In my previous post, I noted that mobile devices send considerable amounts of data into the cloud, which is to say the data is now in the wild—outside of our ability to track and control it. ADINT represents another threat vector regarding the digital exhaust of our mobile devices. This should worry us.

Thursday, October 5, 2017

Mobile Security: Focusing On What's Important

Often, it's what we don't know that gets us in the most trouble.

Conventional wisdom regarding mobile security in many enterprises is that it's not an urgent requirement. Many enterprises have convinced themselves that it's sufficient to implement policies to ensure that users don't root or jailbreak their phone, and that they only download apps from an official app store. With such policies in place, the CISO's mental image of their mobile security posture might look like this:

In actuality, their mobile security policy probably looks more like this:


The good news is the gate is closed--and locked! And, per security best practice, the policy is publicly posted (Keep Gate Closed). Luckily, due to the security of Android and iOS, the mobile device is probably secure, as is the data on the device--despite the incompleteness of the mobile security controls.

But what about the data that leaves the device? How well is it protected by the locked gate?

Not very well, unfortunately. Most mobile devices and their apps send considerable amounts of data into the cloud, and it's not obvious to most enterprises what data leaks from mobile devices into the wild--or how effectively that data is secured in the cloud. App developers have a financial incentive to report location and other personal data to ad networks, marketing frameworks, and apps' back ends when aggregation or persistent storage is required. Personal data might include device identifiers, phone number or email address, calendar and contact info, and app-related usage information. Ad networks are relentless in collecting as much data as possible to support the real-time bidding (RTB) process for mobile ad placements. And while most of this data leakage is privacy related, some of it can be used to inform an enterprise attack.
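One way an enterprise can start answering the "what leaks, and to whom?" question is to audit egress-proxy logs from managed devices for requests that carry the identifier classes named above (advertising IDs, email addresses, phone numbers, precise coordinates) to hosts that are not first party to the app. The script below is an added illustration, not code from the original post or from any vendor; its log format, the first-party allowlist, the field names (`idfa`, `gaid`, `lat`, `lon`, `email`, `phone`) and every sample line are constructed assumptions, and a real deployment would read the proxy's own format and a curated host list.

```python
"""Flag outbound mobile-app requests that carry personal identifiers to
third-party (ad network / analytics) hosts.

Added example for illustration only: the log format, host lists, field
names and sample lines are constructed assumptions, not real data."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample egress-proxy lines: "<app-id> <host> <path> <body>"
SAMPLE_LOG = """\
com.example.weather api.example-weather.com /v2/forecast zip=98105
com.example.weather ads.adnet-example.net /rtb/bid idfa=6D92078A-8246-4BA4-AE5B-76104861E7DC&lat=47.6562&lon=-122.3120
com.example.notes metrics.tracker-example.io /collect email=alice%40example.org&device=iPhone
com.example.health api.example-health.com /sync hr=72
com.example.chat cdn.sdk-example.com /init phone=%2B12065550123&gaid=cdda802e-fb9c-47ad-9866-0794d394c912
"""

# Assumed allowlist: hosts the enterprise considers first party for its apps.
FIRST_PARTY_SUFFIXES = ("example-weather.com", "example-health.com")

UUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# Identifier classes that, once in an ad network's hands, enable the kind of
# tracking the post describes.  Field names are assumed; patterns are simple.
PATTERNS = {
    "advertising_id": re.compile(r"\b(?:idfa|gaid|advertising_id)=" + UUID + r"\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\bphone=\+?\d{7,15}\b"),
    "precise_location": re.compile(r"\blat=-?\d+\.\d{3,}\b.*\blon=-?\d+\.\d{3,}\b"),
}


@dataclass(frozen=True)
class Finding:
    app: str
    host: str
    kinds: tuple  # sorted identifier classes seen in one request


def is_first_party(host: str) -> bool:
    """True if the host is, or is a subdomain of, an allowlisted domain."""
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def classify(body: str) -> tuple:
    """Return the sorted identifier classes present in a (URL-encoded) body."""
    decoded = unquote(body)  # e.g. %40 -> @, %2B -> +
    return tuple(sorted(k for k, rx in PATTERNS.items() if rx.search(decoded)))


def audit(log_text: str) -> list:
    """Return one Finding per request that sends identifiers to a third party."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # blank or malformed line
        app, host = parts[0], parts[1]
        body = parts[3] if len(parts) > 3 else ""
        if is_first_party(host):
            continue  # data going to the app's own back end is out of scope here
        kinds = classify(body)
        if kinds:
            findings.append(Finding(app, host, kinds))
    return findings


def summarize(findings) -> dict:
    """Per app: the union of identifier classes leaked to third parties."""
    summary = {}
    for f in findings:
        summary.setdefault(f.app, set()).update(f.kinds)
    return {app: tuple(sorted(kinds)) for app, kinds in summary.items()}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.app:22} -> {f.host:28} {', '.join(f.kinds)}")
```

On the constructed sample, the weather app's forecast call to its own API is ignored, while the RTB bid request is flagged for carrying an advertising ID plus precise coordinates; the notes app is flagged for an email address; and the chat app's SDK initialisation is flagged for a phone number and a Google advertising ID. The per-app summary is what an enterprise would compare against its acceptable-use policy before deciding which apps belong on managed devices.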

Meanwhile, we obsess over whether Face ID is better than Touch ID, and lament that the iOS 11 control center doesn't fully disconnect Bluetooth and WiFi. We breathlessly follow headline after headline making us scared of malware campaigns in Asia that, truth be told, represent little threat to the enterprise even in the unlikely event that an employee's phone is infected (the employee, though, has plenty of reason to worry).

Multiple vendors have developed Mobile Threat Defense (MTD) solutions that address mobile security issues, each with their own unique focus. The MTD market is still in its infancy, and only a small percentage of enterprises have adopted and fully operationalized a solution. MTD solutions don't readily fall into typical enterprise security paradigms, and of course they compete for scarce dollars and security staff resources. As the world shifts to a "mobile first" focus, it will be interesting to see the degree to which MTD emerges as a major factor in enterprise security.