Conversation

Notices

1. Embed this notice
   BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 01:50:10 JST BrianKrebs

   2025 is turning out to be very meta so far. Good scoop by 404 Media.

   Gravy Analytics was the supplier of location data for the service that both Joe Cox and I wrote about recently at Babel Street that makes it simple to track the whereabouts of hundreds of millions of mobile devices just by looking at mobile ad data. They were recently sued by the FTC.

   Hackers Claim Massive Breach of Location Data Giant, Threaten to Leak Data

   https://www.404media.co/hackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data/

   https://www.ftc.gov/news-events/news/press-releases/2024/12/ftc-takes-action-against-gravy-analytics-venntel-unlawfully-selling-location-data-tracking-consumers

   https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 01:52:33 JST Rich Felker

     in reply to

     @briankrebs I'm confused how they end up getting so much location data. Are mobile carriers colluding with adtech industry to link up information (port and IP address used for ads -> subscriber id -> carrier location info), or is it just that Google and Apple have such bad permissions defaults/UX that junkware is able to access location unless you lock it down?

   • Embed this notice
     BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 01:59:04 JST BrianKrebs

     in reply to

     • Rich Felker

     @dalias It's basically the nature of the mobile ad ecosystem in general. When you visit a website with your mobile, in a microsecond the ability to place a certain ad in front of you is put out as an automated bid request to hundreds of ad networks that can all bid on the ability to show their ad. There is a robust market now of participants to this real-time bidding market that simply collect and resell all the live bidstream data, which can include the phone's unique ID, precise location coordinates, and enriched data from other marketing and advertising firms that provide more details about the user.

     If you're really interested in learning more about how it all works, you could do a lot worse than to read my linked story, which explains it in more detail.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 01:59:04 JST Rich Felker

     in reply to

     @briankrebs What I'm asking is the technical question of where the location data originates from.

     Is the user's phone doxxing them due to defaults or poor ux tricking the user into letting the adtech libraries integrated into junkware apps access location api?

     Or are they getting access to location from the carrier via some identifying info the carrier can resolve back to a subscriber id to dox them?

   • Embed this notice
     BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 02:02:52 JST BrianKrebs

     in reply to

     • Rich Felker

     @dalias There are a lot of self-interested parties to blame for this current situation. Among them are Apple and Google, for giving each phone a unique identifier for advertisers (IDFA) that could be used to track/differentiate users over time.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:02:52 JST Rich Felker

     in reply to

     @briankrebs Advertising IDs definitely can play some role, but they're not themselves a vector for leaking location, just linking up datasets.

   • Embed this notice
     BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 02:03:36 JST BrianKrebs

     in reply to

     • Rich Felker

     @dalias Some of this is from mobile apps which sell user location data. A lot of it is from mobile websites that share location data with advertisers

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:03:36 JST Rich Felker

     in reply to

     @briankrebs But none of those should have access to location to begin with. Unless they've exploited bugs or tricked the user (or exploited bad OS defaults) to have location permission.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:05:28 JST Rich Felker

     in reply to

     @briankrebs I'm not asking this to be difficult or to blame users for installing junk apps and not locking down permissions right.

     I'm trying to understand who the real culprits in leaking this data are, to know both who to target, and who is affected (like, are carriers doxxing us even if we have location properly locked down?).

   • Embed this notice
     BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 08-Jan-2025 02:06:11 JST BrianKrebs

     in reply to

     • Rich Felker

     @dalias Yeah you're asking good questions, but afaict they are answered in the story I wrote and linked to. I realize it's long, but that's because it's also complicated.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:06:11 JST Rich Felker

     in reply to

     @briankrebs I didn't see answers but I'll re-scan or read it in detail again and see if I can find it. Thanks.

   • Embed this notice
     Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 08-Jan-2025 02:15:47 JST Rich Felker

     in reply to

     • Buccia

     @BucciaBuccia @briankrebs This seems like it's going to collect very limited data with a permission of "only while using the app".

   • Embed this notice
     Buccia (bucciabuccia@mastodon.social)'s status on Wednesday, 08-Jan-2025 02:15:48 JST Buccia

     in reply to

     • Rich Felker

     @dalias @briankrebs You give location access to the app or site to get the weather, the embedded SDK passes the location to data brokers.