this post was submitted on 20 Jun 2024
357 points (98.6% liked)

[–] [email protected] 6 points 4 months ago

I guess that crosses Tile off of my list of tracking devices for my belongings. Would I have to deal with an apple airtag then?

[–] [email protected] 6 points 4 months ago* (last edited 4 months ago)

"This post is for paid members only". Sounds like a dare

[–] [email protected] 5 points 4 months ago (1 children)

We need an open source smart tag. I recently researched how the landscape has changed and, as an Android user, still nothing good is available. I'm not sure if I remember right, but Google's find my device was supposed to be open source or at least open spec? Might be worth looking into how easy it would be to code a lil firmware for this network myself. As much as I'd love a tag for things I cannot lose, the current options are throwing money away for no actual useful tracking (Samsung), forfeit your privacy (Tile, perhaps others), sell your soul (Apple).

[–] [email protected] 3 points 4 months ago

There's a few 3rd party solutions that are compatible with Google's find my device coming out this year. Pebblebee just released a few trackers, and iirc chipolo is working on one too.

[–] [email protected] 26 points 4 months ago

So can we now track the location of police? That sounds like valuable data that should be public

[–] [email protected] 13 points 4 months ago (1 children)

Authwall. Can't read. Please always copy and paste the article contents into Lemmy when you share it

[–] [email protected] 10 points 4 months ago (1 children)

I'm not OP but running it through Wayback Machine worked for me: https://web.archive.org/web/20240612133701/https://www.404media.co/hacker-accesses-internal-tile-tool-that-provides-location-data-to-cops/

If not, here's the text of the article (but the link has a bunch of images too that might be useful):

A hacker has gained access to internal tools used by the location tracking company Tile, including one that processes location data requests for law enforcement, and stolen a large amount of customer data, such as their names, physical addresses, email addresses, and phone numbers, according to samples of the data and screenshots of the tools obtained by 404 Media.

The stolen data itself does not include the location of Tile devices, which are small pieces of hardware users attach to their keys or other items to monitor remotely. But it is still a significant breach that shows how tools intended for internal use by company workers can be accessed and then leveraged by hackers to collect sensitive data en masse. It also shows that this type of company, one which tracks people’s locations, can become a target for hackers.

“Basically I had access to everything,” the hacker told 404 Media in an online chat. The hacker says they also demanded payment from Tile but did not receive a response.

Tile sells various tracking devices which can be located through Tile’s accompanying app. Life360, another location data focused company, acquired Tile in November 2021.

The hacker says they obtained login credentials for a Tile system that they believe belonged to a former Tile employee. One tool specifically says it can be used to “initiate data access, location, or law enforcement requests.” Users can then look up Tile customers by their phone number or another identifier, according to a screenshot of the tool.

A drop down menu which is selected in the screenshot tells users to select a request type: “DATA_ACCESS,” “LOCATION_HISTORY,” and “LAW_ENFORCEMENT.”

Hackers in recent years have repeatedly targeted tools used by tech companies to provide data to law enforcement or ones that are otherwise used by the company’s own staff to manage and access data. Sometimes, the hackers gain access to the tool itself, like when one used an internal Twitter system to take over accounts. In another case, a fraudster bribed an insider at Roblox to use that company’s tools for malicious purposes. Some hackers have even taken to installing malware inside U.S. telecoms so they can remotely control internal employee tools themselves.

Hackers also compromise email accounts used by police or other government officials, and then use those to demand sensitive data from tech companies and platforms by posing as the respective law enforcement officer. Targeted companies include Facebook, TikTok, and Apple.

Some of the other internal tools the hacker provided screenshots of include those for transferring Tile ownership from one email address to another; one for creating administrative users; and one for sending a push notification to Tile users. The hacker says they decided not to use this capability.

The hacker says they then accessed another system used by Tile which contained the customer data. The samples the hacker gave to 404 Media included names, addresses, phone numbers, as well as order and returns information and details on the payment method used.

From here, the hacker said they scraped the data. “I was able to enumerate through customer ids. Sent millions of requests to scrape the data.”

404 Media verified the data by randomly selecting a series of email addresses from the data, and then using them to create new accounts on Tile’s website. In most cases this was not possible because the email address was already in use by an existing customer. 404 Media also contacted multiple people inside the data via email.

“Yep, that would be me,” one person said when 404 Media sent all of the data related to their account.

Tile told 404 Media in a statement “Recently, an extortionist contacted us, claiming to have used compromised Tile admin credentials to access a Tile system and customer data. We promptly initiated an investigation into the potential incident. Our investigation detected that certain admin credentials were used by an unauthorized party to access a Tile customer support platform, but not our Tile service platform. The Tile customer support platform contains limited customer information, such as names, addresses, email addresses, phone numbers, and Tile device identification numbers. It does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers.”

“We disabled the credentials and took swift action designed to prevent any future unauthorized access to the Tile customer support platform and associated Tile customer data. At this time, we are confident there is no continued unauthorized access to the Tile customer support platform,” the statement continued.

Tile suggested in its statement that it was not aware of what data had been taken until 404 Media shared samples of the data for more verification. “Once you supplied us with additional data, we investigated further and determined that it is likely data from the impacted Tile customer support platform. We thank you for bringing this new information to our attention,” it read.

Tile also published a version of this statement on its website, but only after 404 Media contacted the company for comment and proved to it that the stolen data was accurate.

Tile did not respond directly when asked if the hacker had the required access to perform a location data request.

“This is a major breach,” the hacker said. But “it could have been much more major.”

[–] [email protected] 1 points 4 months ago (1 children)
[–] [email protected] 2 points 4 months ago

No worries!

[–] [email protected] 13 points 4 months ago

I always thought the surveillance state was stupid even for the powerful. The problem is exactly what happened. They surveil their own security forces out of necessity. But if that info leaks it makes those proxies 1000% more vulnerable than the public they're subjugating since way more people have a grudge against police and military personnel than some dweeb that watches Rick and Morty.

[–] [email protected] 13 points 4 months ago

I used to be a big user of Tiles from their early days, but when they sold to that shady company I threw them away and did the California privacy right action for them to delete my data.

[–] [email protected] 1 points 4 months ago
[–] [email protected] -3 points 4 months ago (1 children)

They should have hired their own hackers like Thor from Pirate Software to find their own weaknesses. There are a lot of hackers out there that run services like that, and these companies should take advantage of that.

[–] [email protected] 5 points 4 months ago (1 children)

I'm sure they do, likely have their own internal security team as well as contract security work out. The purpose of hiring hackers isn't to make the company unhackable, it's to make it harder, more time consuming and costly to hack the company.

[–] [email protected] 1 points 4 months ago* (last edited 4 months ago)

Aiming for a future in IT security, I find this branch of computer science somewhat ironic. You basically work to make your future work harder, i.e. you make things more secure, making your job of finding vulnerabilities even more difficult. Still a sucker for it, though
