I was watching YouTube on my PlayStation 4 recently when suddenly, out of nowhere, a video featuring the Les Miserables cast started playing.
“Do you hear the people sing? Singing the songs of angry men? It is the music of the people who will not be slaves again!”
Why yes, yes YouTube. I do hear the people singing the songs of angry men, but I’m perplexed because 10 seconds ago I was hearing Hatsune Miku singing the songs of virtual pop idols. Excuse me?
Turns out my friend was trying to watch a Les Mis video on YouTube, but accidentally casted (read: remotely played) the video on my TV instead. This was particularly surprising because my friend lives in another town, but a quick investigation revealed that her iPad was saved on my YouTube’s list of linked/trusted devices since her last visit.
Ah, of course! The rules of casting via YouTube dictates that the source device and target TV need to be on the same WiFi network during the initial casting/connection, but afterwards both devices can be automatically linked as long as they’re both connected to YouTube’s servers.
That was certainly a funny incident, haha, but it got me thinking: wait, what other sorts of connections have I accidentally set up? And how many of them might serve as backdoors for security exploits?
The first thing I checked, of course, were my saved WiFi networks. Look, I’ve been to many cafes and libraries, and it’s often hard to resist the siren call of free WiFi when you’re too cheap to pay for 4G.
Using public WiFi networks has always been a calculated risk – on one hand, I have to always assume any public WiFi network is not secure and particularly vulnerable to man-in-the-middle attacks. (That’s when someone can read – and sometimes modify – what you send and get from the Internet.) And that’s assuming I’m even connected to a legit network – heaven knows if that free_library_wifi_1 network is coming from the library or some dude in a van parked outside.
On the other hand, I really, really need to watch that video of adorable kittens.
Usually, I try to play it smart – I avoid online banking while I’m on public networks, for example, but if I absolutely have to submit sensitive details like my logins/passwords or credit card details, I make sure the website is at least using HTTPS.
That seems secure, right? As long as I ensure the communication between my device and the Internet is encrypted, and I don’t leave other avenues of entry like open file-sharing, surely nobody can exploit my WiFi connections. Right?
Well, that depends on your definition of “exploit” – how do you feel about people knowing your movements and behaviour just because you have your WiFi switched on? Not connected to any network – just switched on.
London’s transport authority (TFL) actually does this with the free WiFi at the Tube stations, and you can find details at bit.ly/2XLkHFz, and even more technical details from their pilot programme at bit.ly/2S7u7Yr.
If you enter a Tube station with a WiFi-enabled device, it will basically just shout out, “Yo, are there any WiFi access points nearby? I want to show a list of networks my owner can connect to.”
It doesn’t matter whether you connect to any of the networks – the act of “shouting” (a WiFi probe request) is enough for TFL to know the device’s unique fingerprint, or MAC address. (Not to be confused with where a Scottish person lives.) With that in their database, TFL can now track your movement between Tube stations.
Thankfully, TFL is a fairly well-regulated government body, so it’s pretty upfront with the kind of data collection it does, and makes it a point to anonymise personal user information.
What it mainly wants to know is how crowds move through the Tubes during rush hour, not why I specifically got off at Tottenham Court Road station last Saturday.
What I tend to worry about is when other less scrupulous entities start to collect this easily-harvested connection data – it basically turns every one of my WiFi-enabled phones into a tracking device.
Here’s a simple and relatively benign example: when I signed up for free WiFi at a cafe, I used my email to login, so that means the cafe can now match my email address (an online identity) with my phone’s MAC address (a physical identity).
Any advertiser who purchases this data can now figure out where I regularly visit on the Web and in real life (remember, I don’t need to connect to a WiFi network they own – I just need to pass near them), which means the next few targeted ads I see online will inexplicably know the routes I take from home to work.
And also my regular routes for finding Pikachus in Pokemon Go, but I’m not sure how they’ll monetise that.
Good news is though, the sort of accidental connections I talked about here probably aren’t things most people need to worry about. Possibly.
I mean, these kinds of high-concept security worries are generally the domain of techies who have way too much free time to think of security exploits, and to also binge-watch Hatsune Miku during the coronavirus quarantine. After all, what’s the most damage that can happen if you leave a backdoor open and let someone remotely play videos on your screen?
Ask me tomorrow to find out, because I just noticed it’s 2am, another friend of mine is watching YouTube on a TV which I can cast to, and I have a video from The Ring that’s dying to be played.
Source: The Star