DEV Community

jmau111

Posted on • Updated on • Originally published at blog.julien-maury.dev

Let's review some techniques to harm privacy

Here are some of the techniques, from the most popular to the most unlikely, that can be used to identify people.

Disclaimers

  • My point is to explain why convenience should not prevail over basic security and privacy
  • It might look scary, but it's not even an exhaustive list of all possible privacy intrusions

The power of JavaScript

JavaScript can defeat any VPN technology or proxy chain. It's extremely powerful and allows getting the finest details about your browser, your operating system, your configuration, and much more.

These techniques are little known to users but massively used by companies; you may have come across terms such as browser fingerprinting or device fingerprinting.

Algorithms can generate a pretty unique fingerprint based on collected specs. It gets worse when you have non-standard configurations and devices. Go check amiunique.org.

Even Tor does not protect you by default, so if you use the famous privacy-focused browser, be aware that JavaScript is a major threat to your privacy. Go to Settings > Privacy & Security and choose the Safest level, which disables it.

Tor enables JavaScript by default for usability but JavaScript extends the attack surface "beyond the sky".

Non-JS techniques

The IP address

Probably the most obvious one. ISPs assign IP addresses to their customers and have strict legal duties such as data retention (e.g., keeping logs), so that data never expires and authorities can inspect the entire traffic for a specific IP.

In most countries, it's impossible to get internet access without providing your real name and your personal address. As a result, your real IP is you.

You may visit this site or this one to get more details.

WiFi nearby

Google and Apple maintain and use a gigantic database of Wi-Fi routers and their matching locations. Any Android or iOS device runs passive scans for nearby routers.

It's a powerful mechanism that can locate anybody very accurately. There's no opt-out, even if you turn off the GPS.

DNS

The Domain Name System (DNS) is a fundamental mechanism of the Internet. Browsers use it to find the IP for a specific service. For example, when you enter myfavoritesite.com, the browser queries a DNS service to reach the matching servers.

ISPs provide DNS services by default for convenience, so you don't have to configure anything manually, but they can log absolutely everything. That's also what many authorities and governments like to use to block access to some websites.

DNS services are prone to MITM (Man In The Middle) attacks by various threat actors. You might try private DNS services or even set up your own DNS but, in my experience, the browser will still send unencrypted requests in plain text, so it's a questionable mitigation.

Sneaky telemetry

All major operating systems and apps collect data using telemetry. If you don't disable data collection, it can be used to deanonymize you.

Remember that privacy is not anonymity.

Offline tracking

Popular devices such as MacBooks can be tracked even when you're offline. Your device can still communicate peer-to-peer with nearby devices over Bluetooth Low Energy.

As long as the battery is connected, it's on.

Device IDs and IMSI

Manufacturers assign an IMEI (International Mobile Equipment Identity) to every mobile device. Even privacy-focused manufacturers implement it.

Google, Apple, and many other actors collect that identifier and keep logs. There's no opt-out, and, in many countries (not all, though), modifying that number or buying a burner phone is illegal.

If required, it's possible to trace back the entire history of the device.

In addition, there is the IMSI (International Mobile Subscriber Identity), a unique number associated with the SIM card. IMSI catchers are relatively small devices used by authorities and threat actors to capture sensitive information, including your real identity (SIM card), messages, calls, etc.

If someone uses it against your phone for some reason, it's game over for your privacy.

RFID identification

Radio-frequency identification is widely used in contactless transactions (e.g., NFC payments).

I've never read about a direct identification but it's pretty efficient to approximate someone's location, and it's pretty hard to protect.

You have to buy expensive products that block RFID or get rid of all RFID chips, which are used in passports, IDs, or credit cards.

EXIF data

All electronic documents contain metadata that can disclose sensitive information: photos, for example, but also PDFs and MS Office documents.

Use EXIF removal tools to get rid of it before sharing your documents.

Invisible watermarking

Some organizations use invisible watermarks on documents to identify their creators but also their viewers. It's a built-in feature in many apps and printers, so it's not complicated to enable but, in contrast, quite difficult for the victims to detect.

It's a serious threat for whistleblowers but not only.

CSS fingerprinting

What??

CSS media queries can trigger when the browser window changes to a specific width.

External resources or assets can be downloaded through media queries, so every time you resize the window an HTTP request is fired, for example, to grab some background images. It gets worse if you have special habits like regularly resizing the window to a particular size (e.g., with a tiling window manager).

It's very specific, and you might say pretty unlikely, but it's still possible.

Underestimated areas and techniques

Wireless vulnerabilities

Whether it's WiFi or Bluetooth, it's hard to secure such wireless connections. It's best if you can turn off such services when not in use.

Even the Bluetooth Special Interest Group acknowledges some flaws.

Besides, some devices lack security features to prevent unwanted pairing and information disclosure.

You can only mitigate the threat, and I strongly recommend updating your system regularly.

Wireless mice and keyboards

Wireless devices are convenient but prone to attacks. While some manufacturers take security very seriously, others clearly don't, and you'd be surprised how easy it is to attack them with very cheap equipment.

These companies buy low-cost chips to build their products but have to write the firmware themselves, which often leads to flawed or nonexistent implementations of critical security features such as encryption.

Once you're tapped, anything can happen, from stolen credentials to severe privacy intrusions.

Data recovery

Empty bin

Cute, but not meant to erase documents securely. Besides, most built-in disk utilities (including those in Recovery mode) are not allowed to perform a secure erase.

There are various tools that can recover the so-called "permanently removed" data in minutes.

I'm not even talking about the advanced software used by authorities, which can perform advanced scanning and filtering in seconds, but about simple free or cheap products anyone can install.

Tricked hardware

You may be familiar with the term "backdoor", but do you know it can be implemented at the hardware level?

Fortunately, there are now YouTube videos that raise awareness about hardware backdoors, but the topic remains quite unknown to the vast majority of the population.

Something that looks like a USB drive or even a charging cable could contain a backdoor that would allow a remote adversary to take full control of the system.

Unblur me

People and media sometimes share sensitive documents that contain revelations and may put some people at risk.

To prevent unwanted disclosures, they may blur some areas or use "overpixelated" images, but even Photoshop (or free open-source alternatives such as GIMP) can reverse the operation, at least partially, which can ultimately lead to deanonymizing someone.

GitHub is full of free open-source tools that rely on Deep Learning to "unblur" or "depixelate" documents based on open-source datasets.

Biological signatures

Big companies such as Google sit on mountains of confidential data, which sometimes include writing and typing styles. As nobody writes or types exactly the same way, these are biological signatures that can ultimately deanonymize anyone who hides behind a fake IP and an anonymous account.

Gmail has been collecting and sharing such data with its partners for years.

7 ways to protect yourself

Of course, you can buy a Faraday cage or become paranoid about technology, but here are practical measures you can take to improve your safety:

  • Use dedicated devices and operating systems for sensitive (not "illegal") activities and learn compartmentalization
  • Use full disk encryption and end-to-end encryption for your communications
  • If you don't trust the website, don't even go there
  • Define your threat model
  • Mask your real IP and your location
  • Don't plug anything unwisely into the USB ports (some even disable these ports, but that looks a bit overkill)
  • You want to hide something in a document before sharing it publicly? Use a black pencil or just remove it

There are threats you can neither eliminate nor mitigate, so don't worry too much about them. Instead, use several layers of protection and don't sacrifice your privacy and safety for very little convenience and cheap equipment.

Photo by Dmitry Ratushny.

Discussion (7)

Mahmoud Harmouch

Interestingly enough, you can still be tracked without any javascript involved.
A study shows that it is feasible to track you using only favicons. Fortunately, if you are using Brave, you are in good hands. Brave Browser for the win!

jmau111 Author • Edited on

very clever approach from the attacker side ^^

Vlajd

Thanks for sharing! It was a very interesting read.

jmau111 Author

You're very welcome. My pleasure.

Rajesh Royal • Edited on

And I just published a browser fingerprint library - Broprint.js 😅

Khokon M.

Bruh 🥵😰

jmau111 Author