Get new posts by email:

Researcher Discovers That Old Tesla Media Control Units Are Full Of Owner’s Private Data Even After A Factory Reset

There’s a hacker/security researcher with the Twitter handle GreenTheOnly that has been doing some interesting work with used Tesla parts. This time specifically, he’s acquired three Tesla Model 3 integrated media control units (MCU) and Autopilot (HW) units (known as the ICE computer, just for Models 3 and Y), and a…

Read more…

How to Keep the Fun (And Work, Ugh) Going During a Power Outage

In today’s world, a power outage is like a death knell for your sanity. Many of us are working from home for the foreseeable future, and even those who decided being a couch potato is a more noble living, what are you going to do when the power goes out? Nothing—everything’s closed! That’s why we’ll prepare ahead of…

Read more…

A passwordless server run by NSO Group sparks contact-tracing privacy concerns

As countries work to reopen after weeks of lockdown, contact-tracing apps help to understand the spread of the deadly coronavirus strain, COVID-19.

While most governments lean toward privacy-focused apps that use Bluetooth signals to create an anonymous profile of a person’s whereabouts, others, like Israel, use location and cell phone data to track the spread of the virus.

Israel-based private security firm NSO Group, known for making mobile hacking tools, is leading one of Israel’s contact-tracing efforts.

Security researcher Bob Diachenko discovered one of NSO’s contact-tracing systems on the internet, unprotected and without a password, for anyone to access. After he contacted the company, NSO pulled the unprotected database offline. Diachenko said he believes the database contains dummy data.

NSO told TechCrunch that the system was only for demonstrating its technology and denied it was exposed because of a security lapse. NSO is still waiting for the Israeli government’s approval to feed cell records into the system. But experts say the system should not have been open to begin with, and that centralized databases of citizens’ location data pose a security and privacy risk.

Codename ‘Fleming’

NSO began work on its contact-tracing system codenamed Fleming in March.

Fleming is designed to “pour” in confirmed coronavirus test data from the health authorities and phone location data from the cell networks to identify people who may have been exposed to a person with the virus. Anyone who came into close proximity to a person diagnosed with coronavirus would be notified.

The unprotected database was hosted on an Amazon Web Services server in Frankfurt, where the data protection regime is one of the strictest in the world.

It contained about six weeks of location data, spanning around March 10 to April 23. It also included specific dates, times and the location of a “target” — a term that NSO used in the database to describe people — that may have come into contact with a potentially infected person.

The data also included the duration of the encounter to help score the likelihood of a transmitted infection.

The login page for NSO’s Fleming is protected with a password. Its backend database was unprotected. (Image: TechCrunch)

“NSO Group has successfully developed ‘Fleming’, an innovative, unique and purely analytical system designed to respond to the coronavirus pandemic,” said Oren Ganz, a director at NSO Group. “Fleming has been designed for the benefit of government decision-makers, without compromising individual privacy. This system has been demonstrated worldwide with great transparency to media organizations, and approximately 100 individual countries,” he said.

TechCrunch was also given a demonstration of how the system works.

“This transparent demo, the same shown to individual countries and media organizations, was the one located on the open random server in question, and the very same demo observed today by TechCrunch. All other speculation about this overt, open system is not correct, and does not align with the basic fact this transparent demonstration has been seen by hundreds of people in media and government worldwide,” said Ganz.

John Scott-Railton, a senior researcher at the Citizen Lab, part of the Munk School at the University of Toronto, said that any database storing location data poses a privacy risk.

“Not securing a server would be an embarrassment for a school project,” said Scott-Railton. “For a billion-dollar company to not password protect a secretive project that hopes to handle location and health data suggest a quick and sloppy roll out.”

“NSO’s case is the precedent that proves the problem: rushed COVID-19 tracking efforts will imperil our privacy and online safety,” he said.

Israel’s two tracing systems

As global coronavirus infections began to spike in March, the Israeli government passed an emergency law giving its domestic security service Shin Bet “unprecedented access” to collect vast amounts of cell data from the phone companies to help identify possible infections.

By the end of March, Israeli defense minister Naftali Bennett said the government was working on a new contact tracing system, separate from the one used by Shin Bet.

It was later revealed that NSO was building the second contact-tracing system.

Tehilla Shwartz Altshuler, a privacy expert and a senior fellow at the Israel Democracy Institute, told TechCrunch that she too was given a demonstration of Fleming over a Zoom call in the early days of the outbreak.

Without the authority to obtain cell records, NSO told her that it used location data gathered from advertising platforms, or so-called data brokers. Israeli media also reported that NSO used advertising data for “training” the system.

Data brokers amass and sell vast troves of location data collected from the apps installed on millions of phones. The apps that track your movements and whereabouts are often also selling those locations to data brokers, which then resell the data to advertisers to serve more targeted ads.

NSO denied it used location data from a data broker for its Fleming demo.

“The Fleming demo is not based on real and genuine data,” said Ganz. “The demo is rather an illustration of public obfuscated data. It does not contain any personal identifying information of any sort.”

Since governments began to outline their plans for contact-tracing systems, experts warned that location data is not accurate and can lead to both false positives and false negatives. Currently, NSO’s system appears to rely on this data for its core functions.

“This kind of location data will not get you a reliable measure of whether two people came into close contact,” said Scott-Railton.

NSO’s connection to the Middle East

Israel is not the only government interested in Fleming. Bloomberg reported in March that a dozen nations were allegedly testing NSO’s contact-tracing technology.

A review of the unprotected database showed large amounts of location data points in Israel, but also Rwanda, Saudi Arabia and the United Arab Emirates.

Spokespeople for the Saudi, Rwandan and Emirati consulates in New York did not respond to our emails. NSO did not answer our questions about its relationship — if any — with these governments.

A map showing a sample of about 20,000 location data points across Israel (top-left); Abu Dhabi and Dubai, United Arab Emirates (top-right); Riyadh, Saudi Arabia (bottom-left) and Rwanda (bottom-right). (Image: TechCrunch)

Saudi Arabia is a known customer of NSO Group. United Nations experts have called for an investigation into allegations that the Saudi government used NSO’s Pegasus spyware to hack into the phone of Amazon chief executive Jeff Bezos. NSO has denied the claims.

NSO is also embroiled in a legal battle with Facebook-owned WhatsApp for allegedly building a hacking tool designed to be delivered over WhatsApp, which was used to hack into the cell phones of 1,400 users, including government officials, journalists and human rights activists, using AWS servers based in the U.S. and Frankfurt. NSO also rebuffed the claims.

Privacy concerns

Experts have expressed concerns over the use of centralized data, fearing that it could become a target for hackers.

Most countries are favoring decentralized efforts, like the joint project between Apple and Google, which uses anonymized Bluetooth signals picked up from phones in near proximity, instead of collecting cell location data into a single database. Bluetooth contact tracing has won the support of academics and security researchers over location-based contact-tracing efforts, which they say would enable large-scale surveillance.

Shwartz Altshuler told TechCrunch that location-based contact tracing is a “huge infringement” of privacy.

“It means that you can’t have any secrets,” she said. “You can’t have any meetings if you’re a journalist, and you can’t go to places where people want to know where you are.”

Favoring their own contact-tracing efforts, Apple and Google have already banned governments building contact-tracing apps utilizing their joint API from using location tracking, fearing that data stored on a centralized server could be breached.

Alan Woodward, a professor at the University of Surrey. said location data makes it “possible to build social graphs and to begin identifying who met who, when and where.”

“Even if it is just trial data, it’s still sensitive if it’s real people,” he said.

Just this week, the U.S. and U.K. governments warned that nation-state hackers are targeting organizations involved in the coronavirus response.

Uber may use its selfie tech to verify drivers are wearing masks

When Uber rolled out its selfie system for drivers in 2016, the ride-hailing company was focused on preventing fraud. In the future, it could be used to ensure drivers are wearing a mask.

Uber said earlier this week — CEO Dara Khosrowshahi reiterated today — that it is working through plans to require drivers and riders to wear face masks or face coverings as it prepares to ramp its ride-hailing business back up after being hobbled by the COVID-19 pandemic. The mask requirement will be issued in certain countries, including the United States.

Uber is leaning on a combination of logistics and technology to ensure when rides do ramp up that drivers are properly protected, Khosrowshahi said during Thursday’s earnings call.

“We’re shipping millions of PPE and masks, cleaning supplies etc., to our drivers to make sure that first drive, and the second, and the continuing drives, that our riders are safe and they feel safe,” he said.

Some gig workers, including those who work for Shipt, Uber, Lyft and Instacart have complained that they are struggling to get masks, gloves and other personal protective equipment. Supply chains, which are stretched as hospitals and healthcare facilities as well as companies gearing up to bring workers back to the office, compete for this equipment.

On the technology front, Khosrowshahi honed in on its existing products.

“We are looking at technologies such as, for example, our selfie technology where we make sure that the driver who signed up is the actual driver who is driving,” Khosrowshahi said. “We can use that technology, for example potentially, to make sure that the driver is wearing a mask where appropriate.”

Khosrowshahi didn’t provide further details of when the mask requirement would begin, and when the selfie technology might be used for mask verification.

The driver selfie technology, officially known as Real-Time ID Check, is a security feature that uses Microsoft Cognitive Services. Real-Time ID Check prompts drivers periodically to share a selfie before being allowed to accept fares. The account is temporarily locked if the selfie doesn’t match the photo that Uber has on file. The aim of technology is to prevent fraud and protect riders and drivers.

Health APIs usher in the patient revolution we have been waiting for

If you’ve ever been stuck using a health provider’s clunky online patient portal or had to make multiple calls to transfer medical records, you know how difficult it is to access your health data.

In an era when control over personal data is more important than ever before, the healthcare industry has notably lagged behind — but that’s about to change. This past month, the U.S. Department of Health and Human Services (HHS) published two final rules around patient data access and interoperability that will require providers and payers to create APIs that can be used by third-party applications to let patients access their health data.

This means you will soon have consumer apps that will plug into your clinic’s health records and make them viewable to you on your smartphone.

Critics of the new rulings have voiced privacy concerns over patient health data leaving internal electronic health record (EHR) systems and being surfaced to the front lines of smartphone apps. Vendors such as Epic and many health providers have publicly opposed the HHS rulings, while others, such as Cerner, have been supportive.

While that debate has been heated, the new HHS rulings represent a final decision that follows initial rules proposed a year ago. It’s a multi-year win for advocates of greater data access and control by patients.

The scope of what this could lead to — more control over your health records, and apps on top of it — is immense. Apple has been making progress with its Health Records app for some time now, and other technology companies, including Microsoft and Amazon, have undertaken healthcare initiatives with both new apps and cloud services.

It’s not just big tech that is getting in on the action: startups are emerging as well, such as Commure and Particle Health, which help developers work with patient health data. The unlocking of patient health data could be as influential as the unlocking of banking data by Plaid, which powered the growth of multiple fintech startups, including Robinhood, Venmo and Betterment.

What’s clear is that the HHS rulings are here to stay. In fact, many of the provisions require providers and payers to provide partial data access within the next 6-12 months. With this new market opening up, though, it’s time for more health entrepreneurs to take a deeper look at what patient data may offer in terms of clinical and consumer innovation.

The incredible complexity of today’s patient data systems

Original Content podcast: Waco offers a surprising look at a real-world tragedy

“Waco,” a Paramount Network series that recently started streaming on Netflix, dramatizes the tragic real-life standoff between the FBI, the ATF and the Branch Davidians.

A couple of your Original Content podcast hosts only had a fuzzy idea of what actually went down in Waco, Texas in 1993. And all of us were  surprised by the depiction of the Branch Davidian cult as creepy and delusional, but not particularly dangerous.

Instead, the show puts much of the blame for what transpired on law enforcement agencies that were becoming increasingly militarized — not to mention eager for positive publicity. While the depiction of law enforcement bungling and brutality was pretty persuasive, we argued about whether the show ended up soft-pedaling the troubling aspects of the Branch Davidians and their leader David Koresh (played by Taylor Kitsch) in the process.

And while we all agreed that it was a compelling story, we were also disappointed that the stellar cast (Michael Shannon, Melissa Benoist, Andrea Riseborough, Shea Whigham, John Leguizamo, Julia Garner and others) weren’t given more memorable characters to portray.

You can listen to our review in the player below, subscribe using Apple Podcasts or find us in your podcast player of choice. If you like the show, please let us know by leaving a review on Apple. You can also send us feedback directly. (Or suggest shows and movies for us to review!)

And if you’d like to skip ahead, here’s how the episode breaks down:
0:00 Intro
1:50 “Waco” review (mild real-life spoilers)
25:56 “Waco” spoiler discussion

With movie theaters closed, Alamo Drafthouse gets into on demand movie streaming

Back when movie theaters were a thing we could go to, Alamo Drafthouse was my one and only. Known for actively insisting that audience members shut the hell up during the movie and for having a damned fine beer selection, it’s like my personal paradise. If it was a movie I was excited to see, I’d drive an hour-plus to see it at Alamo rather than go anywhere else.

Like most other theater operations, Alamo’s theaters are sadly — but understandably! — shuttered until we beat this pandemic. In the meantime, they’re launching a streaming service: Alamo On Demand.

Building an on-demand video platform is quite the technical challenge… and, well, not exactly something that a relatively small theater chain (roughly around 40 locations) should probably tackle on its own. So Alamo is building this in partnership with ScreenPlus.

Alamo will be handling the curation and movie selection, while ScreenPlus is handling most of the technical stuff – things like DRM, geoblocking, etc. Most films on the platform are available to rent or buy, with prices varying by title.

Alamo isn’t looking to take on the Google Plays and Amazons of the world here by striving for a daunting, bottomless selection of movies; instead, each film they’re offering is personally nominated by at least one member of their team. If it’s on there, it’s got Alamo’s stamp of approval.

The current selection is eclectic and worth perusing, from award winners like Apocalypse Now or Parasite to lesser known cult flicks you’d probably pass up unless someone suggested it… which, well, is exactly the point of this shop.

Alamo notes that while the first build is live now, they’ve got more in the works: iOS and Android apps are on the way, and theyre aiming to tie-in the Alamo Victory loyalty program (allowing for things like discounts when purchasing movies you previously saw in the theater) at some point down the road.