According to Adam Podgorski and Milind Bhargava, two researchers working for Deloitte Canada, there is a way to harvest unencrypted Tor network data from exit nodes, and then piece the data fragments together. The two claim to have managed to do just that and tapped into people’s PII (personally identifiable information). This is something that virtually all Tor users would consider impossible, but in the mobile space, things can be different. The data that the researchers managed to piece together include GPS coordinates, web addresses, browsing habits, phone numbers, IMEI numbers, IMSI numbers, and even keystrokes that can derive from any application on the phone.
As we said, all of this happens on mobile devices, including both Android (95%) and iOS (5%) systems. As the researchers point out, Tor code is somehow installed on these mobile phones, most probably by applications that have taken Orbot code and incorporated into their solutions. The developers of these apps probably maintain the idea that Tor traffic is automatically encrypted traffic, but that is not really the case with HTTP. For now, the researchers are not disclosing the names of the apps, OEMs, and advertisers who are responsible for these sensitive data leaks, but they are calling them “popular in both Asia and North America”.
As expected, the researchers reached out to these OEMs and developers to inform them of the issue, but they have not received any response yet. Still, it would be too dangerous to disclose many details at this point, as that would render a large number of users vulnerable. To make matters worse, there’s nothing that the users can do to protect themselves from this problem, especially in the cases of OEM-installed software tools, as these can’t be removed.
The researchers prepared a proof of what they could do in the form of user profiling, including GPS coordinates, keystroke data, and IMSI details, hoping to convince the entities responsible to do the right thing now. Those accountable for the situation will not stay on the safe side for much longer, as there are multiple GDPR violations involved in what is going on right now. That said, government and data protection organizations are bound to take action against these OEMs very soon.
Have something to comment on the above? Feel free to share your thoughts with us in the section down below, or on our socials, on Facebook and Twitter.