Weaponizing the GDPR: how to use “Right of Access” to steal identities

Social engineers have learned how to exploit the GDPR’s “Right of Access”


1 July 2019 (Paris, France) – To be an informed citizen is a daunting task. To try and understand the digital technologies associated with Silicon Valley — social media platforms, big data, mobile technology and artificial intelligence that are increasingly dominating economic, political and social life – has been an even more daunting task that brought me to interview scores of advertising mavens, data scientists, data engineers, psychologists, etc. Plus reading reams of white papers and books tracking the evolving thinking and development of this technology. I needed to dust off some classic tomes that have been sitting in my library for years, from authors such as James Beniger, Marshall McLuhan and Alvin Toffler … all of them so prescient in where technology would lead us, their predictions spot on to where we are today.

It’s why I make sure my crew and I are out there attending an esoteric collection of law and technology conferences, quizzing regulators, doing our own research. I feel my role is to “DJ the internet”, to do deep dives into all subjects and to deliver to my readers daily mixes of fresh ideas. My team and I search each day to find different angles and points of view that lead to deeper understanding. Industry insights, stories from the “dark side”, etc.

So when it comes to events and workshops about the EU’s new General Data Protection Regulation (GDPR) … really any data privacy event … we steer clear of legal-orientated tech events and try to attend only conferences that have a healthy interdisciplinary team of legal scholars, business mavens, computer scientists, cognitive scientists, and tech geeks. The legal tech orientated events tend to be top-heavy with people who don’t actually “do” GDPR but just recite the law, say “you must comply as follows” because … well, they are just there to put the fear of God in you and just sell their services. Not tell you the full story. Because there is no money in that. I understand that. Besides, there are plenty of law firms out there advising companies on how to finesse/game the process.

It’s why, during the course of the GDPR negotiations, I noted there were so many cases where the lobbyists for the tech community were able to get so much of the connective tissue between numerous sections deleted or modified, leaving a shell of a GDPR where many of the key points will only be settled in court years from now. Such is certainly the case with the Data Subject Access Request (DSAR), the subject of this post.

The “Right of Access”

As we all know, the GDPR has a provision called “Right of Access”. It makes it so clear, so easy. Individuals have the right to access their personal data. Individuals can make a subject access request verbally or in writing. Companies have one month to respond to a request. Easy peasy.

Well, ok, maybe not so easy peasy. Just for fun, I had my staff file multiple Data Subject Access Requests. Hilarity ensued. And, yes, I know. The GDPR is clear: the controller shall upon request provide a copy of all personal data they have plus information about the processing. But the devil, dear reader, is in the details. If there is a system, it can be gamed. To read about the corporate obfuscation, corporate trickery, and the enforcement blues we encountered in that horrendous process click here.

But hold on ... what happens when companies holding this data DO NOT properly verify identities before handing it over?

After we completed the process we did a “Lessons Learned” and during the course of that discussion we noted a big point: many corporations requested information to “verify” you, but it was information they could not verify themselves. The most common:

– Requesting a scan of our passport when we knew the receiver is completely unable to verify what we look like (not important) or the data in the passport

– Requesting proof of address for services that don’t know your address
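The two requests above have the same defect: the company asks for evidence it holds nothing to compare against. The check a controller can actually perform is one against data already on file, for instance a one-time token sent to the registered email address. The following Python sketch is an added example written for this post, not code from the original article or from any of the companies we surveyed; the `ACCOUNTS` table and the `outbox` list are constructed stand-ins for a real account store and mail system, and `checkable_evidence` simply lists which kinds of evidence a given record lets the controller verify.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for a hypothetical controller; not real accounts.
ACCOUNTS = {
    "alice@example.com": {
        "email": "alice@example.com",
        "account_id": "A-1001",
        "country": "FR",
    },
}

CHALLENGE_TTL_SECONDS = 15 * 60

# Which verification evidence maps to which field in the controller's own
# records. A controller can only check evidence for fields it actually holds.
EVIDENCE_FIELDS = {
    "email_challenge": "email",
    "passport_number": "passport_number",
    "postal_address": "address",
    "last_purchase": "last_order",
}


def checkable_evidence(record):
    """Evidence kinds this controller can compare against its own record.
    Asking for anything outside this set (a passport scan when no passport
    number is on file) cannot verify the requester."""
    return {kind for kind, field in EVIDENCE_FIELDS.items() if field in record}


def _hash_token(token):
    # Store only a hash of the challenge so a leaked pending table is useless.
    return hashlib.sha256(token.encode()).hexdigest()


class DsarVerifier:
    """Verify a DSAR requester through the contact channel already on file."""

    def __init__(self, accounts, now=time.time):
        self._accounts = accounts
        self._now = now          # injectable clock, so expiry can be tested
        self._pending = {}       # request_id -> challenge state
        self.outbox = []         # stands in for the controller's mail system

    def open_request(self, claimed_email):
        """Start a DSAR; returns only an opaque request id to the caller.

        If the address is on file, a one-time token is sent to that mailbox,
        so the requester must control it. Unknown addresses get an identical
        response, so this step does not reveal whether an account exists."""
        email = claimed_email.strip().lower()
        request_id = secrets.token_urlsafe(16)
        state = {"email": None, "token_hash": None, "used": False,
                 "expires": self._now() + CHALLENGE_TTL_SECONDS}
        if email in self._accounts:
            token = secrets.token_urlsafe(24)
            state["email"] = email
            state["token_hash"] = _hash_token(token)
            # The clear token goes only to the mailbox on file, never back
            # to whoever submitted the request.
            self.outbox.append({"to": email, "request_id": request_id, "token": token})
        self._pending[request_id] = state
        return request_id

    def verify(self, request_id, presented_token):
        """Release the record only for a valid, unexpired, single-use token."""
        state = self._pending.get(request_id)
        if state is None or state["used"] or state["token_hash"] is None:
            return None
        if self._now() > state["expires"]:
            del self._pending[request_id]
            return None
        if not hmac.compare_digest(state["token_hash"], _hash_token(presented_token)):
            return None
        state["used"] = True
        return dict(self._accounts[state["email"]])
```

In a real deployment the pending table lives in a store with its own TTL, attempts per request id are rate-limited, and the released copy is itself delivered to the verified channel rather than to whoever typed the token into a web form. The point the sketch makes is the one the companies above missed: the proof is control of something the controller already knows about the data subject, not a document the controller has no way to check.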

The use of a DSAR to steal identities is not a new subject. As I wrote over the weekend, it was discussed during the negotiations on the GDPR, and a universal “robust identity process” was going to be put in place. But it was not. Gee, I mean, next thing you’ll tell me is Facebook will turn into a monster.

And we are not the first to write about this area. This entire concept (“How to weaponise the GDPR”) will be the subject of several sessions at Black Hat and DEF CON – combined, the two events are the Super Bowl of black hat and white hat hacker conferences. The following is a composite of our research, plus that of several black hats we know. More on DEF CON at the end of this post.

We went back into our files and submitted more DSARs but not for us – for people we knew. And with their permission. But we extended the subject and nature of the requests: we submitted requests to businesses across different sizes and industries to obtain a range of sensitive data, from typical sensitive information like addresses and credit card numbers, to more esoteric data like travel itineraries.

We were careful to obtain the information we needed independent of our co-conspirator. We obtained zero information from our co-conspirators other than their name. We used a common off-the-shelf social media scraping technology all hackers use, and we also went onto the Dark Web to see if we could find information on our co-conspirators. (We did, much to their consternation. Subject for another post).

So we started with several pieces of basic, public information that any “social engineer” could find: full name, an old phone number found online, and added a generic email address ([email protected]). In hacker parlance “the threshold for starting the attack was very low”. But then we added bits and pieces as the process proceeded, depending on how companies responded. We just tailored the response.

Side note: before you ask, yes. We built profiles on 188 companies so we know how they will respond (as of 15 June) to a DSAR.

A brief summary of key points because I am saving the firepower for Black Hat and DEF CON:

1. Lots of companies are getting better at the process but most are still in panic mode.

2. Responses are incredibly varied, and there is no consistent way anybody responds to a DSAR. That is probably because the very detailed verification process I noted above was scrubbed from the GDPR early on.

3. One of my Black Hats told me “You’d think companies would try to verify the identity by using something they already know. For example, they might only accept an email address linked to a registered account. That is probably the best mechanism for verifying accounts. But they don’t. So that means I can create and backdate a social media account and email account and, like the Russians do, create any persona I want.”

4. The means of verifying varied by industry: retail companies asked what your last purchase was; travel companies and airlines asked for passport information.

5. The massive stupidity: in one case we were asked for a copy of a passport (as I noted above, a common request). This time our response was “I have several. Did I use one for you? Can you tell me which?” A photocopy of the passport cover page was sent.

6. The incredible ease by which companies revealed some sort of sensitive information with little/no real verification: biographical info, passport number, a history of dates for hotels/airlines, credit card numbers, etc.

7. Sometimes a push-back helped (many companies are simply swamped with requests, understaffed, and keen to resolve them quickly). One company (again) asked for a passport number to verify identity; when we refused, they accepted a postmarked envelope from the post office in the city we “resided”.

There is quite a bit more but it will need to wait until after Black Hat and DEF CON. Now, just a few points on those events.

BLACK HAT AND DEFCON

The people at Black Hat and DEF CON (more the folks at the latter event) have a completely different relationship to the world around them. Because hackers understand how technology works, they understand how the world works. And because they know how the world works, they can use this understanding to shape it, and influence it. Reality has become a sort of playground that, with enough talent, skill and in many cases bloody-minded obsession, will answer to their commands.

And if you take a big view, classes within societies have often been divided by their relationship to the fundamental resources of the age. The primary source of wealth in agrarian societies came from cultivating crops and farmland. Land was its fundamental resource, and when it was organised – as often it was – into a small number of large estates owned and protected by a small number of powerful families, they sat atop that society’s economic and social pyramid. They were a group who spoke a different language, maintained different customs, and whose rank, honour and privileges directly related to how much land they controlled. Within industrial society, there was a new class that, through not only land, but also capital, owned the mills, factories and mines, the means of production that now produced wealth.

Owning a fundamental resource makes you different; it puts you at the very centre of how your society works and what it does. Today it is the control and manipulation of information.

To these hackers, there are no black boxes. They can crack everything. They have kept on pulling things apart, refusing to let technology become the black box that it is to everyone else. “BORN TO HUNT” is my favourite tee shirt. Their presence in Las Vegas alone causes the world to change around them:

– The electronic bus timetable is now only a blue screen of errors, locked down by the City Fathers because it has been hacked so many times before.

– The digital menus at restaurants have disappeared. Too easy access to restaurant control systems.

– Numerous stores have stopped accepting credit cards. Past experience: hackers were cracking point-of-sale terminals.

The DEF CON regulars are known as Jericho, Shaggy, Suggy, Cybersulu, Crypto. You don’t tell anyone your real name, and no one wants to know it. You just want to trade information.

In the years I have attended, I have learned several things:

– Get a burner phone, keep bluetooth off and don’t bring any electronic gear with you. If you do, turn it off and stick it in your hotel closet.

– Get cash before you go. Do not use cash machines in Las Vegas that week.

– I learned how to hack my hotel television using an infrared remote control.

– I learned how to reset my minibar bill, log into my neighbour’s television and watch them surf the internet, setting their wake-up call for 5:30 a.m. And then check them out.

– And the Las Vegas police always have a high-tech SWAT team waiting around the corner from one of the conferences, ready to go in for serious stuff (not my mini bar manipulation).

Both events attract tens of thousands of attendees. It is a party, it is a shopping mall, it is a conference, it is a technical play park … all happening at the same time.

It is a trade fair where thronging crowds press five-deep around vendors to buy all manner of cheerfully branded hacking hardware … “for research purposes”. But it is in the “villages” (how the DEF CON event is divided up) where hackers get their hands dirty. There are large, open rooms, full of people soldering circuit boards, mangling gadgets, peering at code.

– In the “car hacking village”, hackers learn how to send specific commands to electrical components, and fool braking systems.

– At the IoT (Internet of Things) village is an array of hacked children’s toys, routers, thermostats — almost anything that can be connected to the internet.

– There are villages for social engineering, wifi, cryptography, reconnaissance, lock picking, etc., etc.

Note: if you were at Legaltech in New York earlier this year you may have met with my cyber team who showed you how vulnerable the Hilton Hotel wi-fi can be.

Yes, hacking has gone global. It’s now about superstars, big money, sky-high stakes and tragic falls. Computers will remain the portal into a new reality for its devotees. But as computers and technology have spread all over the world, hacking has changed how the world can be shaped.

And the presentations are mind boggling. To the whoops and cheers of ten thousand assembled hackers, each person hits the stage and proves mastery of the arcane and technical: a new route through some defense or the identification of a new vulnerability.

And so, so, so much to learn:

– I learned about an intricate hack. The hacker had built something called a tunnelling algorithm to comb (hacker lingo: “to fuzz”) an Intel microprocessor. Baked on the chip itself were instructions that allow the microprocessor to work. And the hacker was now revealing what he found: hidden instructions that WERE NOT in the manual and for which there is no explanation. Flaws? Bugs? Or worse. Secrets.

– Hackers do help build and protect cybersecurity, so they also demonstrated their capacity to protect us. The very fact that these hackers were making their discoveries public implied, usually, that they were on the right side of the law – but you never know.

– And backdoors. On the screen, the hacker demonstrated how a hidden instruction locked the microprocessor and any computer using it. What about computers not connected to the internet? The conventional wisdom is that the most secure systems are deliberately cut off from the internet … “air-gapped” … to keep them out of the clutches of attackers. But hackers don’t need the internet. Nope. Light! Hack with light. I saw how to send instructions through the air using light, and into the ambient light sensors of the computer, the things that adjust the screen to different light conditions. The huge screens around the room cut to a live video on the stage. A laptop and a bulb, connected to a small circuit board by a few wires, stood in front of a normal laptop, not connected to the internet. The bulb started to flash, an impossibly fast Morse code. Then – to rising applause – the laptop, not connected to the internet, opened the calculator program. In hacker lingo, this is called “popping calc”. It means that the hacker has achieved the Holy Grail: remotely programmable code. If you can get it to open the calculator, you can get it to open anything. The laptop, through the bulb, responded to his commands. He could make it run things, drag data out of it, do whatever he wanted.

– I have seen how easy it is to seize control of cameras, printers, routers and doorbells. Earlier this year I wrote about a shadowy Chinese group that can receive calls and texts meant for your mobile phone, and send calls as if you’d made them.

NOTE: this is how the U.S. intelligence services believe the Chinese spy on Trump when he is at Mar-a-Lago.

– But for me, the most alarming hack wasn’t a set-piece revelation during one of the big talks, but one that happened almost casually in one of the hands-on villages. It was three years ago. The village was small, by the scale of DEF CON, and when I walked in there were around fifty people milling around. Some were sitting in front of laptops full of code. Some were hunched over circuit boards, and some were grouped around the twenty tall, grey machines that were spread over the room. For the first time, DEF CON was hacking voting machines. A voting machine had been wirelessly hacked. After that, they all started falling. Punchcard voting machines. Optical scan paper ballot systems. Direct recording electronic systems. All were quickly “owned” in one way or another. Some needed direct, physical contact. Others could be hacked remotely. Hackers found how to change the vote logs, lock access to the device, stop people voting and completely cover their tracks. I was stunned, but the hackers seemed almost bored.

Computers are everywhere. We trust our lives to them. Everyone relies upon technology, but hardly any of us understand it. It just works – we don’t need to understand how. Yet hackers have made it their business, their identity, to question how technology works and why. They do not accept, nor do they trust, locked doors, black boxes, hidden code or anything else that might be used to control them, and they go to extraordinary lengths to break them open. To them, the technologies that surround us actually make sense. They are open: chips understandably arranged on circuit boards, obeying programmatic instructions that they can interpret, and throwing out data, wifi, radio frequencies

As I said, people at DEF CON have a completely different relationship to the world around them. Because hackers understand how technology works, they understand how the world works. And because they know how the world works, they can use this understanding to shape it, and influence it. Reality has become a sort of playground that, with enough talent, skill and in many cases bloody-minded obsession, will answer to their commands.
