In the previous series opener, we discussed phishing and social engineering attacks, highlighting how this cybersecurity concern remains at the top of the list of threats and attack types employed by threat actors as they attempt to compromise devices, users and data across the modern threat landscape.
Switching gears ever so slightly, we continue to draw from Jamf’s Security 360: Annual Threat Trends Report as we dive into a growing trend that is not an attack type but rather the target of various threats: user privacy data. In this entry, we go into detail as we discuss:
- What exactly does “user privacy” mean?
- Why is protecting user privacy critical?
- What types of data fall under the banner of user privacy?
- How is privacy data used to target users?
- User privacy is endpoint security
Without further ado, let’s start with something easy!
What exactly does "user privacy" mean?
“User privacy” is a term used to refer to the data types that contain personally identifiable information, or PII for short. When thinking of data, like a Word document or email attachment, those files in and of themselves are labeled as data. However, by drilling down further to determine the contents of this general data and peering into what the data contains (or rather, what the data’s about), do we get a better idea as to whether or not it contains any information that could reveal the identity of the user that created or modified it.
Privacy data can come in various forms, whether it explicitly states information in plain text like a spreadsheet, depicts the user in question in a photograph or uses metadata to clue in on a user’s identity – whether in whole or in part – these and many more examples can potentially expose users while simultaneously violating their right(s) to privacy if not secured properly (a more detailed listing of user privacy examples will be provided later in this article.)
Why is protecting user privacy critical?
When discussing the criticality of data protection, the data in question often fall into two buckets: regulated and non-regulated. Regardless of data type, keeping data safe is tantamount to ensuring that the utmost security controls are in place to keep unauthorized actors from accessing it. The critical difference is that regulated data types, like patient records or financial transactional information, are governed by local, state, federal, country and/or regional agencies to make sure that these data types are protected at all times. Failure to do so could result in breaking laws, leading to civil and/or criminal penalties – including the forced shuttering of business operations – if found in violation of these regulations.
“0.2% of users / 5% of organizations had a potentially unwanted application installed within their devices fleet in 2022.”
Conversely, while any of the agencies mentioned above does not govern non-regulated data violations, organizations found to be liable for failing to protect user privacy data—especially if harm comes to users because of this negligence—could still find themselves culpable and face civil and/or criminal penalties.
That said, there is one overarching reason above all others detailing why it is critical to protect user privacy data: threat actors are actively (and increasingly) targeting this type of data in attacks against users. The goal isn’t always to simply obtain this data. The impact of these attacks can extend to crimes ranging from blackmail and extortion to stalking and far more violent offenses. Sadly, it doesn’t end there, as threat actors may also sell the privacy data they’ve obtained to other criminal organizations. This extends the impact against targeted users and can be leveraged against them to perform illegal acts against other victims, businesses and government entities.
What types of data fall under the banner of user privacy?
There’s no specific file type associated with user privacy but rather relates to a quality of the data. More specifically, the quality of the data refers to it containing any information that can identify users in whole or in part. As the National Institute for Standards and Technology defines PII as “Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”
When considering the data qualities, it’s important to note that while some pieces of information can clearly identify users, such as full names or some form of unique identification number, like social security numbers in the U.S. Other bits of information may seem innocent enough on its own – but when combined with other attributes – presents a larger picture that reveals personal, private and even intimate details that could impose any manner of physical, mental, medical and financial threats to users, including impacting their reputation – both personally and professionally.
Below is a listing of the types of data classified as PII:
- Full name
- IDs (passport, social security and driver’s or ID card, school ID numbers)
- Home address
- Communication information (telephone, email address, social media accounts)
- Registration numbers (vehicle, certification IDs, permits)
- Sexual orientation
- Records (medical and criminal)
- Financial (debit/credit card, taxpayer identification and bank account numbers)
- Place of employment
- Digital fingerprint (credentials, web history, social media posts and devices used)
While the list is far from exhaustive, it does highlight some of the more common types of PII. Within PII, there exist two types of classifications: sensitive and non-sensitive. The former is categorized by information that can directly identify a user; the latter however is qualified by information that, while not being suitable to directly identify a user, can be used indirectly along with other forms of data to build a profile about the user.
How is privacy data used to target users?
“0.4% of Android devices had a potentially unwanted app installed in 2022 compared to 0.1% of iOS devices.”
By now you should understand what user’s privacy data is and why it is sensitive. However, in this section, we’ll talk about some of the ways in which threat actors are gaining access to privacy data, in turn using it against users themselves to target and victimize them.
- Location services: This poses one of the biggest concerns for the physical safety of end-users as gaining access to a user’s location allows threat actors to know exactly where they are at any given time. This is especially dangerous for victims of stalking and those targeted by nation-state groups, like tracking journalists, political dissidents and government officials.
- Contacts: An example of non-sensitive privacy data, obtaining access to a user’s contacts lists can provide additional targets while furthering the efforts in victimizing others through intimidation and harassment.
- Calendars: Similar to the services above, accessing calendaring data could potentially yield a treasure trove of sensitive and non-sensitive PII alike. Appointments with doctors (medical), reminders to pay bills (financial) and critical meetings (business), including account information, meeting details with links and so forth are readily available in user’s calendars, giving away crucial information about where users are (or will be) and when.
- Photos: With the proliferation of smartphones, it’s never been easier to carry a high-end camera with you to capture any and all moments. In fact, it’s become so ubiquitous, that usage has morphed by users relying on taking photos to remind them of well, everything. Items they like, important contact details, passwords and credentials – all alongside pictures of loved ones in private and public moments. Accessing this data and the EXIF metadata stored within the photos reveals a wealth of personal details about a user. Details ranging from private, personal moments to circumstances that may impact their professional life to even intimate moments captured digitally that were never intended to be shared in any capacity.
- Bluetooth: All network connections pose a threat of leaking data if the communication is not secured properly. But unlike the other forms where only what is accessed at a given time is what’s communicated, Bluetooth is utilized for a number of near-field connectivity means. Sharing contacts, data and even transmissions made from externally connected devices, like mice movements or keystrokes entered into a keyboard. And once a connection is made successfully, the paired devices do not need to authorize access again in order to communicate – simply establish connectivity and access is restored. Potentially leaving users unaware that unknown devices could be gathering their PII.
- Microphone: Another one of the biggest concerns is microphone access. With the growth of voice-controlled apps and services, the reliance on the mic is critical. Threat actors know this, which is why tapping the mic is one of the sources of obtaining PII. Additionally, since this is controlled as a part of the subsystem of the OS, there is no way to tell if a device has been compromised to eavesdrop on a user’s private conversations – during phone calls and while not in use – unless users are actively looking at their phone.
- Camera: The third of the biggest concerns is camera access. Like the mic above, this provides a similar risk except that it is capable of recording not just audio but also video. Tapping into this feed can provide threat actors with privacy data that is both invasive and dangerous for personal and professional users alike. Recording screens during presentations of confidential information or turning on the camera at random times, such as spying on users at night or in the privacy of their rooms all lend themselves to compromising situations that could be used to extort or coerce victims into paying blackmail demands or even into committing crimes to prevent leakage of sensitive information.
- Internet of Things (IoT): A relative newcomer to the list but one that is most alarming as reliance on Internet-connected homes, or “smart homes” continues to grow in popularity. Driven heavily by the adoption of IoT, compromising user devices may also mean gaining access to the apps/services that control their home and the things in it. Lights, door locks, and even major appliances, like ovens could be used to harass and intimidate while also providing key details about users, such as where they live, what their daily habits are and how many inhabitants there are, among other bits of data that can be used to spy on them and intrude into their lives further.
- Files and Folders: The tried and true method of obtaining PII – through files and folders contained on devices and systems. Medical records, financial documents, password lists, details relating to hobbies, habits and generally anything that could be used to directly or indirectly piece together a profile on a victim can be contained within a file and read in plain text.
- Input Monitoring: Similar to Bluetooth above, the digital age has brought with it other means of monitoring input besides hijacked communications and malware. For example, the range of swappable keyboards that are available for installation on smartphones carries with it the risk that the developer of the keyboard is being granted access to your keystrokes when users install their software keyboards and enable them. This means that users are handing away their right to protection by using these third-party keyboards. And while not all are malicious, some certainly are, while others may simply not take the appropriate steps to secure this data, leading to a data leak or vulnerability that could be exploited by threat actors just the same.
- Screen Recording: Similar to the Camera above, modern OS’s have built-in software to record your screen. The ease of use in sharing tutorials or quickly grabbing the relevant bits of data needed in a pinch is beneficial to users. But they also serve threat actors as well, relying on this technology to record the actions being performed by their victims – often without their knowledge – and reporting it back for analysis to aggregate to their profile on the user. Like input monitoring, this could be a hidden “feature” of an app that is undisclosed to the user when they install a third-party app, granting it permission to record the screen whenever the threat actor wishes and placing the user at potentially grave risk for violating their PII.
- Web History/Bookmarks: As discussed previously, PII falls into two categories. Web data, such as usage history, bookmarks and saved passwords, settings and extensions straddle the line between sensitive and non-sensitive. Meaning that depending on the context of the PII contained, it could either directly identify the user or indirectly be used to profile them. For example, a bookmark for a bank website – when paired with a randomly generated email account – could be used to indirectly build a profile on a user but doesn’t identify them outright. However, finding a website in the browser history that is linked to a cookie that contains the username of the account that last logged in and utilizes the user’s full name does identify the user directly. Depending on the sensitivity of the website visited, more PII could be gathered related to other factors, like gender, birth date and age among the more common bits to further crystalize the user’s identity.
User privacy is endpoint security
It doesn’t take a soothsayer to read the tea leaves surrounding the inclusion of user privacy within holistic security strategies. In fact, it’s been occurring for some time now with the legislature and regional laws, such as GDPR in Europe and numerous states in the U.S. drafting laws to protect user privacy with much the same priority as existing forms of data security.
And with the increased adoption of varying device ownership models, like BYOD support for personally owned devices, “the criticality to uphold user privacy requires that strategies to keep PII protected are prioritized and built into an organization's defense-in-depth security strategy to ensure that company data stays safe without compromising user privacy – and potentially – ensuring compliance is maintained.”
Learn more about these and other growing threat trends impacting cybersecurity!
Have market trends, Apple updates and Jamf news delivered directly to your inbox.