Bose headphone apps collect and send user data

[Homer J Simpson]

More IOT goodness.

https://www.bleepingcomputer.com/news/technology/lawsuit-claims-headphones-maker-bose-is-secretly-collecting-user-data/

[Rick Law]

Not to miss is that Yahoo news has the more ominous tidbit:

Direct quote from Yahoo news with bold added:
But the Illinois resident said he was surprised to learn that Bose sent "all available media information" from his smartphone to third parties such as Segment.io, whose website promises to collect customer data and "send it anywhere."

_{Quoted from this article: https://www.yahoo.com/tech/bose-headphones-spy-listeners-lawsuit-174749975--finance.html}

[Red Squirrel]

It's ridiculous how everything wants to spy on us these days.   That stuff needs to be illegal, but considering the government is spying on us too, that's never going to happen.

It's one of the reasons I got interested in electronics.  There will come a point where the only way to stay safe is to design your own stuff, or reverse engineer existing products to strip out anything that is there to spy on you.

[edpalmer42]

It's ridiculous how everything wants to spy on us these days.   That stuff needs to be illegal, but considering the government is spying on us too, that's never going to happen.

It's one of the reasons I got interested in electronics.  There will come a point where the only way to stay safe is to design your own stuff, or reverse engineer existing products to strip out anything that is there to spy on you.

Tell me about it!  The first thing I do after building a new computer system is install a good firewall program.  I use my router firewall to keep bad things out and the software firewall to ....uh.... keep bad things in!    What a world!  Actually, the software firewall keeps anyone from phoning home which minimizes the privacy leaks.

I had to smile when I found out that the firewall I use (Comodo) is hated by the NSA because they haven't been able to hack it.  Maybe.

Ed

[Rick Law]

It's ridiculous how everything wants to spy on us these days.   That stuff needs to be illegal, but considering the government is spying on us too, that's never going to happen.
...
...

Yet a good number of people want "internet of things."

The refrigerator is going to talk to the dish washer how much you took out, and the dish washer is going to log that fact that you didn't eat your broccoli.  Your mom can buy a list of all the junk food you ate, and the government can increase your insurance premium because you are a walking heart attack waiting to happen...

Yeah, it is getting ridiculous.

Add to that, hacking.  Just last week, Internal Revenue Service (IRS) commissioner told the Senate the federal student loan program was hacked and information from that database may have been stolen.

^{https://www.rt.com/usa/384001-irs-fafsa-100k-hack/}

Is internet really making our life easier, or just more risky?

[cat87]

It's ridiculous how everything wants to spy on us these days.   That stuff needs to be illegal, but considering the government is spying on us too, that's never going to happen.

It's one of the reasons I got interested in electronics.  There will come a point where the only way to stay safe is to design your own stuff, or reverse engineer existing products to strip out anything that is there to spy on you.

Tell me about it!  The first thing I do after building a new computer system is install a good firewall program.  I use my router firewall to keep bad things out and the software firewall to ....uh.... keep bad things in!    What a world!  Actually, the software firewall keeps anyone from phoning home which minimizes the privacy leaks.




I had to smile when I found out that the firewall I use (Comodo) is hated by the NSA because they haven't been able to hack it.  Maybe.

Ed

Would you be willing to disclose what router firewall you're using? I'm starting to get a bit paranoid about things in my house talking "behind my back" so I want to do something about it.

[R005T3r]

It's ridiculous how everything wants to spy on us these days.   That stuff needs to be illegal, but considering the government is spying on us too, that's never going to happen.

It's one of the reasons I got interested in electronics.  There will come a point where the only way to stay safe is to design your own stuff, or reverse engineer existing products to strip out anything that is there to spy on you.

Designing my own stuff is also my line: you have a better quality control over your products and in the end it works better and in the end it costs less. Government spying is a no go because I don't approve it, but they at least can be trusted: you won't expect bad surprises like you bank account drained in 2 days, because they don't care about it... But companies who sells data to anyone, it's radically different because who knows who is the "final consumer" of the datas... Reguarding the IoT, I think that the worst aspect of it is that anyone can exploit it and recover informations about everything in a device, because the company line on internet security is sell first and security after a scandal arise.

Not to mention the headphones market is getting too ridiculous for my tastes: wireless headphones, the "sound quality" joke, if you want something decent you are going to spend as much as $200 which increases if the product is reviewed.... 4 pole headphones are replacing 3 poles ones: it's becoming harder and harder to find them at local stores and I have to buy online, currently an open design headphone starts at $250....

[slicendice]

Lol, can anyone confirm this data mining is 100% real and accurate, or is this yet another American ridiculous lawsuit that is just intended to hurt other businesses and rip companies of their money or trying to get rich quick scheme?

Please provide screenshots of the application network activity etc...

[edpalmer42]

Tell me about it!  The first thing I do after building a new computer system is install a good firewall program.  I use my router firewall to keep bad things out and the software firewall to ....uh.... keep bad things in!    What a world!  Actually, the software firewall keeps anyone from phoning home which minimizes the privacy leaks.

I had to smile when I found out that the firewall I use (Comodo) is hated by the NSA because they haven't been able to hack it.  Maybe.

Would you be willing to disclose what router firewall you're using? I'm starting to get a bit paranoid about things in my house talking "behind my back" so I want to do something about it.

Where possible, I use any of the open-source router programs like DD-WRT or OpenWRT.  I've recently found out that my router has been orphaned by the group maintaining the only software fork available so I've been forced to reload the OEM software due to a bug.     I haven't decided what to do about that.

If your router allows it, define an IP address range that has no Internet access and assign devices to that range that have no reason to go to the 'net.  Or do it the other way around and only allow devices in a restricted range to access the 'net.  Maybe set it up so that DHCP addresses are blocked and only static addresses can get through.  There are lots of ways to lock your network down.

Ed

[Red Squirrel]

At home I run pfsense.  You can get quite granular with rules.  I also have separate vlans for different purposes.  "untrusted" devices and wifi go on a separate vlan.  So for example game consoles.  If it was every found out that they sweep your network to spy on you, they won't get much on my network.   If I pickup a trojan on my phone then go on my wifi, it also won't have much to look at.

I need to start doing outbound port blocking too though.  But I presume a lot of that spy stuff probably uses port 80 or 443 or other common ports to get around that.

[Rick Law]

Firewall works if all the connected machines there never travel outside.  Otherwise, I can imagine individual machines self-snoop and store the data on itself or on the network, then a smart phone collects the snooped data and burst it out to whoever once the phone leaves home and get connected elsewhere.

[helius]

Please provide screenshots of the application network activity etc...

The great thing about smartphones is that they try pretty hard to lock the "owner" out of his own device and make it hard to monitor what's happening. iOS obviously is very serious about this and Android is not much better in practice with the proprietary Play Store interfaces.

I need to start doing outbound port blocking too though.  But I presume a lot of that spy stuff probably uses port 80 or 443 or other common ports to get around that.

Ports are worth fuck-all against deliberate surveillance. Either mirror the vlan into Wireshark or find your router's options for bulk connection dumps and grep them for unfamiliar DNS queries and packets

[Red Squirrel]

Yeah one thing I'd like to do is found a source of "Bad" dns hosts that gets updated then have it so I have a script that generates records in my DNS server to redirect to an internal web server.  Would also need to do the same with IP addresses as some spy stuff might just be connecting straight to an IP vs using DNS.

For what it's worth I could perhaps setup a local web proxy then only allow the proxy to go out through the firewall (and any other specific stuff I may need like game servers), but I presume spy stuff would be smart enough to do a local network scan to try to find any proxy so it can use it.

[Cyberdragon]

I think it would be even funnier to not only hack stuff to stop unwanted monitoring, but to intercept it and replace the data with hilarious garbage. Like "YOU ARE AN ID-I-OT, HA HA-HA HA HA-HA-HA HA-HA HA-HA HAAAAA!"

[helius]

You can just map undesired DNS entries to a machine without open ports (hosts.txt is great for that). There is no real purpose to accepting these connections: if the spyware is written to keep itself hidden, then it must not cause problems when unable to connect to its home base. If it does connect to a server, but without the expected resources, then it isn't going to somehow work better than no response at all.

but I presume spy stuff would be smart enough to do a local network scan to try to find any proxy so it can use it.

Proxies accept passwords, you know.

I think it would be even funnier to not only hack stuff to stop unwanted monitoring, but to intercept it and replace the data with hilarious garbage. Like "YOU ARE AN ID-I-OT, HA HA-HA HA HA-HA-HA HA-HA HA-HA HAAAAA!"

The simple fact that a connection to the Internet took place means that your use of the software has been monitored.

[rdl]

I have found that Steam, even when in "offline mode" will still download updates. It also continues sniffing your balls and saving data non-stop, presumably for future upload. I now have Steam on a separate drive that is only booted when necessary and is isolated on its own VLAN.

[AndyC_772]

There has to be a commercial opportunity here.

I'd happily pay for a hardware firewall, which plugs in between my router and my cable modem.

The firewall contains rules to block access for devices that are known to 'phone home', unless explicitly authorised by me on a case-by-case basis.

The rules are updated by the firewall manufacturer. They charge a reasonable subscription fee for this service, which I'd be happy to pay.

Does a box like this already exist? Is there a good reason why they've NOT yet become standard equipment for anyone who cares about privacy and/or security?

[amyk]

"In Soviet Russia, headphones listen to you."

Hardware firewalls exist, although not with the subscription services you're talking about (which you could find for free --- just search for "HOSTS blocking"), but they are expensive. You could just block everything except your computer from even connecting to the network, by setting up appropriate passwords and access rules even in consumer routers.

[Cyberdragon]

I think it would be even funnier to not only hack stuff to stop unwanted monitoring, but to intercept it and replace the data with hilarious garbage. Like "YOU ARE AN ID-I-OT, HA HA-HA HA HA-HA-HA HA-HA HA-HA HAAAAA!"

The simple fact that a connection to the Internet took place means that your use of the software has been monitored.
[/quote]

It doesn't matter if they know you are using it, of course you are since you installed it. If you screw up the data, it screws up their algorithms that look for patterns. This has the hilarious result of screwing up targeted ads to rediculous nonsense.

Case in point...I've already ruined youtube ads to the point it's willing to spew literally anything it finds at me. I've gotten everything from "free calls to jail" to birth control pills for prostitutes. I watch so much random crap that it's probably just given up and put "sex, drugs, and rock n roll".

[AndyC_772]

Hardware firewalls exist, although not with the subscription services you're talking about (which you could find for free --- just search for "HOSTS blocking"), but they are expensive.

That sounds like a commercial opportunity. Personal, consumer grade firewalls, configured to allow common services through but to block any connection whose only function is to sniff personal data.

You could even bundle them with copies of Windows 10.

[helius]

Case in point...I've already ruined youtube ads to the point it's willing to spew literally anything it finds at me. I've gotten everything from "free calls to jail" to birth control pills for prostitutes. I watch so much random crap that it's probably just given up and put "sex, drugs, and rock n roll".

You may find this amusing. In my case, I haven't seen any ads from youtube in over 5 years. echo "googleadsyndication.com 127.0.0.1">>/etc/hosts.txt

[rdl]

You may find this amusing. In my case, I haven't seen any ads from youtube in over 5 years. echo "googleadsyndication.com 127.0.0.1">>/etc/hosts.txt

I've been using a comprehensive hosts file since 2009. Between that and NoScript I rarely see ads anywhere.

Recently I added uBlock Origin and Crush Those Cookies to the arsenal.

[rdl]

The hardware exists for sale but I haven't seen a service offered. I think it might be better just to build a device yourself and run pfSense on it. Some examples:

https://www.netgate.com/products/pfsense-appliances.html

This does not seem too unreasonable for the price:

https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Intel/dp/B01JHJGG5M/

I haven't really done much research, there may better better alternatives.

There has to be a commercial opportunity here.

I'd happily pay for a hardware firewall, which plugs in between my router and my cable modem.

The firewall contains rules to block access for devices that are known to 'phone home', unless explicitly authorised by me on a case-by-case basis.

The rules are updated by the firewall manufacturer. They charge a reasonable subscription fee for this service, which I'd be happy to pay.

Does a box like this already exist? Is there a good reason why they've NOT yet become standard equipment for anyone who cares about privacy and/or security?

[boffin]

Case in point...I've already ruined youtube ads to the point it's willing to spew literally anything it finds at me. I've gotten everything from "free calls to jail" to birth control pills for prostitutes. I watch so much random crap that it's probably just given up and put "sex, drugs, and rock n roll".

You may find this amusing. In my case, I haven't seen any ads from youtube in over 5 years. echo "googleadsyndication.com 127.0.0.1">>/etc/hosts.txt

Other than the fact that wouldn't work because you have the hostname and ip backwards ?

[Rick Law]

Hardware firewalls exist, although not with the subscription services you're talking about (which you could find for free --- just search for "HOSTS blocking"), but they are expensive.

That sounds like a commercial opportunity. Personal, consumer grade firewalls, configured to allow common services through but to block any connection whose only function is to sniff personal data.

You could even bundle them with copies of Windows 10.

[ bold added to quote ]

There are tons of such opportunity out there but I am not sure they are profitable opportunities.

I for one would look very favorably towards a new eco-system where internet connection is only on request rather than application just doing it and assumed it has the right to do so.  If I fire up a machine in this eco-system, there is no internet connection.  Each IP session would be explicitly permitted by the user...  That sounds crazy, it would be like "back to the stone ages."  But, studies has shown that all these social media and internet connections are making people more isolated rather than social.

   _{Reference Article: Alone in the Crowd from American Psychological Association
   http://www.apa.org/monitor/2011/06/social-networking.aspx}


I don't really want to be back in the stone ages, but I want applications and systems not to assume there is an internet for it to use.  And if it need a connection, it requires additional permission in order to do so.