Cox deletes ‘Active Listening’ ad pitch after boasting that it eavesdrops though our phones::undefined

    • GenderNeutralBro@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      1
      ·
      11 months ago

      Sorry if this is a noob question, but…how?

      DNS will tell you the server name and address, which would just be some server owned by the company. Nothing weird there unless they have the chutzpah to name it something telling. They could even bypass DNS entirely with hardcoded IP addresses.

      Timing wouldn’t be a great indicator either if they aggregate requests.

      They could slide anything nefarious in with daily software update checks or whatever other phone-homing they normally do, and without deep packet inspection or reverse engineering the software, it would be very difficult to tell.

      I don’t think Wireshark can do deep packet inspection, can it? Assuming the client is using SSL and verifying certs, maybe even using cert pinning?

      Size would be a big indicator if they’re sending full voice recordings, but not if they’re doing voice recognition locally and only sending transcripts, metadata, or keywords.

      I’ve never actually done this kind of work in earnest, and my experience with Wireshark is at least a decade out of date. I’m just approaching this from the perspective of “if I were a corporate shitbag, how would I implement my shitbaggery?”

      • Encrypt-Keeper@lemmy.world
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        3
        ·
        11 months ago

        The answer is: it wouldn’t. You’re right on the money, you couldn’t do anything other than speculation.

        • BeardedGingerWonder@feddit.uk
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          Just spitballing here but you might be able to try and correlate the amount of data sent with how much real life activity there was. Say, have silence for a week around the TV then play recorded speech near it for a week and see if that changes the frequency or size of the data being sent back home. Then do this for random 1/2/3 day periods. If offline text to speech is as crap as I’ve heard then the increased data transfer should stick out pretty clearly.

          • Encrypt-Keeper@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            11 months ago

            That’s a completely unhinged level effort for what would still ultimately boil down to speculation lmao. Smart TVs phone home frequently, semi randomly, with varying data amounts, both when used regularly and when off for months at a time, both when you’re walking and talking around it, and if you’re on vacation for two weeks. If despite all that you tried to control the environment around it you’d somehow need to… ensure absolute silence in the room that it’s in for DAYS at a time? Unless you live in the middle of the woods that’s not very likely, and even then, all it would be is guessing lmao

            • BeardedGingerWonder@feddit.uk
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              11 months ago

              Oh entirely, but it’s the best I could come up without disassembly. (And I’m fairly sure I’ve done worse debugging a prod environment)

        • Serinus@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          11 months ago

          First, someone would be able to prove that communication is happening. Second, if the keys are stored locally, and the original packets saved, the encryption can be reverse engineered.

          Encryption prevents man in the middle attacks. If you have one of the ends, you can usually get the data. If you have the device that’s doing the encryption of the data, and you have the encrypted data, you can decode the data. It’s just a matter of getting through obfuscation at that point.

          The reason this hasn’t been done yet is that it’s not happening yet. CMG was lying in their advertising.

      • Magical Thinker@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        11 months ago

        Try it out. Setup dnsmasq and connect your phone to the network. You’ll see a ton of requests initially, that gives you some idea of what apps/services/accounts are on the phone. Let the phone go to sleep, and watch what is sending requests in the background. Many services use very specific host names which indicate what is being processed.

        On the TV, it would be similar. You walk into the room and it starts sending packets? You say something unrelated to its trigger word yet Wireshark shows activity? Suspicious. If you can get a certificate onto the TV you can use mitmproxy to view the HTTPS traffic, but that’s probably kinda difficult.

        I do not use smart TVs but I have been doing stuff like the above for a while. If they are recording and storing stuff some engineer eventually figures out, it’s not an NSA backdoor.

        I’m not saying they are/aren’t, I do not know, it just seems very unlikely and improbable especially given smart phone ubiquity. What is known to be actually occuring is a complete violation of consumer privacy for marketing purposes, but OPs form of spying is so far unsubstantiated.

        Now, can that TV be hacked and used by your neighbor to spy on you? Or can your government access your mic/camera? That’s an entirely different question and field of expertise.

        More info