Completely normal: Apps that spy on you and the companies that let it happen
In June this year I came across an excellent blog post by Australian hacker Haxrob about a common Bluetooth car battery monitor siphoning up your location data and sending it to mainland China. I'd highly recommend reading it - it's a four part story that goes into incredible detail on how the app spies on you and the steps Haxrob took to reverse engineer what was happening.
The battery monitor is sold by an Australian company, JayCar, which has stores in New Zealand. It's the type of device my dad (and I guess me too) would buy and the device is headless - it can't be used without the app, so I was concerned.
The device was still listed for sale on JayCar's website when I read the blog, so I initially emailed JayCar, sent them a link to Haxrob's blog and asked them a couple of questions - including if they knew about it, if they were actively informing customers and if they had processes to check other products for the same types of issues.
The response I got back from JayCar ignored all the questions and just said:
"We are aware of the situation and the matter has been raised with the appropriate department to resolve with the manufacturer. Our buying team and the manufacturer are working on a solution."

I wasn't massively impressed with the answer, so decided to email the Stuff.co.nz tip line. After a week or so a reporter reached out and I gave her all the information I had and a few quotes, and then I waited, expecting the article to appear any day on Stuff.
After a few months of not really seeing anything, I assumed the story didn't go anywhere, but I was curious why. During this time, the blog post had been updated with new information - the apps had been updated in the app store, but location data is still being sent to servers in Hong Kong. I went back to the reporter to ask what happened, and got the following response:
"I wrote it all up, but the company wouldn't comment directly on it and an expert said lots of apps do this so my boss decided we didn't have enough to go with. Sorry about that. All the best."

And that's it. Apparently JayCar gets away with it by not commenting, and people don't get to hear about it because it happens a lot. And people who bought the device are none the wiser that their location has been and continues to be siphoned off. All I'm left with is more questions:
- Does something happening a lot make it non-newsworthy?
- Isn't the story now that this happens all the time and we shouldn't take it?
- JayCar might be working with the manufacturer, but the fact that the application has been updated and location data is still being collected means I have to ask - what is JayCar actually doing?
- Does JayCar have a responsibility to notify people who purchased this item that they are at risk and have had their data stolen?
- Do they have a responsibility to stop selling the item until they can verify that the application no longer does this?
- How do they verify this going forward?
- If people aren't comfortable with JayCar's response, can they get a refund?
- The device cannot be used without an app - so do users have a case under New Zealand law to request a refund?
- Does this really happen all the time?
- What other apps are spying on me?
- Am I in the minority for caring about this?