Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.
Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.
Yesterday, Gizmodo reported that Uber had been granted an entitlement for their iOS app that allowed them to capture an image of an iPhone’s screen at any time, even when the Uber app was not the active app on the phone. This is a big deal, because users don’t typically expect that an iPhone app that is not active might have the ability to eavesdrop on anything they are doing.
I have long felt that the sandboxing infrastructure on both iOS and Mac should be used to more accurately convey to users specifically what the apps they install are capable of doing. Currently the sandboxing system is used primarily to identify to Apple what a specific app’s privileges are. The requested entitlements are used to inform Apple’s decision to approve or reject an app, but the specific list of entitlements is not easily available to users, whose security is actually on the line.
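The entitlement list Jalkut describes is not shown to users, but it is embedded in the app’s code signature and can be dumped on macOS with `codesign -d --entitlements :- Payload/App.app` (the leading colon strips the binary blob header from the plist). The script below is an added example, not code from Uber, Apple or Jalkut’s post: it parses a constructed entitlements plist of that shape and flags entitlements a reviewer would not expect a third-party ride-hailing app to carry. The allowlist, the bundle identifier and the `com.apple.private.example-screen-capture` key are all made-up values for the sake of the example.

```python
"""Audit the entitlements embedded in an iOS app's code signature.

Feed this the plist that `codesign -d --entitlements :- App.app` prints
on macOS.  Here the input is a constructed sample so the script runs
offline.  Hypothetical example code, not from Uber, Apple or the post.
"""
import plistlib

# Constructed sample resembling `codesign -d --entitlements :-` output.
# The bundle identifier and the com.apple.private.* key are placeholders.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.rideapp</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>keychain-access-groups</key>
    <array><string>TEAMID.com.example.rideapp</string></array>
    <key>com.apple.private.example-screen-capture</key>
    <true/>
</dict>
</plist>
"""

# Entitlements a reviewer would expect a third-party app of this kind to
# request (push notifications, its own keychain group, its identifier).
# This allowlist is an assumption for the example, not an Apple list.
EXPECTED = {
    "application-identifier",
    "aps-environment",
    "keychain-access-groups",
}


def parse_entitlements(plist_bytes: bytes) -> dict:
    """Parse the XML plist emitted by codesign into a dict."""
    return plistlib.loads(plist_bytes)


def audit_entitlements(ents: dict, expected=EXPECTED) -> dict:
    """Report entitlements that warrant a closer look.

    'private'    : keys under com.apple.private.*, which Apple normally
                   reserves for its own apps and which an App Store
                   reviewer should question in a third-party bundle.
    'unexpected' : any key outside the reviewer's allowlist.
    """
    private = sorted(k for k in ents if k.startswith("com.apple.private."))
    unexpected = sorted(k for k in ents if k not in expected)
    return {"private": private, "unexpected": unexpected, "total": len(ents)}


if __name__ == "__main__":
    findings = audit_entitlements(parse_entitlements(SAMPLE_ENTITLEMENTS))
    print(f"{findings['total']} entitlements found")
    for key in findings["unexpected"]:
        tag = "PRIVATE " if key in findings["private"] else ""
        print(f"  {tag}not on allowlist: {key}")
```

Run against a real bundle by replacing `SAMPLE_ENTITLEMENTS` with the bytes written by `codesign -d --entitlements :- App.app > ents.plist`; any `com.apple.private.*` key in a third-party app is the kind of privilege the post argues users should be able to see before installing.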
This is absolutely fucking ridiculous. Fuck Uber. Apple should be ashamed for working with them at any level. Allowing an app to covertly record your screen without any prompting is exactly the kind of thing that Apple’s iOS app review process should prevent.
Uber claims they didn’t do anything wrong with this ability, and the security researchers told Gizmodo that they didn’t detect anything going on with this code.
There are companies that are less trustworthy than Uber, but few have the opportunity to be as evil on such a large scale. Enabling them to do anything more than operate at a basic level on your platform is a mistake. At this point Apple should block them entirely and attempt to help the taxi industry to reform and compete with Uber. Not that Apple ever would, but still, that would be the best thing to come out of this. The next best thing would be the improvements to the entitlement system that Jalkut suggests.
I wouldn’t even bother to wonder what Uber are doing on Android, where security is a fucking joke and carriers are still selling devices running ancient versions of that operating system that are affected by dozens of security vulnerabilities. This is especially true for pay-as-you-go phones sold cheaply at places like Walmart, Target, and so on. Those carriers and stores are endangering their customers by continuing to sell these devices.
Uber has for years engaged in a worldwide program to deceive the authorities in markets where its low-cost ride-hailing service was being resisted by law enforcement or, in some instances, had been outright banned.
The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials. Uber used these methods to evade the authorities in cities such as Boston, Paris and Las Vegas, and in countries like Australia, China, Italy and South Korea.
If users were identified as being connected to law enforcement, Uber Greyballed them by tagging them with a small piece of code that read “Greyball” followed by a string of numbers.
When someone tagged this way called a car, Uber could scramble a set of ghost cars inside a fake version of the app for that person to see, or show that no cars were available.
Intentionally obstructing local authorities from using their service probably isn’t illegal, but it isn’t something you would have to do if you were proud of your product and thought it was defensible in a court of law.
Could you imagine if Apple checked whether users were government agents and shut off their laptop or desktop computers? Not that our government would worry; the president only uses devices that are designed in Korea.
Nick Heer has this round-up of Uber in the news for the past 3 years. It includes this gem, from Buzzfeed:
Early this November, one of the reporters of this story, Johana Bhuiyan, arrived to Uber’s New York headquarters in Long Island City for an interview with Josh Mohrer, the general manager of Uber New York. Stepping out of her vehicle — an Uber car — she found Mohrer waiting for her. “There you are,” he said, holding his iPhone and gesturing at it. “I was tracking you.”
Mohrer never asked for permission to track her.
Susan Fowler writing about a year working for the illegal taxi service, Uber, and describing what happened after reporting sexual harassment:
I was then told that I had to make a choice: (i) I could either go and find another team and then never have to interact with this man again, or (ii) I could stay on the team, but I would have to understand that he would most likely give me a poor performance review when review time came around, and there was nothing they could do about that. I remarked that this didn’t seem like much of a choice, and that I wanted to stay on the team because I had significant expertise in the exact project that the team was struggling to complete (it was genuinely in the company’s best interest to have me on that team), but they told me the same thing again and again. One HR rep even explicitly told me that it wouldn’t be retaliation if I received a negative review later because I had been “given an option”. I tried to escalate the situation but got nowhere with either HR or with my own management chain (who continued to insist that they had given him a stern talking-to and didn’t want to ruin his career over his “first offense”).
Don’t worry, you weren’t there and nothing anyone ever reported has happened:
Myself and a few of the women who had reported him in the past decided to all schedule meetings with HR to insist that something be done. In my meeting, the rep I spoke with told me that he had never been reported before, he had only ever committed one offense (in his chats with me), and that none of the other women who they met with had anything bad to say about him, so no further action could or would be taken. It was such a blatant lie that there was really nothing I could do. There was nothing any of us could do. We all gave up on Uber HR and our managers after that. Eventually he “left” the company. I don’t know what he did that finally convinced them to fire him.
This kind of harassment happens at every company in SF and the valley. The men are allowed to threaten and cajole women until the women either give in or get fed up and leave because human resources refuses to do anything.
Anil Dash has some tips for improving that app-based taxi service, Uber:
There has been an enormous amount of attention and money poured into Uber, but is it possible that the company could be even better?
Maybe so. Perhaps we could better serve people who live in cities today but aren’t yet using the service by making a few simple improvements.