Your Phone Is Using TOR and Leaking Your PII

As part of our research, we identified a surprising amount of unencrypted, sensitive and confidential user data originating from mobile devices traversing the TOR network, which included: GPS coordinates, WiFi BSSID, and general keys typed by the user. In some cases, we were able to build a complete user profile from physical movements to purchasing habits.

There are multiple sources, without the user’s knowledge or consent, which consistently and purposely send personal information unencrypted over TOR. These include pre-designed Mobile Original Equipment Manufacturers (OEM) specifications, approved applications by known digital distribution platforms, such as Apple Appstore or Google Play Store, and advertisements in legitimate popular applications.

At the end of the day, how comfortable are you that anyone can track you?

Presenter: Adam Podgorski and Milind Bhargava