Hacked - Ticked Off
Episode Date: September 1, 2020
Jordan Bloemen & Scott Francis Winder discuss TikTok, and what happens when data security and trade wars start getting all mixed up in each other. If you like the show and want to make sure we can keep making it, please subscribe and if you can visit https://www.patreon.com/hackedpodcast and show us some love. Also - don't forget to check out our loving sponsor Proton VPN. Visit protonVPN.com/hackedpodcast for 33% off a 2-year plan. Learn more about your ad choices. Visit podcastchoices.com/adchoices
I think we've got to go back to the end of our last episode.
If I am China and I'm looking for companies that could give me like a leg up in some future
psy-ops type situation, I'm going to be trying to build the next Instagram, not the next
Cisco, you know?
Yeah, well, we're just talking about TikTok.
Yeah, we're just talking about TikTok.
You see, this episode is going to have nothing to do with current events and specifically
nothing to do with China.
But in the last five minutes of our last episode, like Bloody Mary in front of the mirror, we evoked TikTok.
And then like four days after that episode went live, this happened.
President Trump has threatened to ban the Chinese-owned video streaming app TikTok if it's not bought by September 15th.
So now we got to pack our bags, throw on our headlamps, and go on a journey
deep into the data mines. Let's imagine for a second that we live in China and we make socks.
We're sock workers. We got a sock factory and we want to sell our socks to Western feet.
So we've come here deep into the mildewy depths of the data mines to try and get some good
data about our Western consumers so we can sell them more socks. First steps first,
we got to go where our audience is, which are the ecosystems
operated by Facebook and Google.
Now, Facebook and Google, they'll take your money to run sock ads all day.
But what they won't do is sell you user data because privacy,
which is where companies called data brokers come in.
Because while Facebook and Google will not sell you user data because privacy,
they will effectively sell it to multi-million dollar data brokerages because money.
Sockmaker, you've got to find yourself a data broker.
Trouble is, you've got to find a data broker in China that works with Western companies with data on Western users.
Which brings us to a company you've probably never heard of called AdTiger.
Generally speaking, data brokerages keep the supply chain of how they get user data a secret.
But you see, AdTiger recently published this giant pile of information for investors interested in getting in on their multimillion dollar IPO,
providing our humble socks startup with a lot of insight into the flow of Western user data in China.
Based on these documents, we have learned that AdTiger can get information on Facebook and Instagram users
by buying it from another middleman company called Meet Social.
They can get information on Twitter users by buying it from a company called OneSight,
information on Google and YouTube users from a company called Vidoed.
Without ever contacting a Western
firm, they can get millions of dollars worth of data on Western users by purchasing it through
a series of intermediaries, each collecting and reselling this data in an increasingly complex
supply chain. So if you, Chinese sock company, want to know the exact moment that Ricky in
Minneapolis expressed an interest in getting some ankle socks for a sporty new summer look,
you can buy it today and start advertising to him tomorrow.
Which brings us back to TikTok.
And really the fear at the heart of this proposed ban.
Central to any argument that we should ban Chinese tech is this law called a cybersecurity multi-level protection scheme.
Now, this law basically says that Chinese-based companies have an open-door policy with the Chinese government when it comes to data,
that the government has the right to access all information on or flowing through Chinese servers.
There are no warrants for user data, no subpoenas, what's mine is yours.
So if heaps of users in the West are using TikTok, and TikTok and its servers are based in China,
that means that the Chinese state has access to all of that data, resulting in a very real security threat.
As the logic of the ban goes, Western user data on Chinese servers is a security threat.
But what about socks?
Because if it's a threat when TikTok does it, why, sock factory owner, isn't it a threat when it's
Facebook data bought from Meet Social held on AdTiger servers in China, or Google data bought from
Vodod stored on servers in China, or Twitter data bought from OneSight stored on servers in
China? Why TikTok? Why ban specifically TikTok? We're going to try and answer that question
on this episode of Hacked. I think that particular social networking app has had a
lot of conversations happening around it for the last little while here in the right communities.
Like, I believe Amazon had drafted a letter that got leaked out that was going to direct all
their staff to not install it, so to have TikTok removed from your devices and other things.
You know, there's been a lot of discussion about TikTok and what it's up to in certain circles.
You're definitely now seeing a lot happening, especially now with the Department of Justice and the White
House going after ByteDance, kind of trying to force the sale of it so that the company is
owned and controlled by Americans, which is, I think, madness in today's kind of free market world.
But, yeah, I think there's some interesting, I think that the actions of the people around
it are very indicative of something very interesting that we don't know.
Does that make sense?
I think so, but you could explain further.
Well, you remember in the Hawaii episode where, you know, there was lots of significant moves happening at specific levels of government and nothing was really being told to the masses.
That's generally probably pretty indicative of something large going on behind the scenes.
I feel like we're seeing that now with TikTok.
You've got lots of huge public denouncements of it.
You've got the president of the United States trying to force its sale.
You've got talk about outright banning it in North America or at least in the United States.
And I think that that's just very indicative to probably a larger problem that, you know, as normal people, we're not, you know, privy to.
Before we talk about the technical side of TikTok and kind of like the sort of types of data that TikTok could theoretically be harvesting,
I feel like it's not really being honest in talking about whether or not you should ban TikTok without talking about the popularity
of TikTok. There's a reason that app is in all the headlines. There's a reason that's the app
that people who want to go after China on the grounds of technology companies are going after.
It's because it's the one everybody knows. It's like becoming this giant cultural phenomenon.
Do you think any of this would be happening if TikTok was not kind of the cultural force that it is?
Oh, I think we should open this discussion by giving credit to where credit is due. And, you know, Vine really
set the stage for what TikTok became. And I think Vine
compilations are still some of the funniest social media content ever made.
We did Vine so dirty as a society. Yeah. And now it's been essentially
reborn with the learnings of Instagram
and now is the most prevalent among
certain demographics. Yeah. If nothing else, TikTok proved the premise
of Vine. Yeah. RIP Vine. Rest in peace, Vine.
Fucking Vine. Fucking Vine.
Fucking Vine.
About a week ago, a story came out about TikTok harvesting a certain type of user data that, I guess, we accept the premise that most apps harvest user data, but there's the sense of, like, whatever all of them are doing is okay, and if one does something that the rest aren't doing, it's not okay. And TikTok harvested a type of data that they're not really supposed to in 2020.
Yeah.
Apple banned MAC address farming in 2013.
Google apparently did it two years later in 2015,
but there's an issue on the Android platform
that allows you to kind of bypass those security checks
and access it.
So the other thing I will note is that I don't think TikTok
is the only app maker that is using this workaround
or loophole to access this data.
So it's just that they're the most discussed
Chinese social media app that's accessing this data.
That's currently in the middle of a trade war purchase agreement involving the president and Microsoft.
Correct.
It's the only one that's all three of those things.
Yeah, yeah.
So I guess first and foremost, if they've been tracking a MAC address, what is a MAC address?
Sure.
So a MAC address is a physical ID.
So each device comes preset with a MAC address, which is a random address, same as your IP address.
But your IP address is granted to you by, you know,
routers and switches and other things when you access the internet, the IP address is literally
just a public moniker for your MAC address. So in the lower levels of the software and the
address and the address, all an IP address is is a pointer to a device's MAC address.
So really, your MAC address is your device's private ID, and then your IP address becomes your
public ID.
You can't really change your MAC address. Like you just have the one. Yeah, you can change it on computers.
Like an easy way to bypass paywall Wi-Fi access is to quickly hack your MAC address to
somebody that has paid the paywall. So like if you're flying on an airplane and somebody's paid
for the $40 Wi-Fi access, you can just steal their MAC address and become them and the paywall
ignores you. Pro-tip. Pro-tip. That's pretty good. Yeah. But you need one
rube to pay $25 for like 15 minutes worth of the slowest internet in the universe.
Because the other thing is the MAC addresses aren't hidden.
So if I'm sitting in an airplane with my laptop open, scanning the Wi-Fi, I'm seeing
the MAC addresses of all of the devices around me.
This is kind of an aside to what we're talking about.
But like you're saying that if a person wanted to connect to airplane Wi-Fi, all they would
have to do is spoof the MAC address of someone who's already connected and they would get through
pretty much no problem. Correct.
Dope. Good to know.
Yeah. Most paywalls, once you pay, they put your MAC address in a whitelist.
And so then if you take over that MAC address or have the exact same MAC address,
it has a hard time differentiating the traffic and adds you to the whitelist.
If that works on airplanes, does that work on anything else?
Well, it's mostly for network access because that's where your MAC address is most applicable,
because your device's physical ID is that MAC address.
So like when you connect your laptop to like a DHCP network,
like a standard router network that most of us have in our houses
with our, you know, cable internet or whatever,
it makes a request to the network.
We've covered this in a previous Hacked episode where it says like,
hey, I'm here, give me an address,
and it takes your MAC address, throws it into a table,
and assigns you an IP address.
And then anything inbound to that IP address
gets converted to your MAC address and sent to it. So it's a critical part of network traffic. And so a lot of network
based paywalls for Wi-Fi access, internet access, generally use MAC address, even inside of,
quote-unquote, secured public Wi-Fi. So there can be whitelists on guest networks and stuff.
The whitelist traffic is based off of MAC addresses. So if you know something that's on the
whitelist and you can access its MAC address, which is generally pretty accessible, you can
then just spoof your MAC address and kind of slide through any kind of security.
So in the middle of this episode about TikTok, you have just given the people the secret to free
Wi-Fi? Well, I don't think it works on all paywalls, especially like your Wall Street Journal
ones and stuff are probably related to accounts and or cookies, which would also be spoofable
if you really wanted to get into it.
But I think for most network access, this is.
And, you know, I don't think it's,
I don't think it's a master key,
but it's definitely another tool for the toolbox.
So it's 2013,
and Apple has just pushed out iOS 7.
It's the one where all the icons got flat.
But something interesting happens
behind the scenes when that beta goes live.
Mobile ad marketing company Fiksu
reported in 2013 that as the first beta went up,
the millions of participating devices
all started returning this exact same MAC address,
02:00:00:00, and so on.
So if, as Scott said,
the MAC address is kind of like your name tag for your device,
that update goes up and suddenly everyone is going kind of by the same name.
So fast forward to 2020,
and TikTok is in trouble for tracking MAC addresses,
even though Google and Apple prohibit it,
the sort of obvious question comes up.
Why did they ban tracking MAC addresses to begin with?
We're going to get to that right after this break.
Without even getting into like their connection to the Chinese government and the kind of trade war
that they're in the middle of, TikTok is in trouble for tracking
MAC addresses. Why can't you track MAC addresses?
It's a good question. The reason why they would ban it with MAC addresses is because they are
the true device ID. So we have all this obfuscation and we talked about this a lot of previous
episodes where there's an advertiser ID, which is essentially a fake ID that kind of points to our
MAC address. Not really, but like essentially it's a way for them to track our ad traffic
but not know who we are. Then there's all these other layers of it.
Like we talked about this in the COVID tracking stuff where how can they obfuscate who we really are.
You know, you got all this soft Bluetooth pairing stuff and like all these different ways to do it rather than actually track our devices.
MAC address is literally the exact physical ID of our device.
So once they know that, if they have all the rest of the IDs, the obfuscation is gone.
So if they know our advertiser ID, our IP address, our, et cetera, et cetera, et cetera,
they can tie those all back to the MAC address.
So next time that MAC address requests or accesses one of their servers,
because as they control the servers,
inbound traffic from devices comes from a MAC address,
they can say, oh, that's actually Jordan Bloemen requesting that Reddit thread
or that, whatever, that TikTok dance video.
So once you have, it's essentially a way to break the obfuscation.
So to reveal, you know, to remove the veils,
because that's the real core address of the device.
So anything that's done or any connections,
any inbound traffic, outbound traffic to that device
can then be associated with all the rest of your obfuscations.
So when Apple made that switch and they said,
okay, third-party apps, you can't track MAC addresses
anymore. You have to track, you can use this other thing called an IDFA, which is, I think,
an identifier for advertisers, advertiser identifier. The fact that that is the alternative to this
suggests to me that the reason they were banning this track, and the reason that people wanted
to track MAC addresses to begin with didn't really have anything to do with like surveillance,
less than it had to do with marketing and advertising, less that it had to do with money.
Well, the location, so all of these things tie together, all of our,
like last episodes because they're all kind of about the similar theme of tying back and connecting
and breaking through the veil of privacy and that's a big thing like location-based advertising
now is associated with your advertiser ID was originally probably associated with your IP
and or MAC address. So then all of a sudden if you're a social media company that also knows
the MAC address of the device and if say you also get data from three or four other third-party
apps that also have the MAC address, you can start to really build up a demographic and
psychographic profile of who that device is owned by. And, you know, that's better advertising,
but it's also better, you know, surveillance. Why would TikTok do this? Because my sense is that in
like the evolution of this, we had MAC addresses and then a lot of the platforms said, whether for
genuine reasons or for optics, some combination of the two, we're going to make it so you can't
track this anymore. And advertisers devise their own tools to be able to say, okay, now you're going to
have an ID that we associate with you. That's how we're going to do this. TikTok is of the
scale where they can institute any kind of system themselves. Like they, TikTok can track TikTok
users however they damn well please within the rules created by the app store. And that is significant.
That's like a big playground they're operating in. They can get a lot of information out of it,
their users. Why would they try and circumvent Google security systems in order to track this?
Why is it so, why do you think it would be so valuable to them?
This would have to be, I think, this would all be hypothetical, but I think it's just
knowing the exact device ID when you're a company as big as TikTok that does the integrations
and collaborations and, you know, whatever you want to say about the national state of China and
what they might have for third-party reasonings for it, the more data the better. You know, it's
you're better armed and better equipped for whatever their outcome is. If it's advertising, if it's
surveillance, if it's, you know, et cetera, et cetera, the more data, the better. And if you know the exact
device ID and you can track that device ID every time it connects to any other related service,
third party that you collaborate with, that you integrate with, data sharing, like, I'm sure
in the worlds behind closed doors, there's big data sharing agreements between certain
app makers and certain manufacturers. And, you know, having that as the base key to connect all of
the other data values is great.
Because then we really know that we're talking about Jordan Bloemen's iPhone,
you know, XR in this specific location.
So TikTok right now,
I think the best reason most people would argue in favor of banning TikTok is because
TikTok's parent company operates out of China.
And we know that China has laws that entitle that government to access information
stored on servers in China,
therefore the Chinese government theoretically has access to the data of foreign users.
Yeah, theoretically.
The solution then within the idea of this ban is that, okay, force them to sell it to an American company.
And I guess I'm curious how that would solve the problem.
Because my understanding is that, so Microsoft, we're talking
about Microsoft buying TikTok. Microsoft has a huge footprint in Shanghai, where they operate attempting
to sell Bing-based user data to Chinese advertisers. Facebook does this, Google does this,
Microsoft who's talking about buying TikTok does this, they all do it and they do it legally.
They're selling this information to Chinese companies and then sell it to advertisers.
So if our root fear is that Western user data
is being sold to Chinese advertisers,
making it visible to the Chinese state,
isn't this just purely an optical win?
Isn't this we're going to find the biggest dude in the yard
and we're going to go sock him in the face?
I see your point.
I think it's a couple things.
I think it's A, it's the devil you know, not the devil you don't.
You know, it's an obvious one.
You know, we as North Americans,
understand the tech culture that we have.
And I think we're more comfortable with it.
And I think that we don't fully understand
the motivations and reasoning behind foreign tech.
And that, you know, it could be completely benevolent,
but we don't know.
And I think that that's just enough of a thing
to make people's stomach, you know, tingle a bit.
I think that's one of the things.
And then I think the second big, important piece of that is that the, you know, quote-unquote American tech, North American tech, the tech that we're comfortable with, answers to the governments that we're comfortable with.
So I think that if the American government didn't want Microsoft selling Bing user data, not that it really matters, or Facebook selling Facebook data, which does really matter,
to the Chinese government,
they could say, no, you can't do that.
You're under our policing,
under our controls, under our trade policy,
and you're violating our national security.
Stop that.
Where I think when it's fully third-party controlled and owned,
that makes the government's tummy tingle.
And I think that's really the two points of that.
Not to mention the third point that it's, you know,
politically advantageous for certain
politicians to go after certain countries.
Sure.
Trade war.
Yeah, sure.
Everybody likes a wartime president, right?
Right.
So we just talked about the TikTok ban as like a kind of a choice, motivated by, you know,
some sort of mix of politics and optics and trade.
And we've talked about how it maybe doesn't really get to the heart of securing domestic
data from foreign actors.
And I guess to give sort of the other side of this discussion today,
earlier you answered my question about like why TikTok would even take this risk and it's that
MAC addresses are like they're useful and we've talked about how they're useful to ad driven businesses
like TikTok. How is it useful to a government? If we accept the premise that like we should
be skeptical of TikTok because their parent company has potential ties to a foreign government that
engages in surveillance, why does that foreign government even want this data? Why do they want
MAC addresses, why do they want data generated by a music-based video app?
Yeah, and I think just furthermore to, you know, what you were mentioning about, you know,
certain national governments having certain controls and demands on information from their
technology companies, something like the MAC address would be a very key part of telecommunications
traffic. You know, our smartphones and devices are connected to potentially national telco
infrastructure made by other Chinese companies, that MAC address would be shared across.
So they would be able to then correlate the data from TikTok and anybody else that they bought it from
or any traffic to their inbound servers or through their proxies.
And every part of that would tie back to the MAC address.
And they would be able to then, you know, kind of congregate it and mine it.
I think I have a hard time with this one, a hard time not flip-flopping on it because I'm so
used to thinking of these tech companies as being kind of sovereign states.
Like intellectually, I know that the government is just a warrant away from being able to get
information from these big tech companies.
But I do think of them as autonomous.
And if anything, having kind of an adversarial relationship with the government,
regardless of how true that is.
And this just totally breaks that understanding.
Well, and you've got Mark Zuckerberg asking the American government to tell him what to do
because he shouldn't be making
moral decisions on behalf of the country. And they're saying, well, you should be doing a better job of it.
And he's like, well, I'm not our moral compass. So help me. Yeah, I can see how it's pretty easy to
convince or to mistake the two. Yeah, it's easy to mistake Western tech as foreign states and
Chinese tech as almost like appendages of this one big single organism. And I'm super skeptical of that
binary, but it's certainly how it feels. Yeah, well, if you think about technology, the umbrella of all
technology companies is an Excel spreadsheet. And then each social network or technology company has
a sheet in it. And you put all of the information that they all hold on those sheets, and then you
have the ability to cross-reference them all. You'd probably be able to tell quite a bit about a lot of
people. Would you use TikTok? I don't use TikTok.
I've seen TikTok.
I get sent TikToks.
I don't like TikTok.
I think that TikTok is bad for people's well-being,
and they should go outside
instead of staring at their phone for four and a half hours.
So I don't think I'm going to be a very compelling target.
I don't think, you know,
I'd like to think of myself as somebody who's real important and influential.
I'm not.
So I don't think I'd have any major life concerns
if I was an average teenager.
I'm not too too worried about it.
I think that they're going to be able to mine just enough data.
They've got a statistically large enough data set
that I'm not going to be a marker in it.
Yeah, I wouldn't be too too concerned at this point.
I think it's more along the lines of what's happening at the mass scale.
And also, I think what we don't know is the more interesting thing
because I think in my lifetime,
I can't remember a U.S. president demanding the sale of a company,
so I'm not sure what else is going on.
That's more where I'm,
it's more where my ears perk up and I go,
oh, that's odd behavior.
What's behind that?
If you are interested in learning more
about the truly wild ecosystem
of Western data being sold and stored
on foreign servers,
I highly recommend you check out
Shoshana Wodinsky's wonderful piece on Gizmodo
on AdTiger.
It was a huge source of information
with this episode.
It's been a hot sec,
but huge shout out to our patrons
on Patreon. You're everything. You're a world. You can follow us at Hacked podcast on Twitter.
And if you like it, rate and review the show. It means a lot to us. Thanks for listening.
Sorry for the delay on this episode. And we're going to catch you on the next one.
