With more than 1 billion global users, TikTok has become one of the most popular social media apps. In fact, it was the top downloaded app in the United States last year. As it continues to gain popularity, the app has come under fire for its ties to China and the security risks it poses. In recent weeks, more than half of U.S. states have banned TikTok altogether from government devices.
While the ban is only happening at the government level, what does it mean for consumers and businesses? We sat down with Ken Barnhart, Founder & CEO of Highground Cyber (recognized as a 2022 Top Ten Cybersecurity Company by CIO Magazine), and Jason Poll, Software Development Manager at CCI Systems, to discuss the potential impacts of this ban and how TikTok affects our safety online.
Why is TikTok Different?
It’s no secret that social media platforms are collecting our personal data and using it to generate targeted advertising toward the end user. When you sign up for any social platform, you typically read and accept a data-collection policy that allows that platform to collect your data. However, TikTok’s data collection seems to be going above and beyond what one should expect when they accept these policies.
So what data is TikTok actually collecting? Jason Poll conducted some additional research and discovered some potentially abusive data collection (beyond what a typical social network gathers). The following was uncovered:
- Collection of SIM card manufacturer and provider information
- Collection of fine-grained GPS location
- Remotely enable-able, higher-granularity data monitoring
- Collection of cell-network information
- Potential ability to detect rooted/jailbroken devices
Because the app can track location and even keystrokes, information like login credentials and credit card data is exposed. Another particularly concerning data collection method is TikTok’s SMS service. According to HT Tech, TikTok has a feature where users can send themselves an SMS from the desktop website containing a link to download the app. Hackers were able to send an SMS from the TikTok domain to any phone number, and that SMS could carry malicious links that would give hackers access to the user’s TikTok account. TikTok was made aware of the issue, and it has been patched in the app’s latest version.
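The flaw class described above is a "text me the download link" feature whose message content a caller can influence, so the service's own sender identity ends up delivering an attacker-chosen URL. The following is an added illustration, not TikTok's code or HT Tech's write-up: a hypothetical handler in its insecure form next to a hardened form that sends only a server-owned link, validates the destination number, and rate-limits per number. The URL, phone numbers, and the hourly limit are constructed values.

```python
"""Hypothetical 'text me the app link' endpoint, insecure vs hardened.

Added example. Nothing here is TikTok's implementation; the names, the
download URL and the rate limit are assumptions for illustration.
"""
import re
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Optional

# Constructed values for the example (placeholder domain, not a real endpoint).
OFFICIAL_DOWNLOAD_URL = "https://app.example.invalid/download"
E164 = re.compile(r"^\+[1-9]\d{7,14}$")  # E.164 phone-number shape


@dataclass
class SmsGateway:
    """Stand-in for a real SMS provider: records what would have been sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


def send_link_insecure(gateway: SmsGateway, request: dict) -> str:
    """Insecure pattern: the SMS body is built from a client-supplied URL.

    Anyone who can reach this endpoint can make the service's own sender
    deliver an arbitrary link to an arbitrary number.
    """
    body = f"Download the app: {request['download_url']}"
    gateway.send(request["phone"], body)
    return body


class LinkSender:
    """Hardened pattern: fixed server-owned URL, validated number, per-number limit."""

    def __init__(self, gateway: SmsGateway, max_per_hour: int = 3,
                 now: Callable[[], float] = time.time) -> None:
        self.gateway = gateway
        self.max_per_hour = max_per_hour
        self.now = now  # injectable clock so the limit is testable
        self._history: Dict[str, Deque[float]] = {}

    def _allowed(self, phone: str) -> bool:
        """Sliding one-hour window of sends per destination number."""
        window = self._history.setdefault(phone, deque())
        cutoff = self.now() - 3600
        while window and window[0] < cutoff:
            window.popleft()
        if len(window) >= self.max_per_hour:
            return False
        window.append(self.now())
        return True

    def send_link(self, request: dict) -> Optional[str]:
        """Send the official link, or return None when throttled.

        Any 'download_url' the client supplies is ignored entirely; the only
        URL that can ever leave this function is OFFICIAL_DOWNLOAD_URL.
        """
        phone = request.get("phone", "")
        if not E164.match(phone):
            raise ValueError("phone must be in E.164 form")
        if not self._allowed(phone):
            return None
        body = f"Download the app: {OFFICIAL_DOWNLOAD_URL}"
        self.gateway.send(phone, body)
        return body


if __name__ == "__main__":
    # Constructed request: the caller tries to smuggle its own link.
    req = {"phone": "+15555550100", "download_url": "https://attacker.invalid/x"}
    print(send_link_insecure(SmsGateway(), req))   # attacker URL goes out
    print(LinkSender(SmsGateway()).send_link(req))  # only the official URL goes out
```

The detection angle for a defender is the same as the design angle: an SMS-sending endpoint should have exactly one possible link body, so any alert on outbound messages whose URL host differs from the official one indicates either a code regression or abuse.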
How does TikTok play into the national security threats?
The above security issues have been known for some time. In summer 2020, the National Security Agency (NSA) noticed patterns of data exfiltration and device behavior that were consistent with advanced persistent threats (APTs), explains Barnhart. SMS geofencing and geotracking of a device is a very common tactic used by Chinese APTs to track persons of interest. Barnhart says that one of the events that triggered a more detailed investigation was a military officer’s device, which had TikTok on it, being compromised and used to map military facilities.
There’s been growing concern that the Chinese government could use TikTok to control data collection on millions of users and manipulate what content those users see. This concern has led to a ban that prohibits the use of TikTok on federally owned devices, which comes two years after a proposed ban by the Trump administration was stopped in court.
What’s next for TikTok
TikTok is currently facing three congressional bills that could result in its restriction or ban in the U.S. In an effort to be more transparent and help outsiders understand how the app works, TikTok has opened a Transparency and Accountability Center at its Los Angeles headquarters. The center intends to answer questions about the app’s essential features and security practices for people like politicians, data privacy experts, and auditors.
TikTok is further taking matters into its own hands by launching Project Texas, a plan that includes a partnership with Oracle Corp. to store all its U.S. user data. Under the plan, there will be regular third-party audits and reviews to ensure the company is adhering to these measures. TikTok has previously stored U.S. user data on its own servers in Virginia, with backup capacity in Singapore, but aims to delete that data from its servers and move it over to Oracle.
What SMBs can do to protect their business
So do you need to ban TikTok in your business? Not necessarily. But you do need a solid cybersecurity plan in place. Cybersecurity starts at the strategic business level, and it must be identified as a strategic business issue so that if problems do arise, there is a plan to mitigate them. What markets are you in? What products are you bringing to those markets? What data and software are required to deliver that service or product to your customer? These are all business model issues, and 90% of the cybersecurity and privacy risk is embedded in the business model, says Barnhart.
You must have the insight to understand what your risk is and utilize teams like Highground and Guide Star to help deliver solutions that mitigate those risks, as well as to make you aware of future threats (like TikTok).
Companies like Guide Star can come in and help you make sure you have the infrastructure and technical capabilities in place to keep threats out of your systems.