Why You Don’t Want TikTok to Connect to Your Network through Wi-Fi

Daniel Pericich
Mar 29, 2023


During a recent congressional hearing, members of the US Congress’ House Energy and Commerce Committee questioned TikTok CEO Shou Chew over his company’s behavior and policies. TikTok has been under global scrutiny for the last few years. The last two presidential administrations have seen bipartisan efforts put forth to change how TikTok operates within the US.

There have been calls for ByteDance, the Chinese parent company of TikTok, to fully sell its US operations to a US company. This has not happened, nor have the outright calls for banning the app within the US been met. Instead, TikTok has continued to grow, gaining over 150 million US users as of March 21, 2023. The explosive growth of the company, paired with missteps in adhering to US requirements to protect and store data within the States, has led to calls for investigations of the company, and to those calls being answered.

While the recent congressional hearing lasted over five hours, internet users were quick to clip and share a few sub-minute videos highlighting the perceived incompetence of members of Congress. A viral question came when North Carolina representative Richard Hudson asked “So if I have TikTok on my phone and my phone is on my home WiFi network… does TikTok access that network?”

Was this question as uninformed as the algorithmically spread clip would make it seem? Are members of Congress this out of touch with technology and ill-suited to legislating? While there are potential issues with how future legislation handles AI, self-driving cars, and smart health, networking is not that new a domain. Instead of making fun of a perceived poor question, we should be asking why we would not want TikTok to connect to our network through Wi-Fi.

What is the prompt “X Service would like to connect to devices on your local network”?

One issue Apple tackles well is protecting users from third-party apps and websites. If you have an iPhone running iOS 14 or higher then you have probably seen this popup at some point:

Figure 1. Apple prompt for TikTok to access the local network.

This is a security prompt informing the user that the app in use would like to access their local network and scan for other devices. With so many apps asking for different permissions, it is easy to just tap “Allow” and continue watching viral videos.

Before we do that, consider what a recent Apple blog post said this prompt allows:

Apps that access your local network can collect information about nearby devices to determine which networks you join and when. This information could be used to create a profile of you.

Once you tap “Allow,” the app can identify every device on your network, and can go on to scan any other network you join (a friend’s Wi-Fi, work, public spaces). Isn’t this how devices on networks usually work, and a required behavior to get all functionality? Not really. Let’s talk about a typical home network setup and what this prompt is doing.

Unmasking Your Network

If you’ve moved into a new apartment or home you’ve dealt with getting internet set up. This probably hasn’t required you to run wires through the backyard and alley to be able to connect back to your Internet Service Provider (ISP). More likely someone showed up with a black box, plugged some cords into it, and gave you a password for connecting devices to the Wi-Fi.

The full hardware package that allows you to have a home network is a gateway, which consists of a modem, router, and wireless access point. For this article, we will simplify this and just talk about the router, or the machine that talks to your devices.

When you connect to your Wi-Fi on your home network, your phone sees this:

Figure 2. Phone communicating to router without access to devices on network.

Here we can see that your phone knows what the router is and can send and receive messages to it. These messages are requests for content like YouTube or TikTok videos, emails, or web pages. Other devices may be talking to the router, but your phone does not know what they are. All it cares about is thoughtful conversations with the router.

However, if we give your device access to scan the network, it can make the rounds and learn what other devices are also connected:

Figure 3. Devices scanning local network for other devices.

With this access, your device can map out exactly who else is on the network. This is done through a question-answer process in which your device asks each other device for its media access control (MAC) address in order to identify it. It may get the device’s Internet Protocol (IP) address as well. The network becomes clear to your phone after it has finished scanning:

Figure 4. Smartphone with network access after identifying all other devices.

Knowing the other devices on the network can be good if you are trying to sync devices for multimedia use. A phone needs to be able to find a smart TV to cast to, and a smart TV needs to be able to find a soundbar to use external audio.

This network knowledge can be constructive, but not every device, let alone every app, needs to have it. Why would an accounting app need access to the network? Does your email app need to talk to your smart fridge? For our example of TikTok, how many of these common smart devices does it need access to:

  • Smart TV
  • Smart Fridge
  • Smart Thermostat
  • Smart Photoframe
  • Smart Baby Monitor
  • Security Systems
  • Doorbells (including Ring)
  • Voice Assistants (Google Home, Alexa, etc.)
  • Video Game Systems
  • Computers
  • Tablets
  • Smart Phones

The answer is almost none of them. TikTok is not an audio app; that’s Spotify. TikTok is not a video app; that’s YouTube. Sure, you may want to show your grandparents TikTok on a TV, but you can avoid giving the phone app access to your network by simply downloading the smart TV app.

Letting apps unnecessarily connect to your network and scrape your device and network footprints is irresponsible and potentially dangerous. Let’s talk about why you don’t want this information floating around the internet.

What Can I Do with This Information?

The Internet of Things (IoT) refers to all devices connected to the internet, from smart thermostats to televisions. It is not intrinsically secure because no one ever asked for it to be secure. Prominent devices like phones, tablets, and cars have decent security features because they are such high-value targets for hacking and the companies have to respond to threats to keep customers. But what about a smart fridge or thermostat? The less prominent the device, the more likely it is to have a default password or none at all, and poor security in general.

As of May 2022, there were an estimated 14.4 billion internet-enabled devices in active use. Trying to guess the IP address (the string of numbers identifying the online address of a device) would be nearly impossible. However, already having access to your network, a company or group doesn’t need to guess. Allowing access to your network is like giving your home’s address (IP address) to someone along with a list of all the doors and windows (MAC addresses and IP addresses). What could go wrong?

The chances of a multinational company using this information illegally are low. However, if any other group (nation state, cybercrime group, solo actor) gains access to this information, they now have a list of all potential vulnerabilities on your network. At a bare minimum, they will have your network’s IP address along with a list of the MAC addresses and IP addresses for all the devices on your network. With these MAC addresses they can look up the exact hardware and version of the device. A few Google searches later, they can compile a list of all known vulnerabilities and potential patches for that device.
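To see what such an inventory looks like for a network you own, here is an added example that is not part of the original article: a Python sketch that parses `arp -a` output from your own computer and labels each neighbor by its MAC prefix. The sample output, the addresses, and the one-entry vendor table are constructed for illustration; a real audit would use the IEEE's public OUI registry.

```python
import re

# Constructed `arp -a` output (macOS style, which drops leading zeros).
# MACs use the RFC 7042 documentation range; nothing here is a real device.
SAMPLE_ARP = """\
? (192.168.1.1) at 0:0:5e:0:53:1 on en0 ifscope [ethernet]
? (192.168.1.23) at 00:00:5e:00:53:2a on en0 ifscope [ethernet]
? (192.168.1.40) at 9e:4f:10:7:8:9 on en0 ifscope [ethernet]
? (192.168.1.77) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
"""

# Constructed stand-in for the IEEE OUI registry (prefix -> manufacturer).
OUI_TABLE = {"00:00:5e": "IANA documentation range (stand-in for a device maker)"}

ENTRY = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]+|\(incomplete\))")

def normalize_mac(mac):
    """Pad every octet to two hex digits so prefixes compare reliably."""
    octets = mac.lower().split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octet.zfill(2) for octet in octets)

def classify(mac):
    """Say what the first three octets of a normalized MAC give away."""
    first_octet = int(mac[:2], 16)
    if first_octet & 0x01:  # group bit: broadcast or multicast, not a device
        return "broadcast/multicast"
    if first_octet & 0x02:  # locally administered bit, e.g. a randomized address
        return "locally administered (e.g. randomized), manufacturer hidden"
    return OUI_TABLE.get(mac[:8], "unknown manufacturer")

def inventory(arp_output):
    """Return (ip, mac, label) for every resolved neighbor in the table."""
    devices = []
    for line in arp_output.splitlines():
        match = ENTRY.search(line)
        if not match or match["mac"] == "(incomplete)":
            continue  # no answer from that address, so nothing was learned
        mac = normalize_mac(match["mac"])
        devices.append((match["ip"], mac, classify(mac)))
    return devices

if __name__ == "__main__":
    for ip, mac, label in inventory(SAMPLE_ARP):
        print(f"{ip:<15} {mac}  {label}")
```

Devices that use a locally administered (private) MAC address show up without a manufacturer, while devices with a fixed, registered prefix give theirs away.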

The dirty secret of IoT devices is that they often aren’t up to date on software patches. This turns every device on your network into an attack vector for someone to enter your network and perform a man-in-the-middle attack or even just target you with DDoS attacks. With the MAC address saying what the device is, and the IP address saying exactly where it is online, this information is a dream for anyone looking to break into your network to spy or even just disrupt your online day-to-day activities.

You don’t want to have this information floating around the web, or even reproduced and scattered across different companies’ “secure” databases.

Conclusion

Before we move to ridicule Congress for soundbites edited and propagated on an app that is threatened by their questions, let’s look deeper into the questions being asked. Sure, Congress has moved slowly and will likely always move slowly when creating legislation for technology. There is a history of them falling short on legislation for issues both foreign and domestic. While the outcome of the hearings is far from certain, I hope you now understand the weight of the much-maligned network question and will think twice before you let any and everyone into your home network.
