Africa Roundup: Canal+ acquires ROK, Flutterwave and Alipay partner, OPay raises $50M

In July, French television company Canal+ acquired the ROK film studio from VOD company IROKOtv.

Canal+ would not disclose the acquisition price, but confirmed there was a cash component of the deal.

Founded by Jason Njoku in 2010 — and backed by $45 million in VC — IROKOtv boasts the world’s largest online catalog of Nollywood: a Nigerian movie genre that has become Africa’s de facto film industry and one of the largest globally (by production volume).

Based in Lagos, ROK film studios was incubated to create original content for IROKOtv, which can be accessed digitally anywhere in the world.

ROK studio founder and producer Mary Njoku will stay on as director general under the Canal+ acquisition.

With the ROK deal, Canal+ looks to bring the Nollywood production ethos to other African countries and regions. The new organization plans to send Nigerian production teams to French-speaking African countries starting this year.

The ability to reach a larger advertising network of African consumers on the continent and internationally was a big acquisition play for Canal+.

San Francisco and Lagos-based fintech startup Flutterwave partnered with Chinese e-commerce company Alibaba’s Alipay to offer digital payments between Africa and China.

Flutterwave is a Nigerian-founded B2B payments service (primarily) for companies in Africa to pay other companies on the continent and abroad.

Alipay is Alibaba’s digital wallet and payments platform. In 2013, Alipay surpassed PayPal in payments volume and currently claims a global network of more than 1 billion active users, per Alibaba’s latest earnings report.

A large portion of Alipay’s network is in China, which makes the Flutterwave integration significant to capturing payments activity around the estimated $200 billion in China-Africa trade.

Flutterwave will earn revenue from the partnership by charging its standard 3.8% on international transactions. The company currently has more than 60,000 merchants on its platform, according to CEO Olugbenga Agboola.

In a recent Extra Crunch feature, TechCrunch tracked Flutterwave as one of several Africa-focused fintech companies that have established headquarters in San Francisco and operations in Africa to tap the best of both worlds in VC, developers, clients and digital finance.

Flutterwave’s Alipay collaboration also tracks a trend of increased presence of Chinese companies in African tech. July saw Chinese-owned Opera raise $50 million in venture spending to support its growing West African digital commercial network, which includes browser, payments and ride-hail services. The funds are predominantly for OPay, an Opera-owned, Africa-focused mobile payments startup.

Lead investors included Sequoia China, IDG Capital and Source Code Capital. Opera also joined the round in the payments venture it created.

OPay will use the capital (which wasn’t given a stage designation) primarily to grow its digital finance business in Nigeria — Africa’s most populous nation and largest economy.

OPay will also support Opera’s growing commercial network in Nigeria, which includes motorcycle ride-hail app ORide and OFood delivery service.

Opera founded OPay in 2018 on the popularity of its internet search engine. Opera’s web-browser has ranked No. 2 in usage in Africa, after Chrome, the last four years.

July also saw transit tech news in East Africa. Global ride-hail startup InDriver launched its app-based service in Kampala (Uganda), bringing its Africa operating countries to four: Kenya, Uganda, South Africa and Tanzania. InDriver’s mobile app allows passengers to name their own fare for nearby drivers to accept, decline or counter.

Nairobi-based internet hardware and service startup BRCK and Egyptian ride-hail venture Swvl are partnering to bring Wi-Fi and online entertainment to on-demand bus service in Kenya.

BRCK is installing its routers on Swvl vehicles in Kenya to run its Moja service, which offers free public Wi-Fi — internet, music and entertainment — subsidized by commercial partners.

Founded in Cairo in 2017, Swvl is a mass transit service that has positioned itself as an Uber for shared buses.

The company raised a $42 million Series B round in June, with intent to expand in Africa, Swvl CEO Mostafa Kandil said in an interview.

BRCK and Swvl wouldn’t confirm plans on expanding their mobile internet partnership to additional countries outside of Kenya.

Africa’s ride-hail markets are becoming a multi-wheeled and global affair making the continent home to a number of fresh mobility use cases, including the BRCK and Swvl Wi-Fi partnership.

The PureCam Connected Car Security System is a dashcam with extras

Thanks to a rash of YouTube videos of traffic stops, wild crashes, and wacky antics, dashcams are becoming more and more popular with drivers. But does the world need one that shoots at 1080p and beams every minute of your drive back to a central storage device and can work as a Wi-Fi hotspot?

PureGear thinks so.

Their latest camera, the PureCam Connected Car Security System, shown at CES 2019, features front and back-facing cameras and 4G LTE connectivity. In the unit we tested, it used T-Mobile for data transfer.

The device connects to your car’s OBD port, a diagnostics port that sends data to the camera and powers it. It has a full 1080p camera in front, a small VGA screen, and a 720p rear-facing camera. It mounts to the window via a suction cup. It also can shoot in the dark and will sense when someone is breaking into your vehicle and begin recording.

This last part is critical. Because it is always connected, the PureCam will send footage of crashes and break-ins to the cloud. In this way, you have a video record inside and outside of the car.

The system requires a data plan so you’ll have to head down to the cellphone shop to pick up a spare SIM card, but it can also record footage to the included 16GB card.

The kit costs $249.99 and includes three months of wireless data and 7GB of cloud storage for 12 months. Because it has its own data provider, you can connect up to three devices to the PureCam’s hotspot.

This camera is mostly designed for peace of mind. Because the screen is relatively small and automatically dims while driving, you won’t notice the system until you need it. Because it uses the OBD port you don’t have to run cables to a cigarette lighter power port or USB port, thereby freeing things up for phones and the like. Finally, because it wakes up when your car is parked, it adds an extra layer of security.

The PureCam is surprisingly easy to install – you have to find your OBD port – but you do need a modern car and be willing to spend a bit on the data plan. While it’s not a perfect system, it’s one of the cleverest and most useful dashcams we’ve tried.

How autonomous vehicles and hyperloop are scooting along

Two years ago, Lime was a great addition to guacamole, rather than a sidewalk. The market wasn’t sure about car sharing and whether it had long-term viability. Now, with the acquisition of Drivy, Getaround is the largest car-sharing platform with partnerships the likes of Uber and Toyota. Uber and Lyft were (and are) a phenomenon, but there were still pundits who weren’t sure if Uber would ever overcome the adversity of its culture.

At the same time, I wrote a series of four articles on the latest transport technologies, and the waves they would create with perspectives focused on the impact on retail, commercial real-estate, short-haul travel and hyperloop. Among those predictions was the impact hyperloop and autonomous vehicle technology would have on commuting, short-haul air travel and the retail industry.

Since then, these technologies have continued to develop and evolve, and it’s worthwhile to revisit assumptions and assertions. Some of the more optimistic expectations put upon them by their proponents have so far failed to be realized, and they are no closer to becoming a reality in our day-to-day lives.

This begs the question as to whether they will still become the industry disruptors many pundits, including me, suggested they would, or if expectations have become more tempered.

Both hyperloop and autonomous vehicle technology have had their ups and downs over the past two years, but they’re still set to change the way we (and the things we need) travel.

Delayed promotion to the back seat

When people think about transport innovation, we often think of self-driving cars or, maybe, flying cars.

Many believed that we’d be relegated (or promoted) to the back seat as soon as 2020. We would be sitting comfortably while fleets of autonomous cars chauffeured us along. Over the past two years the landscape has consolidated and the players are arguing what’s possible.

Driverless cars haven’t managed to achieve some of the targets that were being set for the technology two years ago. For instance, as we discussed, Tesla CEO Elon Musk claimed in 2015 that the company’s cars would be fully autonomous by 2017 — a prediction that, of course, didn’t and still hasn’t come to pass as of mid 2019. And in January this year, Nissan — one of the main proponents of autonomous vehicle technology — said “true autonomous cars will not happen within the next decade.”

But it would be overly pessimistic to suggest the technology isn’t coming at all. The progress has been incredible.

Ford CEO Jim Hackett said that “[w]e overestimated the arrival of autonomous vehicles,” at an April 2019 Detroit Economic Club event. Ford believes its fully driverless cars will be in commercial operation by 2021, and the technology has remained a major and consistent talking point in the media. At the annual WSJ conference, D.Live, Waymo CEO John Krafcik said that “autonomy will always have constraints,” to communicate his belief that fully autonomous Level 5 transport is not coming anytime soon.

Industry pundits like the Boston Consulting Group (BCG) would argue that Waymo is leading the pack on unlocking the promise of autonomous technology. Tesla’s founder and chief, Elon Musk, feels that Teslas will leapfrog Waymo with an upgrade in 2020 that will make more than a million cars fully autonomous. “By the middle of next year, we’ll have over a million Tesla cars on the road with full self-driving hardware, feature complete, at a reliability level that we would consider that no one needs to pay attention.” My excitement is tempered by the fact that Musk said before that Teslas would be fully autonomous by 2017. That said, I wouldn’t slight him for being audacious, as I do believe he was just being overly optimistic rather than scamming the market.

We shouldn’t forget everyone’s favorite punching bag, Uber, which entered the race in 2015 when they first partnered, then acquired, an entire Carnegie Mellon autonomy lab. Their foray into self-driving abruptly stopped after a tragic accident that killed a pedestrian in Arizona. At this point, it would seem more likely they are going to use the technology rather than develop it themselves.

Driverless cars will create more jobs than they will destroy

In my piece titled “Transport’s coming upheaval,” published in the original series on TechCrunch, I suggested that new modes of transport, such as autonomous vehicles and hyperloop, would end up creating more jobs than they would eliminate. They, coupled with improvements in remote work technologies, should contribute to lowering the cost of human capital by allowing them to comfortably move outside of urban centers to lower-cost housing.

Job loss has been one of the common themes in the discussion around the innovative transport technologies. Some reports have suggested that autonomous vehicle technology could destroy 300,000 jobs a year, and that hyperloop would have a devastating effect on the trucking industry. But as I previously posited, history shows us that, more often than not, disruptive leaps forward result in a net gain in employment.

Take, for instance, the introduction of the personal computer in the 1970s. It initially destroyed 3.5 million jobs in total, including those in typewriter manufacturing, secretarial work and bookkeeping. But it went on to help create 19.3 million jobs, in the U.S. alone, across a wide range of industries and occupations, according to McKinsey estimates.

New transport innovations will have a similar effect, creating many new jobs. Even though driverless cars aren’t yet available for commercial purchase, there have been developments with the technology that give us a better idea as to how it will likely affect global workforces.

As a whole host of companies, including Waymo, Tesla, Cruise and Ford, strive to make a breakthrough with autonomous vehicle technology, more workers are required to make the driverless car dream a reality. According to the online talent platform ZipRecruiter, the number of job listings related to driverless cars increased 27% year over year in January 2018, and the amount of job postings in the autonomous vehicle sector rose by 250% from the second quarter in 2017 to the second quarter in 2018 due to a hiring spree at the beginning of the year. Indeed, a report from Boston Consulting Group and Detroit Mobility Lab released in January estimated that self-driving and electric cars would create more than 100,000 jobs in the U.S. over the next decade.

In fact, the trucking industry seems ripe for change, and not just because of the benefits that autonomous vehicle technology would bring. There is a shortage of truck drivers in the U.S., according to CNBC. The unemployment rate fell to 3.9% in July of last year, meaning companies are struggling to recruit for a job that has long, demanding hours.

Drivers for both trucking and autonomous taxis won’t be irrelevant for some time. For trucking, there is a need for a human to secure the cargo and manage the many checkpoints. For taxis, if Waymo’s CEO is correct, there will still be routes where the driver may be needed, especially in high traffic cities with variability in routes, road quality, construction and traffic conditions.

As the new transport technologies are slowly introduced, they will indeed eliminate existing jobs after, first, making them much more enjoyable for the workers. But evidence suggests that those jobs will be replaced by new ones that require different experiences and levels of education. Rather than be a disaster for the world of work, autonomous vehicles and hyperloop could be a boon for employees everywhere.

What happened to hyperloop?

Two years ago, there was a ton of buzz around what Elon Musk once deemed a “fifth mode of transport.” Hyperloop — a form of terrestrial travel where pod-like vehicles travel in near-vacuum tubes at more than 700 mph — was set to be up-and-running by 2020, with plans to create routes between San Francisco and LA, and Washington and New York.

The impact of this, as I discussed in my original transport series, would be huge for commuting and real estate, and would be a devastating disruptor for short-haul air travel and some trucking routes. Even though hyperloop isn’t being talked about in the same way it was, the promising global projects are far from dead. There are still plenty of developments that suggest hyperloop could be a major form of transport in the future.

Virgin Hyperloop One is now testing empty pods along its 1,640-foot-long, 11-foot-high tube just north of Las Vegas; and in October last year, Hyperloop Transportation Technologies (HTT) unveiled its first full-scale capsules, which it believes will be passenger-ready by the end of 2019. However, many of the widely publicized Hyperloop routes — LA to San Francisco, and Washington to New York — have gone cold in recent years. As have plans to create a high-speed rail across California. In February, California Governor Gavin Newsom said that plans for the new track had been scaled back from the previous grand ambition to connect north to south, saying that, “The project, as currently planned, would cost too much and take too long.”

The financial problems the California high-speed rail track has come up against could be an ominous sign for hyperloop technology in the U.S. These types of transport systems are often vastly expensive (the California high-speed rail project was set to cost $68 billion, if completed), and there’s no guarantee they’ll return the investment. Taiwan’s high-speed rail, for instance, suffered heavy losses due to depreciation charges, interest burdens and lower-than-expected demand. And while Elon Musk claimed the LA to SF hyperloop track would cost as little as $6 billion, the SpaceX founder’s estimates have been largely rebuked, with some critics claiming the track would actually cost closer to $100 billion.

Hyperloop is becoming a commercial reality as soon as 2021, just not in the United States. HTT will be building a 10 km track to connect Abu Dhabi to Al Ain and Riyadh, Saudi Arabia. The hope is to be operational by the universal exposition, Expo 2020, on October 20th, 2020.

Clearly, hyperloop still has a lot of questions to answer if it is to fulfill the expectations placed on it, but leaving the technology by the wayside without further testing would be foolish when taking into consideration the environmental and commuting benefits hyperloop would bring. If the technology proves to be cost efficient and as effective as its proponents have previously claimed, it will still have a huge impact on how we and our cargo travel.

A new way to travel and commute

I continue to believe that self-driving technology will disrupt short-haul air travel in a massive way. Why would you go through the hassle of airport security when a terrestrial mode of transport could get you to your destination even quicker?

Efficiency isn’t the only factor that would put self-driving in good stead against airline competitors. Commuting would be easier, too. In all likelihood, traveling by car would be more comfortable and spacious than air travel, but it would also be more amenable to good Wi-Fi connection. In the two years since writing the original series on innovations in transport, in-flight Wi-Fi has improved, but it’s often costly and leaves much to be desired.

Volvo, for instance, released an autonomous car concept in September last year of an electric vehicle that can double up as a living room, bedroom and office. The car, named the 360c, benefits from a larger interior thanks to its lack of a bulky combustion engine and steering wheel. The 360c can be configured in four different ways, with spacious seating, a table and a fold-away bed.

This type of travel would revolutionize how we commute. Workers traveling long distances would surely choose to spend more time in a spacious, work-friendly driverless car than by air travel, if it meant they could comfortably work en route. And it’s a vision that automotive companies with an eye to autonomous vehicle technology are considering seriously.

Mobile retail

As we’ve already seen, the claim that new transport innovations such as driverless cars and hyperloop will destroy more jobs than they’ll create is specious at best. But that doesn’t mean the technology won’t change certain roles in the sector.

Already, the role of driver in ridesharing companies is beginning to change and become more enterprising. In July last year, in-car commerce startup Cargo partnered with Uber. The deal allows drivers to sell passengers candy, cosmetics and electronics during the journey. And, according to Cargo’s estimates, drivers using its service can earn between $1,500 and $3,000 in extra income per year.

As cars become more autonomous and the form-factors evolve, it will allow the drivers to provide more services to passengers.

This type of new mobile retail could go on to sell far more than just a few select products in an Uber, though, and it may have a knock-on effect on the retail industry as a whole — an assertion I made in the original series.

Two years ago, retail was suffering badly and, in large part, that trend continues as many fail to adapt. Today, it’s still in a state of flux, with constant disruptions threatening the future of brick-and-mortar stores. Those stores that are surviving the onslaught are adapting and improving with the latest technology. For instance, many companies, such as Ikea, are using augmented and virtual reality to make the shopping experience more immersive.

Autonomous vehicles will be the next step in brick-and-mortar retail innovation. The technology could allow fleets of stores on wheels to come to consumers on demand straight to their location. When I made the claim two years ago, it may have seemed a bit far-fetched, but since then, plenty of businesses have started utilizing the concept.

Walmart, Ford and Postmates are reportedly collaborating on a pilot program in Miami where goods will be delivered to consumers’ doors in a driverless vehicle. They aren’t the only ones exploring how to use the technology in retail. In mid-2017, Swedish company Wheelys launched Moby Mart — a fully autonomous, staffless supermarket on wheels. The service currently operates in Shanghai, China, and is available 24/7.

Consumers have shown an increasing appetite for on-demand food delivery services since I wrote the original series. Uber Eats is only three years old, but it’s already valued at $20 billion; and one of its main rivals, Postmates, made more than 35 million deliveries in 2018. As autonomous vehicle technology becomes more widely adopted, more businesses will see the advantage in using it to deliver efficient services to a growing customer base.

New kids on the block

E-bikes have been a steadily growing market since the end of the 20th century, but with the help of on-demand bike sharing they’ve exploded in major cities. Meanwhile, another form of transport left the playground and moved mainstream. Scooters have long been a staple, but since 2017, they’ve changed the landscape of short city commutes.

According to a report released by the National Association of City Transportation Officials, riders took nearly 39 million trips on shared electric scooters in 2018. For the first time they surpassed e-bikes by nearly 10%.

The biggest names behind the scooter boom in the U.S. are Lime, Bird and Scoot. Ironically, their scooters are powered by inventor Dean Kamen’s technology that was at the heart of the Segway. It only took nearly two decades for his future to be realized with a slight design change.

Although I’m not clear that the scooter rental companies are as big a financial opportunity as their investors are hoping, I do believe they aren’t going anywhere. The reality is that scooters, e-bikes and other modalities will continue to infiltrate our cities as urban planners move away from designs centered around automobiles.

The future of innovation in transport

With the setbacks and failed predictions that have been made of autonomous vehicles and hyperloop technology, it would be easy to be skeptical if they will come at all. But, as is often the case with innovation and change, adoption can be slow, and there are often unforeseeable delays. However, with so many startups and major global businesses — from Waymo to Virgin — betting heavily on the future of hyperloop and autonomous vehicles, it’s surely a question of when rather than if they come to pass.

As we’ve seen, these technologies have made huge strides in the two years since I wrote the original series, and the applications of them are starting to be realized. And those applications go far beyond faster, more convenient travel. As more businesses sit up and take notice of the potential driverless cars and hyperloop have to offer, they will continue to shape the future of transport, retail, work and much more.

Flaws in hospital anesthesia and respiratory devices allow remote tampering

Security researchers have found a vulnerability in a networking protocol used in popular hospital anesthesia and respiratory machines, which they say if exploited could be used to maliciously tamper with the devices.

Researchers at healthcare security firm CyberMDX said that the protocol used in the GE Aestiva and GE Aespire devices can be used to send commands if they are connected to a terminal server on the hospital network. Those commands can silence alarms, alter records — and can be abused to change the composition of aspirated gases used in both the respirator and the anesthesia devices, the researchers say.

Homeland Security released an advisory on Tuesday, saying the flaws required “low skill level” to exploit.

“The devices use a proprietary protocol,” said Elad Luz, CyberMDX’s head of research. “It’s pretty straightforward to figure out the commands.”

One of those commands forces the device to use an older version of the protocol — which is still present in the devices to ensure backwards compatibility, said Luz. Worse, none of the commands requires any authentication, he said.

“On every version, you can first send a command to request to change the protocol version to the earliest one, and then send a request to change gas composition,” he said.

“As long as the device is ported to the network through a terminal server, anyone familiar with the communication protocol can force a revert and send a variety of illegitimate commands to the machine,” he said.

In other words, the devices are far safer if they’re not connected to the network.

CyberMDX disclosed the vulnerabilities to GE in late October 2018. GE said versions 7100 and 7900 of the Aestiva and Aespire models are affected. Both models are deployed in hospitals and medical facilities across the U.S.

GE spokesperson Amy Sarosiek told TechCrunch: “After a formal risk investigation, we have determined that this potential implementation scenario does not introduce clinical hazard or direct patient risk, and there is no vulnerability with the anesthesia device itself.”

GE said it based its assessment of no risk to patient care on international healthcare safety standards and testing maximum variation in parameter modification from the disclosed concern. “Our assessment does not lead us to believe there are patient safety issues,” the spokesperson said.

The company declined to say how many devices are affected but said that the ability to modify gas composition is no longer available on systems sold after 2009.

It’s the second set of vulnerabilities in as many months released by CyberMDX. In June the research firm found vulnerabilities in a widely used medical infusion pump.

American Airlines now offers satellite-based Wi-Fi access across its mainline fleet

American Airlines, the world’s largest airline by fleet size and passenger traffic, has finished rolling out satellite-based broadband Wi-Fi to its entire mainline narrowbody fleet of over 700 aircraft (that is, the Boeing 737s and Airbus A319 and 320 that typically fly the company’s domestic routes). All of these satellite-equipped planes also offer access to 12 free channels of live TV that you can stream to your personal device, including on international flights where this hasn’t traditionally been an option.

Unless you are comfortably sitting in business class and sipping on your pre-departure champagne, modern air travel isn’t exactly a fun or relaxing experience, no matter the reason for your travel. If you need to get work done on a flight, though, having access to fast and reliable Wi-Fi can often make a huge difference.

Today’s announcement from American follows a similar announcement from last year, after the airline finished bringing the same system to all of its widebody fleet. At this time last year, though, American had only brought this same system to a meager 13 percent of its narrowbody planes.

One thing worth noting is that it’s my understanding that American isn’t counting some of its oldest MD-83s in this count. These will never get a Wi-Fi upgrade because they are currently being phased out for more modern jets.

As for the technology that powers all of this, American Airlines is betting on satellite-based systems that use either Gogo 2Ku or ViaSat Ka. Unlike some of the earlier ground-based systems, satellite systems have the obvious advantage of offering a larger coverage area (including over oceans) and more consistent connectivity. These new satellite-based systems also allow for significantly faster connections. Among American’s competitors, Delta is currently in the process of updating most of its fleet to satellite-based systems, too, while the situation at United remains a bit complicated.

“Elevating the travel experience is one of our top goals at American and we’ve been working hard to provide our customers with the same level of entertainment and connectivity options they enjoy in their own living rooms,” said Kurt Stache, Senior Vice President for Marketing, Loyalty and Sales for American. “In less than two years, we completed broadband internet installation on our entire mainline fleet and we will continue setting new standards in the industry to show our customers we value the time they spend with us.”

Soon, American will also bring power outlets to every seat in its mainline fleet, as well as its two-class regional fleet. Since American, just like most of its competitors, is also removing most of its in-seat entertainment systems in favor of personal device entertainment that is streamed to your phone or tablet, it is also now bringing tablet holders to most of its narrowbody fleet as well.

Unlike some of its competitors, American doesn’t offer free Wi-Fi access to chat apps — or even free Wi-Fi in general. Still, if you are an American loyalist, you’ll be happy to see that the airline now offers a consistent Wi-Fi product that is clearly a step up from some of the legacy systems that are still in use by some of the other carriers.

London’s Tube network to switch on wi-fi tracking by default in July

Transport for London will roll out default wi-fi device tracking on the London Underground this summer, following a trial back in 2016.

In a press release announcing the move, TfL writes that “secure, privacy-protected data collection will begin on July 8” — while touting additional services, such as improved alerts about delays and congestion, which it frames as “customer benefits”, as expected to launch “later in the year”.

As well as offering additional alerts-based services to passengers via its own website/apps, TfL says it could incorporate crowding data into its free open-data API — to allow app developers, academics and businesses to expand the utility of the data by baking it into their own products and services.

It’s not all just added utility though; TfL says it will also use the information to enhance its in-station marketing analytics — and, it hopes, top up its revenues — by tracking footfall around ad units and billboards.

Commuters using the UK capital’s publicly funded transport network who do not want their movements being tracked will have to switch off their wi-fi, or else put their phone in airplane mode when using the network.

To deliver data of the required detail, TfL says detailed digital mapping of all London Underground stations was undertaken to identify where wi-fi routers are located so it can understand how commuters move across the network and through stations.

It says it will erect signs at stations informing passengers that using the wi-fi will result in connection data being collected “to better understand journey patterns and improve our services” — and explaining that to opt out they have to switch off their device’s wi-fi.

Attempts in recent years by smartphone OSes to use MAC address randomization to try to defeat persistent device tracking have been shown to be vulnerable to reverse engineering via flaws in wi-fi set-up protocols. So, er, switch off to be sure.

We covered TfL’s wi-fi tracking beta back in 2017, when we reported that despite claiming the harvested wi-fi data was “de-personalised”, and claiming individuals using the Tube network could not be identified, TfL nonetheless declined to release the “anonymized” data-set after a Freedom of Information request — saying there remains a risk of individuals being re-identified.

As has been shown many times before, reversing ‘anonymization’ of personal data can be frighteningly easy.

It’s not immediately clear from the press release or TfL’s website exactly how it will be encrypting the location data gathered from devices that authenticate to use the free wi-fi at the circa 260 wi-fi enabled London Underground stations.

Its explainer about the data collection does not go into any real detail about the encryption and security being used. (We’ve asked for more technical details.)

“If the device has been signed up for free Wi-Fi on the London Underground network, the device will disclose its genuine MAC address. This is known as an authenticated device,” TfL writes generally of how the tracking will work.

“We process authenticated device MAC address connections (along with the date and time the device authenticated with the Wi-Fi network and the location of each router the device connected to). This helps us to better understand how customers move through and between stations — we look at how long it took for a device to travel between stations, the routes the device took and waiting times at busy periods.”

“We do not collect any other data generated by your device. This includes web browsing data and data from website cookies,” it adds, saying also that “individual customer data will never be shared and customers will not be personally identified from the data collected by TfL”.

In a section entitled “keeping information secure” TfL further writes: “Each MAC address is automatically depersonalised (pseudonymised) and encrypted to prevent the identification of the original MAC address and associated device. The data is stored in a restricted area of a secure location and it will not be linked to any other data at a device level.  At no time does TfL store a device’s original MAC address.”

Privacy and security concerns were raised about the location tracking around the time of the 2016 trial — such as why TfL had used a monthly salt key to encrypt the data rather than daily salts, which would have decreased the risk of data being re-identifiable should it leak out.
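The effect of the salt period raised above can be shown with a keyed hash. This is an added example, not TfL's code: the HMAC-SHA256 construction, the key and the observations are assumptions made for illustration, since TfL has not published its scheme.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed secret, used only so the demo is reproducible.
MASTER_KEY = b"constructed-demo-key-not-a-real-secret"


def normalise_mac(mac: str) -> bytes:
    """Accept aa:bb:..., AA-BB-... or aabb.ccdd.eeff and return 6 raw bytes."""
    hex_digits = "".join(c for c in mac if c not in ":-.").lower()
    raw = bytes.fromhex(hex_digits)
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def period_label(seen_at: datetime, rotation: str) -> str:
    """Name of the salt period an observation falls into (UTC)."""
    seen_at = seen_at.astimezone(timezone.utc)
    if rotation == "monthly":
        return seen_at.strftime("%Y-%m")
    if rotation == "daily":
        return seen_at.strftime("%Y-%m-%d")
    raise ValueError("rotation must be 'monthly' or 'daily'")


def pseudonym(mac: str, seen_at: datetime, rotation: str) -> str:
    """Keyed hash of the MAC under a salt derived for the current period."""
    label = period_label(seen_at, rotation).encode()
    salt = hmac.new(MASTER_KEY, label, hashlib.sha256).digest()
    return hmac.new(salt, normalise_mac(mac), hashlib.sha256).hexdigest()[:16]


def linkable_days(observations, rotation: str) -> dict:
    """Map each pseudonym to the set of calendar days it was seen on."""
    days = {}
    for mac, seen_at in observations:
        days.setdefault(pseudonym(mac, seen_at, rotation), set()).add(seen_at.date())
    return days


def longest_trail(observations, rotation: str) -> int:
    """Largest number of distinct days that one pseudonym ties together."""
    return max(len(d) for d in linkable_days(observations, rotation).values())


# Constructed observations: one device seen on three days of the same month
# (written in three common MAC notations), and a second device seen once.
OBSERVATIONS = [
    ("02:00:5e:10:00:01", datetime(2019, 7, 8, 8, 15, tzinfo=timezone.utc)),
    ("02-00-5E-10-00-01", datetime(2019, 7, 9, 8, 17, tzinfo=timezone.utc)),
    ("0200.5e10.0001", datetime(2019, 7, 22, 18, 40, tzinfo=timezone.utc)),
    ("02:00:5e:10:00:02", datetime(2019, 7, 8, 9, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for rotation in ("monthly", "daily"):
        print(rotation, "-> longest linkable trail:", longest_trail(OBSERVATIONS, rotation), "day(s)")
```

Under the monthly period every sighting of the first device in July shares one pseudonym, so a leaked data set links all of its journeys for that month; under the daily period the trail breaks at midnight.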

Such concerns persist — and security experts are now calling for full technical details to be released, given TfL is going full steam ahead with a rollout.

A report in Wired suggests TfL has switched from hashing to a system of tokenisation – “fully replacing the MAC address with an identifier that cannot be tied back to any personal information”, which TfL billed as a “more sophisticated mechanism” than it had used before. We’ll update as and when we get more from TfL.

Another question over the deployment at the time of the trial was what legal basis it would use for pervasively collecting people’s location data — since the system requires an active opt-out by commuters, a consent-based legal basis would not be appropriate.

In a section on the legal basis for processing the Wi-Fi connection data, TfL writes now that its ‘legal ground’ is two-fold:

  • Our statutory and public functions
  • to undertake activities to promote and encourage safe, integrated, efficient and economic transport facilities and services, and to deliver the Mayor’s Transport Strategy

So, presumably, you can file ‘increasing revenue around adverts in stations by being able to track nearby footfall’ under ‘helping to deliver (read: fund) the mayor’s transport strategy’.

(Or as TfL puts it: “[T]he data will also allow TfL to better understand customer flows throughout stations, highlighting the effectiveness and accountability of its advertising estate based on actual customer volumes. Being able to reliably demonstrate this should improve commercial revenue, which can then be reinvested back into the transport network.”)

On data retention it specifies that it will hold “depersonalised Wi-Fi connection data” for two years — after which it will aggregate the data and retain those non-individual insights (presumably indefinitely, or per its standard data retention policies).

“The exact parameters of the aggregation are still to be confirmed, but will result in the individual Wi-Fi connection data being removed. Instead, we will retain counts of activities grouped into specific time periods and locations,” it writes on that.

It further notes that aggregated data “developed by combining depersonalised data from many devices” may also be shared with other TfL departments and external bodies. So that processed data could certainly travel.

Of the “individual depersonalised device Wi-Fi connection data”, TfL claims it is accessible only to “a controlled group of TfL employees” — without specifying how large this group of staff is; and what sort of controls and processes will be in place to prevent the risk of A) data being hacked and/or leaking out or B) data being re-identified by a staff member.

A TfL employee with intimate knowledge of a partner’s daily travel routine might, for example, have access to enough information via the system to be able to reverse the depersonalization.

Without more technical details we just don’t know. Though TfL says it worked with the UK’s data protection watchdog in designing the data collection with privacy front of mind.

“We take the privacy of our customers very seriously. A range of policies, processes and technical measures are in place to control and safeguard access to, and use of, Wi-Fi connection data. Anyone with access to this data must complete TfL’s privacy and data protection training every year,” it also notes elsewhere.

Despite holding individual level location data for two years, TfL is also claiming that it will not respond to requests from individuals to delete or rectify any personal location data it holds, i.e. if people seek to exercise their information rights under EU law.

“We use a one-way pseudonymisation process to depersonalise the data immediately after it is collected. This means we will not be able to single out a specific person’s device, or identify you and the data generated by your device,” it claims.

“This means that we are unable to respond to any requests to access the Wi-Fi data generated by your device, or for data to be deleted, rectified or restricted from further processing.”

Again, the distinctions it is making there are raising some eyebrows.

What’s amply clear is that the volume of data that will be generated as a result of a full rollout of wi-fi tracking across the lion’s share of the London Underground will be staggeringly massive.

More than 509 million “depersonalised” pieces of data were collected from 5.6 million mobile devices during the four-week 2016 trial alone — comprising some 42 million journeys. And that was a very brief trial which covered a much smaller sub-set of the network.

As big data giants go, TfL is clearly gunning to be right up there.

Google says some G Suite user passwords were stored in plaintext since 2005

Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

No consumer Gmail accounts were affected by the security lapse, said Frey.

“To be clear, these passwords remained in our secure encrypted infrastructure,” said Frey. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google has more than 5 million enterprise customers using G Suite.

Google said it also discovered a second security lapse earlier this month as it was troubleshooting new G Suite customer sign-ups. The company said since January it was improperly storing “a subset” of unhashed G Suite passwords on its internal systems for up to two weeks. Those systems, Google said, were only accessible to a limited number of authorized Google staff.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” said Frey.

Google said it’s notified G Suite administrators to warn of the password security lapse, and will reset account passwords for those who have yet to change.

A spokesperson confirmed Google has informed data protection regulators of the exposure.

Google becomes the latest company to have admitted storing sensitive data in plaintext in the past year. Facebook said in March that “hundreds of millions” of Facebook and Instagram passwords were stored in plaintext. Twitter and GitHub also admitted similar security lapses last year.

Job recruitment site Ladders exposed 13 million user profiles

Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records following a security lapse.

The New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data. Sanyam Jain, a security researcher and a member of the GDI Foundation, a nonprofit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.

Within an hour of TechCrunch reaching out, Ladders had pulled the database offline.

Marc Cenedella, chief executive, confirmed the exposure in a brief statement. “AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” he said.

TechCrunch verified the data by reaching out to more than a dozen users of the site. Several confirmed their data matched their Ladders profile. One user who responded said they are “not using the site anymore” following the breach.

Each record included names, email addresses and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in U.S. dollars.

A partial record (redacted) including a person’s name, address, phone number, job description and details of their security clearance (Image: supplied)

Many of the records also contained detailed job descriptions of their past employment, similar to a résumé.

Although some of the data was publicly viewable to other users on the site, much of the data contained personal and sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based off their IP address.

The database contained years’ worth of records.

Some records included their work authorizations, such as whether they are a U.S. citizen or if they are on a visa, such as an H1-B. Others listed their U.S. security clearance alongside their corresponding jobs, such as telecoms or military.

More than 379,000 recruiters’ information was also exposed, though the data wasn’t as sensitive.

Security researcher Jain recently found a leaking Wi-Fi password database and an exposed back-end database for a family-tracking app, including the real-time location data of children.

A hotspot finder app exposed 2 million Wi-Fi network passwords

A popular hotspot finder app for Android exposed the Wi-Fi network passwords for more than two million networks.

The app, downloaded by thousands of users, allowed anyone to search for Wi-Fi networks in their nearby area. The app allows the user to upload Wi-Fi network passwords from their devices to its database for others to use.

But that database of more than two million network passwords was left exposed and unprotected, allowing anyone to access and download the contents in bulk.

Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.

We spent more than two weeks trying to contact the developer, believed to be based in China, to no avail. Eventually we contacted the host, DigitalOcean, which took the database down within a day of reaching out.

“We notified the user and have taken the [server] hosting the exposed database offline,” a spokesperson told TechCrunch.

Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID), and network password stored in plaintext.

Although the app developer claims the app only provides passwords for public hotspots, a review of the data showed countless home Wi-Fi networks. The exposed data didn’t include contact information for any of the Wi-Fi network owners, but the geolocation of each Wi-Fi network correlated on a map often included networks in wholly residential areas or where no discernible businesses exist.

The app doesn’t require users to obtain permission from the network owner, exposing Wi-Fi networks to unauthorized access. With access to a network, an attacker may be able to modify router settings to point unsuspecting users to malicious websites by changing the DNS server, a vital system used to convert web addresses into the IP addresses used to locate web servers on the internet. When on a network, an attacker can also read the unencrypted traffic that goes across the wireless network, allowing them to steal passwords and secrets.

Tens of thousands of the exposed Wi-Fi passwords are for networks based in the U.S.

Researcher shows how popular app ES File Explorer exposes Android device data

Why is one of the most popular Android apps running a hidden web server in the background?

ES File Explorer claims it has over 500 million downloads under its belt since 2014, making it one of the most used apps to date. Its simplicity makes it what it is: a simple file explorer that lets you browse through your Android phone or tablet’s file system for files, data, documents and more.

But behind the scenes, the app is running a slimmed-down web server on the device. In doing so, it opens up the entire Android device to a whole host of attacks — including data theft.

Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, found the exposed port last week, and disclosed his findings in several tweets on Wednesday. Prior to tweeting, he showed TechCrunch how the exposed port could be used to silently exfiltrate data from the device.

“All connected devices on the local network can get [data] installed on the device,” he said.

Using a simple script he wrote, Robert demonstrated how he could pull pictures, videos, and app names — or even grab a file from the memory card — from another device on the same network. The script even allows an attacker to remotely launch an app on the victim’s device.

He sent over his script for us to test, and we verified his findings using a spare Android phone. Robert said app versions 4.1.9.5.2 and below have the open port.

“It’s clearly not good,” he said.

A script, developed by the security researcher, to obtain data on the same network as an Android device running ES File Explorer. (Image: supplied)

We contacted the makers of ES File Explorer but did not hear back prior to publication. If that changes, we’ll update.

The obvious caveat is that the chances of exploitation are slim, given that this isn’t an attack that anyone on the internet can perform. Any would-be attacker has to be on the same network as the victim. Typically that would mean the same Wi-Fi network. But that also means that any malicious app on any device on the network that knows how to exploit the vulnerability could pull data from a device running ES File Explorer and send it along to another server, so long as it has network permissions.

Of the reasonable explanations, some have suggested that it’s used to stream video to other apps using the HTTP protocol. Others who historically found the same exposed port found it alarming. The app even says it allows you to “manage files on your phone from your computer… when this feature is enabled.”

But most probably don’t realize that the open port leaves them exposed from the moment that they open the app.
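A defender's check for the condition described above, a listener owned by an installed app and reachable from the local network, as an added example that is not from the article or the researcher's script. It parses text in the Linux /proc/net/tcp layout; the sample rows, UIDs and ports are constructed, and only IPv4 is covered.

```python
import ipaddress

TCP_LISTEN = "0A"              # state code for LISTEN in /proc/net/tcp
ANDROID_FIRST_APP_UID = 10000  # Android assigns installed apps UIDs from 10000 up

# Constructed sample: a loopback-only system listener (uid 0), an app listening
# on every interface (uid 10123), an app listening on loopback only (uid 10087),
# and an established outbound connection that is not a listener at all.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 33333 1 0000000000000000 100 0 0 10 0
   3: 6401A8C0:A2F4 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 44444 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field: str):
    """Turn 'HHHHHHHH:PPPP' into (IPv4Address, port).

    The kernel prints the address as a host-order 32-bit value, so on the
    little-endian CPUs used by Android devices the bytes appear reversed.
    """
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(bytes.fromhex(addr_hex)[::-1])
    return addr, int(port_hex, 16)


def exposed_app_listeners(proc_net_tcp: str):
    """Return (uid, address, port) for app-owned sockets listening off loopback."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        addr, port = decode_endpoint(fields[1])
        uid = int(fields[7])
        if uid >= ANDROID_FIRST_APP_UID and not addr.is_loopback:
            findings.append((uid, str(addr), port))
    return findings


if __name__ == "__main__":
    for uid, addr, port in exposed_app_listeners(SAMPLE_PROC_NET_TCP):
        print(f"app uid {uid} is listening on {addr}:{port}")
```

A listener bound to 0.0.0.0 accepts connections from any device on the same Wi-Fi network, which is the exposure the article describes; one bound to 127.0.0.1 is reachable only from the device itself.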