In part 1, we discussed a red team engagement that went south when the Google SOC joined forces with the SOC of a customer leading to the dismantling of all our compromised accounts, throw-away accounts, and even my work account. My daily work life was impacted significantly that week and my home internet-connected devices that had Google sessions were regularly reset. I learned that I should probably reconsider how my own personal life consolidated all facets with Google and how I could be impacted by the technology giant in the event we didn’t see eye to eye in the future. While their actions were absolutely merited and I agree the response taken was the safest risk reducer for the incident they encountered, it left a lingering and troublesome feeling in me.
Most people that have known me for any length of time can tell you I’ve been a die-hard Google fanboy for over 15 years. Every smart-phone I’ve owned ran Android, almost every smart-device in my home ran Android or was owned by Google, and I was a heavy G Suite user. All my files were backed up to Google Drive, most of my online accounts used SSO with my Google account as primary, all my TOTP 2FA relied on Google Authenticator, and my phone number was even Google Voice. Needless to say, it was a lot to think about.
I needed a goal. Breaking free from Google-related services and devices was a lofty goal but would it be achievable. I decided to also include migrating away from a GSM-based cell phone so I could avoid the attack surface of sim-swapping. Quick note, while there are lots of links to services and products, none of them are referral links and are only used to provide options.
My goals were:
- No Google Services
- No GSM Phone
- Quality Cell-phone Coverage
Mobile Device Selection
This was much more difficult than I previously considered. While there were a number of different mobile OS’s around, some were no longer supported or just purely bad. While some of these are dead or no longer supported, I listed them so you don’t have to waste time researching. The ones I looked into were:
- FireOS (Amazon’s FirePhone but seems dead)
- PureOS (Purism)
- Firefox OS (died a while back)
- KaiOS (integrated with Google Assistant)
- Ubuntu Touch (pretty good alternative)
- LightPhone 2 (wasn’t released but would have been my 1st pick)
- Windows 10 Mobile (end of life this year)
- Blackberry/SilentPhone/Cryptophone (all run Android now)
- iOS (I was vehemently against Apple at the time)
After being extremely discontent with all of the available options, I ended up buying an iPhone which combined with a Macbook Pro, has truly revolutionized my entire digital life. My opposition to Apple wasn’t because of its technology, I just didn’t want to go from one giant to another.
While selecting a TOTP 2FA solution is fairly straight forward, I wanted to take it a step further and also create a completely separate phone line for SMS-based 2FA. While some might consider it in the same category as prepper-level status, it definitely creates an extra step for an attacker when targeting backup SMS 2FA implementations. There are a number of TOTP options, as well as, VOIP providers that integrate additional phone numbers using apps. I didn’t see much difference between most of the options but here are a few I considered:
Choosing a new mail provider was a big concern. I set out desiring full alias support because I wanted to create unique email addresses for separate categories. Communicating with people? New Email. Social profiles? New Email. Smart-phone apps? New email. iCloud? New email. Banking? New email. Security-related accounts? New email. Software licenses? New email. It probably sounds pretty crazy but using aliases you get the convenience of email consolidation with reduced risk of cross-contamination. It helps create isolation for people attempting to connect you and your social accounts and since I don’t like my personal data being sold (and hate ads) I opted to pay for email. Could anything be as awesome as Gmail and the G Suite line of products? Maybe not but we could definitely satisfy our needs.
There are a number of mail providers available, some I considered are:
The email provider I decided to go with was FastMail. They have multiple plans available and you can even bring your own domain. It has built-in support for syncing contacts and calendars while at the same time file support similar to Google Drive. I did have a concern with my mail clients leaking my source IP address in each email header which typically happens when you aren’t using a webmail client. A friend of mine at a fruit company pointed out that FastMail has an undisclosed SMTP port of 565 that strips the source IP address from all outbound email! They also have a decent mobile application which seems to be feature-full.
Making the Migration
There are a number of areas I overlooked when I began the journey so in an effort to create somewhat of a checklist for readers, here are some areas to remember:
- Update all site profiles with new email address
- Update Slack and other social apps
- Update other profiles using the email as a backup
- Migrate phone files and images
- Reinstall apps on new phone
- Backup G Suite data
- Backup Google Drive files
- Import contacts
- Import calendar events
- Re-sync TOTP/Push 2FA token sessions
- Update profiles using SMS 2FA
There were a few tricks I used to expedite most of this process. The first major win was by using my password manager to maintain track of the accounts I’ve updated with my new email addresses. This was convenient because it helped me make sure I covered all the accounts while also updating the password manager directly. Be careful though, sometimes password managers don’t update email addresses automatically which can get tricky if you are using the family subscription for shared passwords. A very few sites didn’t allow me to actually update my email address. You might want to also consider regenerating API tokens that you rely on for the accounts you updated the email address on. I ran into an instance where an API token I used heavily no longer worked after I updated my profile email.
This was probably one of the most straight-forward migrations. I made a simple list of the applications I had on my Android phone and made sure I reinstalled them on my new phone. Too bad there isn’t an app that would have done this automatically, I really liked how Android would automatically sync apps on new devices I purchased. I didn’t worry about syncing my files to my new phone since they are already backed up and I don’t actively need them, plus as you will read next, I found a new solution for data storage.
Google makes it really easy to download all your account data by visiting https://google.com/takeout but I strongly suggest syncing Google Drive separately. Large files create major head-aches and if you are a heavy user, the longer this process will take. The good thing about using Google Takeout is all of your Gmail will be downloaded too. The only problem I couldn’t find a solution for was exporting my Google Books. Most of the books on my bookshelf were uploaded and for some reason, the download/export feature wasn’t available for them anymore.
For storage, I opted to replace my home NAS with a Synology DS218play NAS and Seagate SATA drives then just stored everything locally instead of the cloud. I ended up purchasing double the space and running an SHR raid configuration. This is similar to a raid 1 configuration except it’s a custom Synology raid type that allows mix and match of disk sizes while maintaining typical mirror redundancy in case of disk failure. There were numerous reasons for the selection of Synology but this Linux-based OS has a simplified user-interface with some really cool built-in applications from collaboration tools to drop-in replacements for my Google Photos and Google Drive needs (Moments and Drive apps). You can even backup your Google Drive directly! This beast is powerful and full of all kinds of useful applications for syncing data to and from cloud providers for the ultra-paranoid or downloading YouTube videos or Torrents.
Obviously, if you want to still play in the cloud for data, there are solutions:
Don’t forget to import your contacts and calendars to your new provider. Most contact apps rely on vCard or have import capabilities so it’s fairly simple to do. The same with most calendars adopting the vCalendar standard so events universally work between providers. I used this opportunity to clear out my old contacts.
Finally, let’s not forget all of those pesky TOTP token sessions in Google Authenticator and changing your phone number for all the profiles that poorly implement 2FA solutions by only offering SMS. You do use 2FA for all your accounts, right?
I opted to go with 2 separate TOTP applications but they are all relatively the same. As a pentester and red teamer, I regularly encounter scenarios where I have to enroll 2FA during customer engagements. Something to consider is separating work and personal TOTP apps for 2FA. It’s probably not that big of a deal unless you have OCD and prefer things in isolation, like me.
Regarding SMS based 2FA, I’ve heard all the pro-SMS 2FA and anti-SMS 2FA infosec Twitterverse arguments and while some might consider SMS better than nothing, I strongly disagree. I am extremely against SMS-based 2FA for primary and even backup 2FA. In the event you have a profile with only SMS 2FA enabled, be sure to update the profiles with your new phone number. There is no obvious way to identify which profiles use SMS 2FA unless the SMS messages in your messaging app contain what the code is actually for. Google and Microsoft provide a nice little message stating “G-xxxxxx is your Google verification code” and “xxxxxx Use this code for Microsoft verification” but it seems a lot of others are just a random SMS with a code. *shrug* If you are interested in a discussion on why I think SMS 2FA is insecure, unhealthy, and should be eliminated altogether — feel free to reach out! 🙂
Wiping and Starting Over
Now it’s time to delete the Google account since everything is set up, migrated, and working properly. I didn’t do this immediately because I was worried I might have missed something. Keeping the account for a few weeks but not actively using it turned out to be a great choice because there were a few instances where I needed to access my email which was configured as a backup for other profiles. It also gave me peace of mind knowing that I hadn’t been actively using it and my transition away from Google was a success. While there are a number of Google devices that you may need to wipe, I will provide instructions for the ones I used:
- Delete Google Account
- Factory Reset Android devices
- Factory Reset Nest Thermostat
- Factory Reset Google Home
- Factory Reset Fire TV/Fire Stick
- Factory Reset Moto 360 Watch
- Remove Google Account from Sony TV
For some, avoiding Google services is going to be impossible. For instance, I have to use it for work so how do I get around intentionally giving up my data to Google? I decided that isolating where and how I use Google would require compartmentalizing authenticated Google sessions to my work laptop only. It creates a little head-ache not having work available on my cell phone but it creates a healthy work-life balance. For internet searches, I’ve switched over to DuckDuckGo which happens to be a pretty good alternative.
Don’t forget to notify friends and family of your new contact number! I actually skipped this step because I figured there are plenty of ways to get a hold of me in an emergency and in most cases I talk to people frequent enough that they will get my new information eventually.
Disposable Credit Cards
Since diversifying my digital life across emails, phone numbers, and service providers has proven to be very productive, I also started using Privacy.com for online purchases. It allows me to connect my bank account then I generate single-use credit cards for each purchase. You can also generate merchant-specific cards that have a preset limit for monthly payments. This way, if a merchant gets breached the stolen credit card is useless. If selected, you can also spoof the transaction name on your bank statement to avoid your spouse seeing those gift purchases!
Aside from the reality that technology giants have inadvertently turned into puppeteers with the power to control behavior and literally listen to every area of our lives, there is actually another shadow creeping in the clouds that people know about but often overlook: the personal data brokering business. This arena is huge and the data they have been collecting, buying, selling, giving, and trading is staggering in size despite it being public information. By compartmentalizing your digital life, you can at least make it much more difficult for those targeting you. Oh, and I’ll just leave this here https://www.thecreepyline.com, it’s worth the watch. 🙂
One last thing, an interesting provision in article 17 of the EU GDPR forces technology companies to erase your data when requested. They are also required to notify the third-parties they provided your data to, so they can follow suit as well. If you are a US citizen reading this and were hoping to leverage GDPR then check out the Estonia eResidency program. 🙂
In the meantime, US citizens can leverage some recent laws passed in Vermont to identify most of the data brokers selling their data by accessing the Vermont business page, selecting the Business Type of Data Broker and searching, then selecting the Filing History and Filing Type for opt-out instructions. Maybe someone reading this will go through each one and track how to opt-out and make it easily accessible to everyone (thanks Bronwen!).
That’s it! I hope this blog series was useful to you and that your journey at taking back control of your digital life goes smoothly.