TikTok warning for students
2023-03-29
Dear Students,
On 8 March 2023, the National Cyber and Information Security Agency (NÚKIB) issued a warning against a cybersecurity threat consisting of installing and using the TikTok app.
What exactly does this threat consist of? From the point of view of cybersecurity, the main concern is that TikTok collects excessive amounts of user data. In particular, it:
- gathers information about other running and installed applications on your device (phone, tablet, notebook…)
- periodically checks device location
- collects device information including Wi-Fi SSID, previous Wi-Fi configuration, device serial number and SIM card, device ID, device IMEI, MAC address, phone number, list of all user accounts used on the device
- has access to your calendar, can read and change it
- has access to contacts
- has complete access to clipboard
- enforces the use of its own built-in web browser, which can track almost all user activity
- stores the content of private communications on the servers of the Chinese company ByteDance
In more detail:
- the app wants to access your contacts to find out which of your friends is also using TikTok. This is a logical reason. But by allowing the app to do this, you are also giving the app access to all the information stored in your contacts. Names, phone numbers, e-mail, home addresses. Do you have the birth dates of your loved ones in your contacts? The app learns them.
- access to the calendar - once again, the app gets access to your personal data. Do you share a planning calendar with your family? Then it has access to it.
- forced use of the app's built-in web browser - if you click on a link in the app, the page will not open in the system web browser, but in the browser built into the app. The app can then track your activities on the page, what you click on, what you write.
All the information collected may be used against you in the future, e.g. for very well-crafted phishing or for blackmail.
Consider these risks yourself. We recommend that you do not use this application and do not connect to the University Study Information System from the device on which this application is installed.
If you are already using the app and want to continue using it despite the warnings, we strongly recommend that you:
- do not use the built-in web browser to work with pages where you need to enter sensitive data (e.g. log in to webmail, the Study Information System, Gmail, m365 services, banking…)
- do not log in to the university information systems from the device (phone) on which the app is installed
If you decide to try and install the app despite the warning (or because of it), we recommend:
- when installing the app, grant it only the permissions that are strictly necessary. It is better to deny more and enable them later, if necessary, than the other way around. For example, do not allow access to the calendar if you do not want to use the app features that depend on it.
Is TikTok the only application that wants access to contacts or collects personal data?
No! There are a lot of applications that collect personal data. For example, there are a number of communication systems where the user is identified by their phone number and that want access to your contacts during installation. Likewise, there are applications with a web browser. When using these applications, we recommend the same caution and consideration of what personal data to provide.
So what makes the TikTok application different?
- the amount of data collected
- it is a platform developed and operated by the Chinese company ByteDance. The company has access to the data collected and to your communication within the platform. The company is subject to Chinese national legislation, which imposes on all Chinese citizens and organizations relatively extensive obligations to provide information to state authorities. A striking example is the obligation to report identified security vulnerabilities to the Chinese Ministry of Industry and IT and not to the foreign organizations and individuals affected by the vulnerability; reporting to them is even forbidden. In such an environment, the likelihood of your personal data leaving the company and being misused is high.
Why now?
Why was the warning issued now, when TikTok has existed and been popular for a long time? NÚKIB refers to the annual report of the Security Information Service (BIS) for the year 2021, according to which the PRC represents a growing complex intelligence threat.