Full Report
Hungarian domestic intelligence, the national police in El Salvador, and several U.S. law enforcement agencies and police departments have been identified as users of an advertising-based global geolocation surveillance system called Webloc. The tool was developed by Israeli company Cobwebs Technologies and is now sold by its successor Penlink after the two firms merged in July 2023.
Analysis Summary
# Incident Report: Surveillance Exposure - Webloc Geolocation Tracking
## Executive Summary
Israeli firm Cobwebs Technologies (now Penlink) developed and distributed a global surveillance tool named "Webloc," which leverages real-time digital advertising data for precise geolocation tracking. Attributed users include Hungarian intelligence, the Salvadoran national police, and various U.S. law enforcement agencies. The system exploits the "AdTech" ecosystem to track individuals globally without traditional warrants or cellular provider cooperation.
## Incident Details
- **Discovery Date:** July 2023 (following firm merger and subsequent investigative reporting)
- **Incident Date:** Ongoing (Active use confirmed through 2023–2024)
- **Affected Organization:** Global civilian population (anyone targeted by the law enforcement agencies using the tool)
- **Sector:** Government / Law Enforcement / Intelligence
- **Geography:** Hungary, El Salvador, United States, and Israel
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately 2020–2023 (Operational period of Cobwebs Technologies)
- **Vector:** Exploitation of Real-Time Bidding (RTB) advertising protocols.
- **Details:** The tool accesses data streams generated when apps request ads, capturing unique device identifiers (ADIDs) and GPS coordinates.
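The details above describe the data an app leaks into the bidstream each time it requests an ad: a stable advertising identifier plus a device GPS fix. The following Python is an added example, not Cobwebs/Penlink code and not taken from this report; it shows how an app or exchange operator can audit bid requests for exactly that combination and what a data-minimisation transform looks like. Field names follow the public OpenRTB 2.x layout (`device.ifa`, `device.lmt`, `device.ip`, `device.geo.lat/lon/type/accuracy`); the three sample requests, their identifiers and IP addresses are constructed, and the 100 m "precise" threshold and the /24, two-decimal coarsening are assumptions chosen for illustration.

```python
"""Audit OpenRTB-style bid requests for the fields that make bidstream-based
geolocation tracking possible, then apply a data-minimisation transform.

Added example (not Cobwebs/Penlink code). Field names follow OpenRTB 2.x;
the sample requests below are constructed, not captured traffic.
"""
import copy
import ipaddress
import json

GEO_TYPE_GPS = 1          # OpenRTB device.geo.type: 1 = GPS/location services, 2 = IP-derived
PRECISE_ACCURACY_M = 100  # assumption: a fix at or below this is building-level
ZERO_IFA = "00000000-0000-0000-0000-000000000000"  # what SDKs send when tracking is limited

# Constructed sample bid requests, shaped as an in-app SDK would emit them to an exchange.
SAMPLE_REQUESTS = [
    # Full exposure: stable ad ID, Limit Ad Tracking off, GPS fix with 5 m accuracy.
    {"id": "req-1", "app": {"bundle": "com.example.flashlight"},
     "device": {"ifa": "7a1b2c3d-0000-4000-8000-000000000001", "lmt": 0, "ip": "203.0.113.17",
                "geo": {"lat": 47.497913, "lon": 19.040236, "type": 1, "accuracy": 5}}},
    # User enabled Limit Ad Tracking: ifa zeroed, lmt=1, but the GPS fix is still sent.
    {"id": "req-2", "app": {"bundle": "com.example.weather"},
     "device": {"ifa": ZERO_IFA, "lmt": 1, "ip": "198.51.100.44",
                "geo": {"lat": 13.698889, "lon": -89.191389, "type": 1, "accuracy": 12}}},
    # Only IP-derived city-level geo: little value for following one person.
    {"id": "req-3", "app": {"bundle": "com.example.news"},
     "device": {"ifa": "7a1b2c3d-0000-4000-8000-000000000003", "lmt": 0, "ip": "192.0.2.9",
                "geo": {"lat": 38.9, "lon": -77.0, "type": 2}}},
]


def exposure(req):
    """Return the set of tracking enablers present in one bid request."""
    dev = req.get("device", {})
    geo = dev.get("geo", {})
    found = set()
    ifa = dev.get("ifa")
    if ifa and ifa != ZERO_IFA and dev.get("lmt", 0) != 1:
        found.add("persistent_id")      # stable ADID: joins many pings into one device history
    if geo.get("type") == GEO_TYPE_GPS and "lat" in geo and "lon" in geo:
        if geo.get("accuracy", 0) <= PRECISE_ACCURACY_M:   # missing accuracy is treated as precise
            found.add("precise_gps")    # building-level fix: reveals homes, clinics, meetings
    if dev.get("ip"):
        found.add("ip_address")         # secondary identifier, bridges the device to other networks
    return found


def is_trackable(req):
    """A request lets an analyst follow one person when a stable ID meets a precise location."""
    e = exposure(req)
    return "persistent_id" in e and "precise_gps" in e


def minimise(req):
    """Return a copy with the tracking enablers stripped or coarsened; the ad is still servable."""
    out = copy.deepcopy(req)
    dev = out.setdefault("device", {})
    dev.pop("ifa", None)                              # drop the stable device identifier
    if dev.get("ip"):
        ip = ipaddress.ip_address(dev["ip"])
        prefix = 24 if ip.version == 4 else 48
        net = ipaddress.ip_network((str(ip), prefix), strict=False)
        dev["ip"] = str(net.network_address)          # keep only the /24 or /48 prefix
    geo = dev.get("geo")
    if geo:
        for k in ("lat", "lon"):
            if k in geo:
                geo[k] = round(geo[k], 2)             # ~1 km cell: enough for regional targeting
        geo.pop("accuracy", None)
    return out


def audit(requests):
    """Count individually trackable requests before and after minimisation."""
    before = sum(is_trackable(r) for r in requests)
    after = sum(is_trackable(minimise(r)) for r in requests)
    return {"total": len(requests), "trackable_before": before, "trackable_after": after}


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(r["id"], sorted(exposure(r)))
    print(json.dumps(audit(SAMPLE_REQUESTS)))
```

Note that `req-2` shows why the "Limit Ad Tracking" control alone is a partial fix: the identifier is zeroed, but the precise GPS fix still leaves the device, which is why `minimise()` coarsens location and IP as well rather than only dropping the identifier.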
### Lateral Movement
- **Details:** Not applicable in a traditional network sense; however, the tool allows "device bridging," where an analyst can link a mobile device to other digital personas or physical locations across different networks.
### Data Exfiltration/Impact
- **Details:** Massive harvesting of location telemetry. It allows retrospective tracking of individuals' movements, identifying "patterns of life," and pinpointing visits to sensitive locations.
### Detection & Response
- **How it was discovered:** Investigative journalism and corporate transparency reports following the July 2023 merger between Cobwebs Technologies and Penlink.
- **Response Actions Taken:** Public disclosure by privacy advocacy groups and tech-focused media outlets to alert the public to AdTech surveillance.
## Attack Methodology
- **Initial Access:** Procurement of "bidstream" data from ad brokers and exchanges.
- **Persistence:** Continuous monitoring via SDKs (Software Development Kits) embedded in thousands of legitimate mobile applications.
- **Defense Evasion:** Use of legitimate commercial data traffic to mask surveillance activities; data is purchased, not "hacked" in the traditional sense.
- **Discovery:** Mapping of "Patterns of Life" by aggregating historical location "pings."
- **Collection:** Bulk collection of ADIDs (Advertising IDs), IP addresses, and latitude/longitude coordinates.
- **Exfiltration:** Data is pulled from ad-exchange servers to the Webloc interface for law enforcement query.
- **Impact:** Total loss of location privacy for mobile users in monitored jurisdictions.
## Impact Assessment
- **Financial:** Multi-million dollar contracts between Penlink/Cobwebs and government entities.
- **Data Breach:** Exposure of sensitive movement data of millions of citizens to domestic and foreign intelligence services.
- **Operational:** Law enforcement bypasses the need for judicial oversight (warrants) by purchasing data commercially.
- **Reputational:** Significant scrutiny on the Israeli surveillance-for-hire industry and U.S. law enforcement transparency.
## Indicators of Compromise
- **Network Indicators:** Requests from mobile apps to the ad-exchange and AdTech SDK endpoints that feed the bidstream (the value hxxps[://]webloc[.]io is a hypothetical, defanged placeholder, not an observed indicator).
- **Behavioral Indicators:** Excessive battery drain or high data usage by non-essential mobile applications containing aggressive AdTech SDKs.
## Response Actions
- **Containment:** Implementation of "Limit Ad Tracking" (LAT) settings on mobile operating systems (iOS/Android).
- **Eradication:** Use of DNS-based ad blockers (e.g., Pi-hole, NextDNS) to prevent devices from communicating with ad exchanges.
- **Recovery:** Legislative efforts in various regions to regulate the sale of "bidstream" data to third parties.
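The eradication step above relies on a DNS sinkhole refusing to resolve ad-exchange and tracker hostnames. The Python below is an added example, not code from Pi-hole, NextDNS or this report; it implements the two pieces such a setup depends on: parsing a blocklist in the hosts-file and bare-domain formats, and deciding whether a queried name (or any of its subdomains) is on it. It then runs that check over resolver log lines to show which clients are still trying to reach AdTech endpoints. The blocklist entries, the `.test` hostnames and the dnsmasq-like log lines are all constructed; suffix matching (a listed name also covers its subdomains) is a design choice of this example, not a claim about how either product matches.

```python
"""DNS sinkhole building blocks: blocklist parsing, suffix matching, and a
pass over resolver logs to find clients still contacting AdTech endpoints.

Added example; blocklist, hostnames and log lines are constructed for it.
"""
import re

# Constructed blocklist mixing the hosts-style and bare-domain formats.
BLOCKLIST_TEXT = """\
# sample adtech/telemetry list (constructed for this example)
0.0.0.0 ads.example-exchange.test
0.0.0.0 rtb.example-exchange.test   # bidder endpoint
127.0.0.1 localhost
telemetry.example-sdk.test
"""

# Constructed resolver log lines in a dnsmasq-like "query[TYPE] name from client" shape.
QUERY_LOG = """\
Jan 10 12:00:01 dnsmasq[1]: query[A] api.example-bank.test from 192.168.1.20
Jan 10 12:00:02 dnsmasq[1]: query[A] ads.example-exchange.test from 192.168.1.20
Jan 10 12:00:03 dnsmasq[1]: query[AAAA] eu.rtb.example-exchange.test from 192.168.1.31
Jan 10 12:00:04 dnsmasq[1]: query[A] example-exchange.test from 192.168.1.31
Jan 10 12:00:05 dnsmasq[1]: query[A] telemetry.example-sdk.test from 192.168.1.20
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
HOSTS_BOILERPLATE = {"localhost", "localhost.localdomain", "local", "broadcasthost"}
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")


def parse_blocklist(text):
    """Return the set of blocked names from hosts-style or bare-domain lines."""
    names = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        # "0.0.0.0 name" -> name; a bare "name" line is used as-is
        name = parts[1] if len(parts) >= 2 and parts[0] in SINK_ADDRESSES else parts[0]
        name = name.lower().rstrip(".")
        if name in HOSTS_BOILERPLATE:
            continue                              # never sinkhole hosts-file boilerplate
        names.add(name)
    return names


def is_blocked(name, blocked):
    """Suffix match: a listed name also covers every subdomain beneath it."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def sinkholed_queries(log_text, blocked):
    """Return (client, name) pairs for log lines whose lookup the sinkhole would block."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_blocked(m["name"], blocked):
            hits.append((m["client"], m["name"]))
    return hits


def blocked_lookups_per_client(log_text, blocked):
    """Per-client count of blocked lookups; high counts point at apps carrying aggressive SDKs."""
    counts = {}
    for client, _ in sinkholed_queries(log_text, blocked):
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    for client, name in sinkholed_queries(QUERY_LOG, blocked):
        print(f"sinkholed {name} for {client}")
    print(blocked_lookups_per_client(QUERY_LOG, blocked))
```

The per-client count is the useful operational output: a device that keeps resolving blocked AdTech names is running apps with embedded trackers, which is the behavioural indicator this report lists, and is a candidate for the app review recommended below.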
## Lessons Learned
- **Key Takeaways:** The commercial digital advertising ecosystem is being weaponized for state-level surveillance.
- **Visibility Gaps:** Standard cybersecurity tools (EDR/AV) do not flag this activity because it occurs via "legitimate" app behavior and server-side data sales.
## Recommendations
- **Mobile Hardening:** Users should reset their Advertising Identifier (ADID) regularly or opt out of ad personalization.
- **Systemic Change:** Organizations should advocate for "Data Privacy Acts" that specifically include the sale of location data derived from advertising.
- **Operational Security:** High-risk individuals should utilize hardened mobile OS versions and avoid installing apps with embedded third-party trackers.