Strip 1: Seeing Red

This comics-based toolkit is designed to help journalists and other members of the media understand how the IoT may threaten their work through a hypothetical scenario. Please note, all the ways in which the IoT is depicted and used maliciously are based on real-world evidence and examples. Citations are at the bottom of the page.

Each page of this toolkit (start with strip 1) takes one strip from the Senses of Security comic to go into detail about the IoT threats the journalist-protagonist (J) is facing. The toolkit breaks down the strips into annotated panels, to help readers better understand the threats that may be relevant to them, and how they could mitigate these dangers to protect themselves.

If you’re interested in bespoke training for yourself or your organisation, please get in touch!

J passes her smart doorbell, without considering that it is capable of continuous surveillance. These devices can allow those who have access to the feed to see when people enter and leave J’s house, what they’re wearing and carrying, and often to hear what they’re saying. This allows the Adversary to identify any patterns in J’s behaviour when she goes to meet a source. Some doorbells now also allow law enforcement to use facial recognition software on footage.

As J walks down a crowded street, she's surrounded by a web of CCTV cameras, many privately-owned but often accessible to law enforcement. Additionally, some of the devices on the street (even those that are just passing through) are connected to poorly secured or publicly available Wi-Fi, enabling them to form an informal surveillance network, where data from public and consumer IoT devices can be quietly centralised, making it easier for the Adversary to access and track J’s movements.

What threats are in these panels?

Threat 1: Continuous surveillance from personal devices

IoT systems are designed to be constantly on and processing information. The ability to identify the IoT devices present in an individual’s home through open-source investigation is the first step in many different attacks. Accessing this information, including microphone and camera feeds, can give adversaries enough data to compile and analyse that the patterns detected from the IoT systems enable doxxing and stalking, even beyond the reach of the devices themselves.[1]

For instance, fitness trackers or GPS keychain finders can make it easy to know when and where someone is likely to have just finished a tiring run, or where their bag might be left while they use the gym.[2] Microphones also pick up the sounds of nearby typing, which can allow adversaries to reconstruct otherwise private messages from the typing patterns.[3]

All of these threats have immediate impacts and longer-term concerns for mental health, financial security, and professional reputation.[4]

Threat 2: Informal additions to state surveillance networks

Consumer IoT networks (for instance, businesses’ security cameras) can become informal features of smart cities, particularly when easily accessible to law enforcement and intelligence agencies.[5] Many IoT camera-equipped doorbells have built-in police access, effectively making them an extension of state surveillance networks.[6]

This centralisation of data could easily facilitate the tracking of journalists by governments without transparent oversight.

What can you do about these threats?

  1. Follow our heroine’s example: wear identity-obfuscating clothes/accessories!

  2. Remain vigilant to devices that might be able to track your pattern of life.

  3. Vary your routes and routines.
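The third suggestion works because a regular routine is a predictable one. The following Python script is an added illustration, not part of the toolkit and not based on any real doorbell's data: it takes two constructed weeks of "person leaving" timestamps, as a doorbell's activity log might record them, and scores how predictable each week is by how concentrated the departures are in one time-of-day window (and, as a second measure, the Shannon entropy over those windows). A routine week collapses into a single window; a varied week spreads across several, so there is no single time an observer could rely on.

```python
from collections import Counter
from datetime import datetime
import math

# Constructed sample data (not from the page): one work week of departures
# as a smart doorbell's activity log might record them.
ROUTINE_DEPARTURES = [
    "2023-01-09 07:31", "2023-01-10 07:34", "2023-01-11 07:39",
    "2023-01-12 07:36", "2023-01-13 07:33",
]
VARIED_DEPARTURES = [
    "2023-01-09 06:10", "2023-01-10 07:45", "2023-01-11 09:20",
    "2023-01-12 08:05", "2023-01-13 10:50",
]


def _bucket(timestamp, bucket_minutes):
    """Map a 'YYYY-MM-DD HH:MM' string to a time-of-day bucket index."""
    dt = datetime.strptime(timestamp, "%Y-%m-%d %H:%M")
    return (dt.hour * 60 + dt.minute) // bucket_minutes


def bucket_label(index, bucket_minutes):
    """Human-readable window for a bucket index, e.g. '07:30-08:00'."""
    start = index * bucket_minutes
    end = start + bucket_minutes
    return f"{start // 60:02d}:{start % 60:02d}-{end // 60:02d}:{end % 60:02d}"


def predictability(events, bucket_minutes=30):
    """Fraction of departures falling in the single most common window.

    1.0 means every departure was in the same window (fully predictable);
    1/len(events) means every departure was in a different window.
    """
    if not events:
        return 0.0
    counts = Counter(_bucket(e, bucket_minutes) for e in events)
    return max(counts.values()) / len(events)


def routine_entropy(events, bucket_minutes=30):
    """Shannon entropy (bits) of the departure-window distribution.

    0 bits = perfectly regular; log2(n) bits = n departures in n windows.
    """
    if not events:
        return 0.0
    counts = Counter(_bucket(e, bucket_minutes) for e in events)
    n = len(events)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def likeliest_window(events, bucket_minutes=30):
    """The window an observer would bet on, given only the log."""
    counts = Counter(_bucket(e, bucket_minutes) for e in events)
    index, _ = counts.most_common(1)[0]
    return bucket_label(index, bucket_minutes)


if __name__ == "__main__":
    for name, week in [("routine", ROUTINE_DEPARTURES), ("varied", VARIED_DEPARTURES)]:
        print(f"{name:8s} predictability={predictability(week):.2f} "
              f"entropy={routine_entropy(week):.2f} bits "
              f"likeliest window={likeliest_window(week)}")
```

Run it and the routine week scores a predictability of 1.00 with 0 bits of entropy, i.e. a single 07:30-08:00 window accounts for every departure, while the varied week scores 0.20 and about 2.32 bits. The same scoring can be applied to any timestamped sensor log you can get hold of for yourself (fitness tracker exports, a doorbell's own activity history) to check how much of your own routine it gives away.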

J’s source is wearing a smart watch, which collects real-time audio and location data. Meanwhile, the sneaky drone footage is helping the Adversary identify the source, enabling the Adversary to know whose smart watch to target. The Adversary can then track the source’s precise movements, reconstruct past encounters, and even predict future meetings. The source's watch, likely synced to a phone, cloud accounts, and background apps, becomes a silent informant.

In the park, J meets with a confidential source, both unaware that a nearby drone’s camera is streaming footage live. Though the drone may appear harmless, its data flows through a long line of supply chain and maintenance actors, some of whom may be compromised or cooperate with the Adversary. The convoluted chains of data access may allow the drone to leak footage without the pilot’s knowledge, allowing the Adversary to tap into this stream in real time to view his targets. For journalists, this shows that even being a bystander rather than a device owner can expose meetings and source identities with no clear legal recourse or warning.

What additional threats are in this panel?

Threat 3: Third party supply chain actors accessing data

IoT device manufacturers can legally ensure that devices continually upload data to networks they coordinate, in order to keep track of performance and maintenance needs.[7] Data collected by consumer devices is therefore made accessible to an indeterminate number of parties, regardless of the knowledge or active consent of device owners.[8]

This supply chain risk means that journalists could have their technology and data compromised because they – necessarily or inadvertently – agreed to information sharing with third party actors in this chain.

What can you do about these threats?

  1. Like J, keep meetings analog where possible, using a pen, paper, or an offline recorder.

  2. Treat IoT devices as potential sources of risk, not shiny baubles. Slip portable IoT devices into a Faraday pouch or leave them at home.

  3. Identify the sensors that might be in your location, even if they don’t belong to you. Plan as if each one could be compromised.

Keep Going to Strip 2: Sounds Like a Plan!

Citations

[1] Benjakob O (2022) This ‘Dystopian’ Cyber Firm Could Have Saved Mossad Assassins From Exposure - National Security & Cyber - Haaretz.com. Haaretz, 26 December. Available at: https://www.haaretz.com/israel-news/security-aviation/2022-12-26/ty-article-magazine/.premium/this-dystopian-cyber-firm-could-have-saved-mossad-assassins-from-exposure/00000185-0bc6-d26d-a1b7-dbd739100000 (accessed 12 January 2023).

Cha S-C, Hsu T-Y, Xiang Y, et al. (2019) Privacy Enhancing Technologies in the Internet of Things: Perspectives and Challenges. IEEE Internet of Things Journal 6(2): 2159–2187. DOI: 10.1109/JIOT.2018.2878658

Edu JS, Such JM and Suarez-Tangil G (2019) Smart Home Personal Assistants: A Security and Privacy Review. arXiv:1903.05593 [cs]. Available at: http://arxiv.org/abs/1903.05593 (accessed 21 August 2020); Di Salvo P (2021) “We Have to act Like our Devices are Already Infected”: Investigative Journalists and Internet Surveillance. Journalism Practice 0(0). Routledge: 1–18. DOI: 10.1080/17512786.2021.2014346.

Gulzar M and Abbas G (2019) Internet of Things Security: A Survey and Taxonomy. In: 2019 International Conference on Engineering and Emerging Technologies (ICEET), Lahore, Pakistan, February 2019, pp. 1–6. IEEE. DOI: 10.1109/CEET1.2019.8711834.

Nawir M, Amir A, Yaakob N, et al. (2016) Internet of Things (IoT): Taxonomy of security attacks. In: 2016 3rd International Conference on Electronic Design (ICED), Phuket, Thailand, August 2016, pp. 321–326. IEEE. DOI: 10.1109/ICED.2016.7804660.

Sturgess J, Nurse JRC and Zhao J (2018) A capability-oriented approach to assessing privacy risk in smart home ecosystems. In: 2018 IET PETRAS Living in the Internet of Things: Cybersecurity of the IoT - 2018, London, UK, 2018, p. 37 (8 pp.). Institution of Engineering and Technology. DOI: 10.1049/cp.2018.0037.

[2] Alqhatani A and Lipford HR (2019) ‘There is nothing that I need to keep secret’: sharing practices and concerns of wearable fitness data. In: Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, USA, 12 August 2019, pp. 421–434. SOUPS’19. USENIX Association.

Clayton J and Dyer J (2022) Apple AirTags - ‘A perfect tool for stalking’. BBC News, 20 January. Available at: https://www.bbc.com/news/technology-60004257 (accessed 5 December 2022).

[3] Liverpool L (2020) Voice assistant recordings could reveal what someone nearby is typing. New Scientist, 4 December. Available at: https://www.newscientist.com/article/2261844-voice-assistant-recordings-could-reveal-what-someone-nearby-is-typing/ (accessed 1 January 2021).

[4] Anell S, Grober L and Krombholz K (2020) End User and Expert Perceptions of Threats and Potential Countermeasures. In: The 5th European Workshop on Usable Security, Genova, Italy, 7 September 2020, p. 10. IEEE. Available at: https://eusec20.cs.uchicago.edu/eusec20-Anell.pdf.

[5] Dooley B and Ueno H (2022) Where a Thousand Digital Eyes Keep Watch Over the Elderly. The New York Times, 2 February. Available at: https://www.nytimes.com/2022/02/02/business/japan-elderly-surveillance.html (accessed 5 December 2022).

[6] Calacci D, Shen JJ and Pentland A (2022) The Cop In Your Neighbor’s Doorbell: Amazon Ring and the Spread of Participatory Mass Surveillance. Proceedings of the ACM on Human-Computer Interaction 6(CSCW2): 400:1–400:47. DOI: 10.1145/3555125.

Wakefield J (2020) Ring doorbells to send live video to Mississippi police. BBC News, 5 November. Available at: https://www.bbc.com/news/technology-54809228 (accessed 7 November 2020); Guariglia JK and M (2022) Ring Reveals They Give Videos to Police Without User Consent or a Warrant. Available at: https://www.eff.org/deeplinks/2022/07/ring-reveals-they-give-videos-police-without-user-consent-or-warrant (accessed 5 December 2022).

[7] Krebs B (2016) This is Why People Fear the ‘Internet of Things’. In: Krebs on Security. Available at: https://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/comment-page-1/comments (accessed 31 December 2020).

[8] Tabassum M, Kosiński T and Lipford HR (2019) ‘I don’t own the data’: end user perceptions of smart home device data practices and risks. In: Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, USA, 12 August 2019, pp. 435–450. SOUPS’19. USENIX Association.