Strip 2: Sounds like a plan

This comics-based toolkit is designed to help journalists and other members of the media understand how the IoT may threaten their work through a hypothetical scenario. Please note, all the ways in which the IoT is depicted and used maliciously are based on real-world evidence and examples. Citations are at the bottom of the page.

Each page of this toolkit (start with strip 1) takes one strip from the Senses of Security comic and goes into detail about the IoT threats the journalist-protagonist (J) is facing. The toolkit breaks each strip down into annotated panels to help you understand which threats may be relevant to you, and how you could mitigate them to protect yourself.

If you’re interested in bespoke training for yourself or your organisation, please get in touch!

J's source reveals that he has been fired and defamed, and that his bank accounts appear to have been drained: clear signs of a coordinated digital attack that chained together vulnerabilities in his interconnected IoT devices.

What threats are in this panel?

Threat 1: Sensor-level attacks on data confidentiality or integrity

Sensor-level attacks, which tamper with the data a device captures or reports, likely enabled the Adversary to fabricate or manipulate audio and other data from devices such as the source's smartwatch or even his smart refrigerator.[1]

Attacks of this kind undermine a journalist's confidence both that source information can be effectively protected and that their work rests on verifiable data.

Threat 2: Hijacking connected social media and communications accounts

At the same time, by hijacking social media and messaging accounts linked to the source's IoT devices, the Adversary shared these fabricated audio clips publicly, damaging his reputation and severing professional ties.[2]

This threat could be enacted against anyone, but it is particularly damaging for journalists, whose work depends on audience trust. Global digital media platforms have created an environment of huge public influence and little regulation, and even democratic governments have used the disinformation crisis as a pretext for passing subtly restrictive laws on journalism. Fabricated content attributed to a journalist could then be used as evidence to invoke such laws and prosecute them.

Threat 3: Data Linkage and Aggregation

Because IoT devices vary so widely in what they sense and record, combining their data reveals far more than any single device could. Behind the scenes, linking and aggregating data from multiple IoT sources, including wearables and smart home devices, allowed the Adversary to build a highly detailed behavioural profile of the source and to gain access to his phone and any linked accounts, including bank accounts.[3]

This can lead to identity theft and financial damage,[4] which affects journalists by embroiling them in complex legal cases that consume the time and resources they need for their work.

What can you do about this?

  1. Put IoT devices on their own Wi-Fi network (a guest or dedicated IoT network), so that an adversary who compromises one device cannot easily hop from it to your laptop or phone.

  2. Don't forget VLANs and firewall rules to enforce that separation, and a VPN for your traffic in transit. A VPN protects data on its way across the Internet; it does nothing about a device that is already compromised on your own network, so segmentation comes first.

  3. Turn on automatic updates for IoT devices, and retire devices that the manufacturer no longer updates.

  4. Use strong, distinct passwords for every account (a password manager helps), and turn on multi-factor authentication, especially for the accounts linked to your devices.
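Points 1 and 2 above describe network segmentation in general terms. The ruleset below is an added example, not part of the Senses of Security toolkit, showing what that separation looks like on a Linux-based router using nftables. The interface names are hypothetical: br-lan is the trusted LAN, br-iot is the IoT VLAN and wan0 is the uplink. The weak configuration it replaces is a single flat network (or a forward chain with policy accept), where a compromised fridge or TV can scan and attack every laptop beside it.

```nft
#!/usr/sbin/nft -f
# Added example (not from the toolkit): keep the IoT VLAN away from the trusted LAN.
# Hypothetical interface names: br-lan = trusted LAN, br-iot = IoT VLAN, wan0 = uplink.

flush ruleset

table inet segmentation {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The IoT VLAN may talk to the router only for DHCP and DNS.
        iifname "br-iot" udp dport { 67, 53 } accept
        iifname "br-iot" tcp dport 53 accept

        # Router administration (SSH, web UI) and DHCP/DNS from the trusted LAN only.
        iifname "br-lan" tcp dport { 22, 443, 53 } accept
        iifname "br-lan" udp dport { 67, 53 } accept

        # Nothing is accepted from the uplink; the drop policy handles it.
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Trusted devices may initiate connections to IoT devices (to manage them)
        # and to the Internet.
        iifname "br-lan" oifname { "br-iot", "wan0" } accept

        # IoT devices may reach the Internet for updates and their cloud services...
        iifname "br-iot" oifname "wan0" accept

        # ...but may never initiate a connection into the trusted LAN.
        # Logged, so that an attempt shows up as an indicator of compromise.
        iifname "br-iot" oifname "br-lan" log prefix "iot-to-lan blocked: " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and check it with `nft list ruleset`. Two caveats a practitioner will hit: casting and discovery protocols (mDNS, SSDP) do not cross VLANs, so a TV on br-iot will not be discoverable from br-lan without an explicit reflector, which is the price of the isolation; and the reply traffic for connections the trusted LAN opens into the IoT VLAN is allowed only by the established,related rule, so the IoT side still cannot start anything itself.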

Like many journalists, J is aware of the risks posed by mobile phones,[5] but has not considered that these risks extend to newer connected devices as well.

J is correct that a Faraday bag is a useful tool for limiting the powers of connected devices: it blocks the device's radio connections. It does not stop a device from recording locally and uploading later, so she should also have made sure that all other portable connected devices were enclosed in the bag or powered off, and that they had all been left out of earshot of any conversation she wanted to keep private (like her colleague's smartwatch).

Although the news team was savvy enough to put opaque tape over the camera of the smart TV they use as a presentation screen during meetings, they have forgotten that the TV also contains a microphone. Exploiting the TV's poor security, together with Wi-Fi or device details that are publicly available or easily discovered, the Adversary can covertly access the TV's voice interface and capture their discussion.

What additional threats are in this panel?

Threat 4: Voice Stealing

Even without a deliberate attack, the poor inbuilt safeguards of IoT devices have led to recorded accidents: voice assistants have misheard their wake word, recorded more audio than intended and sent it to a person in the user's contacts list.[6] If this happens in a room where an editorial team is discussing an as-yet unbroken story, the subject of the story could be directly or indirectly alerted.

Further, deliberate rerouting attacks such as voice stealing, in which an attacker manipulates the data received at either end of a communications channel, would be particularly damaging to journalist-source communication, or even to members of a newsroom team discussing a sensitive story.[7]

What can you do about these threats?

  1. In this situation, an audio jammer or white noise emitter may have helped mitigate eavesdropping by devices left in the room, though the simplest control is to remove or power off networked microphones before a sensitive discussion starts.

  2. News organisations should invest in IoT-specific risk assessments and risk management strategies, and should avoid having IoT devices as permanent fixtures in rooms where confidential information is discussed.

Keep Going to Strip 3: A Bitter Taste!

Citations

[1]Nawir M, Amir A, Yaakob N, et al. (2016) Internet of Things (IoT): Taxonomy of security attacks. In: 2016 3rd International Conference on Electronic Design (ICED), Phuket, Thailand, August 2016, pp. 321–326. IEEE. DOI: 10.1109/ICED.2016.7804660

[2] Agence France-Presse (AFP) (2014) Hackers use ‘smart’ refrigerator to send 750,000 virus-laced emails. Raw Story, 17 January. Available at: https://www.rawstory.com/2014/01/hackers-use-smart-refrigerator-to-send-750000-virus-laced-emails/ (accessed 23 October 2020).

Benjakob O (2022) This ‘Dystopian’ Cyber Firm Could Have Saved Mossad Assassins From Exposure - National Security & Cyber - Haaretz.com. Haaretz, 26 December. Available at: https://www.haaretz.com/israel-news/security-aviation/2022-12-26/ty-article-magazine/.premium/this-dystopian-cyber-firm-could-have-saved-mossad-assassins-from-exposure/00000185-0bc6-d26d-a1b7-dbd739100000 (accessed 12 January 2023).

Greenberg A (2020) Hackers Broke Into Real News Sites to Plant Fake Stories. Wired. Available at: https://www.wired.com/story/hackers-broke-into-real-news-sites-to-plant-fake-stories-anti-nato/

Hamilton E, Twitter post: ‘Here’s a thing that happened today. I was recently -- and falsely -- linked to an article I didn’t write, because the author who DID write it happens to share the same name/byline as I do. I’m not going to link to it because it’s complete garbage.’ Available at: https://twitter.com/OnetheycallEric/status/1270857748092239872

Honeywell L, Twitter post: ‘Btw this Eric Hamilton is _not_ the author of the shitty stalker article, just has the misfortune of the same name and profession’. Available at: https://twitter.com/hypatiadotca/status/1270978645327110145

Schwedel S and Palus H (2019) A Ranking of the Weirdest Appliances That You Can Technically Tweet From. Slate. Available at: https://slate.com/technology/2019/08/twitter-electronics-ranked-list-which-is-best.html

[3]Chhetri C and Genaro Motti V (2022) User-Centric Privacy Controls for Smart Homes. Proceedings of the ACM on Human-Computer Interaction 6(CSCW2): 349:1-349:36. DOI: 10.1145/3555769.

Sturgess J, Nurse JRC and Zhao J (2018) A capability-oriented approach to assessing privacy risk in smart home ecosystems. In: 2018 IET PETRAS Living in the Internet of Things: Cybersecurity of the IoT, London, UK. Institution of Engineering and Technology, p. 37 (8 pp.). Available at: https://digital-library.theiet.org/content/conferences/10.1049/cp.2018.0037 (accessed 11 September 2020).

[4]Anell S, Grober L and Krombholz K (2020) End User and Expert Perceptions of Threats and Potential Countermeasures. In: The 5th European Workshop on Usable Security, Genova, Italy, 7 September 2020, p. 10. IEEE. Available at: https://eusec20.cs.uchicago.edu/eusec20-Anell.pdf.

[5] Middleton L (2020) Woman ‘hacked into ex-boyfriend’s Alexa and told his new girlfriend to leave’. Metro, 12 October. Available at: https://metro.co.uk/2020/10/12/woman-hacked-into-ex-boyfriends-alexa-and-told-his-new-girlfriend-to-leave-13407458/ (accessed 19 October 2020)

Moody G (2020) The enemy within: welcome to the Internet of gaslighting. Available at: https://www.privateinternetaccess.com/blog/the-enemy-within-welcome-to-the-internet-of-gaslighting/ (accessed 11 September 2020).

[6] Rory Peck Trust (2019) Digital Risk Assessment. Available at: https://rorypecktrust.org/freelance-resources/digital-security/digital-risk-assessment/

UNESCO and Reporters Without Borders (2017) Safety guide for journalists: a handbook for reporters in high-risk environments. Available at: https://unesdoc.unesco.org/ark:/48223/pf0000243986

[7]Edu JS, Such JM and Suarez-Tangil G (2019) Smart Home Personal Assistants: A Security and Privacy Review. arXiv:1903.05593 [cs]. Available at: http://arxiv.org/abs/1903.05593 (accessed 21 August 2020)

Nawir M, Amir A, Yaakob N, et al. (2016) Internet of Things (IoT): Taxonomy of security attacks. In: 2016 3rd International Conference on Electronic Design (ICED), Phuket, Thailand, August 2016, pp. 321–326. IEEE. DOI: 10.1109/ICED.2016.7804660

Shaban H (2018) An Amazon Echo recorded a family’s conversation, then sent it to a random person in their contacts, report says - The Washington Post. The Washington Post, 24 May. Available at: https://www.washingtonpost.com/news/the-switch/wp/2018/05/24/an-amazon-echo-recorded-a-familys-conversation-then-sent-it-to-a-random-person-in-their-contacts-report-says/ (accessed 13 September 2020).

[8]Gulzar M, Abbas G. Internet of Things Security: A Survey and Taxonomy. In: 2019 International Conference on Engineering and Emerging Technologies (ICEET) [Internet]. Lahore, Pakistan: IEEE; 2019. p. 1–6. Available from: https://ieeexplore.ieee.org/document/8711834. p. 2; Nawir M, Amir A, Yaakob N, et al. (2016) Internet of Things (IoT): Taxonomy of security attacks. In: 2016 3rd International Conference on Electronic Design (ICED), Phuket, Thailand, August 2016, pp. 321–326. IEEE. DOI: 10.1109/ICED.2016.7804660