Strip 3: A Bitter Taste
This comics-based toolkit is designed to help journalists and other members of the media understand how the IoT may threaten their work through a hypothetical scenario. Please note, all the ways in which the IoT is depicted and used maliciously are based on real-world evidence and examples. Citations are at the bottom of the page.
Each page of this toolkit (start with strip 1) takes one strip from the Senses of Security comic and goes into detail about the IoT threats the journalist-protagonist (J) is facing. The toolkit breaks each strip down into annotated panels, to help you understand which threats may be relevant to you and how you could mitigate these dangers to protect yourself.
If you’re interested in bespoke training for yourself or your organisation, please get in touch!
As J eats food from her smart fridge, she trusts the screen’s readout showing everything is safely chilled.
She is unaware that the Adversary has manipulated both the internal temperature and the data displayed to her, thereby making the risk invisible to the unsuspecting, and soon-to-be-sick J.[1]
For a journalist under pressure, this kind of gaslighting through smart devices not only risks physical harm but also chips away at her confidence in her tools, her environment, and her own judgment.
It’s a subtle but potent form of sabotage that could derail her work, undermine deadlines, and harm her health.
What threats are in this panel?
Threat 1: Altering User-Facing Device and Data Attributes
Attacks used to alter user-facing information displayed on IoT devices could create psychological pressures that derail and undermine journalistic work, compromising journalists' reputations.
Spoofed data packets could cause devices to stop, start, or modify their actions. As a result, a journalist using a smart watch, for example, could be left unaware of messages that a source has urgently sent to their phone. Journalists often receive threatening messages, which could also be delivered through their devices, such as a voice assistant.[2]
Threat 2: Manipulation of devices’ physical activities
Malware may change device settings and alter the behaviour or functionality of a device without the device owner realising. This can facilitate both clandestine surveillance and kinetic attacks in technologies ranging from small consumer IoT devices to core national infrastructure, as happened with the Stuxnet hack.[3]
Examples range from large-scale kinetic attacks against IoT devices that control public goods in an urban area where many news organisations are concentrated,[4] to attacks on individual targets, such as remote takeovers of internet-connected vehicles in which adversaries gain control of vital functions such as steering and braking, which could be used to physically harm journalists and sources.[5]
J is beginning to identify the dangers of the IoT, only after falling prey to physical effects. Our hope for this research and this comic is to raise awareness of IoT threats - virtual, legal, and physical - so that high-risk individuals have an early (and pain-free!) warning about what these risks are and how to counter them.
The Adversary stares at a bank of screens displaying data pulled from J’s compromised smart fridge - this could include internal temperature logs showing unsafe levels, a time-stamped alert of the fridge door opening and food being removed, and synced calendar data showing the cancellation of J's meeting with a new source. This confirms the Adversary's success at disrupting J’s investigation.
The fridge, like many smart appliances, could also be linked to social media and communication accounts, which could have been used to spread disinformation in J's name while she was too sick to be aware of this. Information from these devices can show the Adversary when J is feeling too weak to continue with her investigation, giving him an advantage in both time and motivation, and lowering J’s defences to further manipulation.
What additional threats are in this panel?
Threat 3: Abusing health and biometric information
While J doesn’t wear health-tracking devices, many people sport sleep and health monitoring technologies that collect biometric or medical data. These can be exploited to cause physical or psychological harm, from blackmail to tampering with diagnosis-related inputs.[6] Insecurity of wearable fitness or medical devices, including those that collect health information, can contribute to inaccurate diagnoses and prescriptions, or even altered test results.
These flaws could be fatal and could be used to put psychological, financial, or physical pressure on journalists. A feasible but unlikely example is a diabetic journalist having a wearable blood sugar tracker that can be hacked, enabling adversaries to identify vulnerable moments.[7]
What can you do about these threats?
Trust your senses and have contingency plans for essential activities (such as eating!) that do not rely on IoT devices.
Make sure that IoT devices have their own Wi-Fi networks, so that adversaries cannot hop so easily between your devices. Don't forget to also employ VPNs, VLANs and firewalls when connecting your devices to the Internet!
Automatically install updates for IoT devices.
Create strong, distinct passwords across all accounts, and use Multi-Factor Authentication.
J sits on her sofa, with her eyes freshly open to the invisible web of surveillance surrounding her, and begins to connect the dots. She starts to notice not just her own devices, like her smart fridge and TV, but even her neighbours' doorbells, beaming back at her.
Could all of the IoT devices in the environments she lives in and passes through have quietly recorded and relayed fragments of her daily routine? Could their cyber-physical properties have nudged her, misled her, and now poisoned her?
She realises that her pattern of life may have been exposed, allowing the Adversary to predict her behaviour, infer sensitive information like stress or illness, and ruin her source's credibility. At the same time as she has been profiled, her every move has been tracked.
What additional threats are in this panel?
Threat 4: Profiling
Adding up all the attacks in the previous panels, by now the Adversary has a very good idea of what J is doing and how she is vulnerable. In addition to the potential for behavioural manipulation via IoT “nudging”,[8] predictive analysis can also be used to infer more sensitive data, such as one’s health status being recognised based on requests made to voice assistants,[9] or wearable devices.[10]
Knowledge of someone’s pattern of life may also facilitate physical attacks against them.
What can you do about these threats?
Systemic threats such as profiling and tracking require big picture countermeasures. For example, news organisations and civil society could collaborate with cyber security researchers and designers to create and implement cutting-edge, open and transparent standards for IoT protection.
These could include developing intrusion prevention and anti-malware systems for the IoT, e.g. digital tripwires that detect threats coming into the network.
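One form the "digital tripwire" idea could take, as an added example that is not part of the original toolkit or its cited work: a home-hub check over constructed smart-fridge telemetry that flags readings whose integrity tag fails to verify, readings that are replayed, and readouts that say "OK" while the sensed temperature is unsafe (the manipulation shown in the first panel). The shared key, the field names and the sample log are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Hypothetical key shared by the fridge firmware and the home hub (constructed value).
HUB_KEY = b"example-hub-key-not-for-production"
SAFE_MAX_C = 5.0  # fridge compartments should stay at or below about 5 C

def sign_reading(reading, key=HUB_KEY):
    """HMAC-SHA256 over the canonical JSON of a reading; the fridge would attach this tag."""
    payload = json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def check_telemetry(log_lines, key=HUB_KEY):
    """Walk hub log lines (one JSON reading each) and return (seq, reason) alerts."""
    alerts, last_ts = [], None
    for line in log_lines:
        record = json.loads(line)
        tag = record.pop("mac", "")
        if not hmac.compare_digest(tag, sign_reading(record, key)):
            alerts.append((record["seq"], "bad MAC: reading forged or altered in transit"))
            continue  # untrusted: do not let it advance the clock
        if last_ts is not None and record["ts"] <= last_ts:
            alerts.append((record["seq"], "replayed or reordered reading"))
        last_ts = max(last_ts or 0, record["ts"])
        if record["display"] == "OK" and record["temp_c"] > SAFE_MAX_C:
            alerts.append((record["seq"], "display says OK but sensed temperature is unsafe"))
    return alerts

def _line(reading, tamper=None):
    """Build one constructed log line; `tamper` edits fields after signing."""
    signed = dict(reading, mac=sign_reading(reading))
    signed.update(tamper or {})
    return json.dumps(signed)

# Constructed sample log: two normal readings, then three manipulations.
SAMPLE_LOG = [
    _line({"seq": 1, "ts": 1000, "temp_c": 3.8, "display": "OK"}),
    _line({"seq": 2, "ts": 1060, "temp_c": 4.1, "display": "OK"}),
    # in-transit rewrite of the value J sees, after the fridge signed the true reading
    _line({"seq": 3, "ts": 1120, "temp_c": 9.5, "display": "OK"}, tamper={"temp_c": 3.9}),
    # compromised firmware signs an unsafe reading while still showing "OK"
    _line({"seq": 4, "ts": 1180, "temp_c": 11.2, "display": "OK"}),
    # an old safe reading replayed to paper over the warm period
    _line({"seq": 5, "ts": 1060, "temp_c": 4.1, "display": "OK"}),
]
```

Running check_telemetry(SAMPLE_LOG) raises one alert for each of readings 3, 4 and 5 and none for the two genuine readings; the hub, not the fridge's own screen, is what J would consult.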
Citations
[1] Bhartiya S (2017) Your smart fridge may kill you: The dark side of IoT. InfoWorld. Available at: https://www.infoworld.com/article/3176673/your-smart-fridge-may-kill-you-the-dark-side-of-iot.html (accessed 18 November 2020).
[2] Hoffmann S (2018) IoT Security Architecture and Policy for the Home - a Hub Based Approach. 15 November. Oxford, United Kingdom: IoT Security Foundation. Available at: https://oxil.uk/publications/iotsf-security-architecture-home/IoT-Security-Architecture-and-Policy-for-the-Home-a-Hub-Based-Approach.pdf (accessed 12 August 2020).
Gulzar M and Abbas G (2019) Internet of Things Security: A Survey and Taxonomy. In: 2019 International Conference on Engineering and Emerging Technologies (ICEET), Lahore, Pakistan, February 2019, pp. 1–6. IEEE. DOI: 10.1109/CEET1.2019.8711834.
[3] Patel C and Doshi N (2019) Security Challenges in IoT Cyber World. In: Hassanien AE, Elhoseny M, Ahmed SH and Singh AK (eds) Security in Smart Cities: Models, Applications, and Challenges. Cham: Springer International Publishing, pp. 171–191.
[4] Nawir M, Amir A, Yaakob N, et al. (2016) Internet of Things (IoT): Taxonomy of security attacks. In: 2016 3rd International Conference on Electronic Design (ICED), Phuket, Thailand, August 2016, pp. 321–326. IEEE. DOI: 10.1109/ICED.2016.7804660.
[5] Agrafiotis I, Nurse JRC, Goldsmith M, et al. (2018) A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity 4(1). Oxford Academic. DOI: 10.1093/cybsec/tyy006.
National Security Agency (2020) Limiting Location Data Exposure. Cybersecurity Information U/OO/155603-20 | PP-20-0535, August. USA: National Security Agency. Available at: https://media.defense.gov/2020/Aug/04/2002469874/-1/-1/0/CSI_LIMITING_LOCATION_DATA_EXPOSURE_FINAL.PDF (accessed 11 September 2020).
Staff of Senator Ed Markey (2015) Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk. February. Massachusetts, USA: Office of the United States Senator for Massachusetts. Available at: https://www.markey.senate.gov/imo/media/doc/2015-02-06_MarkeyReport-Tracking_Hacking_CarSecurity%202.pdf (accessed 26 October 2020).
[6] Cha S-C, Hsu T-Y, Xiang Y, et al. (2019) Privacy Enhancing Technologies in the Internet of Things: Perspectives and Challenges. IEEE Internet of Things Journal 6(2): 2159–2187. DOI: 10.1109/JIOT.2018.2878658.
Nawir M, Amir A, Yaakob N, et al. (2016) Internet of Things (IoT): Taxonomy of security attacks. In: 2016 3rd International Conference on Electronic Design (ICED), Phuket, Thailand, August 2016, pp. 321–326. IEEE. DOI: 10.1109/ICED.2016.7804660.
[7] Agrafiotis I, Nurse JRC, Goldsmith M, et al. (2018) A taxonomy of cyber-harms: Defining the impacts of cyber-attacks and understanding how they propagate. Journal of Cybersecurity 4(1). Oxford Academic. DOI: 10.1093/cybsec/tyy006.
Cha S-C, Hsu T-Y, Xiang Y, et al. (2019) Privacy Enhancing Technologies in the Internet of Things: Perspectives and Challenges. IEEE Internet of Things Journal 6(2): 2159–2187. DOI: 10.1109/JIOT.2018.2878658.
[8] Rahaman T (2022) Smart Things are Getting Smarter: An Introduction to the Internet of Behavior. Medical Reference Services Quarterly 41: 110–116. DOI: 10.1080/02763869.2022.2021046.
Owens K, Gunawan J, Choffnes D, et al. (2022) Exploring Deceptive Design Patterns in Voice Interfaces. In: 2022 European Symposium on Usable Security, Karlsruhe, Germany, 29 September 2022, pp. 64–78. ACM. DOI: 10.1145/3549015.3554213.
[9] Abdi N, Ramokapane KM and Such JM (2019) More than smart speakers: security and privacy perceptions of smart home personal assistants. In: Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, USA, 2019, pp. 451–466. USENIX Association.
[10] Alqhatani A and Lipford HR (2019) 'There is nothing that I need to keep secret': sharing practices and concerns of wearable fitness data. In: Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security, USA, 12 August 2019, pp. 421–434. SOUPS'19. USENIX Association.
Cha S-C, Hsu T-Y, Xiang Y, et al. (2019) Privacy Enhancing Technologies in the Internet of Things: Perspectives and Challenges. IEEE Internet of Things Journal 6(2): 2159–2187. DOI: 10.1109/JIOT.2018.2878658.
Gulzar M and Abbas G (2019) Internet of Things Security: A Survey and Taxonomy. In: 2019 International Conference on Engineering and Emerging Technologies (ICEET), Lahore, Pakistan, February 2019, pp. 1–6. IEEE. DOI: 10.1109/CEET1.2019.8711834.