Strip 5: The sweet smell of success

This comics-based toolkit is designed to help journalists and other members of the media understand how the IoT may threaten their work through a hypothetical scenario. Please note, all the ways in which the IoT is depicted and used maliciously are based on real-world evidence and examples. Citations are at the bottom of the page.

Each page of this toolkit (start with strip 1) takes one strip from the Senses of Security comic to go into detail about the IoT threats the journalist-protagonist (J) is facing. The toolkit breaks down the strips into annotated panels, to help readers better understand threats that may be relevant to you, and how you could mitigate these dangers to protect yourself.

If you’re interested in bespoke training for yourself or your organisation, please get in touch!

What threats are in this panel?

Threat 1: Difficulty with Forensics

As J has discovered, many IoT devices are inherently difficult to investigate, as logs (if any) can be tiny or overwritten quickly, and some devices only log high-level activity. This makes them difficult to audit and thus makes attacks hard to prove. Unfortunately, using digital forensics to detect tampering, is unlikely to help. This is already notoriously unreliable regarding consumer IoT devices due to general lack of regulation in this sector. Tracking attacks is also challenging because time stamps can be easily falsified by changing the time on the device’s clock.[1]

What can you do about these threats?

The fact that the team is on Plan Z and has not yet given up demonstrates the need for two critical countermeasures:

  1. Creating emergency/contingency plans that do not rely on/include IoT devices.

  1. IoT devices should be included in all risk assessments and risk management strategies, not simply as assets but also as potential threats.

Even if the journalists have gotten rid of all of their devices, they can still be at risk from IoT technologies that are out of their control in their private, professional, and public environments. Read more about how to map and understand these threats in Related Resources.

Unfortunately, the Adversary is correct - not all IoT threats currently have effective countermeasures. Simply ridding yourself of your own devices cannot protect you from risks posed by the technologies that share your environments. Still, I suspect the Adversary’s cynicism will be his undoing, because imperfect mitigations are better than no action at all!

What can you do about these threats?

These panels demonstrate countermeasures that are effective against some of the IoT’s information-gathering powers, including:

  1. Physically covering cameras.

  2. Blocking signals, such as by using Faraday bags which are pouches that shield anything inside from external electromagnetic radiation, which temporarily blocks Internet of Things device capabilities.

  3. Creating stronger passwords, not relying on default passwords that can be more easily hacked.

  4. Patching, i.e. automatically installing updates for Internet of Things devices. Remain aware of when manufacturers plan to stop releasing patches, as this will signal a likely increase in device vulnerabilities.

  5. If a journalist or their colleagues tend to be targeted by malicious actors based in specific countries, configure firewalls to include GeoIP filters which block incoming traffic from certain countries from accessing an individual’s devices and their information. Set up host definitions in a firewall to filter for scanners belonging to search engines (e.g. Shodan) that index vulnerable Internet of Things devices. Create a firewall rule to block this list. This should block these scanners from being able to index machines.

This marks a turning point in J’s strategy - the recognition that personal vigilance isn’t enough when facing IoT threats. Structural issues like regulatory gaps and legal threats mean that journalists may be unknowingly exposed to security flaws, as devices and apps lack adequate obligations for secure design and allow adversaries to legally access and manipulate these devices. J's epiphany signals the need for systemic reform, not just smarter user habits.

What additional threats are in this panel?

Threat 2: Regulatory gaps

Poor inbuilt IoT security results from lax legal restrictions regarding security and privacy by design. Data is left vulnerable for many reasons, for instance because security settings are configured to an inadequately low default, and it is unclear how users can alter them.[2] A feature of this is that apps and the IoT devices on which they are hosted often have weak authorisation protocols that allow overreach, including downloading malware, which could facilitate data theft and manipulation via third party software or device layers, either in storage or in transit.[3] The resultant ambiguity as to whether a journalist is responsible for specific information, either through sharing or creation, could have ramifications for their credibility and public trust.

Threat 3: Legal Threats

Legal threats are one of the most pressing types of risk perceived by journalists in democracies. This refers to ways in which IoT data or actions might be used either in law enforcement investigations, or to embroil journalists in lawsuits.[4] Examples of these threats that I have categorised include: Abuse of data and privacy laws, Weaponisation of financial penalties, and Warrantless bulk data purchase.[5]

What can you do about these threats?

My final panel is a call to action, not just for J, but for all who care about press freedom in this age of connected threats. By writing to her elected representative, J highlights the urgent need for coordinated work to mitigate IoT risks. This could take myriad forms, including:

  1. Lobby governments to publish lists of companies that have provided data to government and related agencies so that consumers, including members of the press, can make informed choices and can warn their sources. This countermeasure could also include news organisations reporting on these lists so that their audiences, including their sources, can also make informed decisions.

  2. Encourage more legal, political and media (including international) scrutiny of outdated or ambiguous legal clauses that enable exploitation of IoT capabilities, e.g. in 'technology-neutral' or surveillance-focused laws. These can include legitimate interest clauses that allow access to data, data retention laws that are vague about what constitutes metadata, etc. A motivating factor behind the scrutiny should be the risk posed by these clauses to press freedom.

For a future where journalism remains independent and democracy is secure, we all need to push for greater accountability and policies that put press freedom first. Will you take action with us?

You have now completed your journey through Senses of Security! We hope you have found this tour helpful, thought-provoking, and inspiring. More information and research about how the IoT can threaten journalists and press freedom can be found in additional resources created from Anjuli’s reseearch.

If you’re interested in further training for yourself or your organisation, please get in touch!

Citations

[1] M. Conti, A. Dehghantanha, K. Franke, and S. Watson, “Internet of Things security and forensics: Challenges and opportunities,” Future Generation Computer Systems, vol. 78, no. 2, pp. 544–546, 2018.

[2]Michel MCK and King MC (2019) Cyber Influence of Human Behavior: Personal and National Security, Privacy, and Fraud Awareness to Prevent Harm. In: 2019 IEEE International Symposium on Technology and Society (ISTAS), Medford, MA, USA, 15 November 2019, pp. 1–7. IEEE. DOI: 10.1109/ISTAS48451.2019.8938009.

[3]Anell S, Grober L and Krombholz K (2020) End User and Expert Perceptions of Threats and Potential Countermeasures. In: The 5th European Workshop on Usable Security, Genova, Italy, 7 September 2020, p. 10. IEEE. Available at: https://eusec20.cs.uchicago.edu/eusec20-Anell.pdf.

[4]Holcomb, J., Mitchell, A., Page, D.: Investigative journalists and digital security: Perceptions of vulnerability and changes in behavior. Pew Research Center in association with Columbia University’s Tow Center for Digital Journalism, Columbia University, New York (2015).

[5]Shere ARK, Martin AP, and Nurse JRC (2023) Threats to journalists from the consumer Internet of Things, in Springer Proceedings in Complexity: International Conference on Cybersecurity, Situational Awareness and Social Media (Cyber Science 2022), https://link.springer.com/chapter/10.1007/978-981-19-6414-5_17