Law in the Internet Society

Technological Stalking

-- By DavidKellam - 30 Dec 2017

Roughly one million women are ‘cyberstalked’ annually in the United States, yet the U.S. has been notably slow to respond to this new phenomenon. This is because other domestic issues obscure the rapidly growing threat born of our increasingly available online identities and because the criminal justice system has allocated resources to the culmination of cyberstalking, sexual assault and murder, rather than the steps taken by the perpetrators that lead up to it. Fortunately, these steps can be frustrated if liability is allocated to the router manufacturers, phone and network providers, and social media corporations that make personal information unreasonably insecure. Unfortunately, however, the victims often unknowingly volunteer the personal information that leads to cyberstalking, and this growing threat cannot be abridged without also raising awareness of the high possibility that cyberstalking is to affect their lives.

The Starting Point

Accessing a router is astonishingly easy; when my father refused to upgrade from dial-up, I was able to hack myself onto a neighbor’s SSID in less than a half-hour when I was no more than fifteen. This is due both to manufacturers who place a developmental premium on ease-of-access and device-integration over security, and the uninformed consumer that demands this compromise to occur.

Mainstream commercial routers, until recently, came only with paper-thin WPS encryption, and still come with this substandard encryption written into the default settings, rather than the (slightly) more secure WPA2. Furthermore, they come with mass-manufactured default passwords, printed on the routers themselves, and seldom require users to provide non-standard passwords for administrative access. Perhaps most fatally, router manufacturers don’t distinguish between typical and advanced users, and thereby add features like remote administration, UPnP? (NAT-PMP for Apple people), device integration, and port-forwarding to all routers to satiate the few that will ever use them. As a result, router features that dramatically increase the risk and breadth of unauthorized access come built into routers that are sold to users with no ability to disable them.

Customers themselves are no less guilty- generally satisfied only if they can plug the router in, use it immediately, and boast to their neighbors about how it is the newest and most expensive model. While the true mistake was using a commercial router (and Wifi), these users only increase the likelihood of unauthorized access by failing to change the defaults or to update the firmware.

The Next Step

Because cyberstalking often revolves around the interception of messages, location, and personal information, the logical next step is to use the router to access a smartphone, which conveniently consolidates them all. There are several ways this can be done: for example, using a metasploit, which is essentially using the terminal to place an application onto a connected phone that gives remote payload-access to the phone’s microphone, camera, files, etc.

The phone can then be used to upload any local information to a remote source. However, this dramatically increases data consumption and is often detectable. Thus, a good cyberstalker will not stop with a mere installation. With access to the phone, the hacker also has access to the phone’s stored credentials and typed passwords, which means access to social media, and most importantly, the unfortunately popular Gmail. With Google access, the hacker not only has all email correspondences, but can use the evasively titled 'Google timeline'; (location history) to trace exactly where the user has been since they created the account, and where, when and how often they go to specific locations presently. Furthermore, Google, to feign a concern for security, allows users to see the MAC and IMEI of devices connected to their account. Because the hacker’s is likely masked, this does little to aid the user. However, the hacker can access this list of devices and can obtain the IMEI of the victim’s smart-phone.

With the IMEI and an easily obtainable $300 device, the hacker can then clone the phone. At this point, the hacker has exhaustive and nearly untraceable access to everything that the phone transmits over the mobile network. Even if the victim secures the Google account and removes any malicious apk.s from their phone, the hacker can listen to every call and receive every text and connected email, without the risk of being detected by a phone’s antivirus. The experienced cyberstalker then has one final step: hacking the device of the victim’s family member. Once he has taken the above steps to hack the device of a family member with consistent communication with the victim, the victim cannot safely change their phone number because the hacker will find it when the family member communicates with the new number, and the cycle begins again.

Awareness & Liability

This phenomenon shouldn’t be surprising. In a world where computer use has been streamlined to the point of a technically ignorant population, where nearly everyone uses Wifi, commercial routers, and Google/social media to store and disseminate their most precarious information, often from their mobile device, cyberstalking is the corresponding progression for those who intend to monitor a victim until they know exactly when and where they can find the target at their most vulnerable. In fact, the UK estimates that 97% of premeditated murders have been subsequent to some type of cyberstalking.

Those with stalking tendencies are unlikely to disappear, however, the risks of being cyberstalked can be tempered if the general population is made aware of the dangerous possibilities of cavalier internet use. While no mainstream encryption is foolproof and while a diligent cyberstalker can gain access through countless other channels, users that recognize the risk, choose to use email sparingly and securely, and distance themselves from social media services and Google can reduce the online footprint around which these cyberstalkers thrive. Furthermore, in instances where sexual assault or murder can be traced to substantial security oversights by router manufacturers, Verizon, Google, etc., liability should be more readily imposed. This could incentivize corporations to allocate resources to security, more frequently patch vulnerabilities, and educate their user-base on the rudiments of online security.

There are several parts here that don't fully fit together for almost any imaginable reader. You present a problem (women, specifically women, being "cyberstalked"), which turns out to be a species of personal network compromise. Nothing is said about this particular subtype of invasion as opposed to all other examples of personal network compromise.

Then you present some possible modes of entry through parts of the attack surface. Why routers and smartphones but not other devices is unclear. Why the particular forms of attack described, and not other ones, ditto.

Then you have a response conclusion, based around telling people how to improve their security and imposing liability on manufacturers of devices and providers of networking. These are somewhat different in scale and political cost—perhaps indeed occupying near-endpoints on both axes—but we don't get told why these are the points on the spectrum of possible policies that we should choose, or how to go about anything specific.

Improvement seems to me to lie in limiting the draft's reach in order to increase its coherence. Specifics should be illustrative, but not so chosen as to imperil the reader with randomness. And the central idea that ties the disparate sections together should be articulated, not implied.

Navigation

Webs Webs

r2 - 22 Apr 2018 - 17:25:07 - EbenMoglen
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM