Law in the Internet Society

Network Compromise and Technological Stalking

-- By DavidKellam

With the increase in mass reliance on technology and the Internet, personal network compromise is becoming an increasingly common and malignant issue. A particularly malignant manifestation of this issue is technology's growing role in stalking, which is enabling stalkers to use modern conveniences to track a victim's whereabouts and identify their friends and family. The purpose of this essay is to make readers aware of current vulnerabilities by exploring one path that cyber-stalkers often take that is used to invade the most common technologies and services. The essay will conclude with a brief policy suggestion.

Late to the Game

Roughly one million women are ‘cyberstalked’ annually in the United States, yet the U.S. has been notably slow to respond to this new phenomenon; other domestic issues obscure the rapidly growing threat born of our increasingly available online identities and the criminal justice system has allocated resources to the culmination of cyberstalking, sexual assault and murder, rather than the steps taken by the perpetrators that lead up to it. Fortunately, these steps can be frustrated if liability is allocated to the router manufacturers, phone and network providers, and social media corporations that make personal information unreasonably insecure.

One Example of Successful Invasion

Cyber stalkers have countless entry points into the digital identity of a victim. A common starting point is the router, so this particular example of technological invasion will begin there.

Accessing a router is astonishingly easy. This is due both to manufacturers who place a developmental premium on ease-of-access and device-integration over security, and the uninformed consumer that demands this compromise to occur. Mainstream commercial routers, until recently, came only with paper-thin WPS encryption, and still come with this substandard encryption written into the default settings. Furthermore, they come with mass-manufactured default passwords and seldom require users to provide non-standard passwords for administrative access. Perhaps most fatally, router manufacturers don’t distinguish between typical and advanced users, and thereby add features like remote administration, UPnP? , device integration, and port-forwarding to all routers to satiate the few that will ever use them. As a result, router features that dramatically increase the risk and breadth of unauthorized access come built into routers that are sold to users with no ability to disable them.

Customers themselves are no less guilty- generally satisfied only if they can plug the router in, use it immediately, and boast to their neighbors about how it is the newest and most expensive model. While the true mistake was using a commercial router (and Wifi) in the first place, these users only increase the likelihood of unauthorized access by failing to change the defaults or to update the firmware. Once a stalker has completed the initial step of invading a victim’s router, they will have access to abundant personal information and might well have access to home IP cameras and other smart devices.

Because cyberstalking often revolves around the interception of messages, location, and personal information, a common next step is to use the router to access a smartphone, which conveniently consolidates them all. There are several ways this can be done: for example, using a metasploit, which is essentially using the terminal to place an application onto a connected phone that gives remote payload-access to the phone’s microphone, camera, files, etc.

However, this is often detectable. Thus, a good cyberstalker will not stop with a mere installation. With access to the phone, the hacker also has access to the phone’s stored credentials and typed passwords, which means access to social media, and most importantly, the unfortunately popular Gmail. Thus, the next step on this path is to access Google; the hacker not only has all email correspondences, but can use the evasively titled 'Google Timeline' (location history) to trace exactly where the user has been since they created the account, and where, when and how often they go to specific locations presently. Furthermore, Google allows users to see the MAC and IMEI of devices connected to their account. Because the hacker’s is likely masked, this does little to aid the user. However, the hacker can access this list of devices and can obtain the IMEI of the victim’s smart-phone.

With the IMEI and an easily obtainable $300 device, the hacker can then clone the phone. At this point, the hacker has exhaustive and nearly untraceable access to everything that the phone transmits over the mobile network. Even if the victim secures the Google account and removes any malicious apk.s from their phone, the hacker can listen to every call and receive every text and connected email, without the risk of being detected by a phone’s antivirus.

To finalize their grasp, an experienced cyberstalker then has one final step in this scenario: hacking the device of the victim’s family member. Once the stalker has taken the same steps as above to hack the device of a family member with consistent communication with the victim, the victim cannot safely change their phone number because the hacker will find it when the family member communicates with the new number, and the cycle begins again.

Awareness & Liability

This phenomenon shouldn’t be surprising. In a world where computer use has been streamlined to the point of a technically ignorant population, where nearly everyone uses Wifi, commercial routers, and Google/social media to store their most precarious information, often from their mobile device, cyberstalking is the corresponding progression for those who intend to monitor a victim until they know exactly when and where they can find the target at their most vulnerable. In fact, the UK estimates that 97% of premeditated murders have been subsequent to some type of cyberstalking.

Those with stalking tendencies are unlikely to disappear, however, some solutions may exist. One would be the imposition of liability on router manufacturers, service providers, Google, etc., in instances where sexual assault or murder can be trace to substantial security oversights. This could incentivize corporations to allocate resources to security, more frequently patch vulnerabilities, and educate their user-base on the rudiments of online security.

Navigation

Webs Webs

r3 - 06 May 2018 - 20:15:13 - DavidKellam
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM