It’s possible that the bulletins that businesses receive from local police already alert them to the physical risks of poor wireless security. But if they do, based on my experiences of patronizing businesses ranging from gas stations to grocery stores, from restaurants to swimming pools, in and around Seattle and Tacoma as well as in the San Francisco Bay Area and even in Vancouver, B.C., these last three years, no one seems to be listening.
What’s happening to me, being “real estate mobbed,” that is, stalked and harassed by almost ceaseless verbal abuse delivered over whatever transport is available, might well include the use of a real estate or private investigator owned surveillance drone, but even if it does, it is almost certainly a drone used to stalk with the intention of hacking networks to gain access to the victim. In other words, a drone used to gain access to the speaker-enabled systems closest to the victim. Such access is necessary to complete the end-to-end experience of harassment that “mobbers” (coincidentally, a term used to describe those who bully by cell phone) believe is necessary to force a legal resident to flee his or her home, an experience that the police are unlikely to believe.
Whether or not the Seattle Police or any local police department believes that drone stalking is happening or that cyber-bullying exists and can be made to be a continuous and horrific experience for the victim, this kind of stalking crime is all about the Internet of Things (IoT). In the same way that ransomware has started to affect consumers, the comparative ease of stalking remotely, over wireless networks, and over unsecured IoT devices, coupled with our lack of familiarity with what this crime looks like and how it presents, is sure to encourage its continuance. In many ways, what is happening to me is no more than an application or extension of cyber-bullying, one that deploys it to the physical arena as well as the virtual one.
Maybe a year back, I started a page listing businesses where I’ve been stalked. I haven’t kept up the page because most businesses are affected by similar vulnerabilities. But tonight, on the way back from Fred Meyer (a local grocery store), it occurred to me that waiting for small mom-and-pop stores to individually consider the impact of IoT devices and wireless networks on the safety of their customers and their physical premises is just never going to happen. Large chains may be able to issue advisories and directives to individual stores, to recommend that every store that makes wireless available ensure that it’s separate from business-critical systems or to enforce upgrades of unprotected devices. But when rolling out a chip-and-PIN payment system introduces major trauma, improvements to security that are not immediately recognized easily fall by the wayside.
We can’t demand that businesses take responsibility for buying and deploying state-of-the-art infrastructure that turns out not to be secure. We can’t insist that every small business hire network security expertise to make up for our failure to anticipate IoT crime.
But if it’s not already happening, the FBI should be handing advisories down to local police on the measures that businesses can begin to take, and take now, to improve network security and to help us to make the transition to an infrastructure with greater security. In the end, local security is national security.
There are common issues in infrastructure that can be addressed. For example, there was the well-known case of hackers putting a pornographic soundtrack on the speakers at a Target store. All it takes to access many public announce systems is a failure to change the manufacturer’s default access phone number. Or perhaps stores should be warned that the convergence between wireless access points and speakers also creates vulnerabilities and given information about some precautions they can take to bridge the gap to more secure components. And now that firewall devices that can better protect wireless networks and IoT devices are coming onto the market—like CUJO and F-Secure Sense—the FBI should be sending advisories to police for dissemination to local businesses.
What good is a closed-circuit security system if hackers can use it to exploit store vulnerabilities? And maybe businesses should consider an exterior camera that might put eyes on the roof in the event of a hovering and hacking drone, or should at least alert employees to the possibility of rogue drones in much the same way that security teams teach employees not to allow others to follow them into secured buildings. After all, until the FAA sees fit to force transponders, flight plans, or suitable radar to be deployed to domestic drones, that’s all we can do as the proliferation of drones continues in the business and consumer sectors.
In the same way that police work with the community to alert them to public dangers, the police should encourage the community to address the real, physical risks we face because of poor infrastructure and codes that haven’t caught up with technology, and to discourage the increasing volume of crimes enabled by the Internet.
Because without network security, there is no physical security. Not anymore. ▪