“And far away, as Frodo put on the Ring […] The Dark Lord was suddenly aware of him, and his Eye piercing all shadows looked across the plain to the door that he had made […] and all the devices of his enemies were at last laid bare.” – J.R.R. Tolkien, “The Return of the King“
“You hereby grant Ring and its licensees an unlimited, irrevocable, fee free and royalty-free, perpetual, worldwide right to use, distribute, store, delete, translate, copy, modify, display, and create derivative works from such Content that you share through Services.” – Amazon Ring, Terms of Service (as of Oct. 5, 2022)
There is plenty of research showing that many journalists have insufficient support, inadequate training and incalculable numbers of adversaries looking to cause digital harm. Most journalist cybersecurity guidance focuses on legacy devices — laptops, tablets and phones. While these threats are by no means over (spyware, for example, is still very much a concern), it is important to acknowledge and address the invasion of newer networked technologies all around us, such as Amazon Alexa devices and smart light bulbs.
In a previous article for The Journalist’s Resource, I wrote about the multiplying numbers of consumer Internet of Things (IoT) devices in private and public spaces and the threat that they pose to journalists’ security. This article further categorizes threats to journalists from the IoT, pairing example threat-types in each category with descriptions of potential consequences. The information presented here is based on a paper in Springer’s Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media. Rather than providing an exhaustive or overly-technical list of potential threats, this system represents an initial step toward illustrating new and upcoming threats. It is designed to appeal to a narrative-driven audience, such as the media, to help them navigate the uncertainty that shrouds IoT threats, such as surveillance.
My goal is to give journalists ways to understand these threats, to easily communicate them to their sources and audiences, and to incorporate the IoT into regular risk assessments. My system includes six categories, comprising 19 IoT-specific threat types that are relevant to members of the media. These categories are:
- Regulatory gaps
- Legal threats
- Profiling threats
- Tracking threats
- Data and device modification threats
- Networked devices threats
One key theme across all six categories is that the commodification of data by the technology industry colors the design of IoT devices such that information leakage is often an intentional feature, rather than a bug. For example, the smartwatch app Strava is intended to facilitate profile sharing and tracking of exercise, such that users can share how much exercise they’re doing and where they are when they do it. But this functionality can have unintended consequences; it has also enabled the mapping of secret military bases. Some apps, hosted on IoT devices, only allow users to maximize their functionality if users agree to long and murky terms and conditions — and many devices require constant connectivity to work. The IoT is particularly menacing because even if you opt out of interacting with one device, you can’t necessarily escape its friends; it is called an Internet of Things precisely because devices form whole ecosystems. This means that threats can overlap deliberately (with attackers deliberately employing multiple threat categories), or inadvertently (because journalists may be reluctant to report IoT issues due to hostility from law enforcement).
Although these threats can coincide with and compound one another, it is necessary to pull them apart and examine them separately. This can help prevent journalists from becoming overwhelmed and experiencing decision paralysis due to the sheer scale and severity of cyber-threats to their work and wellbeing. This article will therefore detail one threat type from each of the aforementioned categories, to explore the impacts and implications of IoT risk for the media.
Many threats from the IoT stem from inadequate government regulation. While journalists may seek to avoid the devices entirely, they are increasingly pervasive.
One example: There is no legal requirement for IoT designers and manufacturers to secure their technologies, so each small, low-powered device can easily be infected with malicious software (malware) that can be used for various illegal purposes. For example, many poorly secured IoT devices can together be formed into a botnet, which is a network of corrupted IoT devices that can be used to power big, targeted attacks. These attacks can involve attempts to access more secure information while hiding the perpetrator’s identity, as well as further malware delivery that can drastically affect services, including publishing news stories.
So what? Botnets could also be used to launch large-scale campaigns to intimidate journalists and amplify disinformation, as reported by Brian Krebs in 2017 when Twitter profiles belonging to him and the investigative journalism outlet ProPublica were suddenly harassed online by thousands of similar accounts.
Legal threats, which are well-documented as the basis of many journalists’ fears, refer to ways in which IoT data or actions might be used either in law enforcement investigations or to embroil journalists in lawsuits.
One example: Criminal attacks on news organizations are a one-two punch: first, the media must mitigate the damage of the breach itself and then deal with repercussions that add more legal and financial pressures. The first impact may include being hit by ransomware (malware that holds a news organization’s systems ransom by encrypting their files or locking a news site), as in the case of Portuguese Media Giant Impresa. For the second part, the cost of a cyberattack can be devastating, and, for companies in the United Kingdom, has doubled since last year due to post-incident fines.
So what? These secondary consequences may significantly hinder a news organization’s ability to focus on and sufficiently fund news reporting. Even if they survive the cyberattack, organizations could be hamstrung by regulatory fines, investigation costs and compensation payments, causing staff to be laid off and news stories to be derailed.
One of the creepiest risks associated with the IoT is that of profiling, which means creating a comprehensive outline of a journalist’s life and character. This can include recording behaviors, associates (friends, family and colleagues), frequent locations, habits and even health information.
One example: Even when devices seem like they are not listening, they might be eavesdropping. Logs from smart home devices can allow residents’ routines to be recognized from their hours of use. Or there are multiple ways in which common IoT devices can be used to recognize typing patterns and reconstruct what was written, even when it was sent through secure channels.
So what? A malicious actor could eavesdrop to learn about an investigative story a journalist is reporting — and could threaten to use personal information to blackmail the journalist into not publishing on that topic.
Much of the data generated and interpreted by the IoT enables devices (and their users) to be located by anyone who has access to the location data illegally or legally, which can include foreign, state-sponsored hackers or domestic government actors. Technologically-tracked movement patterns are frequently sold to or shared with third parties, including private companies.
One example: Law enforcement’s use of social media analysis may be cross-referenced with data from IoT devices. For example, footage from many camera-equipped doorbells is automatically accessible by local police forces, effectively making the privately-owned doorbells an extension of state surveillance networks.
So what? A fear of identification and reprisals could lead to self censorship, both among journalists gathering information on the ground and their sources. This is especially likely if the devices can provide evidence identifying individuals who are suspected of attending protests at risk of government violence, such as at Black Lives Matter protests.
Data and device modification threats
Journalists rely on their reputation as a source of accurate information; any single discredited individual can have ramifications for public trust. Alteration of any data, from published information to account details, via IoT devices can not only undermine the credibility of a journalist but also potentially endanger them and their sources.
One example: Certain IoT devices — including some smart fridges — can access users’ social media and email accounts.
So what? These poorly secured devices can be hacked to plant stories and communications that are falsely attributed to journalists. This can seriously undermine a journalist’s credibility and job security.
As intelligence agencies have publicly noted, the interconnectedness of the IoT means that hacking into one device can allow an adversary to compromise an entire network or take down a website. In fact, this happened to The Guardian’s service provider via a Distributed Denial of Service attack in 2016.
One example: A journalist may depend on a given device (or network that includes an insecure IoT device) for their work, such as a camera-equipped drone for a photo- or video journalist.
So what? If a bad actor deliberately makes the device inaccessible to the intended user, a journalist could be left vulnerable to extortion — such as demanding a ransom in exchange for access to the device. Internet-access denial tactics are also used to reinforce aggressive treatment of journalists. Attacks unexpectedly limiting device functionalities can trigger detrimental physical, psychological and financial effects — for example, if executed against someone’s automobile.
I am currently designing a multi-piece toolkit, which will help members of the press determine the specific IoT threats that are most relevant to them. The toolkit also will help journalists determine the best countermeasures for their circumstances so they can continue their work safely. The toolkit also highlights protections and mitigations at the organizational and industry levels, which I argue are highly necessary. The threats detailed in this and my previous Journalist’s Resource article compound each other to magnify personal and professional consequences for targets. Media organizations should learn about IoT threats and work together to combat them, as no individual can remove these threats alone. Legacy institutions, civil society groups, freelancers — every media stakeholder must make it a priority to share information on these threats and incorporate the IoT into security routines and risk assessments.
I’m keen to connect with others who are interested in emerging technological and legal risks to journalist safety, and to hear readers’ thoughts on the issues discussed in this article, including any experiences of such threats. You can contact me at firstname.lastname@example.org or via Twitter at @AnjuliRKShere.