Electronic
Surveillance Threats
In 2017 the
Supreme Court ruled in a landmark judgment that privacy is a fundamental
right. From sophisticated spyware attacks to mass phishing via smartphones
and the rise of facial recognition technology, the range and reach of
surveillance threats to human rights defenders is growing.
For
security teams trying to keep activists safe, it is a cat-and-mouse game as
attackers rapidly adapt to developments aimed at protection.
“When
cyber-attackers see people are switching to using (messaging app) Signal, for
example, then they will try to target Signal. If people start changing to VPN
technology, they will start blocking VPN technology. If people are using Tor
browser, they will target Tor traffic,” says Ramy Raoof, tactical technologist
with Amnesty Tech.
Automated
surveillance equipment has become increasingly common and connected, making the
technique more covert and pervasive. Mobile
hacking, social engineering, network monitoring, face recognition technologies,
GPS tracking, and various other methods commonly employed to catch and prevent
crime and terrorism can also be used against civilians.
Electronic
surveillance threats – defending a facility against electronic surveillance is
a serious challenge and one that hasn’t been made any easier by the
proliferation of computer networks and wireless. Not only are businesses under
threat from phone tapping, and video and audio surveillance, wired and wireless
computer networks offer attackers a new dimension of intrusion.
Even the
simplest electronic surveillance devices are diverse, with room transmitters
being among the most common. Their role is to detect all the environmental
noise emanating from the location in which they’re planted.
Primary variations with room transmitters relate to differences in power
sources. In this case, either battery or mains power and it’s the battery
powered devices that are most diverse. Such devices can be secreted inside
almost any object allowing for their minimal space requirements. Examples
include the inside of pens, calculators, clocks, photo frames, under carpet,
behind curtains and underneath or inside furniture.
The types of battery used to power these devices varies too, depending
on the design, size and planned use of the device. Self-contained transmitters
designed for surreptitious surveillance favour small button batteries or higher
performance hearing aid batteries. When size is less of a concern and length of
transmission a higher priority, larger and longer lasting batteries can be
used, including the latest lithium types.
Average transmission devices typically have dimensions around 19mm x
12mm x 9mm. Should a small transmitter be built into a pen or a calculator,
transmission range will be limited, around 15-20m, though the use of lithium
batteries will increase the range.
Mains-powered room transmitters draw current either directly from the
mains voltage or trickle charge a battery that’s also used to power the device.
The advantages of this technique where electronic intruders are concerned
include the fact there will be less impact on main power sources that could be
monitored for fluctuations. Should mains power be lost the device will continue
to operate.
The key technical issue for mains powered transmitters is to reduce 240V
of alternating current to a direct current, low voltage output of 6-18V.
Designers are required to combine transmission circuitry along with a voltage
dropper, rectification, smoothing and voltage stabilization circuits.
As a rule, the most popular way to get the small current and voltage
requirements is to use a high voltage capacitor to act as resistance at the
50/60Hz mains supply frequency. Low power can be partially offset by injecting
some radio power into the mains.
Should there be enough room and a sufficiently low risk of detection,
it’s sometimes possible for a stepdown transformer to be used – this is
inherently more reliable that capacitor leakage or dropper resistance
techniques. It’s also possible for a transformer to supply a far greater level
of power to a strong transmitter.
AC units can be located inside walls, ceilings, under floors, inside
office equipment, in mains-powered clocks and within lamps and lamp holders to
name just a few possibilities. One of the favoured methods of installing an AC
bug is to simply plug in a dummy double adaptor to a power point in the room
you wish monitor. Despite the simplicity of this technique, only the most
observant would notice and even then, would be most unlikely to consider the
appearance of the unit a threat to security.
Electronic intruders wishing to secure a standalone mains-powered
transmitter are usually supplied with a square plastic box about 50mm x 50mm x
18mm, or an encapsulating board. There will be a pair of trailing leads coming
from these units for connection to the live and neutral lines of domestic AC.
There are still PSTN telephone transmitters. These are connected to
target telephone systems and transmit information to a receiving station
located nearby. The 2 basic models are the series-connected transmitter and the
parallel-connected transmitter. Both types either draw their operating voltage
from the PSTN phone line itself, or carry their own batteries that may be
trickle-charged from the phone line.
Series connected transmitters are connected between a telephone socket
and a telephone. In this configuration, only that extension will be accessed by
the listener. But in the event a series transmitter is used and located on the
incoming wires of a 2-pair cable on the other side of a telephone socket, all
extensions of the line can be accessed.
Muliplex telephone systems make life extremely hard for electronic
intruders trying to record communications. Because these systems multiplex more
than one signal onto a 2-pair cable, an intruder would need to employ a
de-multiplexer to access phones.
Partially connected transmitters are different. Both incoming feed wires
are connected to the parallel connected device, and this means the information
will be transmitted if either phone is used. With a series device, the wiring
of the telephone must be disconnected to allow insertion of the transmitter.
But installation doesn’t mean cutting and stripping of feed wires. Instead, the
device can be installed in a junction box that offers sufficient room, or even
in a telephone.
Series devices are easiest for security managers to detect using one of
the counter surveillance devices on the market that alert security staff to
temporary disconnection of phone lines. It’s possible for alarm panels
monitoring alarm systems to also monitor phone lines for integrity, with any
breaches then reported.
Parallel series devices, however, can be installed without temporary
line breaks and without effect on resistance. This makes them harder to detect,
though if the unit is drawing power from its host, this will cause a voltage
drop. Parallel devices are often equipped with alligator clips requiring no
more than a few millimetres of cable to be stripped or a pair of bare
terminals.
Battery-powered types are harder to detect and more effective in their
operation. With their greater operating current, they can achieve greater
operating ranges than bugs, giving 500-1000m ranges instead of 25-50m. Even
harder to detect are small rain-proof telephone transmitters that can be
connected to any point of the exterior wiring as it leaves a building or joins
a telephone pole. Such a device might never be detected.
Mobile phones are usually tapped using spyware. This is a whole other
science – it’s possible for experts to search for spyware and users might
notice quirks like rapid battery drain, though it can be difficult to know
whether this is caused by an illicit piece of software, too many open apps, or
simply an aging battery.
There are 2 primary groups of microphones available to an individual or
organization seeking illicit access to communications. These are
omnidirectional and unidirectional. Unidirectional microphones are portable and
can be aimed at a target. They’re a parabolic dish-mount device that can be
hand-held or tripod mounted. Such units offer excellent results for the
electronic intruder. Using a 45cm reflector, high quality sound can be obtained
at 250m. This performance increases fourfold if the reflector size is doubled
but the unit becomes much more visible.
Omnidirectional units pick up audio signals coming from any point of the
compass and in surveillance devices they usually have a diameter of about 6mm.
As a rule, these devices will be more effective towards the front. Another type
of microphone, the spike mike, is mounted on the end of a spike or probe.
Microphones can be connected to the audio input of a miniature transmitter,
allowing remote monitoring of conversations.
Like any other internet-connected device, surveillance systems can be
vulnerable to attacks without the right cyber-security measures in place.
Hackers can easily gain access to poorly configured devices with design flaws
or faulty firmware and manipulate or steal data. With cyber-attacks
accelerating, surveillance systems need to be protected from vulnerabilities,
and require the same vigilance provided to IT systems.
Closed-circuit video cameras to transmit a signal to a specific
place, on a limited set of monitors. It differs from broadcast
television in that the signal is not openly transmitted, though it may
employ point-to-point (P2P), point-to-multipoint (P2MP),
or mesh wired or wireless links but transmit a signal to a
specific place only. Not for open to all.
Cities in at least 56 countries worldwide have
deployed surveillance technologies powered by automatic data mining, facial
recognition, and other forms of artificial intelligence.
The ban that prohibits the purchase and
installation of video surveillance equipment from HikVision, Dahua and Hytera
Communications in federal installations – passed on year 2018 National Defense
Authorization Act (NDAA). In conjunction with the ban’s implementation, the
government has also published a Federal Acquisition Regulation
(FAR) that outlines interim rules for how it will be applied moving
forward. Like NFPA, now NDAA law accept globally.
Rules outlined in this FAR include:
·
A “solicitation provision”
that requires government contractors to declare whether a bid includes covered
equipment under the act;
·
Defines covered equipment
to include commercial items, including commercially available off-the-shelf
(COTS) items, which the rule says, “may have a significant economic impact on a
substantial number of small entities;”
·
Requires government
procurement officers to modify indefinite delivery contracts to include the FAR
clause for future orders;
·
Extends the ban to
contracts at or below both the Micro-Purchase Threshold ($10,000) and
Simplified Acquisition Threshold ($250,000), which typically gives agencies the
ability to make purchases without federal acquisition rules applying.
·
Prohibits the purchase and
installation of equipment from Chinese telecom giants Huawei and ZTE
Corporation. This would also presumably extend to Huawei subsidiary Hisilicon,
whose chips are found in many network cameras;
·
And, gives executive agency
heads the ability grant a one-time waiver on a case-by-case basis for up to a
two-year period.
Specifically, NDAA Section 889 creates
a general prohibition on telecommunications or video surveillance
equipment or services produced or provided by the following companies (and
associated subsidiaries or affiliates):
·
Huawei Technologies
Company; or
·
ZTE Corporation
It also prohibits equipment or services
used specifically for national security purposes, such as public
safety or security of government facilities, provided by the following
companies (and associated subsidiaries or affiliates):
·
Hytera Communications
Corporation;
·
Hangzhou HikVision Digital
Technology Company; or
·
Dahua Technology Company
While the prohibitions are initially limited to the
five named companies, Section 889 authorizes the Secretary of Defense, in
consultation with the Director of National Intelligence or the Director of the
FBI, to extend these restrictions to additional companies based on their
relationships to the Chinese Government. The prohibitions will take effect for
executive-branch agencies on August 13, 2019, one year after the date of the
enactment of the 2019 NDAA, and will extend to beneficiaries of any grants,
loans, or subsidies from such agencies after an additional year.
The provisions of Section 889 are quite broad, and
key concepts are left undefined, such as how the Secretary of Defense is to
determine what constitutes an entity that is “owned or controlled by, or
otherwise connected to” a covered foreign country, or how the head of an agency
should determine whether a component is “substantial,” “essential,” or
“critical” to the system of which it is part. The statute also fails to address
the application of the prohibitions to equipment produced by U.S. manufacturers
that incorporate elements supplied by the covered entities as original
equipment manufacturers (“OEMs”) or other kinds of supplier relationships.
Section 889 contains two exceptions under which its
prohibitions do not apply:
(1) It allows Executive agencies to procure
services that connect to the facilities of a third party, “such as backhaul,
roaming, or interconnection arrangements.” This likely means telecommunications
providers are permitted to maintain common network arrangements with the
covered entities.
(2) It permits covered telecommunications
equipment that is unable to “route or redirect user data traffic or permit
visibility into any user data or packets” it might handle, meaning a contractor
may still be able to provide services to the Government so long as any covered
equipment provided is unable to interact or access the data it handles.
The Constitution of India guarantees every citizen
the right to life and personal liberty under Article 21. The Supreme Court,
in Justice K.S. Puttaswamy v. Union of India (2017), ruled
that privacy is a fundamental right. But this right is not unbridled or
absolute. The Central government, under Section 69 of the Information
Technology (IT) Act, 2000, has the power to impose reasonable restrictions on
this right and intercept, decrypt or monitor Internet traffic or electronic
data whenever there is a threat to national security, national integrity,
security of the state, and friendly relations with other countries, or in the
interest of public order and decency, or to prevent incitement to commission of
an offence.
Only in such exceptional circumstances, however,
can an individual’s right to privacy be superseded to protect national
interest. The Central government passed the IT (Procedure and Safeguards for
Interception, Monitoring and Decryption of Information) Rules, 2009, that allow
the Secretary in the Home Ministry/Home Departments to authorise agencies to
intercept, decrypt or monitor Internet traffic or electronic data. In emergency
situations, such approval can be given by a person not below the Joint
Secretary in the Indian government. In today’s times, when fake news and
illegal activities such as cyber terrorism on the dark web are on the rise, the
importance of reserving such powers to conduct surveillance cannot be
undermined.
Risk of Electronic Security Threats to EHR/HIS is a
critical issue because as per the privacy and security rule of The Health
Insurance Portability and Accountability Act (HIPAA) the patient’s medical
records are to be secured and private which can be accessible only the hospital
authorities and the doctors in charge of the patient and the patient himself.
More
advanced techniques now no longer require a target to actively click on a link
in order to infect a device, explains Amnesty Tech security researcher Etienne
Maynier. An attack using NSO spyware on an activist in Morocco covertly
intercepted the activist’s web browsing to infect their phone with spyware.
“Instead of waiting for you to click on a link, they instead hijack your web
browser’s traffic and redirect you to a malicious website which tries to
secretly install spyware,” says Maynier.
Successful
targeting of well-protected phones is becoming more common and security teams
are under added pressure from a burgeoning industry in so-called ‘zero-day’
exploits, in which unscrupulous hackers seek to find unknown vulnerabilities in
software to sell. In May 2019, NSO Group exploited a zero-day vulnerability in
WhatsApp that was used to target more than 100 human rights activists across
the world with spyware.
How to keep your communications safe:
Using public Wi-Fi and VPNs: When you connect to Wi-Fi in a cafe or
airport your internet activities are routed through that network. If attackers
are on the network, they could capture your personal data. By using a VPN app
on your devices, you protect your online activities when accessing public
connections, preventing your internet activities from being seen by others on
the same network. If you want to explore options, try NordVPN and TunnelBear.
Password management: Using a password manager means you don’t have
to worry about forgetting passwords and can avoid using the same ones. It’s a
tool that creates and safely stores strong passwords for you, so you can use
many different passwords on different sites and services. There are various
password managers such as KeePassXC , 1Password or Lastpass. Remember to back up your password manager database.
Do not use password like password, ddmmyyyy, admin@123, administrator,
administrator1, Super@1234 etc.
Messaging apps: When we advise human rights defenders about
messaging apps, we assess each app on its policies (such as terms of service,
privacy agreement), its technology (if it’s open source, available for review,
has been audited, security) and finally the situation (if the app provides the
features and functionality that fits the need and threat model). Generally
speaking, Signal and Wire are two apps with strong privacy features.
Remember: Signal requires a SIM card to register, and for Wire you can
sign up with a username/email.
Phone basics for iPhone or Android: Only download apps from the official app store to
prevent your personal information from being accessed without your consent and
to minimise the risk of attacks. Update your system and apps frequently to
ensure they have the latest security patches. Enable ‘account recovery’ in case
you lose access to your phone. Finally, choose a mobile screen lock that is not
easily guessed, such as an 8-digit pin or an alphanumeric code.
