“R2D2, you know better than to trust a strange computer!” – C3PO in “The Empire Strikes Back”
In its 2021 World Press Freedom Index, which ranks countries and regions based on the level of freedom afforded to journalists, Reporters Without Borders pointed out that independent journalism is partially or totally blocked in 73% of the 180 countries classified. While the press has a tendency to shy away from self-reflective coverage, the many journalists who are subject to threats such as surveillance, censorship and harassment have recently been recognized: Maria Ressa (now a Shorenstein fellow and co-founder of the Philippine news site Rappler) and Dmitry Andreyevich Muratov (chief editor of the Russian newspaper Novaya Gazeta) won the Nobel Peace Prize “for their efforts to safeguard freedom of expression, which is a precondition for democracy and lasting peace.” The Norwegian Nobel Committee noted that both winners “are representatives of all journalists who uphold this ideal in a world where democracy and press freedom face increasingly adverse conditions.”
Some of the dangers journalists face are obvious, such as physical attacks on the press when covering protests in 2020, while others, such as national security laws invading source protections, are more insidious. Both types of threats can be facilitated by the so-called “consumer Internet of Things” (IoT): networked devices that are growing in prevalence and capacity, ranging from smart cars to fitness trackers. The general risks associated with such systems have been reported by technology and security journalists (for example, here, here and here). Similarly, more specific examples of journalists targeted via their smartphones are scattered throughout the media and raised as issues in journalist-focused materials.
A prominent example of a high-profile smartphone-related threat is the NSO Group’s Pegasus spyware. The Israeli technology company’s clients, including several national government officials, supposedly identified many journalists as surveillance targets, in countries that include Canada and Mexico.
By comparison, there is limited awareness of the implications of other devices, specifically for journalists and their sources, with mentions of the dangers of the IoT notably absent in safety guides for journalists. That this makes the IoT effectively an “unknown unknown” is particularly worrying, given the ubiquity of such technologies, which can be found in homes, offices, stores, even on the street. Additionally, they are often designed to blend into their environments, subtly replacing older versions with less intrusive functionality; an example is the smart doorbell boom. Like spyware, these devices can be co-opted to monitor messages, location information, and daily actions. Unlike spyware, the IoT can also facilitate cyber-physical threats.
This article outlines how journalists can begin to think about the various environments they go through, what IoT devices they may encounter on their travels in each place, and how these devices can pose a risk to their work and well-being. It is based on my PhD research, which began with a pilot study that assessed the extent to which journalists recognize and understand IoT threats (spoiler: not very well). My job then was to map IoT threats to journalists by environment (information to be shared here, as an aid to awareness). So far, my research has involved interviewing more than 70 cybersecurity experts and journalists in the US, UK, Australia, and Taiwan, and initial findings have been presented to both computer science and public policy audiences.
The pilot study results indicated that abstract concerns about technological threats are causing some journalists to return to analog methods of information gathering, communication, and storage, such as using pen and paper instead of voice recorders, and choosing physical dead drops over online ones. The recommendations from cybersecurity experts encompassed both immediate and long-term mitigation methods, including practical individual actions that are technical and sociopolitical in nature. However, all the proposed individual mitigation methods are likely to be short-term solutions, as 76.5% of the 34 cybersecurity experts who participated in the study responded that in the next five years it will not be possible for the public to opt out of interacting with the IoT.
Four Categories of IoT Threats
Taking into account the most likely journalistic workflow, my research has divided the common environments in which to consider IoT threats into four categories: (1) private homes, (2) public spaces, (3) workplaces, and (4) portable devices. There is an overlap between the categories; for example, many journalists’ homes are also their workplaces, especially amid the pandemic and budget cuts that are closing physical newsrooms. Still, this method of categorization should allow journalists to get an initial idea of the scale of the problem and to cross-reference relevant categories as needed. Each of the four sections has been further subdivided by device function, to make it easier for journalists to spot these potentially poorly secured devices as they hide in plain sight. (The links in each section highlight real-life examples of IoT device hacking.)
In private homes, there are three types of IoT devices: those used primarily for entertainment, for security, and for home/utility management. Here, journalists should consider threats such as:
- Leisure: Internet-connected children’s toys are easy tools for espionage, as evidenced by the “My Friend Cayla” doll, the spiritual descendant of the Furby. Cayla was banned in Germany due to the ease with which hackers could access her microphone to listen to private conversations, which could be a goldmine for discovering possible passwords (for example, names of children and pets).
- Security: A smart doorbell that someone uses to verify home deliveries from the office can be an easy way for an attacker to live-stream images of the surrounding area, including neighboring properties, providing useful insights into the pattern of life of residents in and around the owner’s home, even those without a smart doorbell.
- Home/utility management: Voice assistants, popular for their ability to order purchases and play background music without users having to lift a finger, have been known to “wake up” and start listening even without “hearing” their name, as well as to send snippets of recordings to people on their owners’ contact lists, potentially compromising confidential calls with sources or editors regarding unpublished stories.
In public spaces, there are three sub-environments where networked devices of different types can be found: transportation, indoor public areas, and outdoor public areas. In each, journalists should consider threats such as:
- Transport: Smart car GPS systems could be hacked to track the vehicle and brakes could be hijacked to cause a crash.
- Indoor public areas: Smart alarms, which are controlled remotely via smartphones and other wireless devices, can be subject to flaws and attacks that could trap people in buildings or keep people out, which could inhibit journalistic work.
- Outdoor public areas: Drones can be hijacked to spy on those below, and are now commercially available in forms small and quiet enough to fly surreptitiously, threatening even clandestine open-air gatherings with sources in areas devoid of CCTV.
In workplaces, there are three types of IoT devices: those primarily used for meeting/waiting room entertainment, for security, and for utilities. Here, journalists should consider threats such as:
- Waiting room/meeting entertainment: Smart TVs can come with cameras, microphones and access to online accounts that are linked to credit cards. These devices could easily be hacked to expose the variety of people meeting with newsroom executives even before the partnerships have been publicly announced, perhaps jeopardizing the already limited funding sources given to the media.
- Security: Remote access closed circuit TV systems could be hacked to allow continuous video-monitoring of employees in a news organization.
- Utilities: Internet-connected printers could be an entry point to a network, or they could even record both the content and metadata associated with a document, allowing unauthorized users to reprint it.
In all settings, journalists must consider the threats from portable devices, such as:
- Smart watches and fitness trackers can perform many of the same functions as a smartphone and serve other intimate purposes. If hacked, they can leak a journalist’s vital signs and tracking information, leading to the publication of sensitive locations through apps, similar to the recent military debacles related to drinking (Untappd) and running (Strava).
Based on my pilot study, I am developing a risk assessment framework of strategic and tactical countermeasures that journalists and news organizations can use to protect themselves from these emerging technological threats. If you are interested in the framework, please follow me on Twitter and stay tuned for more of my work at The Journalist’s Resource. If you’d like to get involved in the process of commenting on framework iterations, feel free to get in touch directly!