Underlying patterns can reveal information security targets

The many electronic devices people use today may present a largely unrecognized information security risk. As George Spafford explains, data patterns from these devices may soon make it easier for attackers to exploit an organization's people and systems.

It used to be that physical criteria were used for marking a target. The characteristics ranged from personal identification marks -- such as height, weight, race or hair color -- to issues of location such as street address or movement relative to a landmark.

Today, monitoring capabilities have evolved far, far beyond that. On one hand, as information workers, we want ease of communications. On the other, as individuals, we want privacy. More often than not, the two sides are fundamentally at odds with one another.

As more electronic devices infiltrate our personal and professional lives -- everything from BlackBerrys to iPods to smart watches to GPS devices -- we are increasing the number of data points that can be extrapolated into uniquely identifiable patterns. By passively monitoring broadcast signatures generated by any given person's or group's devices, hereafter referred to as the "target," a statistical correlation can be drawn not only to infer the identity of the target, but also to track the target. Passive analysis could present a significant threat to corporate information security, enabling the collection of competitive information regarding the movements of officers, sales personnel, etc.

The vectors of identification
The identification vectors created by these devices can be exploited to varying degrees. The following are example identification vectors:

  • Cellular phones/pagers: When carrying a cell phone or other devices that connect to a central service, the connection method can be monitored and used to uniquely identify the target based on service records or used as a unique signature to track the target.

  • Bluetooth devices: A Bluetooth-enabled device is keyed to its host. This key can be used as a signature to track the target. Long-range Bluetooth "sniper rifles" can be used to pick up data from a considerably farther distance than the specification ever intended.

  • Radio Frequency Identification (RFID) devices: Retail and supply chain RFID tags that are not deactivated can be picked up using standard store technology or customized special-purpose long-range readers. Any given RFID value may disclose behaviors of the target, and as the number of RFID signatures increases, the ability to uniquely identify and track the target increases as well.

  • Wi-Fi: The IP address, security key, MAC address, signal strength and direction all combine to facilitate the identification and tracking of a target. Whether the data is encrypted or not really doesn't matter if the intent is to identify and track a target. In other words, the content would be considered secondary to the value of the signature created.

  • Thermal radiation: To varying degrees, devices and people generate heat. The combination of absolute measurements and relative ratios could enable unique identification and tracking. For example, one person with temperature X, one device with temperature Y and another device with temperature Z could identify an individual and the devices they may be carrying.

  • Electromagnetic / RF radiation: In the fraction of a second that a device with a transmitter or electrical device is turned on, it generates a unique signature that can be identified and tracked. As the level of shielding increases, the ability to use this vector decreases. If unshielded, there are a number of proven methods to intercept and transform the intercepted radiation into meaningful information, such as van Eck phreaking.

Putting the patterns in place
By using one or a combination of the above vectors, patterns can be identified to uniquely track targets. There are many ways to consider patterns and glean information from them.

One involves the pattern of existence. By monitoring the current state of patterns and comparing them to a previous state, it becomes possible to determine if information has changed, though not necessarily what has changed. To put this in the context of the security professional, these methods make it possible to determine the differences in the electronic signatures of people and platforms. If such data is stored in a database and indexed, then the matching algorithm could be used to make probability assignments based on the detected patterns.

There are also patterns of behavior, essentially how the time of day and intervals of activity are combined with the vectors above to create a unique profile signature of a target. If the intended target always gets up at 5:30 a.m., checks his Hotmail account on his Wi-Fi-enabled laptop, commutes to CNN headquarters and carries his Bluetooth-enabled cell phone on his walk to the subway between 7:00 a.m. and 7:15 a.m., then he can be tagged and tracked by stationary and mobile monitoring systems. Patterns could be stored, indexed and matched yielding probabilistic identification of targets.

Finally, there are patterns of assemblage. A given vector alone may not be sufficient for identification and tracking, but as the number of identification vectors increases, a unique signature profile will emerge. If a military unit's supplies have RFID tags and the enemy can use long-range scanners to read the tags, suddenly it becomes possible to identify which military group is in which location based on tag readings and the goods that correlate with them.
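The assemblage effect can be measured on an organization's own device inventory to decide which emitters to shield first. The sketch below is an added example, not part of the original article; the inventory is constructed and the function names are hypothetical.

```python
from collections import Counter
from itertools import combinations

# Constructed inventory (not real data): coarse device classes each person carries.
INVENTORY = {
    "p1": {"phone": "A", "bluetooth": "headset", "rfid": "badge"},
    "p2": {"phone": "A", "bluetooth": "headset", "rfid": "badge+keyfob"},
    "p3": {"phone": "A", "bluetooth": "watch", "rfid": "badge"},
    "p4": {"phone": "B", "bluetooth": "watch", "rfid": "badge"},
    "p5": {"phone": "B", "bluetooth": "headset", "rfid": "badge+keyfob"},
    "p6": {"phone": "B", "rfid": "badge+keyfob"},  # carries no Bluetooth device
}

def all_vectors(inventory):
    """Every identification vector that appears anywhere in the inventory."""
    return sorted({v for devices in inventory.values() for v in devices})

def unique_count(inventory, vectors):
    """People whose combined signature over `vectors` is shared by no one else."""
    sigs = [tuple(d.get(v) for v in vectors) for d in inventory.values()]
    counts = Counter(sigs)
    return sum(1 for s in sigs if counts[s] == 1)

def exposure_by_vector_count(inventory):
    """Worst case: most uniquely identifiable people for each number of combined vectors."""
    vectors = all_vectors(inventory)
    return {n: max(unique_count(inventory, c) for c in combinations(vectors, n))
            for n in range(1, len(vectors) + 1)}

def residual_after_shielding(inventory):
    """Uniquely identifiable people remaining if one vector is fully shielded."""
    vectors = all_vectors(inventory)
    return {v: unique_count(inventory, [x for x in vectors if x != v])
            for v in vectors}

if __name__ == "__main__":
    print(exposure_by_vector_count(INVENTORY))
    print(residual_after_shielding(INVENTORY))
```

In this constructed inventory no single vector singles out more than one person, yet all six people become unique once the three vectors are combined.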

A pattern of awareness
For corporate security personnel, this potential avenue of passive analysis can be problematic. A competitor could monitor the movements of key personnel and/or physical products, thus gaining data on current activities. This data could then be correlated with other data to increase the probability of a known outcome being identified.

Enterprises or organizations with sufficient interests that require countering pattern-related threats have at least three options to consider. First, they can use shielding technologies to reduce the signature generated by electronic devices. Second, they can use jamming technologies to confuse rogue sensors. Third, they can use decoy technology, which can randomize the generation of patterns and thus marginalize the value of the data collected by the sensors.

This is a very real threat today, and as the use of electronic devices increases, so will the opportunities to collect and analyze patterns to determine behaviors. As with any threat, mitigating activities should be justifiable relative to the impacts on the organization should such activities take place.

George Spafford is an author and information security professional based in Saint Joseph, Mich. He travels globally consulting and training on IT management, operations and security topics.
