
One Rotten Apple

by Keerat

Adam Irwin, Managing Director – Nodum Global

 

Technology is a wonderful thing but, like splitting the atom, it comes with a price. Gadgets designed to make our lives easier are being increasingly exploited to compromise privacy. The fictionalised case that follows was inspired by real events. Many of the techniques deployed by “Richard” were once available only to specialist police and government intelligence agencies.

Today, many people have access to espionage tools but are ignorant of their existence. Worse still, people are spied upon by those they know and trust. For many businesses, trade secrets and intellectual property are their lifeblood, their competitive advantage resting on protecting inside information.

 

 

A large, detached house, two kids at private school and a villa in the Algarve. The company’s success had brought its CEO, Nathan, wealth and status, at least locally. His 71-reg Bentley swung out from the sweeping gravel of the company’s offices. On his way to play tennis, perhaps? Or the golf club?

Richard, watching from his second-hand, occasionally reliable BMW, would know within minutes.

Richard had worked for Nathan from the start, way before the art-decorated Reception and Italian espresso machine. No promotion. No rise to speak of. In nearly ten years. And the latest humiliation: a ‘Performance Improvement Plan’.

Maybe his employer was having an affair? Or worse? Perhaps Richard could sell the company’s code—its golden goose—to a competitor. Though curiously, he found that this appealed less than reputational damage.

But how? The new IT manager knew his stuff. No more access to any file regardless of sensitivity. And last week’s memo had announced that all file transfers and user-activity would now be centrally logged, with ‘suspicious activity’—including accessing a file never before needed—flagged to Security.

Another vulnerability was needed.

Everyone has secrets: things they wouldn’t want family, friends or business associates to know. After all, Nathan knew nothing of Richard’s previous conviction; nor some of his recreational activities.

And if Richard found nothing? Well, a nasty virus on the system wouldn’t be impossible, with his access. And he still had the company’s Twitter account password, unchanged since its inception. An innocent comment… in favour of Palestine perhaps? That could cause plenty of damage to the new investment drive.

For now, Richard was content with monitoring: it gave him a sense of control and power over Nathan which he’d never achieve in business. He had thought about a private detective, but Googling for one felt risky: how would he know whom to trust? Besides, he didn’t need one.

 

For less than £30, he’d bought an Apple AirTag: a button-shaped gadget attaching to keys or other easily misplaced items. Download the ‘Find My’ app on your iPhone and you could locate your tag with ease.

You could even prompt the AirTag to make a high-pitched sound if proving particularly elusive. You don’t even need to be in the same postcode to monitor its whereabouts. Through clever Apple wizardry, the lost gadget will communicate with other Apple devices nearby, which act as beacons to help you find it.

Then a casual offer to help Nathan unload his bags from the Bentley and the tracker was in the boot.

It nearly didn’t end well. Apple had foreseen the behaviour of snoopers. Richard overheard Nathan asking the IT whizz what an AirTag was.

“Why d’you ask?”

“Some notification on my phone.”

Apple’s blasted ‘privacy alert’! If an iPhone detected an AirTag it didn’t recognise moving with it over time, it would trigger an alert on the iPhone screen. Disastrously for stalkers (unless they removed its speaker), the AirTag would start chirping like a cricket. Luckily for Richard, Nathan didn’t click on the notification. The cops would have found the serial number useful. Close call.

Plan B. He’d need access to Nathan’s phone.

Nathan’s iPhone was for both business and personal use. Naturally, only he could unlock it. Remember the FBI chastising Apple for not sharing access into some terrorist’s phone? If the US Government couldn’t circumvent Apple’s security, our privacy—yours and mine—must be safe, right? Nathan’s financial portfolio management app; the texts about his daughter’s eating disorder; the WhatsApp group with his COO and HR… lately discussing Richard’s increased drinking. All protected.

And the ‘Face ID’ was genius: no more fumbling for his PIN. Nathan even tested it on his brother. They weren’t twins, but they were often mistaken. Foolproof: only Nathan’s legit face was recognised.

Richard was no part-time hacker nor engineer. But he was sharp and had always been into his gadgets.

He’d discovered, drinking alone at his local, a new use for his AirPods, Apple’s wireless headphones. Streaming the football on his phone (the pub was screen-free) he spotted an ear-shaped icon. He pressed it and was offered: ‘Live Listen’. All sounds in the room became amplified: a group of patrons, over ten feet away, voicing snide comments about the “ghastly” new interior. His phone even worked as a directional microphone: subtly position it and private conversations became clearly audible.

 

Next time Nathan convened a Board meeting, Richard gave it a go. First he made sure his phone was silenced. Then he stashed it in the cavity for sockets and excess cables in the large rectangular table of the meeting room where all big decisions were made.

As if he had his rightful position on the Board: he was right there with them.

A few weeks later, leaving the pub after hours, Richard reached for his phone to catch up. It wouldn’t open. Too dark to recognise his face. A few more failed attempts and he was prompted to enter his PIN.

His eureka moment.

Nathan was forever leaving his phone in the kitchen after making coffee and chatting to people. Alone, Richard pounced on it. He dabbed his middle finger on his tongue and smudged the front camera lens with an almost invisible smear. As he predicted, Nathan returned within minutes: his now blurred face refused access. Several attempts later, discreetly shadowing him back to his office, Richard saw his passcode. 2-1-0-7-9-6. Of course! Drinks in the office last year, for Nathan’s Silver Wedding: 21st July.

The next time Nathan left his phone unattended, Richard quickly opened Nathan’s Find My app. The one he’d used on his own phone to monitor the whereabouts of the AirTag. A standard feature on all iPhones: the app that helps you to find your Apple devices after loss or theft. You can also use it to locate other people’s phones—but first you must ‘friend’ each other, a process requiring mutual consent. Richard added himself and selected the option to ‘share indefinitely’. Nathan’s phone would now reveal its location to his, via the exact same app.

Round-the-clock Big Brother. And Nathan would never know.

 

Some Considerations for Business Leaders

1. Are your mobile device policies fit for purpose? Using personal phones for business matters and communicating about business issues using consumer-grade apps like WhatsApp present security and regulatory risks.

2. In this case, Richard eavesdropped on the Board meeting using his iPhone: a crude but fruitful method. But cheap and effective espionage tools are easily accessible: just look on Amazon. Consider whether your business needs to make use of Technical Surveillance Countermeasures (TSCM) and other security policies and procedures to protect sensitive information.

3. Much like TSCM, insider threats are not something only to be considered by large multinationals or government departments. Whether unwitting pawns or motivated saboteurs, insider risk is real and companies of all sizes and revenues should understand how to assess the problem and apply mitigations.

 

 

Here are some things you can do to protect yourself from Apple stalkers:

• Ensure you are running the latest iOS software: the ability to search for unknown AirTags was added in iOS 15.2 (December 2021).

• Consider upgrading your handset: precision finding features (effectively turning your phone into a compass to locate the AirTag) are only available from iPhone 11 onwards.

• Android users can download the Tracker Detect app, freely available on the Google Play Store. This offers similar anti-stalking features to Apple’s Find My app.

• If alerted to an AirTag and with reason to believe you are being stalked, follow the instructions to locate the tag and find the serial number. Be sure to take a screenshot of the serial number and to photograph the AirTag in situ before it’s removed. This will be useful evidence for law enforcement (and lawyers). Be aware that if you touch the AirTag, you may destroy forensic evidence that could help police to identify who has handled it.

You may wish to report the finding to the police immediately (stalking is a specific offence in many jurisdictions, including England) and seek their guidance. To disable it, remove the stainless-steel battery cover (embossed with the Apple logo) by pressing it down and rotating anticlockwise. This will reveal its disc-shaped battery. Removing the battery disables the AirTag.

• Face ID is only as strong as your passcode. Consider using a ‘custom numeric’ passcode (more than 6 digits long) or, even better, a ‘custom alphanumeric’ passcode, which can include letters and special characters as well as numbers. Long and complex passcodes are more secure and more difficult for prying eyes to observe and remember. Also, do not use your iPhone passcode as a password for any other purpose. And ensure it is not easily guessed (pets’ names and significant dates are a big no-no).

• Regularly check your Find My app to see with whom you are sharing your location.

• Restrict what can be accessed on your iPhone when the screen is locked, so that your messages and notifications aren’t visible to others.

• Get a privacy filter. Once affixed to your phone’s screen, it obscures its view from nosy bystanders.

• Consider using the Erase Data option to wipe your iPhone after ten failed attempts to guess the passcode.

 

Adam Irwin is a former UK Law Enforcement Officer. He is the Managing Director of Nodum Global, a risk intelligence and investigations firm, co-Founder of corporate counterintelligence specialists Procypher, and is a trusted advisor to law firms, multi-national companies and private clients.
