If you don’t know normal, then you can’t find anything abnormal!
In the age of IoT (Internet of Things), many everyday items have changed from being just “a thing” to a thing that connects to the internet via Wi-Fi, Bluetooth or another RF function in order to make our everyday life easier and more convenient.
But at the same time, it has also given a perpetrator easier access to our network and thus the capability to attack our systems, whether at home or at the office. 10 years ago, a lightbulb was just a lightbulb, but now a lightbulb comes in all kinds of configurations and often includes electronics and wireless connection capabilities.
The smart question would now of course be: “But if you know the item has electronics in it, why is it a problem then?”
The problem arises if the perpetrator has managed to take a normal device and turn it into a voice recording or video recording device, and this is why expert exploitation is very important. Knowing the capabilities of a device, and what it should and should not do, is important in order to determine whether it is a threat or is simply functioning as it is supposed to.
Has it been tampered with, so it looks the same but operates differently than intended by the manufacturer? Has the perpetrator placed and concealed additional components next to the original ones, so they won’t be detected so easily?
These are some of the issues that could pose a challenge to a TSCM sweeping team, and this is why skilled personnel with exploitation training are important.
An example is this moisture detector alarm found inside a wall connected to a sensitive area. Initial exploitation showed nothing out of place, but after looking into the components of the device it was clear that the device could easily be altered to record sound.
This meant that an on-site exploitation was conducted, and every printed circuit board and electronic component was examined in order to determine whether the device could function in a way other than intended.
Another kind of exploitation is where the device has been identified as a direct threat and the client or victim of the illegal surveillance wants to find the perpetrator and/or press charges.
In this case an exploitation needs to be handled in such a manner that the evidence is usable in a legal case. This is also sometimes referred to as a forensic exploitation.
This GPS device was located inside a vehicle. It was hidden inside the vehicle's frame, which showed that the perpetrator had to have had access to the vehicle keys. The exploitation also concluded that the installation itself would have taken 30-60 minutes to complete.
The forensic exploitation secured fingerprints, DNA and SIM card information etc. This just shows that a correct exploitation done by professionals makes the difference once you go to court.
Here at SECCON we sometimes spend hours taking stuff apart in order to know how it works, how it functions, how it is supposed to behave once activated and how we can alter it so it might work differently and become a threat or bugging device.
This is all a part of working professionally with TSCM and staying on top of the fast-moving electronic world.