Today, the Internet of Things (or IoT) is a common part of our lives. Internet-connected thermostats enable us to make better energy decisions and we can check on our homes, even when we are thousands of miles away, through connected security cameras. While the general public’s exposure to IoT has been with consumer products, the introduction of 5G in the last few years will usher in the widescale use of commercial/industrial IoT. For decades, legislation has required communications service providers (CSPs) to assist law enforcement in investigations. And, as analog voice migrated to VoIP and VoLTE and dial-up migrated for FTTx and mobile broadband, the requirements to assist have migrated as well. But what of IoT devices, where do they fit in the world of regulation and law enforcement investigations?
Wiretap Legislation
First, a little background on the applicable legislation to wiretaps. Prior to 1967, wiretaps were very unregulated. Several Supreme Court cases limiting wiretaps prompted Congress to pass the Omnibus Crime Control and Safe Streets Act in 1968. Title III of that document is where privacy protections and the legal exceptions to those protections (i.e., wiretaps), their permissible use, and oversight were defined. In 1986, the Electronic Communications Privacy Act (ECPA) was passed which expanded the concept of a wiretap from telephone calls to include data transmission. Title II of the ECPA (i.e, The Stored Communications Act or SCA) provided privacy protections for stored records and provided the legal means for law enforcement to have access. The ECPA also addressed the concept of Pen Register and Trap and Trace Devices.
Through the mid-1990s, wiretaps were lawfully conducted by law enforcement and oversight from courts to ensure privacy was protected. However, it was up to law enforcement to install their own wiretap equipment. In 1994, the Communications Assistance for Law Enforcement Act (CALEA) was passed which required CSPs to modify/enable their facilities to assist law enforcement in conducting wiretaps. In 2006, the Federal Communications Commission ruled that all communications running over the Internet (including VoIP) were covered under CALEA. The takeaway is that if you were a CSP and offered a communications service (like VoIP or VoLTE) or provided Internet Access, you had to be able to provide the (en clair) communications content (CC) and/or intercept related information (IRI) in real-time to law enforcement.
IoT Devices and Wiretaps
An IoT device is a digital machine that is uniquely identifiable and can transfer and receive information without requiring human interaction. Most of these devices are “always-on”, meaning that they are doing their job 24/7. For example, your Amazon Echo is always recording what is happening near it in the event that you say “Alexa…”; your Apple Watch is always recording your vitals and location so you can track your health or exercise routine; and, your security camera is always streaming the view of your doorstep in case of an event. What law enforcement agencies would not want real-time access to an Echo device on the desk of a drug dealer or monitor the real-time location from an iWatch worn by a terrorism suspect? Can law enforcement issue a real-time court order on an IoT device?
The answer is yes, only if the CSP sells that device to the consumer along with a communications service. There are many devices that fall under this category today – for example, the watches with GPS and cellular service for parents to keep in touch with their children. And very soon, self-driving cars, delivery drones, and other cutting-edge technologies will fit in this category.
Even if the CSP does not provide the IoT device, law enforcement can still secure real-time feeds by focusing the court order on the CSP and the specific communications service through which the IoT device connects. In this scenario, multiple issues can arise: 1) How do you make sense of the communications from the IoT device; 2) is the feed from the IoT device encrypted; and, 3) where is the service located?
Assuming the IoT device’s communications are en clair (unencrypted), law enforcement needs to be able to make sense of that traffic. For the IoT device to communicate with the cloud service, it initially must use standard, network-level protocols (such as TCP or HTTP). However, how the device communicates after that, is in the hands of the developers who created the device. In other words (using an earlier example), if you have real-time access to the feed from a smart speaker, it means nothing unless you can decode the feed and turn the bits-and-bytes into audio that you can listen to.
One common topic discussed by cybersecurity leaders is the threat posed by IoT devices. Firms that make the devices have to choose between low per-unit costs (by eliminating hardware encryption assist) or lowering performance (to support of software encryption). A similar choice is presented for time to market vs. designing in security features and protections. As a result, many IoT devices provide streams that are both unencrypted and inherently insecure.
When an IoT device’s feed to the cloud is encrypted, law enforcement will leverage the SCA to retrieve any stored communications for that device. What is available largely depends on what the owner of the IoT device subscribes to from the cloud service – in the scenario of a home security camera, it means the difference between 24/7 video and audio or 5-second clips when there is motion. In order for a law enforcement investigator to send an SCA order to a provider, that cloud service and the data need to be in the United States. If it is outside of the United States, other, lengthy processes are used.
Protections in ECPA and SCA used to prevent United States-based cloud services from assisting foreign law enforcement (in the event that the communication was to/from a US citizen). And, even when the cloud service was US-based, the data was often housed outside of the United States, making it unclear which laws prevailed. All of this was settled with the Clarifying Lawful Overseas Use of Data (CLOUD) Act of 2018. (Changes for CSPs, cloud services, and the US and foreign law enforcement as a result of the CLOUD Act in an upcoming blog post.)
The New Crime Landscape with IoT Devices
As we are aware, the intersection of connecting devices to the Internet, and many of those devices being insecure, creates a natural, target-rich environment for hackers. However, there is another trend emerging and that is the intersection of 5G, connected devices, and traditional crimes.
With the increased number of devices per area, increased bandwidth and lower latency, 5G, is enabling new technologies such as mobile edge computing. While virtualization and automation are not new concepts, the design of 5G networks includes these, and CSPs are implementing their own private clouds. Similarly, the concept of autonomous vehicles, virtual reality, or augmented reality is not new, but the characteristics of 5G make them commercially viable. All of these changes intersect to bring about a new criminal landscape, new crimes, and a need for new investigative tools. Here are a few examples:
- When you combine 5G with autonomous (IoT) vehicles and drug traffickers, you have a drug distribution system operating around the clock operated from anywhere, around the world. Who do you arrest and charge? What evidence can you use?
- When you combine 5G with connected thermostats (IoT) and hackers, you have a vector for causing brown-outs or domestic terrorism over a large geographic area. How does an investigator determine if it was coordinated or coincidence? How do you prosecute?
There’s no doubt that IoT will enable the modernization of age-old crimes. But we may soon see a whole new landscape of crimes. This will require changes to how lawful intelligence is deployed and used and require revisiting the capabilities and investigative techniques of law enforcement.
Summary
The trend of connecting devices to the Internet (IoT) has only just begun. Devices are becoming smarter and new classes of devices are being created that we have not yet envisioned. Much of this growth is coinciding with the launch of 5G networks. This is due to the increased number of devices per area, increased bandwidth, and lower latency inherent in 5G.
While, by definition, IoT devices do not require human interaction, they do handle a wealth of information from vital statistics on a person’s health, to the sound and/or visuals of what is happening around them. Law enforcement is keenly interested in the information stored within or transmitted by these devices and has the means to garner this information either in real-time or what is stored. The challenges are how to leverage the information and deal with the legal hurdles that arise depending on the countries where the device’s owner resides, where the devices’ s manufacturer resides, and where the data that manufacturer collects is stored.
Cybersecurity research has shown that IoT devices are being used by hackers as an entry point to networks. Much of the IoT devices do not use encryption and lack fundamental security measures, making them an easy target. With the innovations expected to arrive with 5g (e.g., smart cities or self-driving vehicles), it is inevitable that such IoT devices will be a tool used in committing a crime. Monitoring such devices for evidence will be as commonplace as performing a wiretap on a mobile phone is today. This will require an update to the thinking around the lawful intelligence of IoT devices and the tools used to investigate the evidence collected from these devices.
SS8 Xcipio provides the ability to provide lawful intelligence on specific IoT device identifiers and collect those communications from network elements (e.g., routers and switches) or from passive devices. SS8 Intellego provides law enforcement with the ability to playback or reconstructs information from those communications. SS8 PXE (protocol extraction engine [protocol decode library]) provides the ability to decode and make sense of IoT communications whether en clair or encrypted.
About Kevin McTiernan
Kevin has over 20 years of extensive experience in the telecommunications and network security industries. At SS8 Kevin is the VP of Government Solutions and is responsible for leading the vision, design, and delivery of SS8’s government solutions, including the Xcipio® compliance portfolio.
About SS8
SS8, a network intelligence company, provides solutions to help customers quickly identify, track, and investigate devices and subjects of interest. They work closely with leading intelligence agencies, communication providers, law enforcement agencies, and standards bodies. Headquartered in Silicon Valley with sales and support offices in the U.S. and UK, SS8 has deployments in more than 30 countries supporting networks with nearly 1 billion subscribers. For more information, visit www.ss8.com.
