Mark Loveless, aka Simple Nomad, is a researcher and hacker. He frequently speaks at security conferences around the globe, gets quoted in the press, and has a somewhat odd perspective on security in general.

Avoiding Physical Surveillance

Photo courtesy Benoit Prieur

Every once in a while, those of us in the hacker community are asked about how to protect computer systems from intrusion. Most of us will try to be helpful and will pass on what we can, with the intent that we can help others by providing the knowledge and the tools to get the task done. Today I’ll talk about surveillance. Usually this is a discussion about online surveillance, but this blog post is geared specifically toward physical surveillance.

FYI, I am not going to be giving out any state secrets or new bad-guy tactics here, as spies and (smarter) criminal elements are more than aware of these tactics themselves.

Why This Topic?

The ability to watch a society in near real time can have great benefits, particularly for criminal investigation and even proactive crime prevention. Major traffic movements can be monitored, and in an emergency this helps guide fire departments and EMS to a location while avoiding traffic congestion. But there are some cases when you don’t want to be monitored - in part because this type of technology can be easily abused, and it is often fraught with flaws.

Inaccurate visual surveillance. The science behind this is imperfect. You could be mistaken for someone else by an algorithm processing video footage or photos/still frames. Data gathering techniques are not perfect and are prone to errors. This could lead to being detained, and even to something being added to your record.

Inclusion by proximity. You are out on errands and you cross paths with a politically-motivated protest. Depending upon the level of surveillance used and how wide of a net is cast, different forms of surveillance could pick up on your presence and mistakenly associate you with this protest. Depending upon the data gathered, you could become a new target to track, which leads to unpleasant encounters.

Invasive marketing. You’re walking through a mall, and on a whim decide to enter a store that sells luggage. You look around but do not buy anything; in fact you leave the store without any interaction with sales staff and head home. Now all of a sudden, when viewing social media and news sites online, you see tons of luggage ads. Coincidence?

Who's Watching?

We'll break this down into the different categories of watchers, from least likely to most likely.

Spies. Actual spies from foreign governments coming to spy on you in particular. Truthfully this is highly unlikely, and if it is happening, most likely you already have “people” to talk to about this.

Government agencies. It could be a repressive regime spying on its people, or an overzealous effort by law enforcement to try and monitor activities in an attempt to control the citizenry.

Marketing agencies. Online monitoring is extremely common, but there are methods of physically monitoring citizens that retail companies can and do use.

Criminals and criminal organizations. While it is possible that a gang or cartel could be coming after you, most likely this will be a crime of opportunity where a criminal is looking for any victim and you happen to be there. Usually the criminals are using just their eyes, and not cameras and electronic gear.

How Can You Be Monitored?

Visually. Cameras seem to exist everywhere, from businesses to major street intersections to toll booths, and even from other people walking around in public with cameras on their phones. Some of these cameras are owned by private businesses, some are owned by governments, and for many of them there is little oversight. Criminals on the other hand use things like eyes, since they are usually looking for victims based upon a combination of vulnerability and availability.

Physically. Biometric identification has advanced in multiple areas, and has grown from fingerprints to include palm prints, iris and facial recognition, with the possibility to perform near-real-time analysis from the field or from one of the cameras listed above.

Electronically. There is a lot of tech that a person carries with them, and that tech can generate unique and personal identifying data - sometimes the data is anonymized so a name isn’t included, yet there are so many unique identifiers that it doesn’t even matter. This is in addition to the data that is generated online - this is data that the phone puts out wirelessly, and there are organizations that can collect that data. Ordinary citizens can afford the tools needed to do this (only a laptop and special software are required, and most of the time the software is free), but often there are law enforcement agencies and even private organizations using these techniques. These private organizations are often able to buy and sell entire databases to any organization they deem fit, be it another data-gathering firm, ad agencies, government agencies, or law enforcement.

Basic Avoidance

There are a few basic steps one can take to avoid surveillance, and we’ll start with your physical appearance. Consider “going gray.” I wrote about this fairly recently in a blog post called "Going Gray: The Gray Man." I'd also highly recommend this video on the topic. This helps you blend in and in case you end up on camera you could still escape scrutiny if there are “flashier” things (or people) in frame - particularly if the footage is being reviewed by a human and not an algorithm. Is it perfect? No. But it helps improve your odds.

As I write this, there is a global pandemic, and a side effect of this pandemic is that one can seriously step up their “going gray” game by wearing PPE (Personal Protection Equipment), such as a mask. Couple a mask with a plain hat and sunglasses, and you've removed yet another level of personal recognition in person and on video, since you are even less recognizable. A few months ago, if you were dressing that way most people would assume you were on your way to commit an armed robbery. Right now no one thinks twice. This will thwart facial recognition algorithms as well.

In doing just this much - going gray and using PPE - you’ve removed a large number of ways you can be physically monitored and visually tracked.

Personal Devices

Let's talk tech and the ways we can be monitored via our tech while out and about in the physical world.

Your phone. This is possibly the biggest one, as everyone wants a smart phone for getting on social media, keeping in touch with family and friends, and using it as GPS for location information and directions. The problem is that many of the apps perform telemetry and send data back to advertisers, report back to the developers on how you’re using the app, and so on. This data is used by some groups to build a profile on you, which can be sold to any number of parties, including ad firms and law enforcement, just to name a couple.

For this communication to happen in the first place, your phone needs to communicate via Wi-Fi or cellular. When it comes to the latter, this requires regular contact with cell towers - typically more than one so that the phone can move from one point to another and not drop a signal. The data about the signal and its strength at the towers can also be used to triangulate your physical location.

Don’t think that not having cellular service for your phone will prevent this triangulation - all of these phones are still able to call emergency services, so even without having phone service, the phone is still talking to cell towers.

When Wi-Fi is active on your phone, it will periodically check for nearby Wi-Fi networks. This is done with a Probe Request looking for available Wi-Fi networks to connect to. Sometimes it will send out a broadcast message, and in some cases it will ask about a network it was connected to in the past. A nearby adversary could easily capture this information and learn a lot about you and your phone - including the unique media access control (MAC) address. The MAC address identifies the phone manufacturer, and makes for a unique identifying number associated with your phone. Couple this with any network queries about a past-connected address and a few lookups in Wigle, and your location history could be revealed.
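As an added example (not code from the original post), the following Python parses a Probe Request and reports the two details described above: whether the source MAC is a stable hardware address, and whether the probe names a past network. The function names, MAC addresses and SSID are constructed for illustration, and it assumes a raw 802.11 frame with no radiotap header, such as one recorded from your own phone.

```python
# Added example: what a Probe Request reveals. All frames below are constructed.

def parse_probe_request(frame: bytes):
    """Parse a raw 802.11 Probe Request (no radiotap header, no FCS).
    Returns the tracking-relevant fields, or None if it is not a probe request."""
    if len(frame) < 24:                      # fixed management header is 24 bytes
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 4:           # management frame, subtype 4 = probe request
        return None
    src = frame[10:16]                       # Address 2 = transmitter (the phone)
    ssid, pos = "", 24
    while pos + 2 <= len(frame):             # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:              # truncated element: stop parsing
            break
        if tag == 0:                         # tag 0 = SSID; empty means wildcard
            ssid = value.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    randomized = bool(src[0] & 0x02)         # locally administered bit set
    return {
        "mac": src.hex(":"),
        "randomized": randomized,
        "oui": None if randomized else src[:3].hex(":"),  # vendor prefix
        "ssid": ssid or None,                # None = broadcast (wildcard) probe
    }

def privacy_findings(info: dict) -> list:
    """List what this single frame gives away about the device and its owner."""
    findings = []
    if not info["randomized"]:
        findings.append(f"stable hardware MAC, vendor prefix {info['oui']}")
    if info["ssid"]:
        findings.append(f"names a previously joined network: {info['ssid']}")
    return findings

def build_probe(src_mac: str, ssid: str) -> bytes:
    """Construct a sample probe request for the checks above (not a capture)."""
    header = (b"\x40\x00\x00\x00" + b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
              + b"\xff" * 6 + b"\x00\x00")
    name = ssid.encode()
    return header + bytes([0, len(name)]) + name + bytes([1, 2, 0x02, 0x04])

if __name__ == "__main__":
    for mac, ssid in [("00:11:22:33:44:55", "HomeNet-Example"), ("da:a1:19:00:00:01", "")]:
        info = parse_probe_request(build_probe(mac, ssid))
        print(info["mac"], privacy_findings(info) or "nothing identifying")
```

A phone that produces no findings here is sending wildcard probes from a randomized address, which is the behaviour you want before leaving Wi-Fi enabled in public.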

Bluetooth also has numerous issues involving tracking and privacy that can be too revealing. While it is convenient to use Bluetooth to talk to various devices and accessories, it opens you up to yet another avenue of revealing information. And like the Wi-Fi interface, the Bluetooth one also has a MAC address - and it is incrementally one digit off from its Wi-Fi counterpart. The thing to remember here is that while Bluetooth has a range of around 33 feet, a listening device with a fairly inexpensive antenna can dramatically increase that range.

Personal accessories. Personal accessories include (but are not limited to) fitness trackers, smart watches, and wireless ear buds. They typically use Bluetooth to communicate with your phone, although there are a few devices, including some fitness trackers and a few watches, that can actually use LTE and talk to cell towers without hopping through your phone. All of these devices also have unique MAC addresses, and when you take a number of these devices together as a whole, they create a vivid and highly traceable overall fingerprint. You and your devices could show up across multiple cell towers, Wi-Fi networks, and Bluetooth beacons, creating a complete physical path you’ve traveled.

Advanced capture. Remember that data can be captured in other ways, such as via Stingray technology. This type of technology can be used from aircraft such as small planes and helicopters to help cover large areas, and similar technology could certainly be installed in a smaller package that could fit into a car or a backpack, or be mounted to a drone. An overzealous law enforcement agency could use multiple combinations of scanners and sensors to gather a lot of data in one fell swoop. Sure they could be after that criminal or terrorist you happened to be standing next to, but they are gathering a LOT of data. This has even more potential consequences if you are a part of a peaceful protest, or just walking by one by accident - your personally identifying data is now mixed in with a group you may not want to be associated with.

Mitigation of Digital Monitoring

Assuming you don’t want to just leave all of your personal tech at home when venturing out, you can mitigate the digital surveillance dangers in a couple of different ways.

The first method is the easiest - if you wish to prevent tracking of your tech, place your tech in a faraday bag. I have a couple of Mission Darkness faraday bags, and if I’m out in my car and wish to “disappear”, the tech goes in the bag. There are several different brands with various features and they are probably fine, but this is one brand that I own and I’ve personally tested. In lieu of a faraday bag, if your phone’s battery is removable you could unplug it (simply powering it off will not suffice), but this doesn’t take care of your remaining personal tech. Besides, the Mission Darkness bags are fairly inexpensive.

The second method involves using a burner phone while out. I’d still keep the burner in that faraday bag pretty much all of the time until needed, with nothing but the most needed apps and a specific set of procedures and protocols for communication with family and friends. As a burner phone done hacker-style is a bit more involved, I’ll cover it in detail in another blog post or maybe a video.

Disabling Bluetooth and Wi-Fi when not in use helps, and airplane mode helps (although as mentioned, if your phone can still call 911 it is still talking to towers), but either a faraday bag or a phone with a removable battery is the best way.

What Wasn’t Covered

There are a few areas we did not get into, such as using a credit card in a store or debit card at an ATM, which places you physically at a location at a point in time (you can always use cash). We also didn’t cover transportation options like taxis or public transportation (again use cash), but hopefully you have enough to work with to get you started.

Summary

There are multiple ways one can be tracked physically - but with a few precautions such as dressing to blend in, wearing your PPE, and corralling your personal tech, you can limit if not completely eliminate your presence to those who might be trying to physically monitor you. Stay safe!
