Hacking Terrorists… and You

Imagine two top ISIL operatives driving to their headquarters in Syria’s northwestern Idlib region and getting a call from their boss, which the driver answers on a hands-free Bluetooth connection. After hanging up, they discuss the call they’ve just received while another government is actually eavesdropping on their conversation in their vehicle, recording it all because the Bluetooth system had been hacked, bugging the in-car microphone. That’s great, you say, because ISIL is our enemy. But what if that same capability were redirected toward peaceful, innocent citizens in this age of homeland security and counterterrorism, as it has been in the past?

Hackers can hit OnStar and Ford SYNC, unlock doors, kill the engine, turn on the car’s microphone, listen to you, and even deactivate the ignition. It’s not science fiction -- live road tests have proven these wireless attacks can work.

Smartphones and Google Glass, the wearable computer that looks like something you’d expect to see on Mr. Spock, provide yet another platform for spying. For years, governments have been able to remotely access computer devices -- whether laptops, desktops, smartphones, or tablets -- and turn on cameras, and you’d never know it. That’s easily defeated with a Post-it note slapped over the lens. But with your smartphone or Google Glass, governments theoretically have the ability to remotely turn it on and see everything the wearer sees, does, or hears -- and exactly where it’s all happening, using the internal GPS without the user knowing it’s been activated. Are you in your home having a private conversation with your spouse? Not anymore. Imagine you’re in your office working on a sensitive project, or in a board meeting, or perhaps at a doctor’s appointment, or discussing legal issues with your attorney that are supposed to be protected by privilege -- all of that is potentially accessible. Imagine your fate if companies or bad guys accessed this information about you... well, panic, because if they want it, they can get it.

That’s not science fiction, either. Governments even wired the entire ocean with covert underwater microphones a few decades ago to listen for enemy submarines. Some governments have access to every conceivable electronic device that is connected to the Internet, sends or receives signals, or transmits anything over the air or through a cable, including phones of all kinds, computers, radios, GPS navigational devices, Bluetooth, routers, Wi-Fi -- all of what is called the grid. They essentially have the entire earth monitored -- ground, air, sea, and even space itself.

But what if you want to get off the grid? Why not buy a new SIM card for your cell phone, in cash, and get people off your trail like in the movies? Nope, every mobile phone has an IMEI number (International Mobile Equipment Identity) hard-coded to that device. The moment you bought it with your credit card and requested that AT&T or another carrier issue you a phone number, you were officially tied to that phone. Replacing the SIM just changes your phone number -- you’re still identifiable, down to within feet of the very spot you’re standing when you put a charged battery in your device... even without ever turning it on.

What if you ditched your old phone and bought a prepaid phone from a store with no security cameras, got a new SIM, and did it all with cash -- not with credit cards tracking back to you -- to throw them off? Sorry, that won’t work, either -- not if you call or text any of your old contacts with that new phone. Searchers analyze out to at least three degrees -- meaning the phone records of everyone you called (one degree), the records of everyone they called (two degrees), and finally, the phone records of everyone they called (three degrees). This includes the number dialed, who dialed it, how long the call lasted, the cell tower that picked up the signal, the IMEI number of both phones, the latitude and longitude of the callers, and much more -- giving tremendous data on both users. With that information your calling pattern would be recognized, your voice matched to earlier calls, your identity nailed down, and then your location determined using the GPS function in the device. Time elapsed? Seconds. But what if you disabled the location services on your iPhone? They can turn it back on and you’ll never know it.

But what if you bought a new computer with cash, created new e-mail addresses and a new Skype identity? Sure, but if you e-mailed your old friends and associates, it would again create a pattern pointing back to you; and the same goes for your Skype, IM, FaceTime, and all similar accounts. Guess what else -- every computer has a burned-in identity, called a MAC address (Media Access Control), which is assigned by the manufacturer and stored in its hardware. As soon as you connect to the Internet, your MAC identity pops up, your location is betrayed by your IP address, and then your days of anonymity are over -- encircled by the tentacles of the eavesdropper like a nest of snakes.

Okay, then how do you get off the grid?

Unless you’re ready to give up e-mailing people and ditch calling your family, friends, coworkers, and associates by any method other than a loud yell across the yard, you can’t. Don’t think using the apparently low-tech postal system is a workable option, either, because the sender’s and receiver’s addresses on every piece of mail are photographed and recorded so that your mail can be tracked retroactively at the request of law enforcement, with no warrant required. That’s more than 160 billion pieces of mail just last year, giving the government a pretty good map of your contacts. FedEx and UPS aren’t exempt, either. In 2013, they were threatened with criminal charges if they didn’t actively police the contents of sealed packages.

The surveillance state has been expanded not only beyond the borders, but within as well, in ways that people probably never expected. Unmanned aerial vehicles fly along the borders with Canada and Mexico scanning for illegal crossings. In most major cities, there are cameras on every intersection, in police cars, on light poles, and in buildings. Through a program called License Plate Recognition technology, or LPR, these cameras see license plates, read them, pull up the ownership information on you, feed that information back to a central database, and match it up with GPS data, all run by your local municipality. It gives the authorities real-time access to where your vehicle is and where it’s been and can estimate where it’s going, anytime. This technology was used extensively in the hunt for the Boston Marathon bombers. So unless you smear mud on your license plate, you’re never going to be able to drive free of surveillance again -- and that’s just what a local city can do; imagine what a nation is capable of pulling off.

But even if you did ditch it all, moved to a cabin in the Siberian or Alaskan wilderness, relied on solar power, and used carrier pigeons for communicating, if you ever walked into a Starbucks and someone with Google Glass was recording something, then posted it to his or her Facebook page -- guess what -- your face is there, and you can be placed at that store, on a particular date and time... and that’s a starting point.

Recall the movie No Country for Old Men, when the killer used the captive bolt pistol to execute the first victim on the road by putting it against his forehead and firing it? Imagine how the guy looked right after that bolt hammered into his skull, when he’s no longer alive but doesn’t know he’s dead -- that’s your right to privacy today.

Jamie Smith is a decorated former CIA officer, author of “Gray Work: Confessions of an American Paramilitary Spy” (WmMorrow/HarperCollins 2015), a frequent commentator for FOX News, CNN, and MSNBC, a former advisor to the Chair of the US House Intelligence Terrorism, HUMINT, Analysis, and Counterintelligence Subcommittee, and an advisor to GRAY | Solutions. He holds a doctorate in law.

Cole Smith is a student and research assistant.
