Advancements in computer technology have found their way into every aspect of law enforcement. Frankly, these advancements have changed the landscape of criminal investigations forever. To help deliver improved law enforcement services, police agencies across the country are finding creative ways to deploy advanced technologies in their workflows. Body-worn cameras, 3D scanners, smartphones, mapping tools, advanced communication equipment, computers and software are all blending into a set of tools that are just as relevant to policing as handcuffs, patrol cars, and ticket books. At the same time, criminals are taking advantage of the same technologies. Not surprisingly, however, they are learning about and using technology for more sinister purposes.
Cybercriminals have historically used technology to help them commit financial crimes, identity theft, and to cause disruption by spreading spam, malware and computer viruses. Cybercrime is evolving and it is now a serious threat to our personal safety. Because of this, the way crime is committed and investigated is changing. In a May 2018 interview, Los Angeles Police Department cybercrime expert Detective Andy Kleinick said that cyber technology is a major factor in almost all crime.[1] As the correlation between violent crime and technology increases, this means the identification, collection, preservation and presentation of digital evidence will need to be handled just like physical evidence. In fact, in the near future, detectives will spend as much time looking for digital evidence linking suspects to crimes and crime scenes as they do looking for physical evidence today.
An evolving source of this digital evidence will come from the Internet of Things (IoT). Simply defined, the Internet of Things, or IoT, is anything that has some basic level of computer technology built into it, allowing the device to connect or communicate with other devices or, more importantly, to the internet.[2] The Internet of Things will provide endless possibilities on how this technology will expand. For most using the world wide web, though, IoT is not fully understood and the impacts are simply not realized.[3] This lack of understanding includes those in policing.
Law enforcement organizations must observe and prepare for the challenges they will face when it comes to working with this evolving realm of the IoT digital evidence. We will explore how advancements in technology impact the investigation of violence motivated cybercrime, which can be carried out through IoT devices in the next decade. When investigating violent crime, police administrators, detectives, and first responding patrol officers must take the use of technology into account in almost every criminal investigation. To do so, we need to address how law enforcement officers train to develop high-tech investigative skills, how they identify what might contain digital evidence, and how they link that digital evidence to their investigations.
Challenging the Investigative Mindset
Investigating and solving violent crimes of the future will require an entirely new set of skills, far beyond the knowledge and abilities detectives currently possess. Ask yourself, “Are my agencies detectives being trained to understand the complexity of computer technology as it relates to the investigative challenges facing them over the next five to ten years?” We first must recognize that virtual crime scenes are just as challenging to work as their physical counterparts. Violent crimes carried out through IoT technology will involve significant amounts of digital evidence. That evidence will need to be collected from multiple sources, including the internet, personal computers, portable electronics and IoT devices.[4] Digital evidence will be as relevant to proving crime as a murder weapon left behind at a homicide scene is today.
In addition to eyewitness testimony and physical evidence, detectives must also learn to understand how electronic items either possessed or associated with victims or suspects (including any electronic item at the crime scene) may contribute to the case. By using information or data from these sources, investigators might be able to paint a picture that otherwise could not have been portrayed through physical evidence alone. For example, in January 2018, German law enforcement discovered health information captured on a rape and murder suspect’s phone could be related to the crime. His installed health app showed the suspect was climbing at or near the time of the crime. This movement could have easily been associated to the hill along a riverbank where his victim’s body was discovered.[5] In 2015, Bentonville Police in Arkansas sought ambient sound recordings from an Amazon Echo home entertainment device to see if they could hear what occurred around the time of a murder. In addition, they used flow data recorded by the suspect’s smart water meter to show the suspect used abnormal amounts of water to clean up after the homicide.[6] These examples illustrate how detectives should consider everything in the IoT as possible sources of evidence. The list of possible IoT sources of that evidence will only continue to grow; in fact, it includes a surprising number of everyday devices.
From Light Bulbs to Cement
Advancements in computer technology have found their way into many common and everyday devices. Tools, appliances, automobiles, and toys are a few basic categories of items that now have incredible connectivity through IoT technology. Specific items like light bulbs, power outlets, pet feeders, thermostats, door locks, home security systems, and even cement can now connect to the internet.[7] Any one of these items can have sensors built into them that allow them to collect, send and receive data, turning them dumb items into smart devices.[8] This high level of connectivity allows for the transmission of information and data, which will enable cybercriminals to alter and disrupt IoT devices for their intended purpose. IoT devices are designed and manufactured with convenience in mind, not security[9]. Those modifications can cause harm to others, thus creating a new dimension of violent crime. The world has clearly entered into the age of the Internet of Things as evidence in the estimation over 11 billion devices will exist in the United States by 2025.[10] This explosion of cyber connectivity will create a plethora of opportunity for hackers interested in exploiting the lack of security built into these items.
Marc Goodman, author of Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It, summed up the current state of connected devices when he said this during a Wired magazine interview in 2015, “Most folks don’t realize the extent to which the whole world is becoming a computer. All physical objects in our space are de-materializing and are being transformed into information technology.”[11] Goodman isn’t the only person warning us. Bruce Schneier, an internationally renowned security technologist, who the Economist called a “security guru,” and author of over a dozen security and technology related books says, ““We no longer have things with computers embedded in them. We have computers with things attached to them.”[12]
Because IoT devices are connected to the internet and each other through a series of networking elements, they are susceptible to being remotely hacked by cybercriminals[13]. This connectivity poses a serious threat to public safety, and another way to commit crime in addition to being a source of evidence. What if a hacker accessed an Internet-connected pacemaker, insulin pump, or defibrillator with the intent of inducing a disruption that resulted in someone’s death? Would law enforcement officers recognize the death as something suspicious, or would they classify the death a result of natural causes?
A Threat to Medical Devices and More
The threat of cybercrime is no longer focused on the disruption of computer systems or stealing personal identities and money. Cybercriminals can now threaten our physical health through the disruption of medically connected, worn or implanted devices. To expand on this point, ponder this scenario…Charlie is well educated thirtysomething who recently received an advanced computer science degree at the University of California at Berkeley. Charlie is self-centered and struggles to maintain significant relationships in his life. As far as he is concerned, Charlie believes he is entitled to go straight from college to retirement. Fortunately for Charlie, his father suffered a near fatal heart attack shortly after Charlie graduated. As the only son and remaining family member, Charlie moved in with his father to help care for him. Although inconvenient, it was Charlie’s responsibility as the only surviving relative. It didn’t take Charlie long to use his computer science training, experience and education to write software that allowed him to access into his father’s implanted pacemaker. The doctors who put the pacemaker into Charlie’s father truly believed it would add years to his life. What they didn’t realize was the device was manufactured with poor internet security.
As Charlie and his father watched a weekend football game on television, Charlie used his laptop to send commands to his father’s pacemaker, disrupting its operation. The commanded malfunction resulted in a catastrophic failure of the pacemaker, which put Charlie’s dad’s heart into a rhythm that would not sustain life. Within seconds, Charlie’s father lay dead in his favorite recliner. Charlie calmly called 911 to report his father apparently suffered another heart attack and appeared dead. When medical personnel arrived, Charlie expressed disbelief and anger in the fact his dad’s new pacemaker should have prevented this tragedy. None of the emergency workers or attending physicians suspected anything inappropriate, so the death was signed attributed to natural causes. Charlie received a substantial inheritance and greedily fulfilled his dream of starting life in retirement. Would law enforcement officers from your agency recognize or suspect foul play if they encountered a homicide of this nature. If not, there is work to do.
Scenarios like this are not as far-fetched as you might think. In 2007, Vice President Dick Cheney had the wireless communication capabilities on his implanted pacemaker disabled to prevent an assassination attempt.[14] Not much changed regarding implanted pacemaker security, though, until 2017 when all of the major US manufacturers of implanted pacemakers issued cyber security warnings with their products. In another case, following pressure from the US Food and Drug Administration, St. Jude’s recalled hundreds of thousands of implanted cardiac devices. The problem is not isolated to implanted cardiac machines such as pacemakers and defibrillators. Hacked and disrupted automated insulin pumps could cause altered doses, resulting in potentially fatal consequences.[15]
The IoT cyber threat is not limited to medical devices manufactured or used in the United States. Belgian and British researchers found security flaws in 10 implanted medical devices that centered around the proprietary communication protocols manufactured into these machines.[16] Cyberattacks can also access and disrupt automobiles. Auto companies are investing heavily in IoT connected vehicles, connecting their vehicles in several ways. First, they use embedded technology that enables the vehicle to use its own computer technology to connect externally to other sources. Second, tethered technology allows components on or in the vehicle to connect via another device, like a smartphone. This type of technology is built into common mobile apps, like Google Maps, Gasbuddy and music products like Spotify.[17]
In 2013, Charlie Miller, a Security Researcher at Twitter and Chris Valasek, Director of Vehicle Security Research at IOActive, were some of the first researchers to expose vulnerabilities in automobiles by hacking into Wired Magazine reporter Andy Greenberg’s Jeep Cherokee.[18] Miller and Valasek were able to remotely control several of the operating systems on Greenberg’s vehicle, making it impossible for him maintain control. Because cars are literally computers on wheels, they can be hacked, potentially with catastrophic results. Technology controlling critical safety features will soon be on the IoT, making them a target for hacking.[19] Cellular, BlueTooth and WiFi enabled components built into automobiles provide entry points for hackers.[20] Will your jurisdiction’s next serial killer be someone causing fatal collisions by introducing disruptions into critical operating systems on the newest family sedan?
Law Enforcement’s Response
These examples demonstrate how IoT devices can and will be hacked by cybercriminals to inflict harm on others. Unfortunately, because these technologies often lack dependable security features, they are easy targets. As they are exploited for criminal purposes, society will expect law enforcement agencies across the country react to this growing threat appropriately. To help prepare police agencies, administrators must consider revamping and modernizing training to deal with this crime trend. Traditionally, cybercrimes training has been reserved for investigators primarily assigned to special high-tech crime units. It’s now time for detectives assigned to homicide, gang, narcotics and sex crimes units to receive advanced cybercrime and high-tech investigative training as well.
In a May 2018 interview, LAPD Lieutenant Bruce Hosea, who manages the Los Angeles Police Department Cyber Crime Unit, discussed training options for law enforcement.[21] Lieutenant Hosea said all law enforcement agencies must recognize the importance of providing modern and relevant cybercrimes training for their staff, drawing a correlation between crime and technology. In his opinion, technology can be used as a tool that helps link both suspects and victims to crime. At the same time, technology could be used by any suspect to plan and commit crime. Hosea’s statements support broadening tech training to a much wider array of investigative specialists, especially those where hacking the IoT can help perpetrate these crimes.
Like most agencies throughout the county, LAPD cybercrime detectives receive fundamental training through federal agencies. One venue for this training is the National Computer Forensics Institute (NCFI) in Alabama, which is a program sponsored by the US Secret Service.[22] Lieutenant Hosea said class sizes are small and the waiting lists to get into the training is long. To help bridge the gap, the LAPD has partnered with the University of California at Irvine to create two classes to train officers. A one-day class offers the basics information all law enforcement officers should have. A five-day class dives deeper to build the skills investigators should possess. Those who have received training often provide briefing trainings to other patrol officers on how to recognize and deal with digital evidence when they run across it in the field. Law enforcement agencies across the country should consider implementing similar programs to help develop their staff.
Lieutenant Hosea added that cybercrimes units and regional high-tech tasks forces scattered across the country cannot be expected to handle the growing demand for their services. From his perspective, it is critical cybercrimes units have the discretion to delegate the basic responsibility of investigating cyber related crime back to the detectives responsible for the related cases. Some of those basic tasks include collecting physical hardware, and writing the search warrants needed to identify, preserve and analyze the digital evidence.
Legal Challenges and Cybercrime Models
During a personal interview with Detective III Andy Kleinick with the Los Angeles Police Department in May 2018, he warned about two major emerging investigative challenges regarding law enforcement’s approach to cybercrime investigation.[23] First, electronic communication privacy acts across the country, especially in California, are changing how law enforcement interacts with digital information. To some, California’s version of this law, known as SB 178, or CalEPCA, has been hailed as the best digital privacy law in the country. CalEPCA severely restricts law enforcement access to digital information stored on electronics.[24] According to Kleinick, because of this, other states are looking toward California for developing their own digital and cyber related laws and policy. Kleinick believes CalEPCA has just as much of an impact on search and seizure practices in California as the Miranda warning has on self-incrimination throughout the country. Electronic communication and privacy laws govern all electronic devices, not just smartphones, computers and tablets. The translation for law enforcement – all IoT devices will fall under this umbrella. In most cases, accessing data from IoT devices will require a search warrant based on probable cause.
The second concern voiced by Kleinick centers around how law enforcement agencies are developing, or considering developing, their own cybercrime units. Many departments might consider building teams staffed by civilians with high tech experience. Unfortunately, because of spectrum of digital evidence that can be gleaned from electronic items these days, we can’t just look into a computer and pull out evidence. Investigators must be able to put the pieces together from the digital information seized. Plus, high tech evidence includes a large amount of contraband, like child pornography. Because electronic devices store large amounts of personal information, some of it can be constitutionally privileged. Communications with a spouse, attorney, or counselor are just a few examples. Kleinick said police agencies are starting to experience problems working with this type of data and information if sworn officers are not involved in the process.
In Conclusion
For better or worse, computer technology has found its way into every aspect of our lives. The conveniences of the IoT continues to amaze us in innovative, creative, and powerful ways. However, because Internet of Things connected devices are nothing more than things with computers attached to them, they are hackable. Once hacked, IoT devices can be used for criminal purposes. Law enforcement must learn everything they can to address the threats IoT potentially pose. High-tech crime investigation training will need to expand to help law enforcement agencies prepare their officers and detectives for the future, high-tech crime they will encounter. Special, often free, programs exist to help law enforcement agencies keep up with advances in computer technology, but creative alternatives should be explored.
Society expects law enforcement personnel are trained and equipped to protect them, no matter what threatens their personal safety. Officers must be trained and learn how to recognize the potential impact of the Internet of Things and how it can be used to commit crime. Law enforcement administrators need to evaluate their organizational training plans and adjust them to keep up with the demands and challenges. There are multiple challenges facing law enforcement and their approach in dealing with digital evidence. Most of these issues have not been vetted through the legal system. Case law to help guide law enforcement conduct in these areas simply doesn’t exist. Cyber motivated violent crime is a real threat and it can materialize in unimaginable ways. Waiting until tomorrow will exponentially put the public and law enforcement at an increased risk.
[1] Personal interview with the author, May 5, 2018.
[2] “What is the Internet of Things? WIRED explains | WIRED UK.” http://www.wired.co.uk/article/internet-of-things-what-is-explained-iot. Accessed 6 May. 2018.
[3] “A Simple Explanation Of ‘The Internet Of Things’ – Forbes.” 13 May. 2014, https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand/. Accessed 5 May. 2018.
[4] “Digital Evidence and the US Criminal Justice System – NCJRS.” https://www.ncjrs.gov/pdffiles1/nij/grants/248770.pdf. Accessed 6 May. 2018.
[5] “Apple health data used in murder trial – BBC News.” 12 Jan. 2018, http://www.bbc.com/news/technology-42663297. Accessed 3 May. 2018.
[6] “Bentonville Police Use Smart Water Meters As Evidence In Murder ….” 28 Dec. 2016, http://5newsonline.com/2016/12/28/bentonville-police-use-smart-water-meters-as-evidence-in-murder-investigation/. Accessed 3 May. 2018.
[7] “15 Examples of Internet of Things Technology in Use Today – Beebom.” https://beebom.com/examples-of-internet-of-things-technology/. Accessed 5 May. 2018.
[8] “Leverege | IoT Explained – How Does an IoT System Actually Work?.” 29 Oct. 2016, https://www.leverege.com/blogpost/iot-explained-how-does-an-iot-system-actually-work. Accessed 8 May. 2018.
[9] “The Internet of Things: Convenience vs. Risk – Bryley Systems Inc..” 14 Mar. 2018, https://www.bryley.com/2018/03/14/the-internet-of-things-convenience-vs-risk/. Accessed 6 May. 2018.
[10] “• IoT hardware in US retail market 2014-2025 | Statistic – Statista.” https://www.statista.com/statistics/688756/iot-in-retail-market-in-the-us/. Accessed 3 May. 2018.
[11] “Crime Has Gone High-Tech, and the Law Can’t Keep Up | WIRED.” 21 Mar. 2015, https://www.wired.com/2015/03/geeks-guide-marc-goodman/. Accessed 5 May. 2018.
[12] “Security and the Internet of Things – Schneier on Security.” 1 Feb. 2017, https://www.schneier.com/blog/archives/2017/02/security_and_th.html. Accessed 29 Apr. 2018.
[13] “IoT Hacks and Vulnerabilities – Hacker Noon.” 12 Dec. 2017, https://hackernoon.com/iot-hacks-and-vulnerabilities-347dbe2ef98c. Accessed 6 May. 2018.
[14] “Facing Up to Online Murder and Other Cybercrimes – Scientific ….” 3 Dec. 2014, https://blogs.scientificamerican.com/guest-blog/facing-up-to-online-murder-and-other-cybercrimes/. Accessed 29 Apr. 2018.
[15] “Hackers pose danger to patients with pacemakers, other medical ….” 19 Apr. 2018, http://tucson.com/business/hackers-pose-danger-to-patients-with-pacemakers-other-medical-devices/article_38bdd701-a8d1-5fe0-8ef7-91ddb46d90ca.html. Accessed 28 Apr. 2018.
[16] “Medical Devices Are the Next Security Nightmare | WIRED.” 2 Mar. 2017, https://www.wired.com/2017/03/medical-devices-next-security-nightmare/. Accessed 28 Apr. 2018.
[17] “Automotive Industry Trends: IoT Connected Smart Cars & Vehicles ….” 20 Dec. 2016, http://www.businessinsider.com/internet-of-things-connected-smart-cars-2016-10. Accessed 29 Apr. 2018.
[18] “Hackers Remotely Kill a Jeep on the Highway—With Me in It | WIRED.” 21 Jul. 2015, https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/. Accessed 29 Apr. 2018.
[19] “Connected Cars: Vulnerable Computers on Wheels?.” 16 Oct. 2017, http://www.govtech.com/fs/automation/Connected-Cars-Vulnerable-Computers-on-Wheels.html. Accessed 5 May. 2018.
[20] “The Latest Security Threat Could Be Hiding in Your Car | Fortune.” 4 Jun. 2016, http://fortune.com/2016/06/04/connected-cars-security-threat/. Accessed 5 May. 2018.
[21] Personal Interview with the author, May 4, 2018.
[22] “NCFI – Home – Usss.gov.” https://www.ncfi.usss.gov/. Accessed 29 Apr. 2018.
[23] Interview with the author, May 4, 2018
[24] “California Electronic Communications Privacy Act (CalECPA) – SB 178 ….” https://www.aclunc.org/our-work/legislation/calecpa. Accessed 9 May. 2018.