Counterintelligence Risks of Smart Watches
“Apple watches are for nerds.”
Though we don’t actually think this, it’s easy to understand how one could come to that conclusion. The Apple Watch of today could be seen as the “calculator watch” of the ’90s: in other words, a product with a nerdy association. One thing we can say is that smart watches are NOT/NOT for intelligence officers. Smart watches, like the Apple Watch, offer significant lifestyle benefits: fitness tracking, optimizing communication, and sleep monitoring. However, for CIA Human Intelligence (HUMINT) collectors who rely on anonymity to securely conduct clandestine operations, the networked device is a counterintelligence (CI) vulnerability and potential opportunity for exploitation. For every benefit the Apple Watch provides, it also comes with a threat.
In general, we are not against smart watches at W.O.E. In my post-CIA life I have worked in emerging technology, and the benefits of “wearables,” including smart watches, are limitless. Even though their high-tech functionality runs counter to many of the analog-inspired stories that we put out at W.O.E., smart watches are great tools. They provide immediate and actionable data to increase one’s health, productivity, and situational awareness. To effectively provide this resource, the watch constantly collects data on one’s location, surroundings, vitals, and movement. That data is held on the device or sent to a cloud for storage and analysis. Depending on the applications on the device, much of this data is packaged and sold to third parties for targeted advertisement.
Strava Fitness App:
In late 2017, open-source fitness tracker data from Strava, an application that allows users to track their fitness activity, was used to reveal the locations of sensitive military sites in countries including Syria, Niger, and Afghanistan. More than 3 trillion data points were available for analysis, posing a potential vulnerability for operational security (OPSEC) by revealing sensitive government locations of importance to the US Government’s operations in the area. It’s important to note that this data was relatively rudimentary: simple GPS data points with a map overlay, a fraction of the data collected by smart watches today. Even so, researchers from Bellingcat were able to manipulate and combine the information with other datasets to reportedly reveal the identities of British Special Air Service (SAS) personnel, proving that “anonymized” data often isn't.
Strava heat map showing sensitive government location. (Strava Data)
A CIA Case Officer’s core competency is to recruit and securely handle “agents” for strategic intelligence collection. This activity ideally occurs in face-to-face clandestine meetings with the foreign government penetration or non-state actors in back alleys, parks, seedy hotel rooms and safe houses. To securely collect human intelligence, the Case Officer must be “black” (free from hostile surveillance) to protect the identity of the asset. Traditionally, this requires a multi-hour Surveillance Detection Route (SDR) to determine one’s status. The rise of networked devices and “smart cities” with facial recognition and ubiquitous surveillance makes the Case Officer's job more difficult than ever before. In these so-called “smart cities,” movements are easier to track.
Ubiquitous Technical Surveillance (UTS):
The Internet of Things has permeated our everyday lives. Everything from your car to your toaster and baby monitor constantly collects data in order to provide a better user experience through the “smart” network.
Graphic Credit: Ridgeline International
A smart watch is just one vector in what has become known as “Ubiquitous Technical Surveillance (UTS).” According to defense contractor Ridgeline International:
UTS refers to the collection and long-term storage of data in order to analyze and connect individuals with other people, activities, and organizations. Because our data is stored indefinitely, these records are always accessible. In the case of Ubiquitous Technical Surveillance, this data can be used to forensically reconstruct events, no matter how long ago they occurred.
Most of this data is collected for commercial purposes, either to make the product more effective for the customer or to be packaged and sold for advertising. “Data is the new oil”. Collecting, storing, and processing data has never been easier or cheaper, and this ubiquitous network of technical surveillance can be exploited and analyzed in real time or after the fact, potentially revealing the time, location, and identities of those involved in a clandestine act.
Counterintelligence, or “CI”, is any potential risk to an intelligence officer, asset or operational activity. For Case Officers, this boils down to revealing the identity, location or tradecraft of an officer, agent or clandestine act. The rise of technology has increased the potential points of collection (threat vectors) and exploitation, making secure agent handling more difficult. Not long ago, a hostile intelligence service would have to surreptitiously implant a listening device in an office or a beacon on a vehicle. Today, vehicles are integrated into a smart network with constant telemetric collection, and everything from TVs to toasters and your watch now has a microphone that can be remotely activated, a technique known as “hot mic.”
When Washington Post columnist Jamal Khashoggi was killed by the Saudi government in a Saudi consulate in Istanbul in October 2018, initial reporting suggested his murder was recorded by his Apple Watch, something technically possible given the microphone and record feature. While this turned out to be disinformation (REDACTED), such a recording is technically possible and may become more common in the future.
Jamal Khashoggi entering the Saudi consulate in Istanbul 2 October 2018
The Future is Now:
Not long ago, an intelligence officer could simply leave his or her phone (or smart watch) at home while operational; however, today even this lack of activity is an indicator. How often is your phone or smart watch sitting idle while you are at home for hours at a time? The lack of movement is just as telling as movement itself. When it comes to wearables, if an intelligence officer wore a smart watch 24-7, but removed it when operational, this could clearly be analyzed as an anomaly to identify suspected periods of operational activity. Should a pattern emerge, a hostile intelligence service may allocate physical (or technical) resources to further monitor that individual during a given time, hoping to exploit a vulnerability.
Pattern of Life Analysis:
Understanding a target’s “Pattern of Life” (POL) is crucial for intelligence collection and a smart watch is the ideal tool to collect POL data. A Russian intelligence officer’s regular visits to a casino, brothel or liquor store may indicate vulnerabilities for exploitation. Knowledge of regular visits to a gym or park for exercise presents an opportunity for a Case Officer to facilitate a seemingly innocuous encounter. For non-state actors and terrorists, patterns provide an opportunity for a capture-or-kill operation. Smart watches and other wearables present an opportunity for unprecedented “Pattern of Life” collection in real time but at an even deeper level of analysis including heart rate, sleep patterns and other physiological responses. Further, if the device is compromised, the microphone and camera can be activated, providing insight into that individual's home life, relationships and mental state.
Traditionally, the capability to compromise a technical system in this way was limited to advanced state actors, specifically hackers known as “APTs” (Advanced Persistent Threats). However, with the growing private sector intelligence industry, these capabilities are now available to companies, governments and non-state actors. Notably, Israeli firms including NSO Group have developed and commercialized these capabilities. NSO Group’s Pegasus spyware can be covertly installed on an individual’s Apple iOS device, exploiting previously unknown “zero-day” vulnerabilities in the software.
The US government openly acknowledges the risk of smart watches and prohibits the wearing of any Bluetooth, wireless or Wi-Fi-enabled device in a Sensitive Compartmented Information Facility (SCIF), a secure government facility where classified government information can be discussed and transmitted. Intelligence officers who spend much of their time working in a SCIF are not permitted to bring in their cellphones or any device that receives or transmits a signal, including smart watches.
Counterintelligence Risk = Collection Opportunity:
While smart watches present a vulnerability for CIA Case Officers, they present an equally interesting opportunity for the US Intelligence Community’s computer exploitation “hackers” to target foreign entities for intelligence collection. Exploiting a foreign intelligence officer’s smart watch could facilitate analysis of his or her pattern of life, allowing a CIA Case Officer to “bump” the foreign official to strike up a conversation in hopes of recruiting that individual as a penetration. Remotely activating the camera and microphone on a device belonging to a foreign President’s staffer could result in collection of Foreign Intelligence (FI) or valuable assessment data on that individual.
Despite the CI risks, foreign politicians including former Russian Prime Minister Dmitry Medvedev have been photographed wearing Apple and other smart watches.
U.S. elected officials are not immune from this type of analysis by foreign intelligence organizations. Interestingly, current President Joe Biden was the first U.S. President to wear an Apple Watch in the Oval Office, while President Obama reportedly chose the Fitbit for security reasons: it was a less “smart” smart watch. For Biden, a certified watch nerd with a collection of Seiko, Rolex and Omega, this was no accident. It is possible that this was a signal from Biden that he is “hip” and focused on modernity. For a President criticized for his age, it would be a logical message to send. US Senators and Congressmen have been observed wearing smart watches in sensitive meetings where cell phones were prohibited. We can assume this is something that foreign intelligence services are watching closely.
President Joe Biden wearing Apple Watch in Oval Office (White House)
In 2022, Apple sold approximately 50 million smart watches, and we can expect this number to increase as the adoption of the Apple Watch becomes more widespread. That said, Case Officers will likely continue to rely on simple quartz and automatic timepieces to conduct an operational act (agent meeting) at the exact time and place without leaving behind a digital footprint that can be pieced together by a competent hostile intelligence service.
Sometimes it’s best to do things the old-fashioned way.
This newsletter has been reviewed by the CIA’s Prepublication Classification Review Board to prevent the disclosure of classified information.
Submissions from the W.O.E. community: