Akido of Abuse

Akido is a martial art of momentum. You use your opponent's attack against them and redirect their energy into a defense of yourself. It's also a difficult and valuable skill to learn outside of the world of Akido.

In thinking, and in practice, about how abusers use technology to maintain their power and control over the victim, one eventually realizes that focusing on the device or medium to deliver threats is only half the problem. Abusers spend an inordinate amount of time learning what their victim is doing. In the past, it meant a lot of physical stalking, reading phone bills, and barring the victim from leaving the house. All of this still happens today, of course. However, with the advent of GPS, smartphones, location-aware applications, and far more portable electronics (laptops, tablets, etc) the need for physical surveillance is less. Instead, the practical answer is to install location tracking apps on phones, laptops, tablets, or the physical analog on cars, bikes, and people.

There's nothing wrong with trying to keep a device or object clean. It's a fine way to work on what's going on and who might be likely to install/monitor a victim all day and all night. The reality is that most abusers are just slightly more technical than their victims. The abuser only has to achieve the psychological illusion of omnipotent power, always watching, listening, and knowing the victim's habits and intimate details. However, focusing on what's in front of you (you the advocate, you the victim) is only half the answer. All of this data generated by the tracking has to go somewhere. Increasingly, the "always on/always connected" nature of devices lets abusers see, hear, and watch the victim in real-time. Remote administration tools (RATS) are common enough that an abuser can both watch the screen in real-time, learn the GPS-accurate location, and listen in on conversations in real-time as they can control the device against the wishes of the victim. It's still a chilling effect to be working with a victim, only to have the computer tell us "You're both going to die", or to watch text typed on screen, or to have applications move around on their own, and to have all of this happen in response to your inputs to try to stop it. The device has to have a connection to somewhere, whether periodically or constantly to stream the data back to the abuser. Sometimes it's an email, sometimes a streaming video connection, sometimes just XML data going back and forth.

Flipping Bits for Fun and Love

If you watch a device long enough, many of these applications simply include the subscriber information in some field passed across the network in the clear. The more sophisticated apps use HTTPS or some sort of encryption. However, luckily, these apps never check certificates, or downgrade to non-encryption pretty easily. MITMProxy has some cool tools to make the job easier. An unintended benefit of most phone apps being horrible with privacy is that they are horrible at protecting the privacy of the abuser too. Your operating system wants to share, regardless if this is Android, Apple OS X, Apple iOS, Microsoft Windows, or Linux variations. Most operating system can be coaxed into sharing a lot of data pretty easily. Metasploit is still great at doing this, especially the decloak module.

Follow the Data

Forcing the device to use your network, recording the flowing traffic, and then analyzing the resulting traces is fascinating-well, at least for me. It reminds me of my teenage years recording network traffic, reading up on protocols, and messing around with the traffic to see how devices and applications respond, or break. The point is, with all of the data being siphoned off the devices, the data has to go somewhere. The more data an abuser wants, the more the signal leads back to the source.

I've purposely not named applications in this post. I've encountered a number of "workplace monitoring" tools and "know where your kids are" apps on phones, laptops, and tablets. They all leave a huge trail back to the abuser. What data I can't get at easily, I can give to the police who can then subpoena the provider for it. Which sounds great, but the reality is that most providers either ignore or deny the subpoena.

Data, data, where are you?

The first reason to go through all of these steps is to help the victim build a trail of evidence for a court case. The problem is that even after going through all of this, the third parties which hold the data rarely give it up. Here's an example from a real case:

The texter

A woman was being abused by her police officer husband. After nearly being killed the second time, she filed for a protective order. It was granted for her and her children. She started to receive threatening text messages from a phone number she didn't recognize. She soon after fled the state and took the children to her friends house across the country. The text messages kept coming, sometimes daily, sometimes in floods for hours, sometimes nothing for days. She blocked the number and things would seemingly calm down for a few days. And then a new number would start it all over again, but continuing the thread from past text messages, sometimes even referring to them or quoting them. In court for the protective order violation hearing, the defense stated that it's not clear who was at the phone when the text messages were sent. Unfortunately, this is technically correct. The text messages are tied to the phone and an account, not necessarily a human holding the device.

Abuser Akido

The police sent a subpoena to the phone companies involved. Both companies claimed they couldn't comply because the request wasn't specific enough. However, we did learn the phone was pre-paid. This means it is unlikely an account or identity can be tied to the phone account. I was asked to help out as a technical advisor/expert. My thought process was to think about the network the phone uses. The phone company can clearly see to which tower the abusers phone is connected. It can see how often text messages are sent, what number they originate from, where the phone was purchased, every where the phone has been, and everything else going on to/from the phone. The victim is only seeing the text messages sent to her. She can't see everything else going on with the phone. The phone company, however, can see it all, because they see the network traffic (both voice and data) since they are the network provider. The police sent new subpoenas. Now we await the data, hopefully. The abuser's trail of data is weight that can be used against them, just as aikido enables one to use your opponents weight against them.

Thanks to SC for review, edits, and suggestions.