Reflections from Training Police on Cyber Threats

I recently had an opportunity to help my campus's Chief Information Security Officer train our campus's police department on physical cybersecurity attacks. He lectured; I demoed the attacks in our lab.

It was really cool. We talked about common physical attacks like lock picking, shoulder surfing, Bash Bunnies, WiFi Pineapples, BadUSBs, card readers/cloners, Packet Squirrels, and Flipper Zeros. We also went over the incident response process and the process for the police department to request data from IT.

But it was interesting to see the look on the officers' faces when they saw me demonstrate something as simple as a BadUSB attack, or my quick demonstration of a capacitive sensor hidden behind a painting. These were the people in charge of protecting the public, and while they of course knew the basic threats that they faced, I was surprised at their surprise when they realized how electronics surround the public in everyday life. For example, of course most people know not to plug in a random USB drive that they found on the street, but I bet if I asked everyone on campus, staff or student, maybe 5% of them could actually give me a strong, factual answer about WHY they shouldn't. I would bet that even fewer understand the signals that they constantly put out from their phones, IDs, car keys, Bluetooth earbuds, or anything else. This is absolutely not a dig at any specific person, or any police department, but a realization of how little the public at large knows about how complex the electronic world around them is, and how easily it can be manipulated and broken by someone who understands it.

It also made me think about the tethering of a traditional government police/law enforcement office to a corporate IT department. As the world becomes more and more tied to the internet, investigations, security, public threats, and basically everything else law enforcement is charged with handling become more tied to a corporate IT department, where the police have much less room to move and do what they would usually do in their line of work. It's an interesting concept of government responsibility and freedom being taken/folded into a corporate structure, especially because a local police department with a dozen officers is much less likely to have staff trained in cybersecurity than a large local business with hundreds of employees.