Stalkerware with John Bambenek

I’m contacted on a regular basis by people who believe that their devices have been compromised and that they’re being stalked and spied on. Sometimes they’ve misinterpreted what they’re looking at, but sometimes they really are being digitally stalked. Find out what to do about it in this episode.

Today’s guest is John Bambenek. John is the Vice President of Security Research and Intelligence at ThreatSTOP and the President of Bambenek Consulting where he provides security consulting, penetration testing, forensics, and auditing. He has spoken at numerous security conferences including Black Hat. He has spent 20 years doing investigation work on cybercrime threats.

John is going to go over what stalkerware is, in what scenarios it is most common, and what we can do to mitigate the harm it does.

Show Notes:

  • [1:00] – John Bambenek is the Vice President of Security Research and Intelligence at ThreatSTOP and owns his own company, Bambenek Consulting. He has been working in cybersecurity since college.
  • [3:01] – John explains that stalkerware is a malicious mobile app put on your phone to track your movements, monitor who you are talking to, read your texts, and capture other activity that goes through your phone.
  • [3:26] – Stalkerware is most commonly found in cases of former relationships, but John shares his experience with stalkerware found on the mobile device of an assassinated politician in South America.
  • [4:39] – Odds are, if there is stalkerware on your phone or mobile device, that is not all that is going on. There are usually other signs of abusive or controlling behavior.
  • [5:45] – There are also ways that people can be stalked without installing stalkerware, such as monitoring Instagram and Facebook activity.
  • [6:29] – Multiple IP addresses and their reported locations in an account’s login history are often misinterpreted; mobile devices change IP addresses frequently.
  • [9:14] – Stalkerware is most commonly installed by someone who has physical access to the phone, although remote installation is possible.
  • [9:58] – There are also built-in features that can be misused, such as Find My Friends on an iPhone.
  • [11:18] – Stalkerware is different from malware that is accidentally downloaded where hackers may have access to a device belonging to someone they don’t know. Stalkerware is intentional and usually involves some prior relationship.
  • [14:08] – Whenever you can, have a password on your phone that you don’t give to someone, multi-factor authentication on accounts and other important logins.
  • [14:50] – Multi-factor authentication is a very useful early warning system. John shares an experience he had in another country and how multi-factor authentication helped catch something unusual early on.
  • [16:07] – John is a unique case because he wants a device compromised to aid him in his career in security research and shares some stories about his experiences.
  • [18:12] – Chris and John discuss devices to bring or not to bring to conferences like Black Hat.
  • [21:52] – A factory reset and changing all passwords is, in the overwhelming majority of cases, sufficient to eliminate stalkerware installed on a phone, as long as every account and linked device the attacker could use to reinstall it is also cleaned up.
  • [24:28] – Once you start getting real-world indication that you are being stalked, establishing a police report is an important next step.
  • [25:28] – With effort and with a court order, it may be possible to determine who has installed the Stalkerware on your device if you don’t know who it is.
  • [26:31] – One thing to keep in mind is that when you wipe the phone, you also wipe the evidence.
  • [27:13] – Taking down the people who create stalkerware is more valuable to police and investigators than pursuing individual cases.
  • [28:23] – The Coalition Against Stalkerware is a community of security researchers, activists, and legal aid groups providing resources to victims and trying to figure out what can be done about stalkerware on a larger scale.
  • [29:30] – Legal language needs to be precise, because there are software creators whose intentions are not malicious.
  • [31:40] – There are laws that need to be changed and police detectives need to be educated so they can become experts in examining mobile phones.
  • [33:00] – John explains that if you gave someone access to your phone years ago and they later install stalkerware on it maliciously, prosecution can be difficult because you granted them permission at some point.
  • [34:43] – There are industry coalitions and other groups dedicated to helping victims of stalking, but stalking is a behavior with a long documented history.
  • [35:27] – There are people who want these tools to monitor and control someone’s movements and there are people who want to make money by providing this malware to them.
  • [36:01] – There are lots of ways someone can be stalked without the use of Stalkerware. Because of the nature of social media sites like Facebook, we are leaking information all the time that can be watched and used.
  • [37:41] – People don’t understand the difference between anonymous and private. John gives examples of how this can be a problem.
  • [39:10] – To get the benefits of advancing technology, we have to give up something in exchange. These things are not necessarily good or bad, you just need to understand what you’re giving up to have this service.
  • [40:16] – Every decision has its pros and cons and you have to be mindful of what they are and be okay with that. And sometimes there are ways to mitigate some of those harms.
  • [40:40] – John explains the problem with Bluetooth: we have so many devices, and the permission model is all or nothing.
  • [43:16] – There are many contact tracing apps that are created for a legitimate purpose that can be misused for the purpose of stalking.
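The misread login history at [6:29] is the most common false alarm the hosts describe: a phone picks up a fresh address every time it moves between cellular data and Wi-Fi, and the addresses that worry people most (10.x.x.x, and the 100.64.x.x addresses mobile carriers hand out behind carrier-grade NAT) cannot be an outside party at all. The script below is an added example, not code from the episode or its guests: it takes a list of (timestamp, IP) pairs as you would copy them from an account’s recent-activity page, sets aside the non-routable ones with a label saying why they are noise, and counts the distinct public addresses that actually merit a second look. The sample activity list is constructed from documentation address ranges and does not describe any real account; the script deliberately does no geolocation, since the “location” column on those pages comes from a database lookup that is frequently a state off for mobile carriers.

```python
import ipaddress
from collections import Counter

# Ranges that cannot belong to an outside party reaching your account.
# RFC 1918 space appears when the phone is on home/office Wi-Fi; RFC 6598
# shared address space is what many mobile carriers put subscribers behind
# (carrier-grade NAT). Membership is checked explicitly rather than via
# ipaddress.is_private, whose treatment of 100.64.0.0/10 differs by version.
NON_ROUTABLE = {
    "private (RFC 1918)": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "carrier NAT (RFC 6598)": [ipaddress.ip_network("100.64.0.0/10")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16"), ipaddress.ip_network("fe80::/10")],
}


def classify(ip_text):
    """Return a noise label for a non-routable address, or "public"."""
    ip = ipaddress.ip_address(ip_text.strip())
    for label, nets in NON_ROUTABLE.items():
        if any(ip in net for net in nets):
            return label
    return "public"


def triage(entries):
    """Split an account's recent-activity list into what to review and what to ignore.

    entries: iterable of (timestamp, ip) tuples.
    Returns (to_review, noise): a Counter of public IPs with how often each
    appeared, and a Counter keyed by (ip, label) for the non-routable ones.
    """
    to_review = Counter()
    noise = Counter()
    for _, ip_text in entries:
        label = classify(ip_text)
        if label == "public":
            to_review[ip_text.strip()] += 1
        else:
            noise[(ip_text.strip(), label)] += 1
    return to_review, noise


# Constructed sample: what a worried user typically screenshots. The public
# addresses are from the RFC 5737 documentation range, not real subscribers.
SAMPLE_ACTIVITY = [
    ("2021-11-10 08:12", "10.0.0.23"),       # home Wi-Fi, phone's LAN address
    ("2021-11-10 08:40", "100.64.17.5"),     # cellular data behind carrier NAT
    ("2021-11-10 12:02", "203.0.113.5"),     # public exit address, seen twice
    ("2021-11-11 09:15", "203.0.113.77"),    # different public exit next day
    ("2021-11-12 19:30", "192.168.1.40"),    # office Wi-Fi
    ("2021-11-13 07:58", "203.0.113.5"),
]


def report(entries=SAMPLE_ACTIVITY):
    """Print a human-readable triage and return the public-address Counter."""
    to_review, noise = triage(entries)
    print("Ignore (cannot be an outside party):")
    for (ip, label), n in sorted(noise.items()):
        print(f"  {ip:<16} {label} x{n}")
    print("Distinct public addresses to compare against your own carrier/ISP:")
    for ip, n in to_review.most_common():
        print(f"  {ip:<16} seen {n} time(s)")
    return to_review


if __name__ == "__main__":
    report()
```

Two public addresses over four days, both from the same block, is exactly the pattern the hosts say people misread as four different intruders; what deserves attention is a public address from a provider or region you have never used, which is a question for the carrier’s published ranges or the account provider’s own “sign out other sessions” control rather than for this script.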

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Can you give the audience a little background as to where you come from and what you’re currently doing?

Sure. Currently, I work as Vice President of Security Research and Intelligence at ThreatSTOP. I have my own consulting firm, Bambenek Consulting. I’ve been working in cybersecurity pretty much my entire career, ever since I left college. I probably got my start in security earlier than that. It was being eight or nine years old, cheating at video games and not wanting to grind for whatever shiny sword, gold, or whatever, and just going into hex editors and giving myself all the equipment I wanted. That apparently turned into a fairly lucrative decades-long career in cybersecurity.

I very much remember—on the Commodore 64—going into the disc editor and upping my character stats like, “Hey, I want to be a first-level character with 255 this, 255 that.” I remember those days.

Yeah, computer games are supposed to be fun. Why am I grinding for 40 hours to have fun? That sounds like work.

It definitely was at those times. Me and my brothers were really happy to find a file editor when we were kids and save ourselves many hours of our summer wasting time. I get a lot of people coming to me saying, “Hey, I think I’ve been hacked. I think someone’s on my devices snooping and listening to what I’m doing, intercepting my emails, and intercepting my text messages.”

Often, when I’m looking at them, they start showing me what they’re looking at, and it turns out that they’re mistaking what they’re seeing in their Google account access history. They see four different Verizon Wireless IP addresses, and it doesn’t match their current one, so they assume that someone else has hacked into their account when it’s probably just a history of them accessing their account.

I know that there are stalkerware packages out there, and this is a legitimate concern for people going through divorces and people running companies. Can you give me a background on what stalkerware is?

Sure. In essence, the biggest variety of it is a malicious mobile app put on your phone. If you think about information—“I want to track somebody’s movements, I wonder who they’re talking to, who they’re emailing, who they’re texting, are they having an affair,” or whatever—your phone is the device that’s most likely to have that. There are a lot of different ways. We call it stalkerware because probably the most conventional use case is somebody you have a relationship with or did at one point in time, but then it goes all the way up the spectrum.

There was a case I worked on in South America involving a politician who was assassinated. There was something on his phone that could have been used to track his movements, and then there was a bit of work to see whether that tied to those who assassinated him. Certainly, for business executives and the like, there are lots of concerns—back when people traveled—about bringing mobile devices with them to countries that don’t necessarily have the view of privacy and freedom that we do in the Western world.

I know I’ve traveled to interesting places and took precautions. That involves getting a burner phone, having my wife’s phone number in it, and basically chucking it in the trash when I came back to the States because it was the cheap burner phone. It did the job of me being able to talk to my wife and kids when I was overseas. Some of it is real and, obviously, there’s a lot that can be also misinterpreted.

Let’s talk about that. What are the signs that people see that lead them to think there is a stalkerware on their phone? What are legitimate signs of stalkerware? And what are not legitimate signs of stalkerware?

The legitimate signs, in the times that I’ve talked to people about it, are that it’s usually not an aberration. Meaning, it’s not that whoever installed stalkerware on your phone did that and nothing else. That’s part of a larger abusive relationship. Somebody’s being controlling, doesn’t like who you’re talking to. They show up in places where you are. If it’s a spouse, it’s a little bit harder because usually your spouse knows where you are.

But if you’re in a dating relationship and all of a sudden somebody you broke up with two months ago keeps showing up when you’re taking vacations, then you’ve got some indications that they’re following your movements.

There are some ways to do that without stalkerware. People have Instagram and Facebook. People create fake accounts just to keep track of what you’re doing—the whole Facebook creeping on exes. Some people take that to the next level, but it’s usually not just installing stalkerware. You’ll see some other indications that somebody is actively malicious towards you.

I know one of the things that I often see that leads me to believe that it’s incorrect is those multiple Verizon IP addresses when it’s the same user accessing their Google account. What are some of the signs that you would say that people mistakenly believe are signs of stalkerware that probably aren’t?

Well, I think it’s when people who aren’t doing cybersecurity start saying, “Oh, I want to see all of the IP addresses that are connecting to it.” That’s easy to misinterpret, because mobile devices change IP addresses frequently as you go around and get on Wi-Fi or not. I wouldn’t pay as much attention to the IP address’s location. If you’ve never left Chicago, Illinois, and you’re seeing accesses from Colorado, then pay a little bit more attention to that.

But there’s a lot that can be misinterpreted by people who don’t understand networking, and not that people have to, or should have to. But the unfortunate side of this equation is that if you’re a private individual, there’s no one to protect your privacy but you. Because Facebook and all these companies that we’ve come to rely on, they’re in the business of collecting lots of information. Their business model is anti-privacy.

People have to be experts on how to protect their information despite that really being somewhat unfair because it can get very technically complex quickly.

I have people sending me—not intentionally, but they end up doing it—screenshots of dozens and dozens and dozens of configuration pages on their phone. “Look, this firmware isn’t the right firmware,” or something like that. I’m like, “I don’t know what firmware is on your obscure Android phone.” “Look at this IP address. It’s 10 dot dah, dah, dah, dah, dah.” “Well, that’s inside your own network. Don’t worry about that.”

I think once a person crosses the threshold from knowing absolutely nothing to knowing a little bit, everything they see leaves them thinking, “Oh my gosh, what’s going on? I’ve been hacked. I’ve been compromised.” I remember one of my wife’s accounts got compromised and she got a notification from the company: “Hey, we see this unusual activity from Iran.” I’m like, “Okay. We definitely haven’t been to Iran recently. Okay. Time to change your passwords, time to go through all of that,” but we didn’t confirm it.

Obviously, you never click on the link within the email saying that your account has been compromised. Always go to the website, go to the source, and try to confirm it there. It absolutely does happen when you’re talking about locations and providers suddenly being unusual. It is a good sign that something is amiss and at least needs to be looked at more carefully.

How is stalkerware getting on people’s devices?

The easy way: it’s usually somebody with physical access. Very few people are capable of remote installing malware on mobile devices. It does happen. But if you’re able to do that reliably, there are lots of intelligence agencies—pick whatever country you want to be loyal to—and they will pay you lots of money to do that professionally. It’s typically outside the range of most people.

Somebody who’s had physical access, probably. Somebody who does a crafted phishing attack, potentially tricking you to install something, or they could just be relying on things that are inbuilt. I’m an iPhone user. There’s the whole Find My Friends feature. There are family settings so I can go see where my children’s devices are, which is a perfectly legitimate use case. But somebody could enable that stuff who is no longer involved with you and now they’re just using a built-in service to follow your movements.

Or someone that you were in a relationship with and you gave them access to that and when the relationship ended, you forgot to revoke that access.

Right. There are lots of different ways that can happen that are obscure. They know your Apple ID password because they wanted to install an app—that’s legitimate when you were in a relationship. Now they can log into your iCloud account and see where your phones are, your tablets, or your MacBook. A lot of these technologies have features built in to allow following movements.

When people start referencing they’re just seeing text messages, now you know it’s at another level. But usually, the kind of person who is following somebody’s text messages and their email is doing it for a reason that will lead to other behaviors that make it apparent.

We’re differentiating stalkerware from the random drive-by malware where you went to a website and got compromised due to some drive-by download. You weren’t necessarily—with the exception of where you’ve been spearphished—most of those cases are just the random drive-by where hackers are like, “Okay, I now have access to a device. I have no idea who the person is. Maybe I can do some damage. Maybe I can annoy them.” But the stalkerware is very intentional of, “I’m trying to access this person’s activities.”

Right. And it’s usually some prior relationship. You were on the radar for a reason. The ex-wife, ex-husband, ex-dating partner, sister, brother, or whatever. There was some preexisting relationship. There is a branch of criminals who just go after women for various sextortion. But stalkerware is not their usual technique. It’s not outside the realm of possibility that they would use similar tools.

Is that where you see most of the stalkerware that you’ve dealt with? Is it mostly in relationships like personal relationships or corporate relationships?

It’s usually personal relationships. There is corporate espionage that goes on, and some of these tools have a dual purpose. If I want to follow text messages and emails and get information off the phone to stalk somebody or steal corporate secrets, well, it’s the same functionality you’re looking for. I don’t know that there’s been a lot of crossover yet, but a lot of nation-state actors and espionage operations like to use commodity tools, because that obfuscates that it’s actually somebody serious behind it.

If you’re a corporate executive and you’ve got a piece of known stalkerware on your phone, you’re going to make assumptions about who that is. It might not be your ex-wife or ex-husband. It might be the PRC, Russia, or whatever region that might be spying on you. The bulk of the cases are obviously individuals—the people that are worth spying on at that level. But there are a whole lot of bitter ex-partners out there who don’t want to let a relationship go.

That’s the much more common equation—is a personal, disgruntled relationship, someone who’s obsessive, or won’t let things go.

Right. Usually, you can suss that out, as somebody who’s obsessive about trying to follow your digital footprints is going to be obsessive about other things too.

Yeah, and vice versa, probably. Traditionally, the advice I would give people on just relative privacy is: whenever you can, make sure you’ve got a password on your phone that you’re not giving to people, and that you’ve got multi-factor authentication on your bank accounts and your important things, whether it’s SMS or tokens. Something is better than nothing. I believe tokens are better than SMS, but something is usually better than nothing.

We talked about physical access, what other advice would you give someone to keep this from happening to them, or at least mitigate the risk?

You mentioned one with multi-factor auth. I take a little different twist on it. You get a text message or some app says, “Hey, do you want to authenticate?” But it also gives you a warning that somebody else is doing it. When I’ve gone to interesting countries, I create a Gmail account, I put multi-factor auth on it with an intentionally weak password, just to catch whether somewhere I’ve been has managed to get the password.

Because then I’ll get a push notification. It’s like, “Oh, that’s interesting. I didn’t log into that account because I left that country two months ago, and now somebody is logging into it with the correct password.” It gives you very quick information, and it’s a very useful early warning system. I’ve caught the early stages of corporate breaches with that.

It’s like, “Hey, this is somebody logging into a service. They have the correct password, but it wasn’t me who entered it.” Went to the other people who had it, like, “No, it wasn’t us.” “Okay, well, we know somebody’s got the password. We’re going to sit there and cut this person off right here and now before they find another way in.”

That’s referred to as a honeypot, I believe?

In essence, yeah. When I do that overseas on myself, it’s a model of a personal honeypot. Here’s my device. I’ll leave it in the hotel room. Put all the malware you want on it. Infect it with all the things, please, because I’m just going to bring it home and reverse engineer all of it. You’re just making my work as a researcher much easier, but I’m a special case.

You’re definitely a special case. You’re looking to get a device compromised in hopes of learning more. Whereas me, I don’t want a device compromised because I don’t want to throw out that $1500 iPhone.

Yeah. There was a conference I was at where I did have a laptop compromised. I was passive-aggressive about it. I just left the new laptop stickers on it, the saran wrap that they wrap the case in. It’s just like, “Yeah, here’s a new one, because I know you’re coming into my hotel room.” I had a little alarm clock with a camera—an odd way to make sure to catch them. They wiped that, but what they did, they didn’t infect the laptop with anything, because I had the slides I was giving my talk on. It’s like, “Oh, I mean, you could have gone to the talk.”

I used my phone as an alarm clock. My flight was 6:00 AM, so I had to get up at 4:00 AM. At 1:00 AM the alarm goes off. I go tap the phone and it goes away. At 2:00 AM it goes off again. At 3:00 AM I was like, wait a second. When I hit the phone, it’s not muting. It was the laptop that was going off. They were basically waking me up every hour. Before I got on the plane I was like, “Oh, you sneaky bastard. Well done. Screw you.”

It’s kind of like having your friends call the hotel and ask them to set up wake-up calls for you at particularly obtrusive times.

Yeah. That’s some of the fun games that could be played on that level. I don’t know about fun. I was on the business end of it.

When you’re in college and high school, it’s fun. Outside of that, it’s not very fun.

Yeah. I was able to sleep on the plane. It was all good. That laptop ended up in the Gulf of Mexico because I wasn’t going to bring that across the national boundary.

I’ve often thought about going to a Black Hat conference and thinking, “Okay, what do I not need to bring? Not just into the conference, but what devices am I going to intentionally leave behind and not even let into a hotel room? Am I going to bring an effective burner credit card? What actions do I need to take to protect myself while I’m at this conference?”

I definitely don’t want to bring my cell phone. I definitely don’t want to bring my laptop. Okay, then how do I make this a beneficial trip if I don’t have these devices that I would normally have with me?

I’ve stopped bringing my laptop to those conferences, mostly because I don’t want to carry it with me all the time. If I have those devices, I have them with me, but I’m not opening up my laptop. That’s 18-hour days of going between events, meetings, and the after-hours party there. No, I’m not going to bring my laptop. I’ll bring my phone. There are very few people who are able to do much more than interception.

Most of my stuff’s encrypted or at least the stuff I care about is. And if they can crack all of that, then I’m dealing with an intelligence agency, and it doesn’t really matter where I happen to be—they’re going to get me. But a laptop, at a certain point I’m not going to use it, and you never do at Black Hat unless you’re a presenter. Actually, I think they give you presentation computers, now that I think about it. You’re not even presenting off your own laptop, unless you’re doing a demo.

No, don’t do a demo in a presentation if you can avoid it. What I noticed at Black Hat three or four years ago, it was just after somebody did research to say, here’s how you can build a home-built stingray to intercept your phone calls. Part of that involves downgrading people to 3G because that’s less secure, and then you could do interception of SMS. There were so many people setting that up around the venue that cell service was unusable until you got about half a mile away.

The stingrays were intercepting stingrays and it just created a blanket of just RF interference.

That’s the stuff that I would be worried about. Just even being in Vegas proper during a conference like that, you’re just like, “Oh gosh.” I see the warnings. Don’t use ATMs when you’re in Vegas during conferences and all those kinds of things.

Yeah, I mean I’m less worried about credit cards. Debit cards are a little bit trickier. With a credit card, I’ll call up and say, “Hey, I didn’t make this charge.” They send me out a new card, whatever. I’m not liable for theft. Debit cards are a little tricky because money actually moves. But eventually, you get made whole. It’s an inconvenience, but it’s not awful. The only reason there are so many ATMs in Vegas is to encourage you to gamble. To be honest, it’s the only place where you can roll up to an ATM with a credit card and get cash, because they really want you to gamble.

I guess, if you really want it at the tables, make sure you’ve got your 0% APR credit card and go ahead and take a cash advance for a couple of grand and go get that blackjack table.

Yeah, not proper advice, though.

No. Just bear in mind, the house always wins.

That they do.

You want to spend $50 or $100—whatever your leisure money is—gambling. That’s just leisure money whether you go to a show or hang out at a Blackjack table. Probably, don’t get yourself into 20% credit card debt over that.

Yeah, not a good way to fund your entertainment values.

Back to stalkerware. We’ve gone on a trip, we’ve left our phone in a room, and someone has gotten into it. Whether we had a password or not, they knew the password—let’s ignore that issue. They’ve installed stalkerware on our phone or laptop. What do we do about it? Is that device burned? Is the only solution to toss it, or can these things be cleaned and put back to a new state?

A factory reset and resetting all the passwords, in the overwhelming majority of cases, is good enough. If you wipe the phone, it wipes everything. Now, if somebody gets an infection in at a low level, where they’ve infected the factory-wipe build that’s on the phone, all right, you’ve got a significant problem that’s outside what most people are capable of.

I know executives will bring special builds of phones that are resilient against that kind of thing, but for the everyday user, a factory wipe and then resetting all of your passwords is largely sufficient. But really making sure that you get everything and taking a look.

For instance, if somebody gets into your Apple phone, you make sure you reset the iCloud password and get an idea of what other devices are on there, and the settings that allow you to sync apps between devices. If there’s a device on there that you don’t recognize anymore, and syncing apps is the default, where you download an app on one device and it downloads on all of them, well, they could just put the malware right back in.

It’s making sure that all of the places where they got access are shut off. I have an Android device. That’s just what I use for burner devices. I don’t think they have similar functionality for syncing across devices, but the point remains: make sure you get everything and start resetting passwords to Facebook and all the other apps that go along with it.

Most of like Facebook and Google, at least, when you’re in that process, you have the ability to force log out any other device that’s logged in. That at least buys you some time to start changing stuff on your own before they can get back into the account.

And making sure that the accounts aren’t linked and all that kind of crazy stuff.

Yeah, definitely. Like I said, once you start getting real-world indications of this, if you’ve got an order of protection, it’s time to go to the judge and talk. If you don’t, then it might be time to get a police report. Local police departments are getting better about this because it is a prevalent problem. There are starting to be more widely available resources to help people who find themselves in that situation.

Maybe a little bit outside of your scope: if you have a client whose devices you know have been compromised with stalkerware, but there is no obvious person of interest, let’s say. There’s no disgruntled spouse, no ex-boyfriend, no ex-girlfriend, no crazy next-door neighbor. You have 100% proof the device has been compromised. Are you able to find out who compromised the device?

With effort. The problem comes in as you’re relying on the adversary to make a mistake that otherwise indicates their identity. It depends on the software they use. A lot of these tools are licensed, which means it’s a transaction somewhere. Now, these companies aren’t exactly the type that you could just send a discovery order to and they’ll give up the customer. But there might be other things that lead you from point A to point B.

The unfortunate reality is that once you’re into that kind of question, a lot of resources have to be expended to figure that out. Some of those require court orders. If you’ve got an order of protection—well, you wouldn’t have an order of protection in that case, because you don’t know who it is. You can go to court and open a case to say, “I don’t know who this is, but they’re doing bad things.”

I would say in that case, like I said a few moments ago, “Hey, you wipe your device, you’re fine.” The one thing to keep in mind when you wipe the device, you also wipe the evidence. If you want to pursue something criminal or you’re with an expert, then you are getting a new phone, because then I or somebody like me needs to preserve the evidence.

Maybe there are some ways that we can get them out in the open to find out who they are, but that may depend on police department interest. Your mileage varies depending on the police department, and it depends on the interest of the local prosecutor. The most interest that we get on this kind of stuff at the high end is how do we take down entire families of stalkerware and the criminal groups behind it, because going after the—I wouldn’t even know—tens of thousands—I don’t know how many people are engaged in this kind of behavior just in the US, but it’s a large number.

There’s a small number of people who are making the software and enabling it. If we’re lucky, they have databases of their customers. That’s how we get the customers.

It’s almost more valuable to go after the drug reference rather than the users or the street corner pushers—going after those that are actually creating the drugs, or in this case, creating the product. If you take them out, then you take out everyone who’s using their products, potentially.

Yeah. It’s kind of a loose analogy. That’s why we have a DEA to do big-picture stuff that you can make into federal crimes. It’s not to get the guy selling dime bags on the street corner. Well, I guess marijuana is legal in most places. The point remains, the system—I don’t know that it works as designed, but the thought was, “Hey, let’s go after this at a large scale and not worry about street crime, because there’s always going to be another guy who shows up again.”

Are there entities that are going after the stalkerware, the malware manufacturer? I use the term manufacturer loosely, but rather than trying to go after the people that are using it to target individuals, is there some concerted effort going after the people that are producing the products and services?

There is a group out there—the Coalition Against Stalkerware—that’s bringing people together—the cybersecurity community, activists dealing with women’s shelters, and legal aid groups—to try to figure out what can be done about this. One, to provide resources to victims in a one-on-one situation, and two, what could be done at a larger scale.

Part of it is this notion in the United States: is it really illegal to make malware? If you’re not in the market of selling it, then you put in a disclaimer, “Don’t use this for illegal purposes,” wink-wink, nudge-nudge. But it gets into where things need to be precise in our law—for good reason. We don’t want to make it easy to prosecute people who are not being malicious. It just means there are other tracks in place that also make it harder for us to go after authors of stalkerware.

There are laws that probably need to be passed and policy that make it more obvious this is bad. And we’re starting to have cyberstalking laws in many states. But local law enforcement, obviously, this is a very different form of policing than walking a beat, speed traps, or other things that police officers are used to. There needs to be resources for local police too. There are efforts to start trying to build on all of that because there’s enough recognition that this is a real problem.

Yeah. Some of the challenges are the legal issues always trail the events that are happening. It took a long time for the legal system to adapt to identity theft. I know a relative of mine, his Social Security Number was used to earn income in multiple states, and those states sued the fake individual. Of course, the person didn’t show up, but the judgment was against my relative because nobody showed up.

Once he found out about it, it was, “Okay, how do I deal with this?” The only mechanism most of the states had was, “Well you have to pay the judgment, and then petition to get the money back after you’ve proven that it wasn’t you.” Laws have changed significantly since then. This was more than 20 years ago, but I assume the same sort of thing will happen with stalkerware and malicious applications as the laws will trail five to 10 years behind them being widely available or being widely used.

Yeah. There’s expertise, there are laws that need to change, and the experts are putting it on detectives and local police departments. There are computer forensic examiners who can examine mobile phones, but I know what my hourly rate is, and it’s probably higher than an hourly rate of what a detective makes. No one really wants to sit there and push the income that commands down the scale. But on the flip side, this is a real problem.

If you’re a victim, it can be very devastating, especially when you start dealing with people who are stealing intimate photos, and the kind of extortion that can go on. People who are not just stalking but engaging in just over intimidation and just trying to ruin people’s lives.

Yeah, I’ve probably talked to more people who are—maybe not being intimidated, where there’s not really the overt action—but it’s kind of the low level, “Yeah, someone’s obviously getting into my accounts.” It’s like, “How much money are you willing to spend to find out who it is?” The answer is usually, “Well, I can’t afford anything.” Well, then your answer is, like you said, wipe the device and get on with your life. It’s a horrible answer in a sense, but it’s maybe the pragmatic one.

Yeah, I don’t know what the right answer is there. There’s a technical answer. I’ve had this question with people who’ve gone through divorces and whatever. What’s your objective here? If I could prove it was them, after spending a lot of time doing it, you’re not going to go to jail over it, probably, because you gave him permission to access it two years ago and then they installed this on it. Now I found it, you uninstalled it and there you go. The laws of possession and authorization get murky once somebody did something when they were authorized and then are no longer authorized. We’re coming up with laws on intimate photos. You had consented to have that material, what happens when the relationship ends?

Common sense would dictate you should delete that stuff, and certainly post it to the whole ex-girlfriend, ex-wives sharing sites. But the laws have taken time to actually accommodate that scenario of revenge porn laws. I don’t know if all 50 states have them yet, but I know a lot do.

Yeah, definitely heading in that direction, and for good reason.

Yeah, it’s something that wasn’t envisioned when laws were written 20, 40, or 100 years ago. It’s a new reality we find ourselves in, which is why we have legislative bodies to deal with evolving reality and create laws to deal with it.

Speaking of evolving realities, where do you see stalkerware going in the next couple years in terms of its capabilities, and your capabilities to find and remove it?

Now, there are industry coalitions and other groups getting together saying, “We need to do something about this” and saying, “Here, you wipe your device.” We’ve got to do something programmatic about it. Part of that’s the law, part of that is having police departments with the right resources, and part of that is having women’s shelters or other community groups that deal with those kinds of situations—having resources putting effort into it.

Stalking is always—I don’t know if it’s always—but it’s been a pretty prevalent part of when relationships end for long-term documented history. It’s not that behavior is not going to go away. There are people who want tools to do that, and there are people willing to make money by providing those tools. The easy ones are where if it’s a malicious app on the phone, you just delete the app, and that may end your problem aside if you happen to change all the passwords, or wipe phones.

But there’s money to be made there, which means people are going to be doing development to make it more discreet and more hidden. Like I said, there’s a lot of other ways to do that that don’t involve installing stalkerware, because a lot of these devices keep track of what we’re doing. I can watch a Facebook feed and see where you’re going. I don’t need to stalk you. I just need to watch it. There’s lots of information we leak about ourselves all the time.

The smartphones are being put with contact tracing apps or functionality in the devices, which means these devices are emanating a unique token so that it stores in the database, I was around that unique token, which has now got coronavirus. I need to isolate, which all sounds good, but the tokens are only beaconed for about 30 feet (give or take).

If I’ve gotten close enough to somebody with not a lot of other people around, I can turn that token into an identity, put sensors around, and watch where they go. Then there’s just no indication because unless you happen to find a sensor, that’s just promiscuously listening to all the Bluetooth tokens and contact-tracing apps, then you have no idea. Except that somebody who you used to be in a relationship with or is just creeping around, keeps showing up at places you are in ways that they shouldn’t, or times and places where they shouldn’t.

A part of the problem is, like I said, we’re just creating more information leakage in random people under the guise of—I’m not going to say we shouldn’t do contact tracing for COVID, we actually should. But doing it through phones and something that just beacons out into the air is going to have privacy implications. People don’t really understand the difference between anonymous and private. The anonymous token that’s being beaconed is anonymous. It doesn’t tie to your identity, but it’s not private because anybody close enough can see it.

If they can say that token is that person because that’s the only one in the room, now I’ve just defeated anonymity. Now, as long as I see anywhere that beacon is, I know that person is there because we carry our phones around with us all the time. Every day, we’re creating new technology that creates new possibilities of people to maliciously abuse it to compromise privacy, our finances, or any other thing that criminals will do with electronic means. Good news on the job security for us. It sucks and it’s going to suck harder.

Yeah. I think that’s true with any emerging technology. There will be advances that are helpful and beneficial to our lives and advances that put us at risk. There’s an advantage of having Google Maps know where you are and how to get to places. I remember back in the days where we had paper maps. When you wanted to go somewhere, “It’s in what city, what page is that? It’s not in this book, I’ve got to go find someone who’s got a map book for the next neighboring city, county, or state.”

Now, we just press a button and, “Hey, let’s route around the traffic because we know where the traffic is.” To get the benefits, we have to give up something in exchange for those.

There’s always a consequence.

To me, I’ve always looked at it as these things are not necessarily good or bad, you just need to understand what you’re giving up to get the service. When you use Facebook, you give up a lot of your personal privacy to be able to connect with your friends, and a lot of the other platforms are the same way. There is an exchange going on somewhere, you just need to know what it is to be okay with it.

I think people focus on the positives and don’t realize that there can be drawbacks. Facebook is an example. At one point in time, I deleted my Facebook and I ended up recreating it at some point thereafter. But there’s a friend of mine—an occasional acquaintance—realized that her boyfriend committed suicide but had no idea that it happened because it wasn’t on Facebook where she said that.

We missed out on a tragic event where I would’ve reached out to somebody, had I known. Every decision has its pros and cons, and you just have to be mindful of which one it is, what they are, and be okay with that. And sometimes there are things that you can do to mitigate some of those cons. I only turn on the GPS on my phone when I actually really need Google Maps, or probably, more accurately, when I’m ordering Uber, and then I turn it off when I’m done.

Would you recommend the same thing for Bluetooth?

The problem with Bluetooth is we have so many devices. If you’ve got Bluetooth devices, I’ve got an Apple Watch, which means I need to have Bluetooth enabled. I’ve got AirPods—I need to have Bluetooth enabled. It’s kind of an all-or-nothing thing. I mean, being in control of what connects to your phone via Bluetooth, but the unique identifiers, well, it’s an interesting note. I haven’t actually reverse-engineered some of these contact-tracing apps. What happens if you turn Bluetooth off?

They don’t work.

It doesn’t let you turn Bluetooth off.

Yeah. At least at this point, in the US, let’s say these apps are voluntary. If they’re using the functionality that both Google and Apple jointly developed, it’s all opt—in theory…let’s assume they’re not lying to us. If they’re lying to us, we have bigger issues. But assuming they’re not lying to us, it’s all opt-in. Easy to opt out. And by turning off Bluetooth, it disables the feature also.

Yeah. The problem with some of that is as […] my campus where I’m finishing my PhD at U of I—University of Illinois—they want to have an Illinois app on your phone that does contact-tracing, and they can mandate it, or highly incentivize it. What they’re trying to say is, “We’re going to incentivize people to do this. We want contact-tracing, that way you’d be safe” or whatever.

Most people will say okay. But early on, before COVID, we’re saying we want to collect all this information to identify people who are needing some intervention to prevent suicide or whatever. We can collect all the information and use a machine-learning math to go find people who are in trouble.

First, no. As somebody who does machine learning, the idea that you could just let math find people that have problems without giving any real thought, no. They say it’s privacy by design, but you’re collecting all the information. You can make decisions to opt out if you want, but you’re going to be highly incentivized and coerce people into opting in to everything.

There’s lots of soft ways to get around that. And the implications of these kinds of technologies and tools being available—who can have access, what information they can get—aren’t fully understood even by experts.

I think that’s the thing that I almost worry about more on locally developed apps. The local college builds an app for contact-tracing students. It’s not going to be run by security. Let’s say the app is even designed by security professionals and the app is secure and all that, but there’s still a human element of who has access to the data. Are they other college students who are trying to find out where their girlfriend is and they’re now using, in theory, something that has a “legitimate purpose” and misusing it for the purposes of stalking?

Yeah. Part of it is we don’t have full knowledge. We don’t know how things can go bad. I’ll give you another coronavirus example. I’ve got a machine-learning algorithm I developed and that is very accurate in saying, “this domain is malicious, this domain is not.” Then March rolled along with the pandemic hitting full force, and then it was starting to flag public health sites because governments were just throwing up sites out there to get resources out there.

The case of what everybody was doing was higher than everything. I don’t want to say panic, but we have a real realization that we had a real problem on our hands, and people started doing things quickly instead of doing things the way you do it in normal times.

It was a fundamental shift in the pattern of what is normal. Nobody’s life is “normal” compared to what it was back in January.

Right. I have this system that I developed that says, “Okay, the domain’s good or bad.” I explicitly whitelist popular stuff. I’m never going to block Facebook, Google, and the root servers with DNS. The worst thing happens, I get a false-positive request, a false-negative request, or whatever. Nothing catastrophic will happen, and then all of a sudden, I’m interfering with public health bodies actually doing public health in a pandemic.

Yeah, that’s the problem.

I need to realize that a cause of an error of my algorithm could have been that high. It just never would have occurred to me before February of this year that that was something that had to be accommodated for.

I think even a lot of the companies that have used machine learning for a lot of things, they had trip-ups in that as well. I know that two of my Twitter accounts got suspended for—it was always 90 days. It was effectively a permanent suspension until they realized it was a mistake, but it was because, in theory, there was some discussion I had about COVID that crossed some machine-learning algorithms threshold that went, “Oh, this is suspicious.”

We’re not going to look into it, we’re just going to terminate the account, not tell the person, not explain why. Until three months later, yeah, there was a machine-learning mistake. “We’ve unterminated your account. Sorry. Great. Thanks.”

At least they corrected it three months later…

Yeah, but a lot of places wouldn’t do it. But it just goes to show you—I’m not knocking you—you have one person who’s working on their algorithms. You have these massive entities with potentially hundreds of engineers working on stuff when something so big as coronavirus shifts, not just one landscape, but tons of landscapes. It throws off machine learning in a way that they just never intended.

Well, yeah. That machine learning does what it’s intended to do. It profiles normal, and it profiles abnormal. And when everybody changes everything…

Everything’s abnormal.

Everything’s abnormal, surprise. I don’t think that the price is fully understood of these things being deployed at a wide scale. Like I said, it wouldn’t have occurred to me that interfering with government operations during a pandemic was a risk I had to mitigate, and we are. That’s what technology is enabling is errors in technology and security have more serious and more profound consequences.

Ten years ago, the notion that malware can get somebody killed, no. It’s sci-fi. But now we’ve got respirators and ventilators running Windows 10 embedded with the same vulnerabilities of the desktop.

Or Windows XP or older.

The point remains: we’re adapting, “Hey, this technology works for personal computing, why do something new? Let’s put it in embedded devices that keep people alive.” That means when the thing blue screens, somebody stops breathing. We’re creating a much more dangerous world where we haven’t been really great about protecting information. And now we’re putting medical equipment and cyber-physical systems on there. Self-driving cars that have to figure out, “Is this a pedestrian or a crosswalk?” using the same technologies that really weren’t good at protecting privacy in the first place.

It’s a strange new world that we’re living in.

Yeah. Unlimited job security.

Yeah. Spin it on the positive here. We always have to look at it that way. There are benefits for some people and risks for other people. For those of us who deal with security, these sorts of things are a benefit for us. I’ll be one to admit that my website has done well and got more traffic because of coronavirus. More people working from home, more people interested in privacy and security. It has driven more traffic to the site. Never would’ve expected it. Never thought a health emergency would drive traffic to my technical website. How does that make sense? It’s a new world that we’re living in.

As we wrap up here, are you open to people contacting you if they believe they’re a victim of stalkerware and they want assistance?

Yeah, sure. A more direct way would be taking a look at the Coalition Against Stalkerware—that might have resources more available to you. If someone is in central Illinois, then, certainly, I have a contact form at that people can reach out to, and I’m happy to answer questions or try to direct people to resources, if I can.

If people want to follow you on social media, where do you have an account that is public?

Yeah, I’m on Twitter @bambenek and on LinkedIn as well.

There’s a convenience of having a unique name.
We’ll definitely put links to all those in the show notes, and I really appreciate your time today. Is there any parting advice that you would give our audience?

Be mindful of the technology that you bring into your home, what some of the information being collected is, and what that means. Especially things like smart home devices, Amazon Echo, smart appliances, and the like. Be mindful of what information is collected and how it can be used against you.
