DULT Threat Model
draft-ietf-dult-threat-model-00

Document Type Active Internet-Draft (dult WG)
Authors Maggie Delano , Jessie Lowell
Last updated 2024-10-01 (Latest revision 2024-09-18)
Replaces draft-delano-dult-threat-model
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Detecting Unwanted Location Trackers                           M. Delano
Internet-Draft                                        Swarthmore College
Intended status: Informational                                 J. Lowell
Expires: 22 March 2025         National Network to End Domestic Violence
                                                       18 September 2024

                           DULT Threat Model
                    draft-ietf-dult-threat-model-00

Abstract

   Lightweight location tracking tags are in wide use to allow users to
   locate items.  These tags function as a component of a crowdsourced
   tracking network in which devices belonging to other network users
   (e.g., phones) report which tags they see and their location, thus
   allowing the owner of the tag to determine where their tag was most
   recently seen.  While there are many legitimate uses of these tags,
   they are also susceptible to misuse for the purpose of stalking and
   abuse.  A protocol that allows others to detect unwanted location
   trackers must incorporate an understanding of the unwanted tracking
   landscape today.  This document provides a threat analysis for this
   purpose, defines what is in and out of scope for unwanted location
   tracking protocols, and provides design considerations for
   implementing protocols to detect unwanted location tracking.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at https://ietf-wg-
   dult.github.io/threat-model/draft-ietf-dult-threat-model.html.
   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-ietf-dult-threat-model/.

   Discussion of this document takes place on the Detecting Unwanted
   Location Trackers Working Group mailing list (mailto:unwanted-
   trackers@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/unwanted-trackers/.
   Subscribe at https://www.ietf.org/mailman/listinfo/unwanted-
   trackers/.

   Source for this draft and an issue tracker can be found at
   https://github.com/ietf-wg-dult/draft-ietf-dult-threat-model.

Delano & Lowell           Expires 22 March 2025                 [Page 1]
Internet-Draft              DULT Threat Model             September 2024

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 22 March 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   4
     2.1.  Conventions . . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
     3.1.  Taxonomy of unwanted tracking . . . . . . . . . . . . . .   4
       3.1.1.  Example scenarios with analyses . . . . . . . . . . .   7
       3.1.2.  Bluetooth vs. other technologies  . . . . . . . . . .  11
     3.2.  What is in scope  . . . . . . . . . . . . . . . . . . . .  11
       3.2.1.  Technologies  . . . . . . . . . . . . . . . . . . . .  12
       3.2.2.  Attacker Profiles . . . . . . . . . . . . . . . . . .  12
       3.2.3.  Victim Profiles . . . . . . . . . . . . . . . . . . .  12
     3.3.  What is out of scope  . . . . . . . . . . . . . . . . . .  12
       3.3.1.  Technologies  . . . . . . . . . . . . . . . . . . . .  12
       3.3.2.  Attack Profiles . . . . . . . . . . . . . . . . . . .  13
       3.3.3.  Victim Profiles . . . . . . . . . . . . . . . . . . .  13
   4.  Design Considerations . . . . . . . . . . . . . . . . . . . .  13
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   6.  Normative References  . . . . . . . . . . . . . . . . . . . .  13
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  14

1.  Introduction

   Location tracking tags are widely-used devices that allow users to
   locate items.  These tags function as a component of a crowdsourced
   tracking network in which devices belonging to other network users
   (e.g., phones) report on the location of tags they have seen.  At a
   high level, this works as follows:

   *  Tags ("accessories") broadcast an advertisement payload containing
      accessory-specific information.  The payload also indicates
      whether the accessory is separated from its owner and thus
      potentially lost.

   *  Devices belonging to other users ("non-owner devices") observe
      those payloads and, if a payload indicates the separated mode,
      report its location to some central service.

   *  The owner queries the central service for the location of their
      accessory.

   A naive implementation of this design exposes both a tag’s user and
   anyone who might be targeted for location tracking by a tag’s user
   to considerable privacy risk.  In particular:

   *  If accessories simply have a fixed identifier that is reported
      back to the tracking network, then the central server is able to
      track any accessory without the user's assistance, which is
      clearly undesirable.

   *  Any attacker who can guess a tag ID can query the central server
      for its location.

   *  An attacker can surreptitiously plant an accessory on a target and
      thus track them by tracking their "own" accessory.
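   The three risks above follow from how identifiers flow through the
   network.  The following toy simulation is added here as an
   illustration; it is not code from this draft or from any deployed
   tracking network.  It plays the three roles (tag, non-owner finder
   devices, central service) and compares a fixed identifier with a
   per-epoch pseudonym derived from a secret shared only between tag and
   owner.  The HMAC-based rotation, the epoch numbering, the location
   names and the sightings are all constructed assumptions for the
   example.

```python
"""Toy crowdsourced tracking network: tag, non-owner finder devices and central
service. Added illustration, not the draft's protocol; the HMAC-based pseudonym
rotation, epoch numbering and sightings below are constructed assumptions."""
import hashlib
import hmac
from collections import defaultdict


def rotating_id(tag_secret: bytes, epoch: int) -> str:
    """Pseudonym a tag broadcasts during one epoch (assumed: truncated HMAC-SHA256).
    Only a party holding tag_secret can predict or recognise it."""
    mac = hmac.new(tag_secret, epoch.to_bytes(4, "big"), hashlib.sha256)
    return mac.hexdigest()[:16]


class Tag:
    """An accessory that advertises an identifier plus a 'separated' flag."""

    def __init__(self, secret: bytes, fixed_id: str, rotate: bool):
        self.secret, self.fixed_id, self.rotate = secret, fixed_id, rotate

    def advertise(self, epoch: int, separated: bool) -> dict:
        ident = rotating_id(self.secret, epoch) if self.rotate else self.fixed_id
        return {"id": ident, "separated": separated}


class CentralService:
    """Stores (epoch, location) reports keyed by whatever identifier was heard."""

    def __init__(self):
        self.reports = defaultdict(list)

    def report(self, payload: dict, epoch: int, location: str) -> None:
        # A non-owner device only relays accessories that claim to be separated.
        if payload["separated"]:
            self.reports[payload["id"]].append((epoch, location))

    def query(self, ident: str) -> list:
        return list(self.reports.get(ident, []))


# Constructed: where passing non-owner devices heard the tag, one per epoch.
SIGHTINGS = [(0, "home"), (1, "bus stop"), (2, "downtown"), (3, "clinic"), (4, "office")]


def run_network(rotate: bool) -> dict:
    """Run the five sightings through the service and report what each party learns."""
    secret = b"constructed per-tag secret shared by tag and owner"
    tag = Tag(secret, fixed_id="TAG-0001", rotate=rotate)
    service = CentralService()
    for epoch, loc in SIGHTINGS:
        service.report(tag.advertise(epoch, separated=True), epoch, loc)

    # Service (or anyone reading its database): longest trail linkable under one identifier.
    linkable = max(len(trail) for trail in service.reports.values())

    # Owner: regenerates the identifier for each epoch and queries each one.
    owner_ids = {tag.advertise(epoch, True)["id"] for epoch, _ in SIGHTINGS}
    owner_trail = sorted(hit for ident in owner_ids for hit in service.query(ident))

    # Attacker who guessed the fixed identifier but does not hold the secret.
    guesser_trail = sorted(service.query("TAG-0001"))

    return {
        "linkable_by_service": linkable,
        "owner_sees": [loc for _, loc in owner_trail],
        "guesser_sees": [loc for _, loc in guesser_trail],
    }


if __name__ == "__main__":
    for rotate in (False, True):
        print("rotating" if rotate else "fixed", run_network(rotate))
```

   With a fixed identifier the service, and anyone who guesses
   TAG-0001, reconstructs the whole trail; with rotation the service
   holds five unlinkable single sightings while the owner, who can
   regenerate each pseudonym, still recovers the trail.  The same
   rotation is what makes the third risk (a planted tag) harder to
   detect: a scanner on the target's phone cannot count sightings of
   "the same" tag unless the pseudonym stays stable for long enough,
   which is the tension between owner privacy and detectability that
   Section 3 refers to.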

   In order to minimize these privacy risks, it is necessary to analyze
   and be able to model different privacy threats.  This document uses a
   flexible framework to provide analysis and modeling of different
   threat actors, as well as models of potential victims based on their
   threat context.  It defines how these attacker and victim persona
   models can be combined into threat models.  It is intended to work in
   concert with the requirements defined in
   [I-D.detecting-unwanted-location-trackers], which facilitate
   detection of unwanted tracking tags.

2.  Conventions and Definitions

2.1.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.2.  Definitions

   *  *active scanning*: a search for location trackers manually
      initiated by a user

   *  *passive scanning*: a search for location trackers running in the
      background, often accompanied by notifications for the user

   *  *tracking tag*: a small, concealable device that broadcasts an
      identifier which nearby devices report, along with their own
      location, to a crowdsourced tracking network

3.  Security Considerations

   Incorporation of this threat analysis into the DULT protocol does not
   introduce any security risks not already inherent in the underlying
   Bluetooth tracking tag protocols.  Existing attempts to prevent
   unwanted tracking by the owner of a tag have been criticized as
   potentially making it easier to engage in unwanted tracking of the
   owner of a tag.  However, Beck et al. have demonstrated
   (https://eprint.iacr.org/2023/1332.pdf) a technological solution that
   employs secret sharing and error correction coding.

3.1.  Taxonomy of unwanted tracking

   To create a taxonomy of threat actors, we can borrow from Dev et
   al.’s Models of Applied Privacy (MAP) framework
   (https://dl.acm.org/doi/fullHtml/10.1145/3544548.3581484).  This
   framework is intended for organizations and includes organizational
   threats and taxonomies of potential privacy harms.  Therefore, it
   cannot be applied wholesale.  However, its flexibility, general
   approach to personas, and other elements, are applicable or can be
   modified to fit the DULT context.

   The characteristics of threat actors may be described as follows.
   This is not intended to be a full and definitive taxonomy, but an
   example of how existing persona modeling concepts can be applied and
   modified.

   *  Expertise level

      -  Expert: The attacker works in or is actively studying computer
         science, networking, computer applications, IT, or another
         technical field.

      -  Non-expert: The attacker does not work or study in, or is a
         novice in, a technical field.

   *  Proximity to victim

      -  High: Lives with victim or has easy physical access to victim
         and/or victim’s possessions.

      -  Medium: Has some physical access to the person and possessions
         of someone who lives with victim, such as when the attacker and
         victim are co-parenting a child.

      -  Low: Does not live with or have physical access to victim and/
         or victim’s possessions.

   *  Access to resources

      -  High: The attacker has access to resources that may amplify the
         impact of other characteristics.  These could include, but are
         not limited to, funds (or control over “shared” funds), persons
         assisting them in stalking behavior, or employment that
         provides privileged access to technology or individuals’
         personal information.

      -  Low: The attacker has access to few or no such resources.

   In addition, the victim also has characteristics which influence the
   threat analysis.  As with attacker characteristics, these are not
   intended as a definitive taxonomy.

   *  Expertise level

      -  Expert: The victim works in or is actively studying computer
         science, networking, computer applications, IT, or another
         technical field.

      -  Non-expert: The victim does not work or study in, or is a
         novice in, a technical field.

   *  Access to resources

      -  High: The victim is generally able to safely access practical
         and relevant resources.  These might include funds to pay a car
         mechanic or private investigator, law enforcement or legal
         assistance, or other resources.

      -  Low: The victim is generally unable to safely access practical
         and relevant resources.  These might include money to pay a car
         mechanic or private investigator, law enforcement or legal
         assistance, or other resources.

   *  Access to technological safeguards

      -  High: The victim is able to safely use, and has access to,
         technological safeguards such as active scanning apps.

      -  Limited: The victim is able to safely use, and has access to,
         technological safeguards such as active scanning apps, but is
         unable to use their full capacity.

      -  Low: The victim is not able to use technological safeguards
         such as active scanning apps, due to reasons of safety or
         access.

   It is also appropriate to define who is using the tracking tags and
   incorporate this into a model.  This is because if protocols overly
   deprioritize the privacy of tracking tags’ users, an attacker could
   use a victim’s own tag to track them.  Beck et al. describe a
   possible technological solution
   (https://eprint.iacr.org/2023/1332.pdf) to the problem of user
   privacy vs privacy of other potential victims.

   *  Tracking tag usage

      -  Attacker only: The attacker controls one or more tracking tags,
         but the victim does not.

      -  Victim only: The victim controls one or more tracking tags, but
         the attacker does not.

      -  Attacker and victim: Both the attacker and victim control one
         or more tracking tags.

3.1.1.  Example scenarios with analyses

   The following scenarios are composite cases based upon reports from
   the field.  They are intended to illustrate different angles of the
   problem.  They are not only technological, but meant to provide
   realistic insights into the constraints of people being targeted
   through these tags.  There is no identifying information for any real
   person contained within them.  In accordance with research on how
   designers understand personas (https://dl.acm.org/
   doi/10.1145/2207676.2208573), the characters are given non-human
   names without attributes such as gender or race.  The analysis of
   each scenario provides an example usage of the modeling framework
   described above.  It includes a tracking tag usage element for
   illustrative purposes.  However, as discussed previously, this
   element becomes more or less relevant depending on protocol
   evolution.  Note that once a given attacker persona has been modeled,
   it could be recombined with a different victim persona, or vice
   versa, to model a different scenario.  For example, a non-expert
   victim persona could be combined with both non-expert and expert
   attacker personas.

3.1.1.1.  Scenario 1

3.1.1.1.1.  Narrative

   Mango and Avocado have two young children.  Mango, Avocado, and the
   children all use smartphones, but have no specialized technical
   knowledge.  Mango left because Avocado was abusive.  They were
   homeless for a month, and the children have been living with Avocado.
   They now have an apartment two towns away.  They do not want Avocado
   to know where it is, but they do want to see the children.  They and
   Avocado meet at a public playground.  They get there early so that
   Avocado will not see which bus route they arrived on and keep playing
   with the children on the playground until after Avocado leaves, so
   that Avocado will not see which bus route they get on.  Two days
   later, Avocado shows up at Mango’s door, pounding on the door and
   shouting.

3.1.1.1.2.  Analysis

   In this case, the attacker has planted a tag on a child.  Co-
   parenting after separation is common in cases of intimate partner
   violence where the former partners have a child together.  Child
   visits can be an opportunity to introduce technology for purposes of
   stalking the victim.

   +=====================+============================================+
   | Attacker Profile    | Avocado                                    |
   +=====================+============================================+
   | Expertise Level     | Non-Expert                                 |
   +---------------------+--------------------------------------------+
   | Proximity to Victim | Medium                                     |
   +---------------------+--------------------------------------------+
   | Access to Resources | Unknown, but can be presumed higher than   |
   |                     | Mango’s due to Mango’s recent homelessness |
   +---------------------+--------------------------------------------+

                                 Table 1

            +====================================+============+
            | Victim Profile                     | Mango      |
            +====================================+============+
            | Expertise Level                    | Non-Expert |
            +------------------------------------+------------+
            | Access to Resources                | Low        |
            +------------------------------------+------------+
             | Access to Technological Safeguards | High       |
            +------------------------------------+------------+

                                  Table 2

               +=======================+===================+
               | Other Characteristics | Avocado and Mango |
               +=======================+===================+
               | Accessory Usage       | Attacker Only     |
               +-----------------------+-------------------+

                                  Table 3

3.1.1.2.  Scenario 2

3.1.1.2.1.  Narrative

   Strawberry and Elderberry live together.  Neither has any specialized
   technological knowledge.  Strawberry has noticed that Elderberry has
   become excessively jealous – every time they go to visit a friend by
   themselves, Elderberry accuses them of infidelity.  To their alarm,
   over the last week, on multiple occasions, Elderberry has somehow
   known which friend they visited at any given time and has started to
   harass the friends.  Strawberry eventually gets a notification that a
   tracker is traveling with them, and thinks it may be in their car,
   but they cannot find it.  They live in a car-dependent area and
   cannot visit friends without the car, and Elderberry controls all of
   the “family” money, so they cannot take the car to the mechanic
   without Elderberry knowing.

3.1.1.2.2.  Analysis

   Here, the attacker and the victim are still cohabiting, and the
   attacker is monitoring the victim’s independent activities.  This
   would allow the attacker to know if, for instance, the victim went to
   a police station or a domestic violence agency.  The victim has
   reason to think that they are being tracked, but they cannot find the
   device.  This can happen if the sound emitted by the device is
   insufficiently loud, and is particularly a risk in a car, where seat
   cushions or other typical features of a car may provide sound
   insulation for a hidden tag.  The victim could benefit from having a
   mechanism to increase the volume of the sound emitted by the tag.
   Another notable feature of this scenario is that because of the
   cohabitation, the tag will spend most of the time in “near-owner
   state” as defined by the proposed industry consortium specification
   [I-D.detecting-unwanted-location-trackers].  In near-owner state it
   would not provide alerts under that specification.
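   Section 2.2 distinguishes active from passive scanning, and the
   analysis above notes that a tag in near-owner state produces no
   alert.  The following detector is added here as an illustration; it
   is not this draft's logic and not the detection logic of any vendor's
   app.  It parses a constructed sighting log from the victim's phone
   and applies both modes: an active scan lists every separated tag
   heard in the last few minutes, while passive scanning only flags a
   tag that has travelled with the user across several places over
   time.  The log format, the tag identifiers, the near_owner field and
   the thresholds are assumptions for the example.

```python
"""Passive and active scanning over a constructed sighting log. Added
illustration, not the draft's or any vendor's detection logic; the log format,
the near_owner field, tag identifiers and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log from the scanning device: one advertisement per line, with the
# place the device itself was when it heard it. 7f3a is a tag away from its
# owner and travelling with the user; 9e9e is a cohabiting partner's tag that
# stays within the near-owner timeout; 4b4b is a stranger's tag passed on a bus.
LOG = """\
2024-09-18T08:00:00 tag=7f3a near_owner=0 loc=home
2024-09-18T08:00:00 tag=9e9e near_owner=1 loc=home
2024-09-18T08:35:00 tag=7f3a near_owner=0 loc=bus
2024-09-18T08:35:00 tag=4b4b near_owner=0 loc=bus
2024-09-18T09:10:00 tag=7f3a near_owner=0 loc=friend
2024-09-18T09:10:00 tag=9e9e near_owner=1 loc=friend
2024-09-18T12:00:00 tag=7f3a near_owner=0 loc=home
"""

MIN_LOCATIONS = 3                      # assumed: distinct places seen together
MIN_DURATION = timedelta(minutes=30)   # assumed: minimum span of co-travel
ACTIVE_WINDOW = timedelta(minutes=5)   # assumed: how far back an active scan looks


@dataclass(frozen=True)
class Sighting:
    when: datetime
    tag: str
    near_owner: bool
    loc: str


@dataclass(frozen=True)
class Alert:
    tag: str
    first_seen: datetime
    last_seen: datetime
    locations: tuple


def parse_log(text: str) -> list:
    """Turn the constructed log lines into Sighting records."""
    sightings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        sightings.append(Sighting(datetime.fromisoformat(stamp), kv["tag"],
                                  kv["near_owner"] == "1", kv["loc"]))
    return sightings


def active_scan(sightings: list, now_iso: str) -> list:
    """User-initiated scan: every tag heard within ACTIVE_WINDOW of now_iso
    that says it is away from its owner, regardless of any history."""
    now = datetime.fromisoformat(now_iso)
    return sorted({s.tag for s in sightings
                   if not s.near_owner and timedelta(0) <= now - s.when <= ACTIVE_WINDOW})


def passive_scan(sightings: list) -> list:
    """Background detection: alert on tags that travelled with the user.
    Near-owner sightings are dropped first, so a tag whose owner is usually
    nearby (a cohabiting attacker) never accumulates evidence."""
    by_tag = {}
    for s in sorted(sightings, key=lambda s: s.when):
        if s.near_owner:
            continue
        by_tag.setdefault(s.tag, []).append(s)
    alerts = []
    for tag, seen in by_tag.items():
        locations = tuple(dict.fromkeys(s.loc for s in seen))  # distinct, in order
        span = seen[-1].when - seen[0].when
        if len(locations) >= MIN_LOCATIONS and span >= MIN_DURATION:
            alerts.append(Alert(tag, seen[0].when, seen[-1].when, locations))
    return alerts


if __name__ == "__main__":
    sightings = parse_log(LOG)
    print("active scan at 08:36:", active_scan(sightings, "2024-09-18T08:36:00"))
    for a in passive_scan(sightings):
        print(f"alert: tag {a.tag} seen at {', '.join(a.locations)} "
              f"between {a.first_seen:%H:%M} and {a.last_seen:%H:%M}")
```

   Tag 9e9e is the cohabiting attacker's tag: every sighting is in
   near-owner state, so it never enters the passive logic, which is the
   gap this scenario describes.  Tag 4b4b is heard once on the bus: an
   active scan reports it, passive scanning correctly does not.  The
   returned Alert records are the kind of log that a victim who cannot
   safely receive notifications on their own phone could keep for later
   review from another device, as the analysis of Scenario 3 suggests.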

                   +=====================+============+
                   | Attacker Profile    | Elderberry |
                   +=====================+============+
                   | Expertise Level     | Non-Expert |
                   +---------------------+------------+
                   | Proximity to Victim | High       |
                   +---------------------+------------+
                   | Access to Resources | High       |
                   +---------------------+------------+

                                 Table 4

        +====================================+===================+
        | Victim Profile                     | Strawberry        |
        +====================================+===================+
        | Expertise Level                    | Non-Expert        |
        +------------------------------------+-------------------+
        | Access to Resources                | Low               |
        +------------------------------------+-------------------+
         | Access to Technological Safeguards | Limited (cannot   |
         |                                    | hear alert sound) |
        +------------------------------------+-------------------+

                                 Table 5

           +=======================+===========================+
           | Other Characteristics | Elderberry and Strawberry |
           +=======================+===========================+
           | Accessory Usage       | Attacker Only             |
           +-----------------------+---------------------------+

                                  Table 6

3.1.1.3.  Scenario 3

3.1.1.3.1.  Narrative

   Lime and Lemon have been dating for two years.  Lemon works for a
   tech company and often emphasizes how much more they know about
   technology than Lime, who works at a restaurant.  Lemon insists on
   having access to Lime’s computer and Android phone so that they can
   “make sure they are working well and that there are no dangerous
   apps.” Lemon hits Lime when angry and has threatened to out Lime as
   gay to their conservative parents and report them to Immigration &
   Customs Enforcement if Lime “talks back.” Lime met with an advocate
   at a local domestic violence program to talk about going to their
   shelter once a bed was available.  The advocate did some safety
   planning with Lime, and mentioned that there is an app for Android
   that can scan for location trackers, but Lime did not feel safe
   installing this app because Lemon would see it.  The next time Lime
   went to see the advocate, they chose a time when they knew Lemon had
   to be at work until late to make sure that Lemon did not follow them,
   but when Lemon got home from work they knew where Lime had been.

3.1.1.3.2.  Analysis

   This is a case involving a high-skill attacker, with a large skill
   difference between attacker and victim.  This situation often arises
   in regions with a high concentration of technology industry workers.
   It also may be more common in ethnic-cultural communities with high
   representation in the technology industry.  In this case the victim
   is also subject to a very high level of control from the attacker due
   to their imbalances in technological skills and societal status, and
   is heavily constrained in their options as a result.  It is unsafe
   for the victim to engage in active scanning, or to receive alerts on
   their phone.  The victim might benefit from being able to log into an
   account on another phone or a computer and view logs of any recent
   alerts collected through passive scanning.

                     +=====================+========+
                     | Attacker Profile    | Lemon  |
                     +=====================+========+
                     | Expertise Level     | Expert |
                     +---------------------+--------+
                     | Proximity to Victim | High   |
                     +---------------------+--------+
                     | Access to Resources | High   |
                     +---------------------+--------+

                                 Table 7

            +====================================+============+
            | Victim Profile                     | Lime       |
            +====================================+============+
            | Expertise Level                    | Non-Expert |
            +------------------------------------+------------+
            | Access to Resources                | Low        |
            +------------------------------------+------------+
            | Access to Technological Safeguards | Low        |
            +------------------------------------+------------+

                                  Table 8

                +=======================+================+
                | Other Characteristics | Lemon and Lime |
                +=======================+================+
                | Accessory Usage       | Attacker Only  |
                +-----------------------+----------------+

                                 Table 9

3.1.2.  Bluetooth vs. other technologies

   The above taxonomy and threat analysis focus on location tracking
   tags.  They are protocol-independent; if a tag were designed using a
   technology other than Bluetooth, they would still apply.  The key
   attributes are the functionalities and physical properties of the
   accessory from the user’s perspective.  The accessory must be small
   enough to be easily concealed, and able to broadcast its location to
   other consumer devices.

3.2.  What is in scope

3.2.1.  Technologies

   The scope of this threat analysis includes any easily-concealable
   accessory that is able to broadcast its location to other consumer
   devices.

3.2.2.  Attacker Profiles

   An attacker who attempts to track a victim using a tracking tag and
   applications readily available to end users (e.g., the native
   tracking application) is in scope.  Additionally, an attacker who
   physically modifies a tracking tag (e.g., to disable its speaker) is
   in scope.  An attacker who makes non-nation-state-level alterations
   to the firmware of an existing tracking tag, or who creates a custom
   device that leverages the crowdsourced tracking network, is in scope.

3.2.3.  Victim Profiles

   All victim profiles are in scope regardless of their expertise,
   access to resources, or access to technological safeguards.  For
   example, protocols should account for a victim's lack of access to a
   smartphone, and scenarios in which victims cannot install separate
   software.

3.3.  What is out of scope

3.3.1.  Technologies

   There are many types of technology that can be used for location
   tracking.  In many cases, the threat analysis would be similar, as
   the contexts in which potential attackers and victims exist and use
   the technology are similar.  However, it would be infeasible to
   attempt to describe a threat analysis for each possible technology in
   this document.  We have therefore limited its scope to location-
   tracking accessories that are small enough to be easily concealed,
   and able to broadcast their locations to other devices.  The
   following are out of scope for this document:

   *  App-based technologies such as parental monitoring apps.

   *  Other Internet of Things (IoT) devices.

   *  Connected cars.

   *  User accounts for cloud services or social media.

3.3.2.  Attack Profiles

   Attackers with nation-state-level expertise and resources who deploy
   custom or altered tracking tags to bypass protocol safeguards, or who
   jailbreak a victim's end device (e.g., a smartphone), are considered
   out of scope.

3.3.3.  Victim Profiles

   N/A

4.  Design Considerations

   As discussed in Section 3, unwanted location tracking can involve a
   variety of attacker, victim, and tracking tag profiles.  A successful
   implementation for preventing unwanted location tracking would:

   *  Include a variety of approaches to address different scenarios,
      including active and passive scanning and notifications or sounds

   *  Account for scenarios in which the attacker has high expertise,
      proximity, and/or access to resources within the scope defined in
      Section 3.2 and Section 3.3

   *  Account for scenarios in which the victim has low expertise,
      access to resources, and/or access to technological safeguards
      within the scope defined in Section 3.2 and Section 3.3

   *  Avoid privacy compromises for the tag owner when protecting
      against unwanted location tracking using tracking tags

5.  IANA Considerations

   This document has no IANA actions.

6.  Normative References

   [I-D.detecting-unwanted-location-trackers]
              Ledvina, B., Eddinger, Z., Detwiler, B., and S. P.
              Polatkan, "Detecting Unwanted Location Trackers", Work in
              Progress, Internet-Draft, draft-detecting-unwanted-
              location-trackers-01, 20 December 2023,
              <https://datatracker.ietf.org/doc/html/draft-detecting-
               unwanted-location-trackers-01>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

Acknowledgments

   TODO acknowledge.

Authors' Addresses

   Maggie Delano
   Swarthmore College
   Email: mdelano1@swarthmore.edu

   Jessie Lowell
   National Network to End Domestic Violence
   Email: jlowell@nnedv.org
