Christopher Burgess
Contributing Writer

Tracking device technology: A double-edged sword for CISOs

Mar 06, 2023 | 5 mins
Android Security, Data and Information Security, Transportation and Logistics Industry

Tracking devices are a boon to organizations with vast logistical operations and anyone who has ever lost a set of car keys. But trackers can also be a nightmare for cybersecurity, opening up a whole new world of opportunity for intruders.

The transportation industry has doubled down in the area of fleet tracking in recent years, which has come with great benefits and not a few security headaches. On the consumer side, we’ve spoken of Apple’s AirTag and how it has been used to find personal items of import — and also its potential to be abused by the nefarious to track and trace individuals. Now we see that Google is jumping into the fray, with the soon-to-be-released tracking device in development apparently codenamed “Grogu” (after the Baby Yoda character in the “Star Wars” spinoff “The Mandalorian”). The astute cybersecurity leader is no doubt thinking: “This is a CISO nightmare.”

From a market perspective, an Android-based tracking system makes eminent sense. Given that the AirTag is designed for iOS devices and Apple Maps, the Android device is being designed to work with the three billion Android smartphones in use and take advantage of Google’s already established Geo Tools.

With its arrival (believed to be in late 2023), the Android device will, combined with the AirTag, effectively enable more than 99% of the mobile market (Android 71.7% and iOS 27.6%) to interact with tagging devices. Ideally, it will usher in a new age in which we never have to lose anything again, from dogs to suitcases to car keys.

How will tracking devices be used?

Yet the field is crowded. Invoxia has brought to market their “vehicle tracker”, operating off the cellular network and providing continuous GPS location between a device and the control application. Their pitch: “A car is stolen every 38 seconds.”

Within the fear-marketing message rests the nightmare for CISOs. How will these devices be used? Clearly, the logistics side of the equation means vehicles and things can be tagged and tracked with relative ease. Not only will it help with locating and counting inventory, but the technology can also be used to ensure an alert occurs when those things which are supposed to stay within a specific geographic footprint leave that footprint.

Then there is the negative side of the equation, on which employees might use the corporate tracking capability for nefarious purposes or bring their own tracking devices into the corporate environment. But don’t stop with the employee. What of the vendor or the competition? How might they wish to use these tracking devices to garner a bit of competitive intelligence?

Tracking technology used for evil

Tracking the movements of gear or people might be prudent in a specific circumstance — visitors to a corporate building, for example. A badge outfitted with the technology can be monitored to ensure visitors stay within the areas to which they are granted access and, if escorts are required, an escort tag can be issued to provide confirmation that their corporate escort is within proximity. On the less scrupulous side of the equation, the tracking device can be dropped into the backpack, briefcase, computer bag, or purse of a targeted individual and that individual’s movements tracked.

To illustrate how dangerous this technology can be, in Ankeny, Iowa a restaurant owner was charged with stalking a woman using the Invoxia-brand GPS device. The man allegedly placed it inside her car and then tracked her movements. The criminal complaint notes that the victim was confronted by the restaurant owner in December 2022 in a location that could have only been known from tracking information. Twelve days later, the woman was allegedly surveilled by a friend of the accused as she walked her dog in a park. The complaint continues that the victim discovered the tracking device when cleaning her car.

Tracking as corporate espionage

In the corporate world, the devices could be used as simple tools of espionage. For example, every company’s sales team has closers, individuals who seal the deal, often brought in to wrap things up, especially in complex and intricate engagements. Imagine a competitor being able to track your closer from location to location simply by dropping a tag in his or her luggage. What type of competitive advantage might be drawn from that piece of data? Far more precise than tracking corporate jet tail numbers and their travel patterns.

When used properly, tracking tags can reduce pilferage, monitor independent cargo shipments, and track equipment and personnel. But they say the devil is in the details, and they are correct — one doesn’t need to be a rocket scientist to understand the downside of having these devices readily available, and thus any corporate usage must have processes and procedures in place surrounding the technology.

CISOs will be well served to include their legal department and their privacy officer in all discussions on tracking personnel and/or equipment issued to personnel using these technologies. They must also have in place a playbook for those instances when insiders use the capability for their own purposes, as shown in the aforementioned example.

Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
