On being mobbed

The account of an ongoing bid to harass a legal tenant out of her Seattle neighborhood


Stop mobbing crimes with data: Airtool for wireless capture

[07/02/21 Note: This post does not discuss MAC address spoofing or ARP (Address Resolution Protocol) spoofing and how these techniques can hide the identity of transmitting and receiving devices. The prospect of address spoofing in mobbing adds complexity to the analysis of frame capture files that might be clarified to at least some extent by heat mapping.]

Real estate mobbing is a high-risk venture. Mobbing is a criminal platform that relies on subjecting victims to inescapable harassment over the air and over wired and wireless networks. Mobbing becomes even more risky as the technologies and devices that mobbers rely on to evict are brought to market and into our homes. But even as we learn to question the veracity of sound in the same way we learned that images are not truth, it can be difficult to decipher a criminally constructed soundscape or even to understand the causal relationship between the mobbing victim ending a sound stream that was being used to transport verbal abuse onto her speakers and the eruption of noise from the house of the nasty neighborhood watch lady across the way that soon follows. Like this afternoon, for example.

When you’re being mobbed, you’re not being believed. One of the most damning aspects of this civil and human rights crime is that mobbing is constructed to be witnessed by the victim alone. To ensure the crime is known only to the victim, mobbers construct an experience that not only plays to an audience of one, but cannot easily be recorded or otherwise documented.

Mobbing is difficult to document. This is what makes it attractive to those who want to break the law without risking their reputations. This is what makes it attractive to corrupt neighborhood watch groups whose members might hold influential positions in and even with the City of Seattle and other municipalities. This is what makes it attractive to developers who aren’t likely to be granted permits if it’s known that they “acquire” properties by harassing residents out of their legal contracts. And in turn, the good reputations of those who mob, support mobbing or stand by and watch it happen, protect this human rights crime and ensure its continued use as a clandestine tool by those who think power is a truncheon.

The best way to begin to stop this crime and to snuff out its component hacks and dirty tricks is to document it using tools that can begin to expose the attacks the mobbers don’t want anyone to see, the weapons they don’t want anyone to hear. For attacks over the wire or attacks by wired devices, network tools make good sense.

Mobbers use proximity to stage their attacks, abusing the privileged relationship between neighbors to shorten attack vectors and enlarge your vulnerable attack surface. You can use this proximity to defend your position by quietly collecting data. And when you’re being monitored, the task of collecting data may fall to you alone.

When you’re being mobbed, you may well be monitored to protect the crime, and you might not even know it. This is because sneaky crooks like mobbers extend their IoT environments to include you. Motion-detecting lights alert the mobbers when you open a door, IoT devices like garage door openers or even barometers can alert them when you open a window. If you call the police, the mobbers shut off the blaring Sonos speakers in the back yard. The verbal abuse on your television stops by the time the police get to the door. But when mobbing victims collect data, we can begin to show why companies that make WiFi repeaters like Eero should be concerned not only with the security of their customers, but with the potential for malicious use of these devices by their customers. When mobbing victims collect data, we can begin to show why companies producing directional and wireless sound systems like Sonos should not only be concerned with the privacy of customers who purchase and install these systems because of specialized features that come in handy for turning over properties, but should be concerned with the potential for abuse and even criminal use of their technology. And when mobbing victims collect data, we can begin to show that drones are increasingly used in neighborhood crime, even when local attorneys roll their eyes when their female clients report as much.

Network data, including Wireshark capture, is probably the standard for forensic evidence of network exploits. Mobbing is a prolonged attack that includes varying types of exploits, on the network and off. Any siege of this kind generates a vast amount of data. Once we collect the data, we can use artificial intelligence to learn from the data, we can better secure neighborhood infrastructure, and we can design devices that recognize anomalous network and device behavior as well as configurations that pose security risks.

Because mobbing is a whole-house surveillance situation, mobbers think they can get away with it. The police aren’t going to collect the data. If you call your bandwidth provider and request service, customer support probably won’t know what you’re talking about and the mobbers will go quiet until they leave. Not to mention the fact that people who’ve gone to such great lengths to avoid getting caught probably won’t respond well to your attempts to report them. But these crooks are not prepared for victims to put the pieces of this Rube Goldberg machine together using data collection. To stop individual and predatory mobbing crimes, IoT crimes and other digital crime, we need to collect data.

Ω

Network data is chunked into frames. Devices use network protocols to exchange data as sequences or streams of data. The details of the data exchange are not visible to you the user; they take place, to use a bit of informal tech talk, “under the covers.” But even a casual user can take a peek. This is what tools like Airtool are all about. You can download Airtool at https://www.intuitbits.com/.

Airtool is a stripped-down tool for capturing wireless network data. It’s a highly recommended tool that runs on Apple OSX. On Windows or Mac, you can use a more fully featured tool called Wireshark (https://www.wireshark.org/) that has a steeper learning curve. Ultimately, if you’re on Mac and enduring a prolonged mobbing like I am, you may find it useful to pair the tools or even to run them at the same time to capture different types of information. For example, if you believe that you’re being mobbed using wireless devices you may want to use Airtool to capture wireless traffic while you use Wireshark to get a look at the network traffic coming in over Ethernet. You can do this because Airtool disconnects from your wireless network and puts your machine into “monitor mode” while Wireshark can listen on the specified Ethernet interface. You may also be able to complement your packet capture with other types of data capture. If you choose to do captures, you’ll probably have the most success if you use captures to show a regular pattern of behavior over time.

Mobbing is a data-heavy crime and analysis could show that mobbing, and perhaps other digital crimes, has a characteristic data or network signature that could be helpful not only in detecting the crime, but in prosecuting it. Mobbing may not only include a characteristic pattern of data, but those who mob may prefer certain configurations of devices like the Sonos wireless sound system with Eero wireless network extenders or known “interferers” on the 2.4 GHz band like printers and walkie talkies. It’s not likely to be useful to have a network tech do a packet capture one time when you’re being mobbed. If you’re being monitored, the pattern likely changes when people enter your property; the sample data will not represent what happens to you when there are no potential witnesses. In cases where wireless sound systems like the Sonos are used to generate infrasound for purposes of harassment, prolonged frame capture might yield more interesting results than a short-term acoustic study for which an acoustician could be seen entering the property and placing equipment. So far as I can tell, acousticians offering such services use traditional meters that sense sound waves rather than the network frame data that represents sound that is digitally generated. If you are being harassed with sound and seek the services of an acoustician, you might be told that the results of an acoustic study are not guaranteed to be useful in the courtroom. We may find that appropriately analyzed network data is the best evidence. Crimes like mobbing give us reason to expand our view of an “exploit” and indicate the need for environmental monitoring services to bone up on tools that can bolster the veracity of test results with network data.

Many surveys could be done remotely by installing software on the victim machine depending on the level of monitoring underway; unfortunately, I do not know of such services being quietly offered to private individuals and, even if they were, trust would likely be an issue. This is also another case where those from whom you seek help may assume that you are “paranoid,” a conclusion unlikely to yield a productive investigation of any kind, although you’ll pay for it either way. It might be possible for network security companies, however, to offer an option for installed residential users to request network analysis services through the user interface of a firewall, for example, in cases like mine where the victim cannot discreetly search for and retain expertise. Because mobbing is unfamiliar and there appear to be problems with assessing probable cause in speaker crimes and other digital crime, the onus is, unfortunately, on the mobbing victim to educate the officials and public agencies that should help.

Frame data is obscure and not easy to understand without advanced understanding of the network protocols that are being used to exchange the data. Airtool offers collection of varying types of data. For purposes of mobbing data, you may want to collect frames across all channels and to select the option to capture 802.11 plus radiotap header. There may be more sophisticated methods to capture the most useful data but I’ve had to learn about this under duress in a situation in which there is a cost for confiding in others or asking for help.

Frame data tends to be opaque and the volume of data captured tends to discourage unfocused analysis of capture files. But when you’re being mobbed, even the crude use of frame capture can be informative. Those who work with frame captures on a frequent basis might use Python or other programming languages to sift through capture data. But you can at least scan the files you create to learn about devices operating during certain hours when you’re subject to different kinds of harassment. For example, see “Figure 6.1. Wireshark with a TCP packet selected for viewing” on wireshark.org. Just scanning the columns No., Time, Source, and Destination can get you started. The No. column is the numbered order in which the frames were collected, beginning with 1. Here, Source and Destination show Internet Protocol (IP) version 4 addresses for the source and destination of the frame. Instead of IP addresses, you might see device identifiers that can be especially helpful; for example, Sonos smart speakers are often identified by the inclusion of the “Sonos” string. In this case, “Sonos” is the vendor identifier of the source device or “transmitter.” This won’t tell you that you’re being harassed using a Sonos sound system, and since Sonos components have come down in price they are increasingly common. But when you’re subject to infrasound in the wee hours and can identify active Sonos components transmitting data night after night, there might be a useful pattern. Sonos may not help you to identify whether the active components emit infrasound, but they might be more forthcoming if you can interest the police by showing them weeks of data. This kind of information could potentially also lead to a much more productive investigation than complaints of nocturnal noise. You can look up vendor identifiers and MAC addresses on reference websites like the one at https://udger.com/resources/mac-address-vendor-lookup.

Networked devices periodically transmit management frames called “beacons” or “beacon frames.” It’s important to be able to distinguish between devices that are generating beacons and devices that are transmitting data. You’ll want to ensure that the data you compile and share is relevant. If you don’t think your mobbers have visibility onto your desktop, or if you don’t care, you can use online training resources like forums to deepen your understanding. For more information about beacon frames, see the Wikipedia page at https://en.wikipedia.org/wiki/Beacon_frame.

You’ll have to spend some money or try to use the trial version, but you can also open capture files in MetaGeek’s Eye P.A. for a visual representation of the capture data. MetaGeek produces interactive charts and timelines that summarize the behavior of network devices. Data visualization tools like this also can help to educate local police and pique their curiosity. MetaGeek provides some basic analysis that can also be informative in a mobbing situation, for example, when Eye P.A. identified a drone on a nearby network, it became possible to track the appearances of that drone over time. In a situation like mine where the victim account is not being heard, data like this should help to make a difference. In a best case scenario, a proactive approach of sharing data with police and key attorneys may help to ensure that the defamatory statements the mobbers make to deflect suspicion onto you backfire. Even better, helping officials to better help you could contribute to the development of useful strategies for dealing with digital crime in the future. For a video demonstration of Eye P.A., visit the MetaGeek website at https://www.metageek.com/products/eye-pa/. Note that Eye P.A. is a Windows application but can run on a virtual machine installed on the Mac.

Packet captures may be most useful in mobbing to get at least some visibility into the devices in the environment at specific times and in specific circumstances, for example, whether there might be a drone around every night, whether walkie talkies crop up when you turn on the television or whether high-speed video cameras are deployed to interfere with your Roku whenever you turn it on. The presence of a device does not mean it is harassing you, of course. But the ability to establish the presence of devices during times when you are regularly harassed will hopefully be meaningful. You might not “see” the speaker the Seattle Police asked me about, but you will have data that makes it difficult to attribute your reports to delusions.

I resisted collecting data for years for various reasons. When you’re under attack and no one believes you, your hands are already full. Just worrying about how to survive is more than enough. And then there’s the cost of the tools or services that might help you, the difficulty of finding an attorney who has any concept of the situation you’re in and his potential reluctance to engage experts for a client with some wild story who is probably suffering from delusions. There’s also the fact that when rogue sound is all over your laptop, there’s no telling whether they can see your screen. This in and of itself, can dictate whether and how you seek help. Moreover, I thought it would be improper for me, the victim, to collect this data. Forensic evidence, I reasoned, is not collected by the victim. But, unfortunately, mobbing victims appear to be in the unusual situation of having to prove they are subject to a crime and not a delusional state. After surviving more than two years of being improperly prosecuted by the City of Seattle with my competence twice challenged based on my honest reports of being monitored and harassed, when the harassment continued even after the charges against me were finally dropped, I had little choice other than to finally capitulate to forced eviction or begin to collect data.

The problem with collecting data is that collection does not guarantee review, especially not when you bear the stain of courtroom defamation. Even more difficult, when it comes to little-known “exploits” like mobbing, is the ability to locate an analyst who believes your story and uses it to guide his or her analysis of the data. In the long run, artificial intelligence can probably be used to recognize mobbing. For now, that task probably requires a network security expert or researcher with significant understanding of broadcast traffic and exploits based on it.

Because frame capture can be controversial, be sure you understand how to legally use tools like Airtool and Wireshark (https://arstechnica.com/tech-policy/2012/09/sniffing-open-wifi-networks-is-not-wiretapping-judge-says/). Hacking a mobbing network will only help the mobbers to turn over your home.

There are “packet analysts” who study captures to identify malicious behavior. They might be looking for unusual communication or suspicious addresses or the filenames of known malware. At this point in time, getting the time and attention of any sort of security expert or packet analyst appears to be difficult when you’re a private individual. This is saddening since predatory crimes like residential mobbing would probably not occur if it weren’t so easy. When I contacted a local “expert” for help, he was annoyed that I had the nerve to contact him directly instead of through an attorney. The woman who eventually agreed to help me did so with the proviso that she didn’t know much about wireless network communication, and her review was limited to what appeared to be a cursory check for communication between my devices and others. To properly assess the communication between devices, you need to have a deeper understanding of how the device operates and the communication interfaces it uses. For example, before you jump to the conclusion that the device transmitting data to your Roku is rogue, you need to establish if the MAC address of the unknown device belongs to your remote. You need to be able to identify the devices that belong to you.

In mobbing, however, especially when the malicious activity originates on nearby networks, analysis of packet captures must be informed by the physical configuration of networks, devices, and signal. In mobbing, capture information may not be helpful without complementary surveys. For example, in a house mobbing, heat maps may be useful to identify networks deployed to support the mobbing. For mobile harassment like audio diversion however, it might be possible to programmatically find common devices in wireless captures performed over a period of time or to use artificial intelligence to do so. This strategy could also be useful in criminal investigations. My next short post on how data can be used to stop mobbing crimes will provide an introduction to the use of tools like NetSpot to collect complementary data. For more information, see Stop mobbing crimes with data: Visualize nearby networks with NetSpot and Mobbing by WiFi range extender.
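The sifting described above (telling beacons from data frames, setting aside the devices that belong to you, and finding transmitters common to captures taken over time) can be sketched in Python; this is an added example, not code from the original post. It assumes each capture was saved as a classic little-endian pcap file with 802.11 plus radiotap headers (pcapng is not handled), and the MAC addresses and the three nightly captures are constructed sample data; a spoofed or randomized MAC address would defeat this matching.

```python
import struct
from collections import Counter

PCAP_HDR = "<IHHiIII"     # magic, version major/minor, tz, sigfigs, snaplen, link type
RADIOTAP = 127            # pcap link type for 802.11 frames with a radiotap header

def parse_pcap(data):
    """Yield each captured frame from a classic little-endian pcap file's bytes."""
    magic, *_, linktype = struct.unpack_from(PCAP_HDR, data, 0)
    if magic != 0xA1B2C3D4 or linktype != RADIOTAP:
        raise ValueError("expected little-endian pcap with 802.11 + radiotap frames")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]   # bytes stored for this frame
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def transmitter(frame):
    """Return (kind, transmitter MAC), or None for frames without a usable address."""
    if len(frame) < 4:
        return None
    dot11 = frame[struct.unpack_from("<H", frame, 2)[0]:]     # skip the radiotap header
    if len(dot11) < 16 or (dot11[0] >> 2) & 3 not in (0, 2):  # too short, or control frame
        return None
    ftype, subtype = (dot11[0] >> 2) & 3, dot11[0] >> 4
    kind = "data" if ftype == 2 else ("beacon" if subtype == 8 else "mgmt")
    return kind, dot11[10:16].hex(":")                        # address 2 = transmitter

def summarize(pcap_bytes, own=()):
    """Per-transmitter counts of beacon/mgmt/data frames, leaving out your own devices."""
    counts = {}
    for frame in parse_pcap(pcap_bytes):
        found = transmitter(frame)
        if found and found[1] not in own:
            counts.setdefault(found[1], Counter())[found[0]] += 1
    return counts

def recurring_data_senders(captures, own=(), min_captures=2):
    """MACs that sent data frames (not just beacons) in at least min_captures captures."""
    seen = Counter()
    for cap in captures:
        seen.update(mac for mac, c in summarize(cap, own).items() if c["data"])
    return sorted(mac for mac, n in seen.items() if n >= min_captures)

# --- Constructed sample data (locally administered MACs, not real devices) ---
AP, MINE, DEV_A, DEV_C = (f"02:00:00:00:00:{n}" for n in ("01", "0b", "0a", "0c"))

def make_frame(frame_control, tx):
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)               # minimal 8-byte radiotap
    return (radiotap + bytes([frame_control, 0, 0, 0]) + b"\xff" * 6
            + bytes.fromhex(tx.replace(":", "")) + bytes(8))  # addr3 + sequence control

def make_pcap(frames):
    out = struct.pack(PCAP_HDR, 0xA1B2C3D4, 2, 4, 0, 0, 65535, RADIOTAP)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

BEACON, DATA = 0x80, 0x08   # frame-control bytes: management/beacon and plain data
NIGHTS = [make_pcap([make_frame(BEACON, AP)] * 2 + [make_frame(DATA, m) for m in macs])
          for macs in ([MINE, DEV_A, DEV_C], [MINE, DEV_A], [MINE, DEV_A, DEV_A])]

if __name__ == "__main__":
    print(recurring_data_senders(NIGHTS, own={MINE}))
```

A transmitter that appears in this list was present and sending data in several captures; as the post says, presence alone does not show what the device was doing.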

Note that I do still intend to finish up the blog series on mobbing with interference but have been trying to give my eyes a rest from the computer. This blog is a simplistic introduction to a complex subject. Those with greater expertise than I are welcome to use the data I’ve collected to solve the problem of mobbing so I can finally return to a more normal pandemic life. Contact me using the comment function on this blog page.



3 responses to “Stop mobbing crimes with data: Airtool for wireless capture”

  1. […] Stop mobbing crimes with data: Airtool for wireless capture, I provided some superficial information about the use of tools like Airtool and Wireshark to […]

  2. […] electrical service should be clear. Network surveys, including heat maps and frame captures (Stop mobbing crimes with data: Airtool for wireless capture), can already map the rogue networks and access points that those mobbing me use for transport and […]

  3. […] A brief wireless frame capture is automatically performed and stored with the heat map information (Stop mobbing crimes with data: Airtool for wireless capture). […]
