by Andrew Brehaut
Modern technologies, such as cellphones and the internet, are often a thorn in the side of the horror or thriller GM. Typical responses involve negating the use of this technology, be it through remote locations (no signal), dead batteries, villainous forethought (the cell towers have been damaged), the people contacted simply not believing the PCs’ story, or simply setting the game prior to the existence of such technology.
An alternative to outright negation is to look for ways that the technology may work only partially: the web of trust breaks and confidential information gets into the wrong hands, or information is corrupted or misunderstood. This is particularly suited to thriller games with espionage elements. Games with active magical forces can obviously go above and beyond the suggestions presented here.
These suggests are not intended to be used to hose the players; instead, when they use modern technology, they open themselves up to new problems. Consider these suggests to be “Yes, and” twists.
In keeping with the spirit of GUMSHOE, try to choose twists that not only cause trouble for the players, but introduce new information. The type of attack reveals something about the enemy. If the attackers reach through corrupt authorities to track your cell, that says something different to a black-bag job on an assets computer.
The following suggestions are based on generalities about cryptography and encryption. As I am not a cryptographer I am certain to have misconstrued some some of the fine points.
Characters in Fear Itself are typically less competent at the technical necessities required to keep communications private and concealed than the agents in a Night’s Black Agents game. As a result, you have more latitude for Fear Itself characters to be the instigators of their own failures than you do in Night’s Black Agents.
A simple guideline to consider is that if the character should be competent, then the failure should only come from depending on a (compromised or lazy) asset or NPC, or when a failed die roll presents an opportunity.
An example of this might be that the player blows a preparedness test for a cellphone in a tight spot. Instead of failing and not getting the phone, the GM might rule that they have a phone, but it has been compromised.
In Nights Black Agents, any network contacts whose pool has dropped to zero – or in a Mirror mode game, any flipped contacts (NBA pg 32) – are perfectly placed to be the weak link in the security chain. They may reveal cellphone numbers, secure keys, passwords, or any other secret information the character uses.
Less competent characters are unlikely to use secure methods at all. The GM has more latitude to hand-wave the details in this context.
Trust and Authenticity
The backbone of digital secret sharing is authenticity; sophisticated mathematical tools provide ways of ensuring that a communication is from who you think it is from, and that only the intended recipient can access it. Authenticity allows an increase in trust in the communications. Typically these schemes require a non-secret ‘key’ (part of a key pair, with one key secret, and the other non-secret) to be shared between the appropriate parties. Given an opportunity to trade encryption keys, and sufficient bits in those keys, this encryption is sufficiently secure that it will not be feasible to break using brute force in a reasonable amount of time. Not to mention, brute force cracking is lazy story telling, especially in a spy game1.
The math involved is the strongest part of any cryptographic system. Instead, the system is more easily broken by attacking the humans involved, or any secondary mechanisms used. While the math is typically tough, it requires that its process is followed strictly; deviation may introduce subtle weaknesses. Not only does the human angle make for a more believable story, it makes for a more interesting one.
A good guideline here is that the human link that breaks should never be the player characters. If they are competent enough to be using secure methods to begin with, it undermines the characters to suddenly cause them to make a mistake. Only in a crunch (e.g. if preparedness is involved) might they not use a secure channel, and in that instance they clearly know. This also means that PC to PC communication is guaranteed to be secure, which avoids an always check for hidden doors situation where the players waste time worrying about their intra-party communications.
The takeaway here is that you need to trust every link in the chain that has access to the secret keys. If the chain is secure, then any secret communicated with those keys is secure. Adding links to the chain increases the chances that the chain is compromised. As mentioned above, these mistakes and unnecessary links should occur at the NPC end.
When unsecured communications are being used, especially textual, there is little guarantee that whoever is at the other end of the system is who they claim to be. Snooping and supplying misinformation are trivial.
Secure communication relies on the sender having the recipient’s public key, and the recipient being able to get the sender’s in a trusted way. Without this, unsecured methods have to be used. The implication here is that communicating with people outside the existing circle of trust leaves you wide open: the police can’t be called without eavesdroppers having an opportunity to listen in.
One final point: Cryptography is extraordinarily hard. Cryptographers typically cannot see the flaws in a system of their own devising. Competent characters should know that they cannot invent their own cryptography safely, but if players push for it, then they are wide open and asking for trouble.
Aliens and Brute Force
Aliens present a reasonable excuse for brute force encryption breaking. Presumably their computational war chest vastly outstrips our own, so they would be able to brute force nearly all encryption with relative ease. The exception here is one-time pads which are still likely to be secure assuming aliens obey our same mathematical laws.
With people as the weak link in a cryptographic system, it helps to know some potential attacks that may be deployed against them:
- Probably the most common method for acquiring secrets is via social engineering. This is basically a confidence game. Email phishing is a blunt form of this. When the target works out of a large organisation, posing as a network administrator will often get easy physical access to a machine, and the willing cooperation of the target.
- Extortion, threats or torture that leverage vices, family, friends or debts is a very direct method for extracting secrets, but effective.
- Another direct method is the black bag job. Simply break in to the physical location containing a computer or device and either copying data or just stealing it.
Sometimes communications must travel through an insecure network. In this case, even when a message is communicated securely, an observer may still be able to gain information. Examples of an insecure network include wireless networks, cell networks, the wider internet, and local wired networks controlled by a third party.
Establishing a secure network on top of an insecure network (a tunnel, or a virtual private network) is possible, but is subject to the same secret sharing challenges sending the message in the first place. One development here is anonymizing networks such as Tor; with Tor, an observer could see you connect to Tor, but have no idea where the information goes2.
Transmitting secrets over an insecure network allows an observer to collect “meta” details about the communication. Things like: when the message was sent, the duration of connection and/or size of the message, where the message was sent from, and possibly where it was sent to. Proxy networks and other tools may be used to obscure the specific details, but with less latitude than true security.
In more complex systems (such as server software like websites or email systems), information inadvertently disclosed by the system may allow an attacker to find weak points or, in a particularly egregious situation, piece together information from the revealed pieces. This is especially dangerous when the information can be correlated with other sources.
Cellphones, especially smartphones, provide many options for problematic twists.
SMS messages and phone calls are not encrypted end to end, and can be accessed relatively easily via the network. Users of iPhones have access to Apple’s iMessage network which sends arbitrarily large messages and images with end to end encryption. However, if an iPhone cannot access the iMessage server for any reason, it falls back to unencrypted SMS by default. Harried characters may forget to check this, or assets may be lax at checking the setting. One other potential weak point of iMessage is that multiple devices can be configured to receive messages at a given address; someone may snoop on encrypted conversations without you realising. You can safely assume similar foibles of any consumer messaging service.
Competent agents can be assumed to have installed apps on smart phones they control to let them securely communicate and that avoid the risks of using consumer messaging. However, the phone itself is still vulnerable to attack at levels lower than the messaging application.
Smartphones such as Android phones, and jail-broken iPhones, allow for arbitrary software to be installed, and in doing so can replace or augment the operating system’s core software. A simple example of an attack at this layer is a key logger: by planting listening code into the software keyboard, the phone can record every piece of text entered system-wide, and secretly broadcast it, thus circumventing any encryption used. A compromised device may also use the device’s cameras, microphone and GPS to capture a broad range of additional ‘passive’ data.
Jailbreaking a phone is done by taking advantage of security vulnerabilities in the phone’s operating system. While typical jailbreaking does require some user intervention (partly as it is intended to be an intentional attack), there have been jailbreaks that only required visiting a website. If a smartphone that is considered secure has been used to access untrusted websites (and any website that is not delivered securely with known-good certificates can be considered untrusted) then it could possibly have been compromised by a malicious site. In the real world the chances of such an attack vector being viable are extremely narrow, but in the fictional world of a spy thriller where agents may not have opportunities to keep their devices up-to-date and are frequently accessing servers in the seedy underside of the internet, the risks rise. A competent agent with time and access is going to use a disposable or public computer to access these sites, but under pressure there may be no choice.
Obviously, if a smartphone with secret keys on it is stolen or lost, it is a serious risk until it can be remotely deactivated. Lock screens are a weak defence against an attacker; iOS and Android have both suffered multiple security holes allowing lock screens to be bypassed.
Light, Sound and other Emissions
Modern mobile devices have more direct ways of creating trouble too. To function they must emit radio waves on various frequency bands, as well as light and/or sound to be functional.
With phones from sloppy assets, or that have been appropriated, there is also a risk of alarms and other sounds occurring. The iPhone, for example, has a switch that disables the ringer but does not disable all sound system wide. The system’s policy allows some sounds, such as alarms, to occur even when the ringer is disabled. This is a particularly appropriate “gotcha” for normal people thrust into dire situations without warning, such as in Fear Itself.
Another class of potential attack in the modern world (and form of information leakage) is that devices such as cellphones that connect to wireless and cell systems broadcast unique device IDs to those networks. In both cases the attacker could compromise the network itself, but because these devices must broadcast their communication, it is often easier to use malicious base stations and traffic snoopers. For wifi this can easily be achieved with cheap plug computers. In both cases basic identifying information can be harvested without the target being aware.
This is possible because the devices need to maintain a low level of background traffic to maintain a presence on a given network (e.g. so that calls or data can be routed to the device). This information can then be pooled over time. For instance if the same IDs appear in networks of two or three geographically separate locations, a conspirator could reasonably assume that it is not a coincidence.
Particularly with wifi, the range of each network is small enough that with a collection of networks or malicious base-stations, a particular device’s movements could reliably be tracked in a known area.
TEMPEST Monitors (NBA Pg 100) are another risk of carrying a cellphone or other broadcasting device.
In games with supernatural, in addition to creatures being extra sensitive to light and sound, they may perceive frequency ranges well above even ultra violet; In these spectrums the radio signals from cell and wifi systems would be clearly visible bursts emanating from the characters.
If the creatures communicate with each other in these frequency ranges, it is possible that may even mask cell or wifi signal for short bursts.
In a situation where a character must be separated from a device, such as at a meeting with criminal elements, they should be concerned about tampering. The question is what could have been tampered with in the time window, and what the signs of it would be.
Some devices are easier to tamper with than others. Those with battery access for instance; a matter of seconds may be all that is needed. Phones without user accessible batteries may seem less vulnerable to tampering, but with the appropriate tools (such as the right screwdriver, a special prybar and a suction cup for an iPhone) you can have it open and closed again in a couple of minutes. The easiest way to check for physical tampering is to open the device and examine it.
Software tampering is harder to identify, but may take longer to perform. This is the equivalent of a jailbreak. It may be achieved over a network, or by connecting the device to a computer. Between five and fifteen minutes for a competent attacker to determine and use the correct attack vector and required waiting for software installs and device restarts would not be unreasonable. Tampered devices may run hotter and/or use battery faster than the usage would suggest. With the appropriate hardware and software tools and some time, the image of a device can be checked against a known good copy and if need be restored.
Finally, devices with SIM cards are vulnerable to tampering. It takes only a couple of minutes and some text messages. This allows trivial call and message snooping.
Back of the sticks?
An alternative to just denying characters use of cellphones due to lack of signal in the remote locations is to allow them to find a patch of poor signal; if they use it, they may be pinned in one spot while making a call, or waiting for their encrypted data to transfer. Maybe not your first choice when being stalked by a vampire.
An alternative to smart phones is cheap, disposable ‘feature’ phones (called ‘burners’) with prepaid data. These can be purchased with cash, no personal information, and can be trivially disposed of after use.
Relying on burners allows trivial anonymity as long as the burners only contact other burners, and do not contact a device known by the observer (that allows the entire network to then be unravelled).
The main downsides to burners is that they can’t have cryptographic keys or software loaded onto them easily. This means that communications are necessarily insecure, but it also means that there is no reliable (cryptographically speaking) way to authenticate with others. Anonymity and trust are naturally opposed. Weak secrets such as pass phrases or PINs can be trivially snooped by any observer that has either compromised the network or has the target surveilled.
Some smartphone burners exist. These often suffer from antiquated operating system versions with plentiful known vulnerabilities and no way to upgrade.
Accessing the wider internet is relatively safe; you can do so anonymously from a variety of publicly accessible computers (Libraries, internet cafés etc) without needing to put your own hardware at risk, with limited chance of your location being uncovered beyond the typical physical risks, and without too much concern about key logging or other snooping.
The biggest restriction is that the character may not be able to get the machine out of its kiosk mode, which means being limited to only the web browser, and potentially some coarse filtered view of the web (administered at a firewall).
If the machine can be accessed out of a kiosk mode (surreptitiously), then it is relatively trivial to connect more securely and directly to known good machines (perhaps virtual machines) to then access out into wider internet unobstructed.
One potential problem here is that the character may need to relay their secret key via USB stick. Beyond the dangers inherent to carrying the key (leaving the key behind would be a potential disaster), there is the risk of any malware on the computer infecting the USB stick, and then in turn the characters own computers. This is more likely to cause a computer to run sluggishly and/or unreliably than it is specifically going to leak information to the enemy.
Characters with heat (see Night’s Black Agents pg 87-88) from government agencies may experience difficulty crossing borders: a failed heat roll may result in laptops and phones being seized for searching (and copying or tampering). While consumer operating systems now provide full disk encryption, characters may be subjected to extra scrutiny due to its presence (“If you have nothing to hide, why do you need the encryption?”); the characters will of course be able to manufacture convincing reasons, but the argument may still be leveraged as an excuse to detain them.
Alerting the Authorities
Players may at some stage wish to call in reinforcements in the form of law enforcement, or media. Instead of ruling it out completely, consider allowing it. Keep in mind that the characters are unlikely to be able (or want) to use authenticated channels to make this communication, so there is limited trust involved. Any respondents will act accordingly.
The characters will probably do one of two things: lie about the situation, or come off sounding like cranks. If they lie, then whoever investigates is likely to be wildly unprepared for what is happening. Meat for the grinder, and stability tests for the characters. With the crank option, the response is likely to be slower arriving.
For law enforcement, consider having a couple of uniforms roll up to investigate. The characters will have to work extra hard to achieve their original objective and keep them alive. If the officers die at the scene, the characters can expect their heat to rise, and attached with it records of the call and tags for any weirdness mentioned. These unexplained deaths will surely crop up again later, too, perhaps pinned to the characters.
In the case of media, a reporter given a crazy but potentially promising tip may wish to do some initial research, and perhaps meet up with the informants. Again, the characters are going to have to work to keep the reporter alive. In a Night’s Black Agents game offering up a small story may only take out a single low level cell of the conspiracy, but is reasonably achievable. Tip offs with larger scope take a lot more time to come to fruition, and will end up endangering more people.
Competent characters will be aware of the security risk of most of these problems. Don’t try to hide this from the players to spring on them later; let them stew in their own juices and make the decision in the heat of the moment. They always get their message in or out, but they know they have let something slip in the process. Allow Sense Trouble rolls to alert characters, particularly if they have points in the appropriate abilities (Cryptography, Electronic Surveillance, etc)
When a network contact is turned, an agent may see telltale signs that their communications have been breached, but not know what exactly.
- If you are interested in reading more about the strength of cryptography, check out the PGP FAQ. While some weaker keys have been cracked, the amount of computing power needed is phenomenal. Using strong keys, and regular secure key rotation should mitigate most of the risk.
1.The default setting of Night’s Black Agents (pg 28) assumes that government agencies do possess tools to crack even the strongest keys. You may prefer to assume this in your games.
- Tor is not perfect though. This article is an interesting read about one attack on Tor using malicious end points.