Markdown Version | Session Recording
Session Date/Time: 07 Aug 2025 16:00
DULT
Summary
The DULT Working Group met to discuss updates to the threat model document and a detailed proposal for remote tag disablement. Shesh presented recent changes to the threat matrix and new attack scenarios, including account compromise and impersonation. Maggie then presented a collaborative proposal for remote disablement, outlining conditions for disablement and re-enablement, and discussing security considerations. Significant discussion ensued regarding the enforceability of proposed disablement conditions and the effectiveness of deterrents against malicious actors, particularly the role of sound alerts.
Key Discussion Points
- Threat Model Document Updates:
  - The "feasibility" metric was merged into "likelihood" in the threat matrix, as they are closely correlated in practice. Feasibility will now serve as a justification for likelihood values.
  - The impact of the "deploy multiple tags" attack was reduced from High to Moderate, acknowledging that impact depends on deployment scale (e.g., often less than 10 tags).
  - The impact of "remote advertisement monitoring" was reduced from High to Moderate/Medium, as identifier rotation intervals can vary (e.g., 24 hours when away from owner), reducing continuous tracking.
  - Two new attack scenarios were added:
    - Abuse via victim's own tag: An attacker compromises the victim's account to track their location silently. This was assigned High impact and Medium likelihood due to common account compromises.
    - Impersonation attack: An attacker pretends to be a user's device (High impact, Medium likelihood) or part of the crowdsource network (Medium impact) to disrupt safety, enable malicious tracking, or send fake location data.
  - It was noted that while the analysis belongs in the threat document, some issues might be beyond the IETF's scope to fix.
- Remote Disablement Proposal:
  - Goal: To disable physically unlocatable trackers that remain active despite alerts (e.g., hidden in a car).
  - Proposed conditions for a tag to be disabled (enforceable by the tag):
    - The tag is away from its owner (using the existing "owner bit" in the accessory protocol).
    - A user has successfully triggered the "play sound" command five times (number subject to change).
    - If the accessory has finding capabilities (e.g., UWB), the user has attempted to use them.
    - The tag has been in range of the disabling device for at least 10 minutes.
  - Mechanism: An op code is sent to the tag using the non-owner device protocol.
  - Effect: The disabled tag continues to advertise but sets a specific bit, indicating its location should not be used for crowdsourcing.
  - Conditions for re-enablement:
    - The tag owner connects to the tag or returns into range.
    - The tag is power cycled.
    - The crowdsource network directs re-enablement (e.g., due to a valid court order), though legal details are out of scope.
  - Notifications: The user who disabled the tag is notified with the last known location. No notification is sent to the tag owner upon disablement to protect the safety of the person performing the disablement.
  - Security Considerations: Requirements are designed to be enforceable by the tag itself to mitigate non-conformant device abuse. The requirements aim to be sufficiently onerous to deter mass disablement events, and re-enablement mechanisms address erroneous or abusive disablement.
  - Options Considered but Not Recommended: Restricting disablement to suspected unwanted tracking (not enforceable by tag), knowledge of tag moving with device (difficult to implement), or a temporary "snooze" feature (continuous user stress).
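As an added illustration (not code from the working group, the proposal authors, or any accessory protocol), the following Python models the tag-side enforcement of the conditions above, including the "repeated commands from the disabling device" idea for the 10-minute in-range check. The 60-second presence gap, the event names, and the per-device bookkeeping are assumptions made for the example.

```python
from dataclasses import dataclass, field

PLAY_SOUND_THRESHOLD = 5      # "play sound" must have succeeded five times
IN_RANGE_SECONDS = 10 * 60    # at least 10 minutes near the disabling device
PRESENCE_GAP_SECONDS = 60     # assumed: silence longer than this restarts the clock

@dataclass
class Tag:
    has_uwb: bool                                # tag has a finding capability
    near_owner: bool = True                      # the existing "owner bit"
    do_not_crowdsource: bool = False             # bit set once disabled
    sounds: dict = field(default_factory=dict)   # device_id -> successful plays
    uwb_tried: set = field(default_factory=set)  # devices that completed ranging
    first_seen: dict = field(default_factory=dict)
    last_seen: dict = field(default_factory=dict)

    def _touch(self, dev, t):
        # Repeated commands are how a low-power tag learns a device is still in
        # range; a silence longer than the gap restarts the 10-minute clock.
        if dev not in self.last_seen or t - self.last_seen[dev] > PRESENCE_GAP_SECONDS:
            self.first_seen[dev] = t
        self.last_seen[dev] = t

    def play_sound(self, dev, t):
        self._touch(dev, t)
        self.sounds[dev] = self.sounds.get(dev, 0) + 1
        return self.sounds[dev]

    def uwb_ranging(self, dev, t, two_way_completed):
        self._touch(dev, t)
        # Ranging is two-way, so only a completed session proves the host has UWB.
        if two_way_completed:
            self.uwb_tried.add(dev)
        return two_way_completed

    def request_disable(self, dev, t):
        self._touch(dev, t)
        ok = (not self.near_owner
              and self.sounds.get(dev, 0) >= PLAY_SOUND_THRESHOLD
              and (not self.has_uwb or dev in self.uwb_tried)
              and t - self.first_seen[dev] >= IN_RANGE_SECONDS)
        if ok:
            self.do_not_crowdsource = True   # keep advertising, but flag the bit
        return ok

    def reenable(self, reason):
        # reason is "owner", "power_cycle" or "network"; all clear the bit and the evidence.
        self.do_not_crowdsource = False
        for d in (self.sounds, self.uwb_tried, self.first_seen, self.last_seen):
            d.clear()
```

Timestamps are plain seconds; a device that stops sending commands for longer than the gap has to start the 10-minute window over, which is what makes the in-range condition checkable by the tag alone.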
- Discussion on Remote Disablement Enforceability and Deterrents:
  - Ultra-Wideband (UWB) Enforceability: A question was raised whether a non-conformant device could simulate not having UWB. It was clarified that a tag could determine if a host device has a UWB chip by attempting ranging, as successful ranging requires two-way communication.
  - "In-range for 10 minutes" Enforceability: Concern was raised about how a low-power beaconing tag would know it was continuously in range of a specific disabling device for 10 minutes without excessive power consumption. It was suggested that repeated commands from the disabling device could provide this.
  - "Play Sound" as a Deterrent: Skepticism was expressed about the effectiveness of a sound alert as a deterrent against a malicious mass disablement (e.g., at an airport baggage claim), where the attacker may not care about being surreptitious. It was acknowledged that while it alerts nearby individuals, it may not stop the disablement if all other conditions are met.
  - Guiding Principles: A suggestion was made to step back and clarify the guiding principles for disablement features, focusing on properties that genuinely distinguish a defender (being stalked) from an attacker (trying to disable the system), rather than just focusing on mechanisms.
  - Two-way Crowdsourcing Networks: A question was raised about whether two-way communication in crowdsourcing networks was within the charter's scope, leading to a discussion that it was not explicitly defined.
Decisions and Action Items
- Decisions:
  - The threat model document was updated to merge "feasibility" into "likelihood" metrics and reflect reduced impact for certain attacks.
  - New attack scenarios ("Abuse via victim's own tag," "Impersonation attack") were added to the threat model document.
  - A sense of those present was that two-way communication in crowdsourcing networks would be a difficult design goal, suggesting a focus on simpler approaches first.
- Action Items:
  - Maggie (and co-authors) will refine the remote disablement proposal, focusing on the core principles that distinguish legitimate use from abuse, and re-evaluating the enforceability of UWB and in-range requirements.
  - The Chair will follow up with designated reviewers to actively engage in reviewing the significantly updated threat model document.
Next Steps
- Continue refinement of the remote disablement proposal based on the discussed feedback.
- Active review of the updated threat model document by the designated reviewers.
- Once the threat model document approaches completion, the Working Group will shift focus to other related documents.