Tracking devices are a boon to organizations with vast logistical operations and anyone who has ever lost a set of car keys. But trackers can also be a nightmare for cybersecurity, opening up a whole new world of opportunity for intruders. Credit: Gorodenkoff/Shutterstock The transportation industry has doubled down in the area of fleet tracking in recent years, which has come with great benefits and not a few security headaches. On the consumer side, we’ve spoken of Apple’s AirTag and how it has been used to find personal items of import — and also its potential to be abused by the nefarious to track and trace individuals. Now we see that Google is jumping into the fray, with the soon-to-be-released tracking device in development apparently codenamed “Grogu” (after the Baby Yoda character in the “Star Wars” spinoff “The Mandalorian”). The astute cybersecurity leader is no doubt thinking: “This is a CISO nightmare.”From a market perspective, an Android-based tracking system makes eminent sense. Given that the AirTag is designed for iOS devices and Apple Maps, the Android device is being designed to work with the three billion Android smartphones in use and take advantage of Google’s already established Geo Tools.With its arrival (believed to be in late 2023) the Android device will combined with the AirTag, effectively enable more than 99% of the mobile market (Android 71.7% and iOS 27.6%) to interact with tagging devices. Ideally, it will usher in a new age in which we never have to lose anything again, from dogs to suitcases to car keys.How will tracking devices be used?Yet the field is crowded. Invoxia has brought to market their “vehicle tracker”, operating off the cellular network and providing continuous GPS location between a device and the control application. Their pitch: “A car is stolen every 38 seconds.” Within the fear-marketing message rests the nightmare for CISOs. How will these devices be used? Clearly, the logistics side of the equation means vehicles and things can be tagged and tracked with relative ease. Not only will it help with locating and counting inventory, but the technology can also be used to ensure an alert occurs when those things which are supposed to stay within a specific geographic footprint leave that footprint.Then there is the negative side of the equation, on which employees might use the corporate tracking capability for nefarious purposes or bring their own tracking devices into the corporate environment. But don’t stop with the employee. What of the vendor or the competition? How might they wish to use these tracking devices to garner a bit of competitive intelligence? Tracking technology used for evilTracking the movements of gear or people might be prudent in a specific circumstance — visitors to a corporate building, for example. A badge outfitted with the technology can be monitored to ensure visitors stay within the areas to which they are granted access and, if escorts are required, an escort tag can be issued to provide confirmation that their corporate escort is within proximity. On the less scrupulous side of the equation, the tracking device can be dropped into the backpack, briefcase, computer bag, or purse of a targeted individual and that individual’s movements tracked.To illustrate how dangerous this technology can be, in Ankeny, Iowa a restaurant owner was charged with stalking a woman using the Invoxia-brand GPS device. The man allegedly placed it inside her car and then tracked her movements. The criminal complaint notes that the victim was confronted by the restaurant owner in December 2022 in a location that could have only been known from tracking information. Twelve days later, the woman was allegedly surveilled by a friend of the accused as she walked her dog in a park. The complaint continues that the victim discovered the tracking device when cleaning her car.Tracking as corporate espionageIn the corporate world, the devices could be used as simple tools of espionage. For example, every company’s sales team has closers, individuals who seal the deal, often brought in to wrap things up, especially in complex and intricate engagements. Imagine a competitor being able to track your closer from location to location simply by dropping a tag in his or her luggage. What type of competitive advantage might be drawn from that piece of data? Far more precise than tracking corporate jet tail numbers and their travel patterns.When used properly, tracking tags can reduce pilferage, monitor independent cargo shipments, and track equipment and personnel. But they say the devil is in the details, and they are correct — one doesn’t need to be a rocket scientist to understand the downside of having these devices readily available, and thus any corporate usage must have processes and procedures in place surrounding the technology.CISOs will be well served to include their legal department and their privacy officer in all discussions on tracking personnel and/or equipment issued to personnel using these technologies. They must also have in place a playbook for those instances when insiders use the capability for their own purposes, as shown in the aforementioned example. Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Data and Information Security IT Leadership brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe