Stalker finds victim through reflection in selfies
Singer Ena Matsuoka has been attacked by a fan. The 26-year-old attacker found her place of residence by analysing the reflection in her eyes, among other things.
Ena Matsuoka is a star. The 21-year-old Japanese girl is a singer and dancer in the band Tenshi Tsukinukeni Yomi. She may be little known outside of Japan and select J-pop circles, but Ena can't complain. In her official biography, she describes herself as a lover of the colour pink and recommends the book "The Foam of Days" by French author Boris Vian. On her Twitter account, she presents herself as charmingly lively, posting announcements of her upcoming concerts and selfies several times a day, rarely including pictures of her neighbourhood, taken with her iPhone.
Sato Hibiki has also been famous since his crime. The 26-year-old Japanese man can neither sing nor dance. But he loves listening to music. One of his favourite bands is Tenshi Tsukinukeni Yomi. He is particularly fond of Ena Matsuoka. He follows her on Twitter and takes a close look at her pictures. Sato is dreaming. He wants to be close to Ena, to have her all to himself. Sato is a fan. Obsessed and a so-called sasaeng. Sato knows no boundaries.
On 1 September 2019, there is radio silence.
The following day, Shonan Matsuoka posted on Ena's Twitter. Ena was feeling poorly, so social media was silent for the time being.
The pupils as traitors
For days, weeks, Sato looked at Ena's pictures, gazing into her big brown eyes, until he noticed something.
Sato forges a plan.
The iPhone XR's selfie camera delivers a resolution of 7 megapixels. It is not known whether Ena has an iPhone XR or another model. The phone's software gets amazing results from the images. Sato even more. He can tell roughly which floor Ena lives on. Or where she regularly spends time and takes selfies. Because the backgrounds of many of her selfies show the same beige and pink wall and the same socket on the left edge of the picture.
Sato zooms in.
He looks at the reflections in the singer's pupils. In those brown eyes that look back at him from the screen and into which he has gazed so often. He recognises houses. That doesn't help him. Because there are houses everywhere in Tokyo. In every other city in the world too. He needs something more concrete. He needs something that can only exist in one place. In one picture he recognises a bus stop or underground station.
Sato gets to work and correlates the data.
To do this, he needs as much identifying data as possible. In Information Security, researcher Flavio Gerbino categorises this information into three categories.
The reflections in the singer's eyes show a row of houses. So he is looking for a multi-storey building opposite a row of houses near the bus stop. His work is made easier with every picture and video Ena posts. In videos, he sees open windows with curtains. The sun is shining and shadows are being cast. Sato can tell from this which direction Ena's room is facing. So he looks for a multi-storey building opposite a row of houses near the bus stop that faces a certain cardinal direction. To avoid having to walk long distances, he looks at blocks of houses on Google Street View. In this way he correlates a large amount of potentially indirectly identifying data, which ultimately spits out an address.
Sato knows where Ena lives.
Ena has no idea about any of this. Ena practises her dance moves, does her shopping, goes home, posts pictures and videos and thinks she's safe.
Danger selfie
It is not the first time that a published selfie has caused harm to a person. Of course, Sato is one of very few who go so far in their obsession that they leave the internet, but here's a heretical question: do we really want to risk becoming cautious only once it is confirmed that there are hordes of obsessives out there?
But the problem must not be the selfie per se. Because Ena has no choice. As a star, she lives in the public eye. To please her fans, which is part of her job, she has to show pictures of herself and her world. She has to continuously draw attention to herself and her band. A story a day on Instagram, a tweet every few hours and so on.
A few words on "it's your own fault"
Sooner or later it happens in the comment columns on articles like these: a commenter writes something that sounds like "it's your own fault". Or it boils down to that. "She should have paid more attention to the reflections" or "She shouldn't have posted selfies from her flat". This should not be used as an argument, as it puts the discussion firmly in the territory of victim blaming. The term probably comes from the context of rape cases and is often used in the defence of a perpetrator. A lawyer or judge or other official argues with something like "Her skirt was too short, she wanted it that way" and thus blames the victim for the harm done to her. She was too attractive, too irresistible. The perpetrator couldn't help himself.
No one deserves to have their dignity or health threatened or violated. No matter the circumstances.
However, selfies are a risk. Ena Matsuoka's case shows that selfies can reveal your home address, among other things. Or damage your reputation. The same applies to videos (see the Brooke Houts case; note that the video autoplays) or any other bit of information that a person publishes online. Enough information can lead to unpleasant side effects. Even as an author at digitec and Galaxus, I think every day about what I reveal about myself as a person, where I take pictures and what I say in videos.
When images lead to attacks
In order to make people think more actively about the risks of their images, information security professionals work every day to make you as an end user aware of the danger, to show you the risks and to hope that you don't end up like Ena Matsuoka. Hacker Jan Krissler, alias Starbug, has made a name for himself since the introduction of the fingerprint sensor on smartphones by defeating these systems.
One of his most impressive achievements is the perfect reproduction of German Defence Minister Ursula von der Leyen's fingerprints by analysing images of the woman and recreating them using software such as VeriFinger. The media subsequently warned against making the peace sign on camera.
In Asia in particular, the two raised fingers are a widespread gesture. Bollocks, eh? So all that remains is to hope that no obsessed person takes action.
In his proof-of-concepts, Krissler has recreated entire hands in order to outwit fingerprint sensors. The attacks are not only effective against smartphones, but also against all systems that require fingerprints as an authentication factor. In other words, smart locks or the doors to the offices of Digitec Galaxus AG.
So what does this mean?
So does that mean you shouldn't use your fingerprint as authentication under any circumstances? No. But it's something you should keep in mind. You have ten fingerprints, two eyes. They only change in extreme cases. Once stolen, the authentication factor is forever insecure. You can change a password or PIN as often as you like.
Furthermore, you need to be aware of who is after you, i.e. create a threat model. Your best mate, who would like to order a pizza in your name, will not be able to forge your fingerprint in the vast majority of cases. The Chinese government probably doesn't want to get their hands on you either. The Illuminati have already passed your data on to the Reptilians anyway, who want to replace you in everyday life. Because your CT position is exactly what they need to take over the world for good. Joking aside: you're probably not so important that you're in any great danger.
On the other hand, you don't have to be an internationally recognised star to be the victim of an attack that generally comes from the field of information security. Ena Matsuoka, singer and dancer with Tenshi Tsukinukeni Yomi, is no superstar. She belongs to the so-called "Chika Aidoru". This can be loosely translated as "underground idol", whereby "idol" is generally used as a word for "star" in Japan. Chika Aidoru are all singers and dancers who have exactly the same job as the big stars of the scene, but without the support of a gigantic label. Bands like AKB48 are currently the really big ones. And when we look to Korea, we can't avoid the name BTS.
Just because an attack is theoretically possible doesn't mean you're necessarily in danger. But you are taking a risk. Be it with selfies or with your fingerprint.
The attack
Sato has had enough of dreaming shortly after 11 pm on 1 September. He wants to be close to his sweetheart, who probably doesn't even know he exists. His research pays off. Sato sees Ena coming home after a concert. Sato knows when and where the concert is taking place and roughly when he has to wait outside her front door to meet her.
His moment has come.
The problem: Sato knows that Ena doesn't know him and will probably send him packing. So his obsession leaves him with only one option: violence.
He puts a cloth on her face, gags her and drags the young woman into a side alley, where he touches her indecently. According to the Japanese daily Sankei Shimbun, he made this statement after his arrest on 16 or 17 September. Sato has confessed.
Ena puts up a defence.
Sato probably didn't expect this, but he fights back. In the end, she manages to put him to flight. She has managed to avert the worst. She may have been beaten and groped, but it didn't come to rape or murder. The minor injuries to her face healed within a week. There are calls for better protection for idols. Because the Sato/Ena case is not the first of its kind.
Singer Mayu Tomita was stabbed over 60 times with a knife by two sasaeng in 2016, but survived. She has now sued for compensation, but has been left with scars on her face, lost part of her eyesight and had to give up her career. Even more humiliating is the case of NGT48 singer Maho Yamaguchi. She claims to have been attacked by two men in January 2019. The police investigation has resulted in two arrests, but there is no word yet on any punishment. Maho has subsequently had to publicly apologise. For causing so much trouble.
As people interested in IT security, there's only one thing left to do: try it ourselves. Over the course of the week, I will be working with a small team to try and create selfies in such a way that an object in a reflection can be identified beyond doubt.
Ena Matsuoka is still active on Twitter, sings and dances.