Malicious Mobile Tracking Made Easy
Exploits and hacking tools in the mobile space will get ample airtime at next month’s first Black Hat Regional Summit in Brazil. Among the presenters: a researcher who developed an affordable, distributed mobile tracking network that could take advantage of weaknesses in the way mobile devices probe for Wi-Fi signals to keep tabs on users’ physical and digital movements and intercept data from their devices.
Unlike other similar systems of the past, this one didn’t depend on bulky laptops or large antennae, says the speaker, Daniel Cuthbert, COO of SensePost.
“We thought, could we build a framework that moved to more of a distributed, smaller sneaky surveillance-style approach?” he says. “We did it by making a couple of prototypes — our first was a Nokia N900 phone.”
The first prototype gave Cuthbert all of the capabilities he needed to run the surveillance project he calls Snoopy: It was a Linux-based device with an IEEE 802.11 adapter supporting packet injection and general Internet connectivity. And it was small enough to be spread around public places without attracting attention. The idea was to create a “dumb drone” out of the device so that it would take data collected from victim devices and push it to a central server using a VPN.
[Your organization’s been breached. Now what? See Establishing The New Normal After A Breach.]
“So even if we lost a drone or it got stolen, it didn’t matter — without the data on the drone it was useless,” Cuthbert says.
Using a very old vulnerability found back in 2005 that enables an attacker to look at probe requests made by devices looking for Wi-Fi networks it had previously connected to, the drones could find probe signals constantly sent out by devices and start to collect MAC addresses and other information that would make it possible to develop profiles about the user who owns such devices. For example, by placing a number of drones in popular London Underground stations, Cuthbert was able to collect enough information to start physically tracking the whereabouts of users as they passed through the stations — tracking when they went to work and came home, and even where they lived.
“We listened out for all the probe requests, connected to them, and then used a Wi-Fi war-driving service like Wigle to see if we could do a profile on that user. If you did it over a period of two or three days, you could figure out where their home was, where their work was, and where some of the common places they’d go with their phone,” he says. The drones assume Wi-Fi was turned on, the phone was connected to Wi-Fi at home, and that the home address had been mapped by a Wigle volunteer, he added.
Taking things a step further, the drones could also be set up to impersonate a Wi-Fi access point already predefined in victims’ phones, so that when the probe request is made, a connection is automatically made to the malicious drone. This was done at Black Hat Las Vegas, a place where the majority of the crowd ostensibly should know better than to walk around with Wi-Fi turned on. And yet Cuthbert was able to use it effectively; once the devices were connected, it was possible for the drones to collect information about push notifications, email, social media, and more.
Whether it was physical or Internet traffic data, the Snoopy project was able to dive into it using Maltego to examine patterns for detailed analysis about the user’s behavior and habits online and in the real world.
According to Cuthbert, while many other projects have performed similar tasks in the past, Snoopy’s comprehensive approach should raise eyebrows about how much we trust a device that could become such an effective surveillance tool for those around us.
“I think the key thing that we got out of this was how trusting people were of their devices,” he says. “There’s a hell of a lot on your phone at the moment, and generally speaking you’re logged into a whole lot of services.”
He also says that a project such as Snoopy can make it possible to effectively commit mass attacks against phones and easily develop, for example, a mobile botnet quite easily.
“Imagine you wanted to build a botnet of mobile phones — we would go to a large area, we’d set up a fake AP that listened out for common APs that people connected to, and the nice thing is if you then wanted to drop malicious ads into all the HTML streams, or if you just wanted to run Metasploit, you can do that because everything is controlled from a central server,” he says. “So, whereas before [when] you wanted to attack a phone you had to do a man-in-the-middle on that phone, and it is a very manual process, here it’s very easy to attack a lot of phones at once.”
Have a comment on this story? Please click “Add Your Comment” below. If you’d like to contact Dark Reading’s editors directly, send us a message.