Analytics // Security Monitoring
7/27/2013
09:22 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Cheap Monitoring Highlights Dangers Of Internet Of Things

Using a network of cheap sensors, the home-brewed CreepyDOL system can track people by signals sent from their mobile devices

While consumers and workers typically know that their mobile devices are frequently sending off data to the Internet, most do not understand the implications of carrying around an always-on connection in their pockets.

Click here for more of Dark Reading's Black Hat articles.

A University of Wisconsin at Madison law student and security researcher plans to highlight the privacy and security problems by demonstrating a monitoring system that uses a network of inexpensive sensors to track people using their smartphones and other wireless devices. The system, known as CreepyDOL, uses a network of air-dropped sensors that listen for wireless traffic, allowing the tracking of anyone with a wireless-enabled mobile device.

"The CreepyDOL system takes the fundamental assumption of hiding in the crowd and does away with it," says Brendan O'Connor, the founder of security consultancy Malice Afterthought and the creator of the system. "Even if you don't connect, if you are wired on a network, we will find you. If you are a person in a city, we will find you, and we will do it all for very little money."

While many privacy activists focus on the massive amounts of data collected by Google and other Internet firms, and the widespread collection of metadata by the National Security Agency, CreepyDOL underscores that many of the problems are with fast development of the "Internet of things."

"This is really going to get out of control, but it's the future," says Chris Wysopal, chief technology officer for Veracode, an application-security firm. "Everyone is going to be able to track anyone, unless there are regulations."

[A spate of research into mobile devices as sensor platforms has shown that compromised smartphones can be turned into insiders -- eavesdropping on phone calls, 'shoulder-surfing' for passwords, or looking around an office. See Mobile Trojans Can Give Attackers An Inside Look.]

O'Connor put together a "Frankensteinian" collection of technologies to create the sensor platform. He created a disposable sensor platform that can be air-dropped on the rooftops of buildings in the targeted area. Dubbed F-BOMB, the platform costs less than $60 and can last for five days or more on two AA batteries. The sensors connect to each other using a wireless command-and-control protocol, called Reticle, that O'Connor created to connect to open wireless networks and use the Tor anonymizing network to send data and receive commands.

The two technologies scramble communications and also encrypt information about the other nodes in a way that makes forensics analysis difficult. Even if a CreepyDOL node is found, a defender should not be able to gain information about the attacker, O'Connor says.

The system listens for the control signals sent from smartphones that are looking to connect to a wireless network. Any smartphone or tablet with WiFi enabled will occasionally send information about itself and the networks it knows about. In addition, if the phone is connected to an open wireless network, the sensors can listen in. Many mobile applications send enough data in the clear to gain additional information on the user.

Finally, O'Connor used a popular 3-D graphics engine to track the whereabouts and additional information about users. The security researcher created a number of filters to grab data and turn that data into information about the user. The sensors do not send any data, only listening for data sent in the clear, he says.

With the proliferation of mobile devices that broadcast information about the user, systems that try to take advantage of the publicly accessible signals will increasingly be developed, says Wolfgang Kandek, chief technology officer of Qualys, a cloud security firm. The wireless technology embedded in an increasing array of devices -- from exercise monitors to bicycle handlebars -- will enable the easy monitoring of everyday activities, he says.

"There is going to be an explosion of sensor data driven by these types of devices," he says.

While people are worried about Google and the NSA, they should be concerned that they are carrying around the equivalent of an easy-to-track sensor system, O'Connor says.

"This isn't even hard, and it should be hard, and that is pretty disturbing to me," he says. "People fix vulnerabilities when the kid on the street corner can abuse it. Maybe it's time to fix this now."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ForeverSPb
50%
50%
ForeverSPb,
User Rank: Apprentice
8/1/2013 | 4:58:28 PM
re: Cheap Monitoring Highlights Dangers Of Internet Of Things
Well, we all know that phones can be tracked. So, someone will know that I went to a pharmacy on my way from work. Then what? That same person can just follow me around, or stick a gps tracker to my car - why bother air dropping?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web