Attacks/Breaches

10/23/2013 04:33 PM

Malicious Mobile Tracking Made Easy

Black Hat Sao Paulo speaker discusses Snoopy, a distributed mobile tracking network that can profile users online and in the real world

Exploits and hacking tools in the mobile space will get ample airtime at next month's first Black Hat Regional Summit in Brazil. Among the presenters: a researcher who developed an affordable, distributed mobile tracking network that could take advantage of weaknesses in the way mobile devices probe for Wi-Fi signals to keep tabs on users' physical and digital movements and intercept data from their devices.

Unlike other similar systems of the past, this one didn't depend on bulky laptops or large antennae, says the speaker, Daniel Cuthbert, COO of SensePost.

"We thought, could we build a framework that moved to more of a distributed, smaller sneaky surveillance-style approach?" he says. "We did it by making a couple of prototypes -- our first was a Nokia N900 phone."

The first prototype gave Cuthbert all of the capabilities he needed to run the surveillance project he calls Snoopy: It was a Linux-based device with an IEEE 802.11 adapter supporting packet injection and general Internet connectivity. And it was small enough to be spread around public places without attracting attention. The idea was to create a "dumb drone" out of the device so that it would take data collected from victim devices and push it to a central server using a VPN.


"So even if we lost a drone or it got stolen, it didn't matter -- without the data on the drone it was useless," Cuthbert says.

Using a vulnerability first identified back in 2005, which lets an eavesdropper observe the probe requests a device sends while searching for Wi-Fi networks it has previously joined, the drones could pick up the probe signals that devices constantly broadcast and collect MAC addresses and other information from which profiles of the devices' owners could be built. For example, by placing a number of drones in popular London Underground stations, Cuthbert was able to collect enough information to begin physically tracking users as they passed through the stations: when they went to work and came home, and even where they lived.

"We listened out for all the probe requests, connected to them, and then used a Wi-Fi war-driving service like Wigle to see if we could do a profile on that user. If you did it over a period of two or three days, you could figure out where their home was, where their work was, and where some of the common places they'd go with their phone," he says. The drones assume Wi-Fi is turned on, that the phone has been connected to Wi-Fi at home, and that the home address has been mapped by a Wigle volunteer, he added.

Taking things a step further, the drones could also be set up to impersonate a Wi-Fi access point already saved on victims' phones, so that when a phone sends its probe request, it automatically connects to the malicious drone. This was done at Black Hat Las Vegas, a place where the majority of the crowd ostensibly should know better than to walk around with Wi-Fi turned on. And yet Cuthbert was able to use it effectively; once the devices were connected, the drones could collect information about push notifications, email, social media, and more.
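As an added defender-side illustration of the two behaviours described above (phones leaking their remembered networks in probe requests, and an access point that answers for whatever network they ask for), the following Python, which is not code from the article or from SensePost's Snoopy, parses log lines in an assumed format and flags any BSSID that responds to probes for several unrelated SSIDs. The log format, MAC addresses and SSIDs are all constructed for the example.

```python
# Added example, not code from the article or from Snoopy: a small defender-side analyser.
from collections import defaultdict

# Constructed sample log (hypothetical format): "<time> <frame_type> <mac> <ssid>".
# PROBE_REQ = a client asking for a remembered network; PROBE_RESP = an AP answering.
SAMPLE_LOG = """\
12:00:01 PROBE_REQ  aa:bb:cc:00:00:01 HomeNet-Smith
12:00:01 PROBE_REQ  aa:bb:cc:00:00:01 Coffee Shop WiFi
12:00:02 PROBE_REQ  aa:bb:cc:00:00:02 OfficeGuest
12:00:02 PROBE_RESP 00:11:22:33:44:55 HomeNet-Smith
12:00:02 PROBE_RESP 00:11:22:33:44:55 Coffee Shop WiFi
12:00:03 PROBE_RESP 00:11:22:33:44:55 OfficeGuest
12:00:03 PROBE_RESP 66:77:88:99:aa:bb OfficeGuest
12:00:04 PROBE_REQ  aa:bb:cc:00:00:01 AirportFree
12:00:04 PROBE_RESP 00:11:22:33:44:55 AirportFree
"""

def parse(lines):
    """Return (time, kind, mac, ssid) tuples; the SSID is the rest of the line."""
    frames = []
    for line in lines:
        parts = line.strip().split(None, 3)
        if len(parts) == 4 and parts[1] in ("PROBE_REQ", "PROBE_RESP"):
            frames.append(tuple(parts))
    return frames

def exposed_networks(frames):
    """Station MAC -> SSIDs it probes for: the remembered-network list a phone
    broadcasts to anyone listening, which is what the drones profile."""
    exposed = defaultdict(set)
    for _, kind, mac, ssid in frames:
        if kind == "PROBE_REQ":
            exposed[mac].add(ssid)
    return dict(exposed)

def find_impersonating_aps(frames, min_ssids=3):
    """BSSID -> SSIDs it answered for, keeping only APs that claim at least
    min_ssids distinct networks that clients were probing for. A genuine AP serves
    one or a few SSIDs; one that echoes whatever clients ask for warrants investigation."""
    probed = set().union(*exposed_networks(frames).values())
    claimed = defaultdict(set)
    for _, kind, mac, ssid in frames:
        if kind == "PROBE_RESP" and ssid in probed:
            claimed[mac].add(ssid)
    return {bssid: ssids for bssid, ssids in claimed.items() if len(ssids) >= min_ssids}

if __name__ == "__main__":
    print(find_impersonating_aps(parse(SAMPLE_LOG.splitlines())))
```

On the sample log the second BSSID answers only for the one network it serves and is not reported, while the first answers for every network the phones asked about and is flagged.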

Whether the data concerned physical movements or Internet traffic, the Snoopy project could feed it into Maltego to examine patterns and produce a detailed analysis of the user's behavior and habits online and in the real world.

According to Cuthbert, while many other projects have performed similar tasks in the past, Snoopy's comprehensive approach should raise eyebrows about how much we trust a device that could become such an effective surveillance tool for those around us.

"I think the key thing that we got out of this was how trusting people were of their devices," he says. "There's a hell of a lot on your phone at the moment, and generally speaking you're logged into a whole lot of services."

He also says that a project such as Snoopy makes it possible to carry out mass attacks against phones and, for example, to build a mobile botnet quite easily.

"Imagine you wanted to build a botnet of mobile phones -- we would go to a large area, we'd set up a fake AP that listened out for common APs that people connected to, and the nice thing is if you then wanted to drop malicious ads into all the HTML streams, or if you just wanted to run Metasploit, you can do that because everything is controlled from a central server," he says. "So, whereas before [when] you wanted to attack a phone you had to do a man-in-the-middle on that phone, and it is a very manual process, here it's very easy to attack a lot of phones at once."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

MarciaNWC, User Rank: Apprentice
10/23/2013 | 11:17:18 PM
re: Malicious Mobile Tracking Made Easy
That this was enabled using an eight-year-old vulnerability is depressing.