Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

7/27/2013
09:22 AM
50%
50%

Cheap Monitoring Highlights Dangers Of Internet Of Things

Using a network of cheap sensors, the home-brewed CreepyDOL system can track people by signals sent from their mobile devices

While consumers and workers typically know that their mobile devices are frequently sending off data to the Internet, most do not understand the implications of carrying around an always-on connection in their pockets.

Click here for more of Dark Reading's Black Hat articles.

A University of Wisconsin at Madison law student and security researcher plans to highlight the privacy and security problems by demonstrating a monitoring system that uses a network of inexpensive sensors to track people using their smartphones and other wireless devices. The system, known as CreepyDOL, uses a network of air-dropped sensors that listen for wireless traffic, allowing the tracking of anyone with a wireless-enabled mobile device.

"The CreepyDOL system takes the fundamental assumption of hiding in the crowd and does away with it," says Brendan O'Connor, the founder of security consultancy Malice Afterthought and the creator of the system. "Even if you don't connect, if you are wired on a network, we will find you. If you are a person in a city, we will find you, and we will do it all for very little money."

While many privacy activists focus on the massive amounts of data collected by Google and other Internet firms, and the widespread collection of metadata by the National Security Agency, CreepyDOL underscores that many of the problems are with fast development of the "Internet of things."

"This is really going to get out of control, but it's the future," says Chris Wysopal, chief technology officer for Veracode, an application-security firm. "Everyone is going to be able to track anyone, unless there are regulations."

[A spate of research into mobile devices as sensor platforms has shown that compromised smartphones can be turned into insiders -- eavesdropping on phone calls, 'shoulder-surfing' for passwords, or looking around an office. See Mobile Trojans Can Give Attackers An Inside Look.]

O'Connor put together a "Frankensteinian" collection of technologies to create the sensor platform. He created a disposable sensor platform that can be air-dropped on the rooftops of buildings in the targeted area. Dubbed F-BOMB, the platform costs less than $60 and can last for five days or more on two AA batteries. The sensors connect to each other using a wireless command-and-control protocol, called Reticle, that O'Connor created to connect to open wireless networks and use the Tor anonymizing network to send data and receive commands.

The two technologies scramble communications and also encrypt information about the other nodes in a way that makes forensics analysis difficult. Even if a CreepyDOL node is found, a defender should not be able to gain information about the attacker, O'Connor says.

The system listens for the control signals sent from smartphones that are looking to connect to a wireless network. Any smartphone or tablet with WiFi enabled will occasionally send information about itself and the networks it knows about. In addition, if the phone is connected to an open wireless network, the sensors can listen in. Many mobile applications send enough data in the clear to gain additional information on the user.

Finally, O'Connor used a popular 3-D graphics engine to track the whereabouts and additional information about users. The security researcher created a number of filters to grab data and turn that data into information about the user. The sensors do not send any data, only listening for data sent in the clear, he says.

With the proliferation of mobile devices that broadcast information about the user, systems that try to take advantage of the publicly accessible signals will increasingly be developed, says Wolfgang Kandek, chief technology officer of Qualys, a cloud security firm. The wireless technology embedded in an increasing array of devices -- from exercise monitors to bicycle handlebars -- will enable the easy monitoring of everyday activities, he says.

"There is going to be an explosion of sensor data driven by these types of devices," he says.

While people are worried about Google and the NSA, they should be concerned that they are carrying around the equivalent of an easy-to-track sensor system, O'Connor says.

"This isn't even hard, and it should be hard, and that is pretty disturbing to me," he says. "People fix vulnerabilities when the kid on the street corner can abuse it. Maybe it's time to fix this now."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
gev
50%
50%
gev,
User Rank: Moderator
8/1/2013 | 4:58:28 PM
re: Cheap Monitoring Highlights Dangers Of Internet Of Things
Well, we all know that phones can be tracked. So, someone will know that I went to a pharmacy on my way from work. Then what? That same person can just follow me around, or stick a gps tracker to my car - why bother air dropping?
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.