(I always feel like) somebody’s watching me

Introduction

Rockwell was a true visionary of his time. His mega hit of the 80s, after which this post is titled, always takes me back to my childhood and puts a smile on my face. OK, perhaps I’ve given him too much credit in my opening statement, but I was recently reminded of this song at an InfoSec event I attended in January. There were some great presentations from vendors, professionals and amateur hackers alike. It was one of these sessions in particular that made me go ‘wow’, so I thought I’d write it up.

Snoopy

I would like, if I may, to take you on a strange journey. Imagine yourself walking through a busy city, perhaps on your daily commute or just sightseeing. How would you feel if at the end of the day, somebody who you had never met before approached you and showed you a picture of your house, told you where you worked and also which park you like to drop your kids off at each Saturday morning? Of course, things would be even more creepy if somebody had that information but decided to not tell you. It might sound like a bad movie plot. It might also sound like a scaremongering tale or at the very least, highly unlikely due to the assumed effort to collect such information.

Enter Snoopy, a distributed tracking and profiling framework. Using a geographical distribution of wireless access points (WAPs) called drones, its operator can track a person’s movements as they move around the catchment area. It does this using the MAC address of the mobile device you carry with you (phone, iPad, etc.) and takes advantage of the chatty nature of WiFi enabled devices. Your device regularly broadcasts probe requests trying to find every SSID it has previously connected to. To use some overly obvious examples, a phone could be trying to find the following wireless networks:

  • MyHomeHub3874
  • CompanyA-Guest
  • MoonBucksCoffee4242
  • CityYAirport

The drone devices themselves can be contained in a very small form factor. You could for example use a Raspberry Pi or even make a custom device. They can be battery powered but imagine one in a mains pluggable air freshener form factor. Blends in nicely and is continuously powered for free. They can be made for about £20-£30 so if anybody finds and removes one, the cost to replace is acceptable. By placing 50 or so of these around a city at key ‘people centric’ places such as train stations, shopping centres, sports stadiums etc., you can cover a large area very well.

The drones also have a 3G or better uplink to connect, via OpenVPN, to a central server, so that data collection can be centralised and, when the operator wants to take things to the next level, so that Internet connectivity can be provided to clients. Before I explore that though, you can see how the person mentioned at the start of this post could quickly glean the information he or she was after. As you walk past any of these drone APs, it detects the SSIDs that you have connected to and, with a tip of the hat to Google and their massive war driving initiative as part of mapping the world, the geographical location of each of these can be determined. As long as the SSID is unique and has been mapped to a publicly accessible database, it’s a breeze to link devices to locations. The next step, which is a bit more naughty, is to use the AP as a classic rogue, i.e. now allow the client to connect to it by spoofing the SSID. This only works on open networks, i.e. those that haven’t been secured with WEP/WPA(2).
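To make the two steps above concrete (the probe requests leaking saved SSIDs, and the lookup of those SSIDs against a war-driving database), here is an added example written for this post; it is not Snoopy’s code. The log line format, the MAC addresses, the SSIDs and the location database are all constructed for the example. It also models the caveat in the paragraph: a chain SSID that appears in many places (here MoonBucksCoffee4242) is deliberately not used to place a device, and wildcard probes carrying no SSID are skipped because they reveal nothing.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample of what a drone's sniffer might log for 802.11 probe
# requests. The line format "<time> <client MAC> probe <SSID>" is an assumption
# made for this example; the MACs and SSIDs are made up. The last line is a
# wildcard (broadcast) probe, which carries no SSID and leaks nothing.
PROBE_LOG = """\
08:01:12 a4:5e:60:11:22:33 probe MyHomeHub3874
08:01:13 a4:5e:60:11:22:33 probe CompanyA-Guest
08:01:15 a4:5e:60:11:22:33 probe MoonBucksCoffee4242
08:01:20 3c:2e:f9:aa:bb:cc probe CityYAirport
08:01:21 3c:2e:f9:aa:bb:cc probe MoonBucksCoffee4242
08:01:30 a4:5e:60:11:22:33 probe CityYAirport
08:01:31 de:ad:be:ef:00:01 probe
"""

# Constructed stand-in for a public war-driving database: SSID -> list of
# places where that SSID has been seen. A chain's SSID appears in many places,
# so on its own it cannot pin a device to one location.
SSID_LOCATIONS = {
    "MyHomeHub3874": ["residential street, district N"],
    "CompanyA-Guest": ["CompanyA head office"],
    "CityYAirport": ["City Y airport"],
    "MoonBucksCoffee4242": ["high street branch", "station branch", "mall branch"],
}


def parse_probes(log):
    """Group probed SSIDs by client MAC; skip wildcard probes and bad lines."""
    probed = defaultdict(set)
    for line in log.splitlines():
        parts = line.split(maxsplit=3)            # SSIDs may contain spaces
        if len(parts) < 3 or parts[2] != "probe":
            continue
        mac = parts[1].lower()
        if not MAC_RE.match(mac):
            continue
        if len(parts) == 4 and parts[3]:          # directed probe: SSID present
            probed[mac].add(parts[3])
    return dict(probed)


def locate_ssids(ssids, db):
    """Map an SSID to a location only when the database knows exactly one place for it."""
    located = {}
    for ssid in ssids:
        places = db.get(ssid, [])
        if len(places) == 1:
            located[ssid] = places[0]
    return located


def profile_devices(log, db):
    """Per device: the saved networks it revealed and the places those imply."""
    return {
        mac: {"ssids": sorted(ssids), "locations": locate_ssids(ssids, db)}
        for mac, ssids in parse_probes(log).items()
    }


if __name__ == "__main__":
    for mac, info in profile_devices(PROBE_LOG, SSID_LOCATIONS).items():
        print(mac, info["ssids"], info["locations"])
```

Run as-is it shows the first device placed at a home, an office and an airport from four probe lines, which is the whole point of the post. Note that newer phone operating systems randomise the MAC address used in probe requests and mostly stop probing for saved networks by name, which blunts exactly this step; older devices, and any network saved as hidden, still behave as the example assumes.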

At this point, the mobile clients can start accessing the Internet via the rogue AP. This is bad enough, yet to make matters worse, the connection is proxied via the centralised server, meaning that all traffic can be analysed further. That’s a lot of data being collated at the central server, but the fun really begins when that data is processed for habits and patterns.

Maltego

Although Snoopy is lesser known, many of you may already have heard of or even used Maltego. It is touted as an intelligence and forensics application which can mine a source of data (in our case, the data collected from the drones on the central server) and present it in a visual form. It allows the creation of custom transforms that analyse relationships between people, networks, websites, social services etc.

Putting it all together

Now imagine how these two tools can be combined. As our unsuspecting victim, you walk into MoonBucks located near a drone device which listens to your phone’s broadcasts. The AP easily becomes MoonBucksCoffee4242 and your phone connects. You buy yourself a mocha choca latte with an extra shot and decide to check a couple of things online whilst you fuel up. You first head over to Facebook, then check your Twitter feed. Perhaps you also log on to LinkedIn, Google+ and whatever else takes your fancy.

Between Snoopy and Maltego, there is all sorts of interesting pwnage that can be had. As stated in my initial paragraph covering Snoopy, it is easy to see which SSIDs you have connected to and where they are located but as soon as you connect and start browsing, it can soon be determined relatively easily who you are based on the sites and profiles you are viewing.

Taking it further and introducing time based data, i.e. going beyond a single session, it can now be determined who you are and where you are. Over a period of time, patterns may show up that suggest you take sick days after a big sports event on a Sunday, on Wednesdays you work in a different office, the first day after pay-day you tend to be running an hour later than usual, etc.

Let’s consider a scenario that doesn’t require as much data crunching. If somebody wanted to track a particular person, one way to determine the MAC address of his mobile device would be to set up a drone at an event that person was known to be attending. Do this a couple more times at other events and then use Maltego to extract the unique MAC addresses. You might get lucky and whittle this down to a single MAC after only two events (i.e. the tracked person is the only one to attend both events), perhaps three or four, but if you can now get that device to connect to the Internet via your AP, you can link all activity to that one person. I’ll leave it up to your imagination as to what devastation could ensue.

Summary

This is all relatively cheap to get set up and working. As a hacking project, I find this fascinating but it should be obvious how, in the wrong hands, your privacy could easily be torn down. Once you mine the data to a deeper level and begin to correlate the movements of multiple people, both physically and online, then your habits basically become an open book.

We are all accustomed to a seamless mobile experience these days, but how do you mitigate this kind of attack? Again, it’s the ongoing balancing act between security and usability. This post is highlighting the possibility of such an attack. There are certain steps you can take to make sure you are not connecting to a rogue AP, but it’s difficult to stop many mobile devices from advertising the networks they have already connected to. This is all posted as food for thought and I hope it was of as much interest to you as it was to me.
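One of the “certain steps” on the client side can be spelled out in code. The following is an added example written for this post, not code from Snoopy or from any phone operating system: it shows the decision a client could make before auto-joining a remembered network, using what it already knows about that network. All network names, BSSIDs and security labels are constructed. The rule set is the defensive mirror of the rogue AP described earlier: a remembered WPA2 network that suddenly appears open is refused outright, and a remembered open network served by an AP we have never joined is held for the user instead of being joined silently.

```python
from dataclasses import dataclass, field


@dataclass
class SavedNetwork:
    """What a client remembers about a network it has joined before (constructed model)."""
    ssid: str
    security: str                 # "open" or "wpa2" (labels chosen for this example)
    known_bssids: set = field(default_factory=set)   # APs we have actually joined
    auto_join: bool = True


@dataclass
class ScanResult:
    """One access point as seen in a scan (constructed model)."""
    ssid: str
    bssid: str
    security: str


def decide_joins(saved, scans):
    """Return {bssid: (action, reason)} for every scanned AP whose SSID we remember.

    Actions: "join" (safe to auto-join), "hold" (ask the user), "refuse" (never join).
    APs whose SSID we have never joined are left out entirely.
    """
    by_ssid = {n.ssid: n for n in saved}
    decisions = {}
    for ap in scans:
        net = by_ssid.get(ap.ssid)
        if net is None:
            continue
        if not net.auto_join:
            decisions[ap.bssid] = ("hold", "auto-join disabled for this network")
        elif ap.security != net.security:
            # A remembered secured network now showing up open is the classic
            # rogue: the spoofed SSID only works on open networks, so never join.
            decisions[ap.bssid] = ("refuse", f"security changed {net.security} -> {ap.security}")
        elif net.security == "open" and ap.bssid not in net.known_bssids:
            # Same open SSID, but an AP we have never used before: ask first.
            decisions[ap.bssid] = ("hold", f"unknown BSSID {ap.bssid} for open network")
        else:
            decisions[ap.bssid] = ("join", "matches saved profile")
    return decisions


# Constructed sample data for the scenario in the post.
SAVED = [
    SavedNetwork("MoonBucksCoffee4242", "open", {"00:11:22:33:44:55"}),
    SavedNetwork("CompanyA-Guest", "wpa2", {"66:77:88:99:aa:bb"}),
    SavedNetwork("CityYAirport", "open", {"cc:dd:ee:ff:00:11"}, auto_join=False),
]
SCANS = [
    ScanResult("MoonBucksCoffee4242", "00:11:22:33:44:55", "open"),  # the branch we know
    ScanResult("MoonBucksCoffee4242", "02:00:00:00:00:03", "open"),  # same name, new AP
    ScanResult("CompanyA-Guest", "02:00:00:00:00:01", "open"),       # secured network gone open
    ScanResult("CityYAirport", "cc:dd:ee:ff:00:11", "open"),         # known AP, auto-join off
    ScanResult("SomeoneElsesWifi", "02:00:00:00:00:02", "open"),     # never joined: ignored
]

if __name__ == "__main__":
    for bssid, (action, reason) in decide_joins(SAVED, SCANS).items():
        print(f"{bssid}  {action:<6} {reason}")
```

The BSSID check is a heuristic rather than a guarantee, since an attacker who has observed the genuine AP can copy its BSSID as easily as its SSID; the rule that actually closes the door is refusing to auto-join open networks at all, which is why the example lets auto-join be switched off per network. Forgetting open networks you no longer use shrinks both the list your device probes for and the list an AP can impersonate.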

Till the next time.

Please let me know your thoughts!