A year ago, the Snoopy Project was a neat research initiative that packaged a number of existing technologies into a framework to profile and track mobile devices. After a summer of Snowden revelations, something like Snoopy takes on a whole new meaning.
Snoopy devices, called drones by researchers Daniel Cuthbert and Glenn Wilkinson of Sensepost, not only collect mobile device data as a phone or tablet makes a Wi-Fi access point probe request, but also send that data over a VPN to a centralized server for correlation and analysis.
As with some other security tools, benevolence is in the eye of the beholder. The collected data can paint a vivid picture of the data leaking from devices as they connect to wireless networks, pointing out shortcomings with mobile OS configurations, for example. It can also be used to connect a lot of dots and understand where a device has been and where its owner might be going. The risks range from location-based marketing—which some view as a privacy violation—to dissident surveillance by oppressive governments.
“With old-school Wi-Fi hacking, you had to be in the right place at the right time; you couldn’t attack a whole lot of phones at once using a single laptop,” Cuthbert said. “With this, when you turn a drone into active interception mode—malicious mode—all of those phones connected to the drone and sharing the same internet are controlled by the same server. So if you wanted to run a Metasploit exploit module against them, you could do it from a central server and attack all the phones at once.”
The drone is a small embedded computer; in the updated Snoopy architecture, it’s the Google BeagleBone Black. Cuthbert and Wilkinson landed there after trying a number of other platforms including the Nokia N900 and Raspberry Pi. In a noteworthy experiment, the researchers collected 80,000 devices in a 60-minute span during rush hour at a number of busy London hotspots such as Kings Cross and Oxford Street Tube stations.
“You could do data profiling, figure out people’s movements, where their bases of operations were,” Cuthbert said. “If you were a black hat, you could go for Facebook profiles, figure out friends, intercept messages. You could position your drones anywhere.”
The drones essentially run an attack similar to the Karma tool, which listens for the SSIDs a device sends out as it probes for the wireless networks on its preferred network list. Karma then allows the attacker to impersonate the wireless LAN and own the user. Most mobile platforms don’t make it simple to flush that list; in iOS for example, you must first connect to a network and then forget it.
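To audit what a device of your own gives away through its preferred network list, the following added example (not code from Snoopy, Karma or the researchers) parses probe request frames and lists the directed SSIDs each source MAC announces. It assumes raw 802.11 management frames without a radiotap header or FCS; the frames, MAC addresses and SSIDs are constructed sample data.

```python
from collections import defaultdict

HDR_LEN = 24  # 802.11 management header: FC, duration, 3 addresses, seq ctrl


def build_probe(src_mac: bytes, ssid: bytes) -> bytes:
    """Construct a minimal probe request (sample input only, never transmitted)."""
    hdr = b"\x40\x00\x00\x00" + b"\xff" * 6 + src_mac + b"\xff" * 6 + b"\x00\x00"
    ssid_ie = bytes([0, len(ssid)]) + ssid             # tag 0 = SSID
    rates_ie = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])   # tag 1 = supported rates
    return hdr + ssid_ie + rates_ie


def parse_probe(frame: bytes):
    """Return (source MAC, SSID or None for a wildcard probe); None if not a probe."""
    if len(frame) < HDR_LEN:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) != 4:       # management type, subtype 4
        return None
    src = frame[10:16].hex(":")                        # address 2 = transmitter
    pos = HDR_LEN
    while pos + 2 <= len(frame):                       # walk tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                                # truncated element
        if tag == 0:
            return src, (value.decode("utf-8", "replace") if length else None)
        pos += 2 + length
    return None                                        # no SSID element present


def leaked_networks(frames):
    """Map each source MAC to the sorted network names it probed for by name."""
    leaks = defaultdict(set)
    for frame in frames:
        parsed = parse_probe(frame)
        if parsed and parsed[1] is not None:           # wildcard probes leak no name
            leaks[parsed[0]].add(parsed[1])
    return {mac: sorted(names) for mac, names in leaks.items()}


PHONE_A = bytes.fromhex("020000000001")                # constructed addresses
PHONE_B = bytes.fromhex("020000000002")
SAMPLE = [build_probe(PHONE_A, b"HomeNet-Example"), build_probe(PHONE_A, b"Cafe-Example"),
          build_probe(PHONE_A, b""), build_probe(PHONE_B, b""),
          b"\x80\x00" + bytes(30)]                     # beacon frame, ignored

if __name__ == "__main__":
    for mac, names in leaked_networks(SAMPLE).items():
        print(mac, "announces:", ", ".join(names))
```

A device that only sends wildcard probes, like the second sample address, does not appear in the result because it names no network an impersonating access point could answer for.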
“You need a feature in iOS and Android that allows a person to control what their phone does on Wi-Fi,” Cuthbert said. “I’d love a way for me to turn on my iOS device, go to settings and privacy and there be a way to clear out all the networks my phone has ever connected to.”
While location-based marketing could be a boon for retailers who partner with carriers and device makers to send devices ads as they approach a retail location, devices that beacon out location data could make it simple to track a person’s movements.
“Say if you wanted to stalk [English soccer star David Beckham], you may not know his phone’s MAC address, but using various PR outlets, we could figure out where he’s going to be at a given time,” Cuthbert said. “It’s going to come down to time and money. If you went to every event David Beckham was showing, you would have a couple of devices appear at every single one. You could target those devices and go at them.”
The data analysis, meanwhile, Cuthbert said, is not difficult. The Snoopy front end is the Maltego interface, an open source forensics and intelligence tool, which cut down the labor of analyzing 80,000 devices captured in London by the Sensepost researchers.
“It allows us drill-downs,” Cuthbert said. “Give me Apple devices for a particular location on a data time, show me only those devices.”
The researchers will present their updates to Snoopy in the next month at Black Hat Sao Paulo in Brazil and ZeroNights in Russia.
“Commercially, we can’t talk about what we’re doing with the drone capabilities, but the architecture could make it a lot more usable for law enforcement, military and commercial,” Cuthbert said. “It’s more robust [Python] code; a lot more mature.”