If you use wireless networks, the drones are out to get you.
That’s one of the takeaways from a recent presentation by Glenn Wilkinson, lead security analyst for UK security research firm SensePost. The Black Hat Asia session, entitled “The Machines That Betrayed Their Masters,” addressed the problem of the special signals given off by devices that use or rely upon wireless connectivity – both the media access control [MAC] address that specifically identifies a given device and the wireless signals indicating the network or networks the device is looking for.
At this session, Wilkinson discussed “Snoopy,” a project he has been working on at SensePost for the past few years.
First unveiled in 2012 and updated in 2013, this Snoopy is far from the gluttonous, slothful dog with pithy insights into human nature who many of us know and love. Wilkinson’s Snoopy is a distributed tracking and profiling framework installed on a computer attached to a quadcopter. In other words, a spy drone.
Snoopy flies around and searches for wireless devices that are themselves searching for a wireless signal. This includes smartphones whose users have left the Wi-Fi option turned on. These phones are constantly on the lookout for available networks and looking to connect with familiar networks.
This setting enables a couple of major exploits. For starters, where a saved network name is unique, Snoopy can use this information – combined with the smartphone’s MAC address – to geo-locate the network (often the smartphone owner’s home or workplace). At Black Hat Asia, for instance, Wilkinson was able to show information on where frequent security conference attendees lived and worked, complete with photographs, all thanks to data collected by Snoopy over the course of several security conferences Wilkinson attended in the past 18 months.
Furthermore, Snoopy can impersonate one of the networks that a user’s smartphone is trying to join, whether it’s one of the unique networks Snoopy has identified or a network with a common name (such as “Linksys,” “attwifi,” or even “Starbucks”). Once the phone connects with the spoofed network (as it inevitably will if it has the Wi-fi option turned on and is not already connected to another wireless network), Snoopy can then intercept all Internet data passing to and from the phone – including usernames, passwords, emails, pictures, credit card information, financial and corporate data, and online account information.
Smartphones, ubiquitous as they are, are far from the only targets available to this exploitative technology. Every device with wireless connectivity emits some form of a unique signature and is thus potentially subject to the prying eyes of Snoopy. This can include computers, tablets, printers, RFID cards, “chip and PIN” smartchip credit cards, cars, televisions, baby monitors, and even pacemakers.
Distressingly, Snoopy does not make use of any genuinely new technology (indeed, Wilkinson began developing Snoopy three years ago). The vulnerabilities it exploits have long been known and exploited on smaller scales, some as far back as nine years ago. What Snoopy does is make spying on wireless devices more efficient – covering large swaths of land (and, accordingly, large numbers of people and organizations) quickly, quietly, efficiently, and undetectably.
“[Snoopy] can…fly out of audio-visual range,” reported Wilkinson, “so you can’t see or hear it, meaning you can bypass physical security[.]”
That said, one considerable worry is the notion that Snoopy itself is not a new invention. BBC News notes, for instance, that it would be easy to imagine a government making use of such data-swiping drones against those it considers enemies or threats. It is possible that Snoopy could be used as yet another new reconnaissance weapon in the escalating Cold War that is international cyber warfare – or it could be an old weapon that we just haven’t caught a government using yet. Similarly, it is just as easy to envision Snoopy or a Snoopy-like device being used against government entities by dissidents, terrorists, and foreign powers.
So how can those caught in the crossfire defend themselves? Daniel Cuthbert, COO of Sensepost, advises would-be victims, “Be discerning about when you switch Wi-Fi on[.] Check which Wi-Fi network you’re connecting to; if you’re connecting to Starbucks when you’re nowhere near a branch, something’s wrong[.]”
Cuthbert goes on to urge users to keep your device’s OS and apps updated, encrypt your email, and have your devices “forget” a given network once you’re done using it. Additionally, users should be reticent to use public unencrypted networks at all because of the host of security problems they present, even beyond those that Snoopy exploits.
Accordingly, enterprise IT departments would be well advised to incorporate these tips into their use policies. For corporate-issued or corporate-approved devices, keeping Wi-fi off except when connecting with a company-approved network should be basic protocol. So too for telling devices to “forget” said company-approved network once the user has finished his session, lest it be geo-located and/or otherwise compromised.
But even this much may not protect devices. “Wi-fi is only one avenue of attack,” Wilkinson states in a blog post. “[L]ook out for the next [Snoopy] release using Bluetooth, GSM, NFC, etc.”
Consider yourself warned.
Photo courtesy of Shutterstock.
Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.