Smartphones leak far more personal information about their users than previously imagined, according to new research. Security researchers at Sensepost were able to track and profile punters and their devices by observing the phones' attempts to join Wi-Fi networks. Daniel Cuthbert and Glenn Wilkinson created their own …
>The security bod advised users to use more common sense and disabling Wi-Fi scanning until they needed to actually access the web.
Many people already do - not because of security concerns, but rather to eke out their phones' underwhelming battery life. The law of unintended consequences...
"This would allow us to dump all credentials, strip down SSL connections, "
I'm more interested in the researchers explaining how they would "strip down SSL connections" via what would amount to a man in the middle attack, without adding a custom root CA on the users' devices.
Given some of the root CA that common browsers include you wouldn't have to do much.
I'm sure there is Russian/Liberian/etc CA that would issue you a cert for google.com with no questions asked.
The same way you can inspect SSL data via a proxy. Say you go to your banking website. The proxy server handles the connection setup, pretending to be the client and passes the information back to the user. The user thinks they have a secure connection, but at the proxy you can see everything.
Not the best explanation of the technique, but it serves to illustrate how the man in the middle can work without needing a certificate.
So in that situation, where does the browser look for its certificate?
That's right, it has to get it from the site it has connected to, the man-in-the-middle, the proxy server. Which doesn't have a valid certificate for the bank.
That's exactly the point of the posts before yours. To do a MITM invisibly you have to be able to generate a certificate for the target site (the bank) from one of the Certificate Authorities which the client's browser already knows about. Otherwise the browser will pop up a box saying that there is something wrong with it...
...which the user will then happily click on without reading it, but that's a whole different problem!
You do not need to stick a CA
Just ask for WiFi sign-up with certs pretending to be a particular high-profile site - amazon, yahoo, paypal, when the user asks to connect to that site.
Broken AP sign-up certificates and broken AP sign-up screens are endemic and most users accept them without thinking and without _LOOKING_ at what the cert pretends to be. You can even pretend to offer "free" for giving a mail or answering a questionnaire so it looks realistic.
After that transparently proxy with a MIM any connections to that site. Capture credentials. No need to stick a CA at all.
Not breaking the law
>only passively listening to Wi-Fi network requests, rather than complete interception, making it legal under UK law.
It does seem an odd way around. My wifi asking to connect is equivalent to me going house to house trying the door to see if it's unlocked. Yet the person who invites me in is the one who is acting illegally?
Re: Not breaking the law
That's the problem with analogies.
A closer analogy for network interception would be if I created a duplicate of your house, tricked you into coming inside, then took photos of you in the shower.
Re: Not breaking the law
So it was you !
How did the pictures come out ?
"If we wanted to do illegal activities, we could pretend to be one of those networks"
Unencrypted WiFi, such as you would find at Starbucks etc, is already insecure so being able to trick my phone into joining their AP seems like merely a factor of convenience for the would-be eavesdropper.
Also this seems like it would only apply to networks that hide their SSID since you don't need to probe blindly for networks that aren't hidden. Or do I not understand how this exploit works?
SSID broadcasts (aka beacon frames) are not relevant to what is described in the article.
WiFi adaptors periodically send probe requests in an attempt to connect to the closest "friendly" network, which is to say one that the device has previously been connected to. The trick here is that the researchers set up multiple access points that listen for these probes and then recorded the MAC address (this is a guess on my part, but it's the most obvious method of tracking a single device). As the device is moved from one place to another they simply follow the trail of probe requests that contain the same MAC address and voila, you can track a device's, and by extension a person's, movement in a completely passive way.
Well, the good news is neither the FBI nor Apple will be collecting that leaky info from the denials over the last week.
What manner of people are these, that can spare enough juice to pointlessly poll for wifi whilst they are out and about? In the UK at least, it seems a majority of 'open' networks are not open at all, but merely direct you to a site where you can pay for access.
I used to run Tasker on my phone, and one of its tasks was to turn Wifi off whenever the GPS told it I had left home. A recent '3' upgrade has given me a reliable uncapped mobile data connection that is 50-75% of the bandwidth of my landline ADSL, and now I never turn wifi on at all.
"... banking insecurity expert ..."
satan has used wifi in the past
HE IS USING WIFI NOW
and he will use wifi in the future.
what you need to understand is that the FEAR you are feeling is normal
Ofcom and the Wireless Telegraphy Act anyone?
My understanding was that any "interception (including reception) of any "broadcast" that is/are "not intended for the recipient" are "illegal" in the strict interpretation of the Wireless Telegraphy Act.
Device service providers may have something to say about the potential abuse of the license terms and condition.
Genuine researchers whilst providing an admirable service and holding industry "weakness" to account, are on dodgy ground here.
Maybe Bill Ray can confirm this..?
Re: Ofcom and the Wireless Telegraphy Act anyone?
That rule doesn't apply to the ISM "unlicensed" bands like the 2.4GHz that WiFi uses.
Especially if you think that you can't determine whether it's for you unless you listen!
That rule is intended to stop people listening to police/military frequencies (before they went digital)
Re: Ofcom and the Wireless Telegraphy Act anyone?
No, it's not illegal to listen, neither was it illegal to listen to police messages prior to their encryption - pointless since. The crime is using equipment to get information.
If you inadvertently intercept a 'private' message, it's what you do next that determines the legality - passing information on is likely to be illegal (although you can go to police/testify in court) if the information is itself of an illicit nature.
Does Bluetooth broadcast a UUID if it's left in discoverable mode?
Mind you, as Dave216 implied, most people will turn that off as well, to save the batteries.
Scanning open networks for access
Basically doing a Gary McKinnon, then. Be careful out there.
Interesting: the most leaky are likely used by the technically minded..
Just an observation.
But I like the idea of shutting off WiFi when your phone recognizes you've left home.
Re: Interesting: the most leaky are likely used by the technically minded..
That's already possible with various bits of software, for both iOS and Android :) All sorts of clever geofencing based on cell ID and things can be achieved without having to bring the GPS up. Of course, if all the baddies are living around your home within range of the same cell, that's a slight flaw... :D
I don't get it
Surely it's the base station that is sending out a "I am here" signal, which the phone then collates into that little list you see on your screen. Why would a phone (or other device) repeatedly send out connection requests for networks which aren't there?
Clearing some things up.
Glenn from SensePost here. Sorry for the delayed response, I've only just noticed this article. Let me explain how the framework works, and then answer some specific questions.
"Snoopy is a distributed tracking and profiling framework."
We can deploy numerous small devices (N900s, Alfa R36 routers with battery packs, Sheeva plugs, etc) all over some location - say London. These devices connect via openvpn to a central server, where all data is uploaded.
A large number of people leave their WiFi on. Even security savvy folk. For example, at BlackHat I observed >5,000 devices with their WiFi on. As per the RFC documentation (i.e. not down to individual vendors) client devices send out 'probe requests' looking for networks that the devices have previously connected to. The reason for this appears to be two fold; (i) to find hidden APs (not broadcasting beacons) and (ii) to aid quick transition when moving between APs with the same name (e.g. if you have 50 APs in your organisation with the same name). Fire up a terminal and bang out this command to see these probe requests:
tshark -n -i mon0 subtype probereq
(where mon0 is your wireless device, in monitor mode)
When a user walks past one of our monitoring stations we observe their device's MAC address. We now know that device X was at a certain location at a certain time. Given enough monitoring stations running over enough time, we can track devices based on this information.
We can profile device owners via the network SSIDs in their probe requests. This can be done in two ways; simple analysis, and geo-locating. Simple analysis could be along the lines of "Hmm, you've previously connected to hooters, mcdonalds_wifi, and elCheapoAirlines_wifi - you must be an average Joe" vs "Hmm, you've previously connected to BA_firstclass, ExpensiveRestaurant_wifi, etc - you must be a high roller".
Of more interest, we can potentially map network SSID to GPS coordinates via services like www.wigle.net, and then from GPS coordinates to street address and street view photographs via Google.
What's also interesting is that as security folk we've been telling users for years that picking unique SSIDs when using WPA is a "good thing" because the SSID is used as a salt. A side-effect of this is that geo-locating your unique networks becomes much easier. Also, we can typically instantly tell where you work and where you live based on the network name (e.g. BTBusinessHub-AB12 vs BTHomeHub-FG12).
Point being - you walk past, and I get a street view photograph of where you live and work and play.
4. Rogue Access Points, Data Interception, SSL things.
If your device is probing for "Starbucks", we'll pretend to be Starbucks, and your device will connect. This is not new, and dates back to Karma in 2005. What is new is having this setup in a distributed nature, where all devices' network traffic passes through a central server. This is roughly how the setup looks:
Victim <==WiFi==> SnoopyDrone <==openvpn==> SnoopyOnlineServer <==TransparentSquid--sslstrip--mitmproxy.py==> Intertubes
According to Moxie, sslstrip "will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links."
We could also use self signed certs via mitmproxy.py, but that would likely raise greater suspicion.
This is where the higher level profiling comes in. We intercept your Facebook/GMail/Twitter/general browsing and build up interesting profiles.
Q. But I use WPA2 at home, you can't hack me!
A. True - if I pretend to be a WPA network association will fail. However, I bet your device is probing for at least one open network, and when I pretend to be that one I'll get you.
Q. I use Apple/Android/Foobar - I'm safe!
A. This attack is not dependent on device/manufacturer. It's a function of the WiFi specification. The vast majority of observed devices were in fact Apple (>75%).
Q. Your research is dated and has been done before!
A. The individual components, perhaps. Having them strung together in our distributed configuration is new (AFAIK).
Q. But I turn off WiFi, you'll never get me!
A. It was interesting to note how many people actually leave WiFi on. e.g. 30,000 people at a single London station during one day. WiFi is only one avenue of attack, look out for the next release using Bluetooth, GSM, NFC, etc :P
Q. You're doing illegal things and you're going to jail!
A. As mentioned earlier in this thread the broadcast nature of probe-requests means no laws (in the UK) are being broken. Furthermore, I spoke to a BT Engineer at 44Con, and he told me that there's no copyright on SSID names - i.e. there's nothing illegal about pretending to be "BTOpenzone" or "SkyHome-AFA1". However, I suspect at the point where you start monitoring/modifying network traffic you may get in trouble. Interesting to note that in the USA a judge ruled that data interception on an open network is not illegal.
Q. I want Snoopy!
A. I'm working on it. Currently tidying up code, writing documentation, etc. Soon :-)
I hope that helps. Feel free to email/tweep me (email@example.com, @glennzw) or reply in this thread for further clarification.
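The two behaviours the thread describes, clients naming their remembered networks in directed probe requests and a Karma-style access point answering for every one of them, both leave a signature in a monitor-mode capture. The following is an added defender-side example, not Snoopy's or SensePost's code: it runs over a constructed frame log (subtype, source MAC, BSSID, SSID; the MACs and SSIDs are made up) and reports which client MACs are leaking their network lists and which BSSIDs respond to SSIDs they never beacon.

```python
"""Audit probe-request leakage and flag Karma-style rogue APs from a
simplified 802.11 management-frame log. Constructed example data;
none of the MACs or SSIDs below come from the research discussed."""
from collections import defaultdict

# Constructed capture, one frame per line:
#   subtype, source_mac, bssid, ssid   (empty ssid = wildcard probe)
CAPTURE = """\
probereq,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,BTHomeHub-FG12
probereq,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,Starbucks
probereq,aa:bb:cc:00:00:01,ff:ff:ff:ff:ff:ff,BA_firstclass
probereq,aa:bb:cc:00:00:02,ff:ff:ff:ff:ff:ff,
probereq,aa:bb:cc:00:00:03,ff:ff:ff:ff:ff:ff,mcdonalds_wifi
proberesp,de:ad:be:ef:00:01,de:ad:be:ef:00:01,BTHomeHub-FG12
proberesp,de:ad:be:ef:00:01,de:ad:be:ef:00:01,Starbucks
proberesp,de:ad:be:ef:00:01,de:ad:be:ef:00:01,BA_firstclass
proberesp,de:ad:be:ef:00:01,de:ad:be:ef:00:01,mcdonalds_wifi
beacon,12:34:56:78:9a:bc,12:34:56:78:9a:bc,CoffeeShop_Guest
proberesp,12:34:56:78:9a:bc,12:34:56:78:9a:bc,CoffeeShop_Guest
"""

def parse_frames(text):
    """Turn the comma-separated log into a list of frame dicts."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        subtype, src, bssid, ssid = line.split(",", 3)
        frames.append({"subtype": subtype, "src": src,
                       "bssid": bssid, "ssid": ssid})
    return frames

def probed_ssids(frames):
    """Client MAC -> sorted SSIDs it names in directed probe requests.
    This is exactly what a passive listener learns about a device;
    a wildcard (empty SSID) probe leaks nothing and is ignored."""
    leaks = defaultdict(set)
    for f in frames:
        if f["subtype"] == "probereq" and f["ssid"]:
            leaks[f["src"]].add(f["ssid"])
    return {mac: sorted(ssids) for mac, ssids in leaks.items()}

def karma_suspects(frames, min_ssids=3):
    """BSSIDs that send probe responses for SSIDs they never beacon.
    A legitimate AP answers only for networks it advertises; one that
    answers for several unrelated SSIDs is behaving like Karma."""
    advertised = defaultdict(set)   # bssid -> SSIDs seen in beacons
    answered = defaultdict(set)     # bssid -> SSIDs seen in probe responses
    for f in frames:
        if f["subtype"] == "beacon":
            advertised[f["bssid"]].add(f["ssid"])
        elif f["subtype"] == "proberesp":
            answered[f["bssid"]].add(f["ssid"])
    return {bssid: sorted(ssids - advertised[bssid])
            for bssid, ssids in answered.items()
            if len(ssids - advertised[bssid]) >= min_ssids}
```

Running the two functions over a real capture of your own devices shows which of them still remember networks worth forgetting, which is the practical answer to the "how do I stop the probe requests" question above.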
Re: Clearing some things up.
A strong motivation for turning on WiFi in some locations (e.g. city centres) is to improve the accuracy of positioning information where tall buildings hide GPS satellite transmissions.
So is there a simple way to tell my iphone or android phone to forget all of the WiFi networks it has previously connected to, so that these probe requests are not sent?
Or any other way to leave WiFi on (for improved location) while disabling the probe requests?
Re: Clearing some things up.
Thanks for the info. It is interesting to think that it is likely that within a few years these hacker fake hotspots could dominate in major cities, stations, airports, sports venues, etc, built by criminals to steal but providing a potentially useful service in providing free connectivity (at the cost that the connection is actively trying to steal from you). I can see a potential in devices (or apps) which use these free, but compromised, services and provide a safe environment layered on top (e.g. a VPN) and then, of course, an arms race as the hackers try to break into that, etc.
I wonder if during that war, legitimate paid for hotspots will die out completely?
Re: Clearing some things up.
Fascinating research. When you think this through, it really is a horror story, particularly in the implications for physical world surveillance and tracking. A large logistical effort, granted, but it could give more swivel-eyed regimes, for example, a means of potentially gaining a good deal more info on foreign visitors that would not be available through normal cellphone tracking, some of which might have coercive value. Or perhaps checking on their own nationals' visits when overseas, although that coverage would have to be targeted at particular locations. The point is it can be done without local authorisation and at relatively low cost.
It's about time wifi was tightened up to remove such polling as the default option, and that an option for wifi to turn off automatically when outside a designated area was introduced.
capturing open wifi.
While the ability to track people by the wifi transmissions of their mobile device and to even be able to profile them by the sites they connect to is really fascinating, the ability to impersonate open wifi hotspots and capture the connection has been available for some time in Jasager devices like the WiFi Pineapple. That's why I always keep my wifi turned off unless I know I can trust the wifi I am connecting to. The Pineapple also has the ability to intercept SSL built in.
Re: capturing open wifi.
johno - True on the Pineapple. And they took their idea from Karma circa 2005. The tricky business with the Pineapple (and numerous other tools) is inspecting the captured traffic, as it saves it locally. The nice thing with Snoopy is that all traffic is routed through a central server for easy inspection. It also saves overhead on the device - e.g. we can run numerous 'heavy' tools on the server, no worries. For example, I didn't mention earlier; given that we have an openvpn connection from the drone to the server, it is possible for the server to directly access the victims - you could fire Metasploit from the server directly at connected victims.