Transcript Slide 1
whoami
- Miguel Mota Veiga
- 29 years old; Infosec "Pro" since 2006; @Dognædis
- Pen Testing, Security Audits, Forensic Analysis, Malware Analysis, Incident Handling, System Administration, Perl...
- Financial & IT, Telco, Government, Defense
- Security/Privacy Lover; Crypto-Anarchist
- Three "...er"s guy: Traveller, Backpacker, Geocacher

What we'll be talking about...
What this presentation is about:
- How mobile devices can leak information
- How an adversary can exploit it
- How people can track you
- Metrics and results
What this presentation is NOT:
- Evidence in court (hopefully)
- Mobile Phone Tracking 101
- A cry out to do illegal stuff

Warning
Any actions and/or activities related to the material contained within this presentation are solely your responsibility. The misuse of this information can result in criminal charges brought against the person(s) in question. The author will not be held responsible in the event any criminal charges are brought against any individuals misusing the information contained. This presentation contains materials that can be potentially damaging or dangerous. If you do not fully understand something, then DON'T DO IT!

2004 - 2014

Smartphones by numbers (2013)
Portuguese data:
- 3.5 million
- >50% per year
- 40% of the mobile phone users

Smartphones by numbers (2013)
- Roaming: ~23%
- SMS: ~90%
- Internet: ~45%
- Email: ~33%
- Banking: ~5%
- Social Network: ~30%

Smartphones by numbers (2013)
Sex: Male 55%; Female 45%
Age: 10/14: 8%; 15/24: 25%; 25/34: 25%; 35/44: 20%; 45/54: 12%; 55/64: 7%; >64: 3%
Social Class: Low/Low Middle: 44%

"Just because something is publicly accessible does not mean that people want it to be publicized" - Making Sense of Privacy and Publicity

Let's talk...
There have been plenty of initiatives from numerous governments to legalize the monitoring of citizens' Internet-based communications. Several private organizations have developed technologies claiming to facilitate the analysis of collected data with the goal of identifying undesirable activities. Whether such technologies are used to identify such activities, or rather to profile all citizens, is open to debate. I will show how it can be done (using IEEE 802.11).

Wifi
As per the RFC5418 documentation (i.e. not down to individual vendors), client devices send out 'probe requests' looking for networks that the devices have previously connected to (and the user chose to save).

A device -> A Unique Signature: 9C:20:7B:8E:F7:E7 -> A Link to a Person: 9C:20:7B:8E:F7:E7

Wifi tracking
- iOS: saves the last 3 connected ESSIDs and leaks them out
- Android: depends on vendor / version
- Windows Phone: no data

Examples
Mac: 10:68:3F:79:XX:XX, ESSID: HOMEnetwork,ZON-03B0,MEO983B37,MEO_CASA1,AndroidAP,PT-WIFI,NSNBYOD,FreeWiFiCentroVascodaGama,Cabovisao-FCF5,CasaZero
Mac: 50:46:5D:1B:XX:XX, ESSID: ZON-D7C0,Thomson274A16,SAPOZL71193,Thomson4E835C,ZON-7A9C,MEO-6A9F51,MEO08D1E6,MEO-45CBBD,ZON-6520
Mac: D0:51:62:E6:XX:XX, ESSID: MEO-8E8341,PROFESSORES,ZON-7760,PROFESSORES3

ESSID?
- People tend to connect to networks that they can trust: home, workplace, restaurants, bars
- They tend to be unique: Thomson-<random>, MEO-<random> etc. (ignore Zon-FON, PTWIFI or any public wifi network)
- ESSID + GPS data = Profit (Google Maps, Google Street View)

Analysis
"Hmm, this guy was connected to McDonalds_Free_Wifi and to Cheap_Coffee_Shop_Free Wifi. Must be an average Joe..." or "Okay... Looks like you have been connected to FirstClass_LuxuaryAirline and to 500CompanyIntraWifi... you must be a hot shot..."

Examples

"You already have zero privacy. Get over it." - Scott G. McNealy, CEO of Sun Microsystems

ESSID

Equipment:
- Cheap laptop (250€)
- Open-source apps: Kismet and Airodump support GPSd
- GPS dongle (30€)
- Bag (20€)
- Hiking shoes/boots (30€)

Mac Address
MAC addresses are unique. If we match one to a person, then GAME OVER.
- List of ESSIDs and GPS data about his geolocation
- Can determine if he's in range
- Deploy drones and stalk him

Architecture - Passive
- Linux
- Kismet / Airodump-ng
- GPSd
- MySQL

Attacks
- Evil Twin Attack: create a rogue AP with a known ESSID of your target
- Man In The Middle / Data Interception: social networks, email, any kind of identifier
- Code Injection: malicious code
- Tactical Exploitation: list of contacts, SMS, etc.

Evil Twin
"...Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications...." - Wikipedia

Architecture - Aggressive
- DHCP Server
- Bind
- Squid
- Airodump-ng
- BeEF / (Kar)Metasploit / sslstrip
- MySQL Database

"We know where you are. We know where you've been. We can more or less know what you're thinking about." - Eric Schmidt

Usage
- Collecting anonymized statistics
- Identify and follow criminals
- Track a single individual
- Track us all

Architecture

Metrics
Device probes were collected at: Lisbon Airport; traffic jams; subway stations; malls; tourist spots.
1200-1500 unique devices per hour.

Metrics
- 8790 unique devices
- 2296 leak at least 1 ESSID (~26% of the smartphone universe)
- 706* vulnerable to the Evil Twin Attack (~8% of the smartphone universe)
* Only the most common open ESSIDs were counted; this number should be higher...

Protect Yourself
"I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time."

Protect yourself
- Turn off your Wifi
- Erase all the saved ESSIDs
- Randomize your MAC address

Finish
- This is nothing new; this problem has been discussed since the first half of the 2000s
- Something quite similar was done by SensePost in London in 2013
- The Electronic Frontier Foundation is creating a database of all the mobile devices that leak this kind of information

Future(?)
Any wireless technology that can be used to identify "any" citizen: Bluetooth; Wifi; GSM; GPS; NFC; RFID

Future(?)
HEX l2_data_out_B:296 Format Bbis (RR, MM or CC)
000: d6 a7 b5 cf 29 6f 38 ff - ea 55 55 bc e2 b8 80 d6
001: 83 59 cf 2d ef 38 d7 ea - 55 55 bc e2 b9 40 d0 73
002: 38 e2 ac f1 69 d5 61 e3 - 8f c3 78 80
0: d6 1------- Direction: To originating site
0: d6 -101---- 5 TransactionID
0: d6 ----0110 Radio Resouce Management
1: a7 0-100111 RRpagingResponse
1: a7 -x------ Send sequence number: 1

Demo
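As an added example (not part of the deck), this Python script turns probe-request records in the "Mac: ..., ESSID: ..." shape of the Examples slide into the counts of the Metrics slides, and applies the MAC-randomisation check from Protect yourself. The capture lines, the MAC addresses and the list of open ESSIDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample capture in the "Mac: ..., ESSID: ..." shape the slides use
# (addresses and most network names are invented for this example).
SAMPLE = """\
Mac: 10:68:3F:79:AA:01, ESSID: HOMEnetwork,ZON-03B0,PT-WIFI,AndroidAP
Mac: 50:46:5D:1B:AA:02, ESSID: ZON-D7C0,Thomson274A16,MEO-6A9F51
Mac: D0:51:62:E6:AA:03, ESSID: PROFESSORES,ZON-7760
Mac: A4:5E:60:12:AA:04, ESSID:
Mac: 10:68:3F:79:AA:01, ESSID: HOMEnetwork,ZON-03B0
Mac: 02:11:22:33:AA:05, ESSID: Zon-FON
"""

# Public networks named on the slides (identify nobody in particular) and an
# assumed list of open ESSIDs an evil twin could impersonate; compared upper-cased.
PUBLIC_ESSIDS = {"ZON-FON", "PT-WIFI", "PTWIFI"}
OPEN_ESSIDS = {"ZON-FON", "PT-WIFI", "PTWIFI", "FREEWIFICENTROVASCODAGAMA"}
LINE_RE = re.compile(r"Mac:\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}),\s*ESSID:\s*(.*)")


def parse_probes(text):
    """Return {mac: set(essids)}; repeated sightings of one MAC are merged."""
    devices = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        essids = {e.strip() for e in m.group(2).split(",") if e.strip()}
        devices[m.group(1).upper()] |= essids
    return dict(devices)


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a locally administered (randomised) MAC."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def metrics(devices):
    """Counts mirroring the Metrics slides: devices, leakers, evil-twin exposed."""
    leaking = exposed = randomised = 0
    for mac, essids in devices.items():
        upper = {e.upper() for e in essids}
        if upper - PUBLIC_ESSIDS:      # at least one personal (non-public) ESSID
            leaking += 1
        if upper & OPEN_ESSIDS:        # a saved open network: evil twin would work
            exposed += 1
        if is_locally_administered(mac):
            randomised += 1
    return {"devices": len(devices), "leaking": leaking,
            "evil_twin_exposed": exposed, "randomised_mac": randomised}


if __name__ == "__main__":
    print(metrics(parse_probes(SAMPLE)))
```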