This drone can steal what's on your phone
By Erica Fink
@EricaFink March 20, 2014: 8:10 AM ET
NEW YORK (CNNMoney)
The next threat to your privacy could be hovering
overhead while you walk down the street.
Hackers have developed a drone that can steal the
contents of your smartphone -- from your location data to your Amazon password
-- and they've been testing it out in the skies of London. The research will be
presented next week at the Black Hat Asia cybersecurity conference in
Singapore.
The technology equipped on the drone, known as Snoopy,
looks for mobile devices with Wi-Fi settings turned on.
Snoopy takes advantage of a feature built into all
smartphones and tablets: When mobile devices try to connect to the Internet,
they look for networks they've accessed in the past.
"Their phone will very noisily be shouting out the
name of every network it's ever connected to," Sensepost security
researcher Glenn Wilkinson said. "They'll be shouting out, 'Starbucks, are
you there?...McDonald's Free Wi-Fi, are you there?'"
That's when Snoopy can swoop into action (and be its most
devious, even more than the cartoon dog): the drone can send back a signal
pretending to be networks you've connected to in the past. Devices two feet
apart could both make connections with the quadcopter, each thinking it is a
different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy
will intercept everything they send and receive.
"Your phone connects to me and then I can see all of
your traffic," Wilkinson said.
That includes the sites you visit, credit card
information entered or saved on different sites, location data, usernames and
passwords. Each phone has a unique identification number, or MAC address, which
the drone uses to tie the traffic to the device.
The names of the networks the phones look for can also be
telling.
"I've seen somebody looking for 'Bank X' corporate
Wi-Fi," Wilkinson said. "Now we know that that person works at that
bank."
CNNMoney took Snoopy out for a spin in London on a
Saturday afternoon in March and Wilkinson was able to show us what he believed
to be the homes of several people who had walked underneath the drone. In less
than an hour of flying, he obtained network names and GPS coordinates for about
150 mobile devices.
He was also able to obtain usernames and passwords for
Amazon, PayPal and Yahoo accounts created for the purposes of our reporting so
that we could verify the claims without stealing from passersby.
Collecting metadata, or the device IDs and network names,
is probably not illegal, according to the Electronic Frontier Foundation.
Intercepting usernames, passwords and credit card information with the intent
of using them would likely violate wiretapping and identity theft laws.
Wilkinson, who developed the technology with Daniel
Cuthbert at Sensepost Research Labs, says he is an ethical hacker. The purpose
of this research is to raise awareness of the vulnerabilities of smart devices.
Installing the technology on drones creates a powerful
threat because drones are mobile and often out of sight for pedestrians,
enabling them to follow people undetected.
While most of the applications of this hack are creepy,
it could also be used for law enforcement and public safety. During a riot, a
drone could fly overhead and identify looters, for example.
Users can protect themselves by shutting off Wi-Fi
connections and forcing their devices to ask before they join networks.
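The behavior described above leaves two things a defender can check for: which network names a device gives away when it probes, and whether a single transmitter answers to an implausible number of different names. The following Python sketch is an added example, not code from Snoopy or Sensepost; the frame tuples are constructed sample data, and the function names and the `max_ssids` threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample observations: (frame type, transmitter MAC, network name).
# "probe_req"  = a phone asking whether a remembered network is nearby.
# "probe_resp" = an access point answering for that network name.
FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "Starbucks"),
    ("probe_resp", "02:00:00:00:00:99", "Starbucks"),
    ("probe_req",  "aa:aa:aa:00:00:02", "McDonald's Free Wi-Fi"),
    ("probe_resp", "02:00:00:00:00:99", "McDonald's Free Wi-Fi"),
    ("probe_req",  "aa:aa:aa:00:00:01", "HomeNet-Example"),
    ("probe_resp", "02:00:00:00:00:99", "HomeNet-Example"),
    ("probe_resp", "02:00:00:00:00:10", "CoffeeShop-Example"),
    ("probe_req",  "aa:aa:aa:00:00:03", ""),  # wildcard probe: names no network
]


def leaked_network_names(frames):
    """Map each client MAC to the network names it disclosed while probing."""
    leaked = defaultdict(set)
    for kind, mac, ssid in frames:
        if kind == "probe_req" and ssid:  # an empty name discloses nothing
            leaked[mac].add(ssid)
    return dict(leaked)


def suspicious_responders(frames, max_ssids=2):
    """Flag transmitters that answer for more names than max_ssids.

    Assumption: a genuine access point answers for a small, fixed set of
    names, so one MAC answering for many unrelated names is worth a look.
    """
    answered = defaultdict(set)
    for kind, mac, ssid in frames:
        if kind == "probe_resp":
            answered[mac].add(ssid)
    return {mac: sorted(names) for mac, names in answered.items()
            if len(names) > max_ssids}


if __name__ == "__main__":
    for mac, names in leaked_network_names(FRAMES).items():
        print(f"{mac} disclosed: {sorted(names)}")
    for mac, names in suspicious_responders(FRAMES).items():
        print(f"{mac} answered for {len(names)} names: {names}")
```

The first function shows why pruning saved networks reduces exposure; the second is a heuristic only, and the threshold needs tuning for sites whose access points legitimately serve several network names.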