Two British security researchers, Glenn Wilkinson and Daniel Cuthbert of SensePost, have built a flying drone - called Snoopy - that can steal the data from anyone below who is using a mobile device connected to an open WiFi network.
Snoopy can be hidden inside someone's pocket on the ground or, in its latest test, installed on-board a drone that flew over London and captured data from around 150 mobile devices in less than an hour. The invention highlights once more the danger of using WiFi hotspots.
Snoopy is a compact tracking, profiling and data-capture device that targets mobiles and the people who own them. SensePost first announced it in 2012 with a proof of concept and have been developing it since then.
Glenn Wilkinson, a security researcher with independent security consultancy SensePost, explained: “Snoopy can run on small computers - Raspberry Pi or BeagleBone - certain smartphones (Nokia N900) or laptops. It's designed to collect information from devices that people carry – smartphones, tablets, Google Glasses, even NFC cards and RFID tags and sync that data back to a server where it can be explored.”
Snoopy works by imitating any free WiFi network that the victim has connected to in the past and then intercepting all the data they send and receive. It can also be used to infect the user's device, either by injecting malicious web traffic or by firing exploits at the device from the Snoopy server.
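Seen from the defender's side, the mechanism above means every saved open network that is set to rejoin automatically is a name an impostor access point can answer to. The following is an added example, not code from the article or from SensePost: it audits NetworkManager keyfile profiles for such entries, and the sample profiles and function names are constructed for illustration.

```python
import configparser

# Constructed NetworkManager keyfile profiles (illustrative, not from the article).
SAMPLE_PROFILES = {
    "CoffeeShop_Free.nmconnection": "[connection]\ntype=wifi\n[wifi]\nssid=CoffeeShop_Free\n",
    "HomeNet.nmconnection": "[connection]\ntype=wifi\n[wifi]\nssid=HomeNet\n"
                            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "Airport.nmconnection": "[connection]\ntype=wifi\nautoconnect=false\n[wifi]\nssid=Airport\n",
    "Wired.nmconnection": "[connection]\ntype=ethernet\n",
}

WIFI_TYPES = ("wifi", "802-11-wireless")
SECURITY_SECTIONS = ("wifi-security", "802-11-wireless-security")


def audit_profile(text):
    """Return (ssid, is_open, autoconnect) for a Wi-Fi keyfile, or None for other types."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in WIFI_TYPES:
        return None
    ssid = cp.get("wifi", "ssid", fallback=None) or cp.get(
        "802-11-wireless", "ssid", fallback="?")
    # An open network profile carries no security section at all.
    is_open = not any(cp.has_section(s) for s in SECURITY_SECTIONS)
    # NetworkManager auto-joins a saved profile unless autoconnect is set to false.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    return ssid, is_open, autoconnect


def impersonable(profiles):
    """SSIDs the device would silently rejoin if any access point announced that name."""
    hits = []
    for _name, text in sorted(profiles.items()):
        result = audit_profile(text)
        if result and result[1] and result[2]:
            hits.append(result[0])
    return hits


if __name__ == "__main__":
    for ssid in impersonable(SAMPLE_PROFILES):
        print(f"open + autoconnect: {ssid} (forget it or disable autoconnect)")
```

On a real system the same functions can be fed the contents of the files under /etc/NetworkManager/system-connections/, which requires root to read.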
Numerous drones can be deployed over a wide area, with each device uploading its data to a central server. And Wilkinson said that taking Snoopy airborne was “not just stunt hacking”.
He told SCMagazineUK.com via email: “There are several benefits - data collection from a height beyond audible/visual range, very quick collection over a large area, ability to bypass physical security - walls, men with guns, etc – and autonomous searching for known devices.”
Daniel Cuthbert, who is COO at SensePost, described the “completely illegal” part of Snoopy, telling us: “If a network is an open network - and generally most people connect to open free WiFi hotspots - the Snoopy drone pretends to be that network. It connects up and we give you internet access routed through our servers and that's when the full-on interception happens. Everything that's going over your phone to the internet will be routed by our servers.”
Cuthbert gave the example of hijacking Yahoo email. “Yahoo has a terrible security record. This is one of the big internet giants and it still doesn't do enough to make us secure. If you've got personal information coming into your Yahoo account, someone can gain access to it with some drones. It's a waiting game - what information will you get emailed eventually? Could there be credit card information, could there be passwords, or other financial parts of your life? Once you know the username and password to the Yahoo account it's yours.”
The drone's development has emphasised the vulnerability of open WiFi hotspots in particular. Wilkinson told us: “The best results we have had so far are around WiFi because of inherent weaknesses in the way WiFi works, and the verbosity of the information that is sent out. The techniques we use aren't new, but the manner in which they are deployed is novel.”
Laura Aylward, senior consultant at Context Information Security, underlined the problems revealed by the device. She told SCMagazineUK.com via email: “There is always a risk that sensitive data is made available from mobile devices over a WiFi network. The use of a drone is just a rather dramatic way of highlighting the risk when users connect to untrusted access points.”
She advised: “It is possible to reduce the amount of sensitive data sent from the phone by ensuring that personal information is only entered into secure sites and enabling SSL for applications where possible. Organisations can also enforce VPNs to further protect sensitive data from mobile devices.”
Cuthbert warned: “In a normal secure environment, the company has an IT security department and there's policies that enforce the security of the device, so you can't just install any software on your mandated Windows operating system or whatever. The problem with the smartphone is that there is no such thing, so if you walk in with a phone that has got a malicious application installed and you connect to your company's internal WiFi network, you've just walked in with a Trojan device.
“I'm still not convinced on Bring Your Own Device – you're effectively taking the old secure network model and breaking it and allowing anyone to come into it. People need to be aware that these free WiFi networks often come with a big risk.”
Wilkinson and Cuthbert are demonstrating Snoopy at the Black Hat Asia cyber security conference in Singapore on 25-28 March.
In a previous test by SensePost in 2012, four people sat unnoticed in different London underground stations with Snoopy drones running for two hours, while Wilkinson sat at King's Cross station for 13 hours collecting data.