whoami
Miguel Mota Veiga 29 years old; Infosec “Pro” since 2006;
@Dognædis; Pen Testing, Security Audits, Forensic
Analysis, Malware Analysis, Incident Handling, System Administration, Perl...
Financial & IT, Telco, Government, Defense; Security/Privacy Lover;
Crypto-Anarchist; Three “...er”s guy:
Traveller, Backpacker, Geocacher;
What we'll be talking about...
What this presentation is about
How Mobile Devices can leak information;
How an adversary can exploit it;
How people can track you;
Metrics and Results;
What this presentation is **NOT**
Evidence in court (hopefully);
Mobile Phone Tracking 101;
A cry out to do illegal stuff;
Warning
Any actions and/or activities related to the material contained within this presentation are solely your responsibility. The misuse of this information can result in criminal charges brought against the person(s) in question. The author will not be held responsible in the event that any criminal charges are brought against any individuals misusing the information contained here.
This presentation contains materials that can be potentially damaging or dangerous. If you do not fully understand something, then DON'T DO IT! Refer to the laws in your country before using, or in any other way utilizing, these materials. These materials are for educational and research purposes only. Do not attempt to violate the law with anything contained here.
2004 - 2014
Portuguese data;
3.5 million;
>50% per year;
40% of the mobile phone users;
Smartphones by numbers (2013)
Roaming: ~23%
SMS: ~90%
Internet: ~45%
Email: ~33%
Banking: ~5%
Social Network: ~30%
Smartphones by numbers (2013)
Sex           Male: 55%   Female: 45%
Age           10-14: 8%   15-24: 25%   25-34: 25%   35-44: 20%   45-54: 12%   55-64: 7%   >64: 3%
Social Class  Low/Low Middle: 44%   Middle: 31%   High/Middle High: 25%
Region        Lisbon: 23%   Oporto: 12%   Litoral North: 17%   Litoral Center: 15%   South: 10%   Islands: 5%
“Just because something is publicly accessible does not mean that people want it to be publicized” - Making Sense of Privacy and Publicity
Let's talk...
There have been plenty of initiatives from numerous governments to legalize the monitoring of citizens' Internet-based communications. Several private organizations have developed technologies claiming to facilitate the analysis of collected data with the goal of identifying undesirable activities. Whether such technologies are used to identify such activities, or rather to profile all citizens, is open to debate. I will show how this can be done (using IEEE 802.11).
Wifi
As per the RFC5418 documentation (i.e. not down to individual vendors), client devices send out 'probe requests' looking for networks that the devices have previously connected to (and the user chose to save).
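The leak described above is visible in the raw management frames: a directed probe request carries the device's source MAC and the saved network name in the SSID element. The following parser is an added example for this transcript, not code from the talk or from Kismet/Airodump; it walks the 802.11 management header and tagged parameters and groups the revealed names per device, which is what an audit of one's own fleet needs. It assumes frames with radiotap and FCS already stripped, and the MACs and capture contents are constructed sample data.

```python
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# 802.11 frame control: version 0, type 0 (management), subtype 4 (probe request) -> 0x40
FC_PROBE_REQUEST = 0x40
TAG_SSID = 0          # tagged parameter id of the SSID element
MGMT_HEADER_LEN = 24  # FC(2) + duration(2) + addr1(6) + addr2(6) + addr3(6) + seq ctrl(2)
BROADCAST = bytes.fromhex("ffffffffffff")


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def build_probe_request(src_mac: str, ssid: str, seq: int = 0) -> bytes:
    """Construct a raw probe request (no radiotap header, no FCS) as sample input.
    An empty ssid gives a wildcard probe, which reveals no saved network."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    header = struct.pack("<BBH6s6s6sH", FC_PROBE_REQUEST, 0x00, 0,
                         BROADCAST, src, BROADCAST, seq << 4)
    ssid_bytes = ssid.encode("utf-8")
    body = bytes([TAG_SSID, len(ssid_bytes)]) + ssid_bytes
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates element, as real clients send
    return header + body


def parse_probe_request(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (source MAC, SSID) for a probe request; None for other or malformed frames."""
    if len(frame) < MGMT_HEADER_LEN or frame[0] != FC_PROBE_REQUEST:
        return None
    src = mac_to_str(frame[10:16])  # addr2 = transmitting station
    ssid = ""
    i = MGMT_HEADER_LEN
    while i + 2 <= len(frame):  # walk the tagged parameters: id, length, value
        tag, length = frame[i], frame[i + 1]
        value = frame[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # truncated element: treat the whole frame as malformed
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
            break
        i += 2 + length
    return src, ssid


def collect_leaks(frames: Iterable[bytes]) -> Dict[str, List[str]]:
    """Map each probing device to the sorted list of saved network names it revealed."""
    seen: Dict[str, set] = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        names = seen.setdefault(src, set())
        if ssid:  # only directed probes carry a saved ESSID
            names.add(ssid)
    return {mac: sorted(names) for mac, names in seen.items()}


# Constructed sample capture: one device leaking two saved networks, one that only sends
# wildcard probes, and one beacon frame (subtype 8) that the parser must ignore.
SAMPLE_CAPTURE = [
    build_probe_request("10:68:3F:79:AA:01", "HOMEnetwork", 1),
    build_probe_request("10:68:3F:79:AA:01", "MEO-983B37", 2),
    build_probe_request("50:46:5D:1B:AA:02", "", 7),
    bytes([0x80, 0x00]) + bytes(22) + bytes([0, 0]),
]

if __name__ == "__main__":
    for mac, names in collect_leaks(SAMPLE_CAPTURE).items():
        print(mac, "->", names or "(wildcard probes only)")
```

Run it against your own devices' captures to see which of them still answer the question "which networks do you know?" on every scan; a device that only appears with an empty list is sending wildcard probes and reveals nothing beyond its MAC.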
A device
A Unique Signature
9C:20:7B:8E:F7:E7
A Link to a Person
9C:20:7B:8E:F7:E7
Wifi tracking
iOS: saves the last 3 connected ESSIDs and leaks them;
Android: depends on vendor / version;
Windows Phone: no data;
Examples
MAC: 10:68:3F:79:XX:XX, ESSIDs: HOMEnetwork, ZON-03B0, MEO-983B37, MEO_CASA1, AndroidAP, PT-WIFI, NSN-BYOD, FreeWiFiCentroVascodaGama, Cabovisao-FCF5, CasaZero
MAC: 50:46:5D:1B:XX:XX, ESSIDs: ZON-D7C0, Thomson274A16, SAPO-ZL71193, Thomson4E835C, ZON-7A9C, MEO-6A9F51, MEO-08D1E6, MEO-45CBBD, ZON-6520
MAC: D0:51:62:E6:XX:XX, ESSIDs: MEO-8E8341, PROFESSORES, ZON-7760, PROFESSORES3
ESSID?
People tend to connect to networks that they can trust;
Home, Workplace, Restaurants, Bars;
They tend to be unique: Thomson-<random>, MEO-<random> etc. (ignore Zon-FON, PTWIFI or any public wifi networks);
ESSID + GPS data = Profit (Google Maps, Google Street View);
Analysis
“Hmm, this guy was connected to McDonalds_Free_Wifi and to Cheap_Coffee_Shop_Free Wifi. Must be an average Joe..." or "Okay... Looks like you have been connected to FirstClass_LuxuaryAirline and to 500Company-IntraWifi... - you must be a hot shot...".
Examples
“You already have zero privacy. Get over it.” - Scott G. McNealy, CEO of Sun Microsystems
ESSID
Cheap laptop (250€);
OpenSource Apps;
Kismet and Airodump support GPSd;
GPS dongle (30€);
Bag (20€);
Hiking shoes/boots (30€);
Mac Address
MAC addresses are unique. If we match one to a person, then GAME OVER.
List of ESSIDs and GPS data about his geolocation; can determine if he's in range; deploy drones and stalk him.
Architecture - Passive
Linux;
Kismet / Airodump-ng;
GPSd;
MySQL;
Attacks
Evil Twin Attack: create a rogue AP with a known ESSID of your target;
Man In The Middle: data interception;
Social Networks, Email, any kind of identifier;
Code Injection: malicious code;
Tactical Exploitation: list of contacts, SMS, etc.
Evil Twin
“...Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications....” - Wikipedia
Architecture - Aggressive
DHCP Server;
Bind;
Squid;
Airodump-ng;
Beef / (Kar)Metasploit / sslstrip;
MySQL Database;
Drone(s): Laptops, Android, Raspberry Pi;
“We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” - Eric Schmidt
Usage
Collecting anonymized statistics;
Identify and follow criminals;
Track a single individual;
Track us all;
Architecture
Metrics
Device probes were collected at: Lisbon Airport; Traffic Jams; Subway Stations; Malls; Tourist Spots;
1200-1500 unique devices per hour;
Metrics
8790 unique devices;
2296 leak at least 1 ESSID (~26% of the Smartphone Universe);
706* vulnerable to the Evil Twin Attack (~8% of the Smartphone Universe);
* Only the most common Open ESSIDs were counted; the real number should be higher...
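The ESSID analysis above (ignore public hotspot names, treat vendor-default names such as MEO-<random> as identifying) and the metrics just given are both a matter of classifying each device's probed names and counting. The block below is an added example, not the talk's own tooling or database: it takes per-device ESSID sets of the kind Kismet/Airodump produce and computes the same three figures (devices seen, devices leaking any ESSID, devices probing for a public/open name and therefore willing to join an evil twin carrying it). The public-name list and the vendor-prefix pattern are derived from the slides' own examples and are assumptions; the MACs and records are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Public hotspot names shared by thousands of users, which identify nobody. Zon-FON and
# PT-WIFI are named on the slides; the case-insensitive match is an added assumption.
PUBLIC_ESSIDS = {"ZON-FON", "PT-WIFI", "PTWIFI", "FREEWIFICENTROVASCODAGAMA"}

# Operator/router default names seen in the slides' examples (MEO-983B37, ZON-03B0,
# Thomson274A16, SAPO-ZL71193, Cabovisao-FCF5): fixed vendor prefix plus a per-router
# suffix, so each one pins down a single router and, with GPS data, a single address.
VENDOR_DEFAULT = re.compile(r"^(MEO|ZON|Thomson|SAPO|Cabovisao)[-_]?[0-9A-Za-z]{4,}$")


def classify(essid: str) -> str:
    """'public' (ignored), 'vendor-default' (strongest identifier) or 'custom' (home/work name)."""
    if essid.upper() in PUBLIC_ESSIDS:
        return "public"
    if VENDOR_DEFAULT.match(essid):
        return "vendor-default"
    return "custom"


@dataclass
class Metrics:
    devices: int
    leaking: int        # revealed at least one ESSID of any kind
    identifying: int    # revealed at least one non-public ESSID
    open_exposed: int   # probes for a public/open name, so would associate to an evil twin using it
    top_essids: List[Tuple[str, int]]


def pct(part: int, whole: int) -> float:
    """Share of the observed device universe, rounded as on the slides."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def compute_metrics(records: Dict[str, Set[str]], top_n: int = 3) -> Metrics:
    """records maps device MAC -> set of ESSIDs it probed for (empty set = wildcard probes only)."""
    leaking = sum(1 for names in records.values() if names)
    identifying = sum(1 for names in records.values()
                      if any(classify(n) != "public" for n in names))
    open_exposed = sum(1 for names in records.values()
                       if any(classify(n) == "public" for n in names))
    counts = Counter(n for names in records.values() for n in names)
    return Metrics(len(records), leaking, identifying, open_exposed, counts.most_common(top_n))


# Constructed sample modelled on the masked examples in the slides (MAC tails invented).
SAMPLE_RECORDS: Dict[str, Set[str]] = {
    "10:68:3F:79:AA:01": {"HOMEnetwork", "ZON-03B0", "MEO-983B37", "PT-WIFI"},
    "50:46:5D:1B:AA:02": {"ZON-D7C0", "Thomson274A16"},
    "D0:51:62:E6:AA:03": {"PT-WIFI"},
    "AC:DE:48:00:AA:04": set(),
    "AC:DE:48:00:AA:05": set(),
}

if __name__ == "__main__":
    m = compute_metrics(SAMPLE_RECORDS)
    print(f"{m.devices} unique devices")
    print(f"{m.leaking} leak at least 1 ESSID (~{pct(m.leaking, m.devices)}%)")
    print(f"{m.identifying} leak an identifying ESSID (~{pct(m.identifying, m.devices)}%)")
    print(f"{m.open_exposed} would join an evil twin on a public name (~{pct(m.open_exposed, m.devices)}%)")
    print("most common:", m.top_essids)
```

Counting open-name exposure per device rather than per probe matches the footnote on the slide: a device that probes for several public names is still one exposed device, and extending PUBLIC_ESSIDS beyond the most common open names can only raise the count.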
Protect Yourself
"I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time;"
Protect yourself
Turn off your Wifi;
Erase all the saved ESSIDs;
Randomize your MAC address;
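The third countermeasure breaks the "one MAC, one person" link on which the whole tracking chain rests. As an added example (not from the talk), the block below generates a random address with the bits set the way the 802.11/802.3 address format requires (unicast, locally administered), checks whether an observed address is a randomized one or a burned-in vendor address, and wraps the iproute2 commands that apply it on Linux. The interface name wlan0 and the injectable `run` callable are assumptions for the example; the page's own MAC 9C:20:7B:8E:F7:E7 is used only as a known vendor-assigned address.

```python
import os
import re
import subprocess
from typing import Iterable, List, Tuple

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
IG_BIT = 0x01  # individual/group bit: must be 0 for a unicast station address
UL_BIT = 0x02  # universal/local bit: 1 marks a locally administered (non-vendor) address


def random_mac() -> str:
    """Random unicast, locally administered MAC: no vendor OUI, different on every call."""
    octets = bytearray(os.urandom(6))
    octets[0] = (octets[0] & 0xFC) | UL_BIT  # clear I/G, set U/L in the first octet
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac: str) -> bool:
    """True for a randomized/local address, False for a burned-in vendor address."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first = int(mac[:2], 16)
    return bool(first & UL_BIT) and not (first & IG_BIT)


def randomized_share(macs: Iterable[str]) -> Tuple[int, int]:
    """(randomized, total) over observed station addresses, e.g. sources in a probe capture."""
    macs = list(macs)
    return sum(1 for m in macs if is_locally_administered(m)), len(macs)


def linux_set_mac_commands(iface: str, mac: str) -> List[List[str]]:
    """iproute2 sequence to change a Linux interface address (root; link goes down briefly)."""
    return [
        ["ip", "link", "set", "dev", iface, "down"],
        ["ip", "link", "set", "dev", iface, "address", mac],
        ["ip", "link", "set", "dev", iface, "up"],
    ]


def apply_random_mac(iface: str, run=subprocess.run) -> str:
    """Generate a random local MAC and apply it; 'run' is injectable so this can be dry-run."""
    mac = random_mac()
    for cmd in linux_set_mac_commands(iface, mac):
        run(cmd, check=True)
    return mac


if __name__ == "__main__":
    # Dry run: print the commands instead of executing them.
    mac = apply_random_mac("wlan0", run=lambda cmd, check: print("would run:", " ".join(cmd)))
    print("new address:", mac, "locally administered:", is_locally_administered(mac))
```

`randomized_share` is the defender's view of the same capture the talk collects: feeding it the source addresses from a probe log tells you what fraction of the devices around you are already hiding their vendor address. On a NetworkManager system the same effect is available without scripting by setting `wifi.scan-rand-mac-address=yes` under `[device]` and `wifi.cloned-mac-address=random` under `[connection]` in a file in /etc/NetworkManager/conf.d/ (option names from NetworkManager's own documentation; support depends on the installed version).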
Finish
This is nothing new;
This problem has been talked about since the first half of the 2000s;
Something quite similar was done by SensePost in London in 2013;
The Electronic Frontier Foundation is creating a database of all the mobile devices that leak this kind of information;
Future(?)
Any Wireless technology that can be used to identify “any” citizen:
Bluetooth; Wifi; GSM; GPS; NFC; RFID;
Future(?)
HEX l2_data_out_B:296 Format Bbis (RR, MM or CC)
000: d6 a7 b5 cf 29 6f 38 ff - ea 55 55 bc e2 b8 80 d6
001: 83 59 cf 2d ef 38 d7 ea - 55 55 bc e2 b9 40 d0 73
002: 38 e2 ac f1 69 d5 61 e3 - 8f c3 78 80
0: d6 1------- Direction: To originating site
0: d6 -101---- 5 TransactionID
0: d6 ----0110 Radio Resouce Management
1: a7 0-100111 RRpagingResponse
1: a7 -x------ Send sequence number: 1
(...)
6: 38 ----1--- SoLSA Capability: supported
6: 38 ------0- A5/3 not available
6: 38 -------0 A5/2: not available
8: ea -----010 Type of identity: IMEI
9: 55 -------- ID(254/odd): E5555CB2E8B086D3895FCD2FE837DAE5555CB2E9B040D37832ECA1F965D163EF83C8708
Demo