Daniel Cuthbert and Glenn Wilkinson, SensePost
Chris - This week the 44 Con information security conference will be taking place in London; top international experts will be getting together to discuss the latest developments in information security.
Daniel - Smartphone usage in the UK has grown at such an alarming rate and we looked at Ofcom and in 2009, only 1.2 million smartphones were purchased. Now if we fast-forward to August 2012, 2/5 of UK adults now have a smartphone and 40% of those actually use it as their sole, primary internet device. If you look at traditional methods of connecting it is either 3G or Wi-Fi, and so, what we’ve done with this bit of research is to look at vulnerabilities in the Wi-Fi protocol and to see how we could use that to gather as much information as we can do about the person they're tracking, their usage habits et cetera.
Meera - We’re located in Liverpool Street Station in the City of London at the moment, which sees 148 million people passing through here every year. Just around us now, there are thousands of people readily armed with their smartphones. How much can you know about all of these people walking around here, just busily emailing or potentially updating their Facebook?
Daniel - So, one of the flaws that was found back in 2004 was that a mobile device will probe for the last X number of connected access points. To put that in basic terms, when you go to your home and you connect to “home net” and you save that as a connection, that's stored in the device. A lot of people move around with their phone, right? So if you can imagine, you're probably connected to, let’s say conservatively, 8 access points. Every time you leave the house, your phone is going, where’s this? Where’s that? So what Glenn and I have done is build up a framework where we can now figure out where these people are, where they travel to, where they’ve been, and in places like Liverpool Street, where it’s got a high concentration of people, you can gather a lot of information in a short period of time.
Meera - Glenn, you’ve actually developed the technology that helps find out all of this information through people’s phones. I mean, what are the main things you're able to do?
Glenn - The project has two main components and I built software for two main areas. The one is tracking people and the other is profiling people. And as Daniel mentioned, your mobile phone or your laptop or any wireless devices, is constantly sending out these, what we call “probe requests”, looking for networks that they were previously connected to, and in that message, it discloses a unique serial number for that device. It’s called the MAC address. If someone walks past now with their Wi-Fi on and they send out a bunch of probe requests, I can see their MAC address, I can record it on some listing software I have and then if they walk past me later today, I would see that same unique serial number, same unique MAC address. What that means is that at any given location and point in time, I know if there is someone around me and later in time, at some other point in space and time, I can see them again. That’s perhaps nothing new, but what I built that is new is a distributed framework for this. So, what we can do is then drop what we call “drones” all over a certain location.
Meera - These are essentially devices that – this one here you’ve got is just a Nokia smartphone.
Glenn - So essentially, it’s any device that can run Linux, has a wireless card, and has drivers that support the kind of things that we’re doing. So in my hands here, I've got a Nokia N900 with some special software and some special drivers, a small access point called an alpha which is battery powered and solar powered. We can also plug devices into a wall socket and they will all collect this data, and upload it to a central server and process it.
Meera - So essentially, you're gathering information about thousands of smartphones in many different locations say, around London and just getting a good profile or tracking the movements of the people of London.
Glenn - Yes, exactly and where that becomes interesting is on the larger scale. So if you were to drop one of these devices in every underground station for a day say, you will then notice, okay, at 8:04 am, this Apple product walked past us. 40 minutes later, it popped up at Oxford station, and an hour later, it popped up outside Oxford Circus Station.
Meera - So, you're really seeing somebody’s daily movements?
Glenn - And that becomes quite interesting on the large scale when you have tens of thousands of people, and you can see the daily movement patterns between various locations.
Meera - Well, so this is very much, I guess, tracking movement, but you also mentioned profiling. So, having seen that there are these phones around, are you able to tap into them and actually get information off them?
Glenn - If we walk around some location with a device that has Wi-Fi and GPS capabilities, each time we notice a wireless network, we can note its GPS coordinates and put that in a big database for later. We have these say, 50 drones deployed in the field. They're all watching for these various people and all that data gets uploaded as one central webserver. On that central server, we can start looking, okay, here’s an Apple device. It’s looking for these 5 networks. Let’s see if we can map those two locations. So, BT home hub something, something - that maps to 6 Main Street London. So very quickly, I can work out, “Hey, that person who just walked past me, they live at this address, they work at this address.” We then interface that into Google APIs, get their street address, and a street-view photograph of their house.
Meera - Well, you’ve actually got something setup here and you’ve already mapped a range of phones that are nearby. One of which, you’ve even located down to a house in Yorkshire!
Glenn - Yeah, somebody walked past about 5 minutes ago and yeah, it maps to a location in Yorkshire. There's their street address, I won't say it on air.
Meera - And a picture of their house.
Glenn - Yup, yup.
Meera - And what about the actual information on their phone? So, I mean, they're using it to write emails, possibly do their banking. Can you actually tap into and get information there?
Glenn - Because your phone is constantly sending out these probe requests, what my drone can also do is it can pretend to be those networks. And then your iPhone or your Blackberry, your laptop, whatever will connect to this device and receive its internet via this device. Everyone’s network traffic will go through this one spot and I can monitor everyone’s communications on this one spot.
Meera - Now moving back to you Daniel then. So, you’ve got these various ways of tracking people, profiling people, but is this the kind of thing that we should be worried about at the moment? So, are there hackers potentially going out at these times, to try and find out information about people?
Daniel - I wouldn’t say no. I think it’s an exciting area for the scammers and the criminals to try and look at exploiting. We keep everything in our devices these days – your banking, your passwords, your social media stuff, your email accounts. So getting hold of these devices, there's such a wealth of information and I think as we evolve and use these devices, people are going to look at ways of exploiting it.
Meera - To summarise really, what are the main things people need to remember at the moment? I'm thinking, I just need to turn my Wi-Fi off when I'm not using it.
Daniel - I think we need to try to start treating smartphones as we would our laptops. We generally put everything onto the smartphone, we trust it a lot, but we also lose a lot of them. Smartphones, by nature are very chatty. There are people out there that try and abuse this. Be a bit more careful.
As far as spoofing the access point a phone is trying to find, how about the password? Will the connection be established even if the fake AP does not ask for the password (because it would not know it of course)? In other words, does only an access point require password identification to establish the connection, or does the phone require it as well?
rivergum, Sat, 24th Nov 2012