whoami Miguel Mota Veiga 29 years old; Infosec “Pro” since 2006; @Dognædis; Pen Testing,...


Page 1: whoami Miguel Mota Veiga  29 years old;  Infosec “Pro” since 2006; @Dognædis; Pen Testing, Security Audits, Forensic Analysis, Malware Analysis, Incident.
Page 2:

whoami

Miguel Mota Veiga
29 years old;
Infosec “Pro” since 2006;
@Dognædis;
Pen Testing, Security Audits, Forensic Analysis, Malware Analysis, Incident Handling, System Administration, Perl...
Financial & IT, Telco, Government, Defense;
Security/Privacy Lover;
Crypto-Anarchist;
Three “...er”s guy: Traveller, Backpacker, Geocacher;

Page 3:

What we'll be talking about...

Page 4:

What this presentation is about

How Mobile Devices can leak information;
How an adversary can exploit it;
How people can track you;
Metrics and Results;

Page 5:

What this presentation is **NOT**

Evidence in court (hopefully);
Mobile Phone Tracking 101;
A cry out to do illegal stuff;

Page 6:

Warning

Any actions and/or activities related to the material contained within this presentation are solely your responsibility. The misuse of this information can result in criminal charges brought against the person(s) in question. The author will not be held responsible in the event any criminal charges are brought against any individuals misusing the information contained.

This presentation contains materials that can be potentially damaging or dangerous. If you do not fully understand something, then DON'T DO IT! Refer to the laws in your country before using, or in any other way utilizing, these materials. These materials are for educational and research purposes only. Do not attempt to violate the law with anything contained here.

Page 7:

2004 - 2014

Page 8:

Smartphones by numbers (2013)

Portuguese data;
3.5 million;
>50% per year;
40% of the mobile phone users;

Page 9:

Smartphones by numbers (2013)

Roaming: ~23%
SMS: ~90%
Internet: ~45%
Email: ~33%
Banking: ~5%
Social Network: ~30%

Page 10:

Smartphones by numbers (2013)

Sex
  Male: 55%
  Female: 45%

Age
  10/14: 8%
  15/24: 25%
  25/34: 25%
  35/44: 20%
  45/54: 12%
  55/64: 7%
  >64: 3%

Social Class
  Low/Low Middle: 44%
  Middle: 31%
  High/Middle High: 25%

Region
  Lisbon: 23%
  Oporto: 12%
  Litoral North: 17%
  Litoral Center: 15%
  South: 10%
  Islands: 5%

Page 11:

“Just because something is publicly accessible does not mean that people want it to be publicized” - Making Sense of Privacy and Publicity

Page 12:

Let's talk...

There have been plenty of initiatives from numerous governments to legalize the monitoring of citizens' Internet-based communications. Several private organizations have developed technologies claiming to facilitate the analysis of collected data with the goal of identifying undesirable activities. Whether such technologies are used to identify such activities, or rather to profile all citizens, is open to debate. I will show how it can be done (using IEEE 802.11).

Page 13:

Wifi

Page 14:

Wifi

As per the RFC5418 documentation (i.e. not down to individual vendors) client devices send out 'probe requests' looking for networks that the devices have previously connected to (and the user chose to save).

Page 15:

A device

Page 16:

A Unique Signature

9C:20:7B:8E:F7:E7

Page 17:

A Link to a Person

9C:20:7B:8E:F7:E7

Page 18:

Wifi tracking

iOS: Saves the last 3 connected ESSIDs, and leaks them out;
Android: Depends on vendors / versions;
Windows Phone: Don't have any data;

Page 19:

Examples

Mac: 10:68:3F:79:XX:XX, ESSID: HOMEnetwork,ZON-03B0,MEO-983B37,MEO_CASA1,AndroidAP,PT-WIFI,NSN-BYOD,FreeWiFiCentroVascodaGama,Cabovisao-FCF5,CasaZero

Mac: 50:46:5D:1B:XX:XX, ESSID: ZON-D7C0,Thomson274A16,SAPO-ZL71193,Thomson4E835C,ZON-7A9C,MEO-6A9F51,MEO-08D1E6,MEO-45CBBD,ZON-6520

Mac: D0:51:62:E6:XX:XX, ESSID: MEO-8E8341,PROFESSORES,ZON-7760,PROFESSORES3

Page 20:

ESSID?

People tend to connect to networks that they can trust;
  Home, Workplace, Restaurants, Bars;
They tend to be unique: Thomson-<random>, MEO-<random>, etc. (ignore Zon-FON, PTWIFI or any public wifi networks);
ESSID + GPS data = Profit (Google Maps, Google Street View);

Page 21:

Analysis

“Hmm, this guy was connected to McDonalds_Free_Wifi and to Cheap_Coffee_Shop_Free Wifi. Must be an average Joe..." or "Okay... Looks like you have been connected to FirstClass_LuxuaryAirline and to 500Company-IntraWifi... - you must be a hot shot...".

Page 22:

Examples

Page 23:

“You already have zero privacy. Get over it.” - Scott G. McNealy CEO of Sun Microsystems

Page 24:

ESSID

Page 25:

ESSID

Page 26:

ESSID

Page 27:

ESSID

Page 28:

ESSID

Cheap laptop (250€);
OpenSource Apps;
  Kismet and Airodump support GPSd;
GPS dongle (30€);
Bag (20€);
Hiking shoes/boots (30€);

Page 29:

Mac Address

MAC addresses are unique. If we match one to a person, then GAME OVER.

List of ESSIDs and GPS data about his geolocation;
Can determine if he's in range;
Deploy drones and stalk him.

Page 30:

Architecture - Passive

Linux;
Kismet / Airodump-ng;
GPSd;
MySQL;

Page 31:

Attacks

Evil Twin Attack;
  Create a rogue AP with a known ESSID of your target;
Man In The Middle;
Data Interception;
  Social Networks, Email, any kind of identifier;
Code Injection;
  Malicious code;
Tactical Exploitation;
  List of contacts, SMS, etc.

Page 32:

Evil twin

Page 33:

Evil Twin

“...Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications....” - Wikipedia

Page 34:

Architecture - Aggressive

DHCP Server;
Bind;
Squid;
Airodump-ng;
Beef / (Kar)Metasploit / sslstrip;
Mysql Database;
Drone(s)
  Laptops, Android, Raspberry Pi

Page 35:

“We know where you are. We know where you’ve been. We can more or less know what you’re thinking about.” - Eric Schmidt

Page 36:

Usage

Collecting anonymized statistics;
Identify and follow criminals;
Track a single individual;
Track us all;

Page 37:

Architecture

Page 38:

Metrics

Device probes were collected at:
  Lisbon Airport;
  Traffic Jams;
  Subway Stations;
  Malls;
  Tourist Spots;
1200-1500 unique devices per hour;

Page 39:

Metrics

8790 unique devices;
2296 leak at least 1 ESSID;
  ~26% of the Smartphone Universe;
706* vulnerable to the Evil Twin Attack;
  ~8% of the Smartphone Universe;
* Only counted the most common Open ESSID, this number should be higher...

Page 40:

Protect Yourself

"I don't believe society understands what happens when everything is available, knowable and recorded by everyone all the time;"

Page 41:

Protect yourself

Turn off your Wifi;
Erase all the saved ESSID;
Randomize your Mac Address;
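
A self-audit for the steps above, as an added example that is not part of the original presentation: it checks whether a MAC address has the locally-administered (randomized) bit set and sorts a saved-network list into ISP-default names that point to one location, shared open hotspots a rogue AP can imitate, and names to review by hand. The ISP prefix pattern and the open-hotspot set are assumptions based on ESSIDs shown on the slides; the saved-network list is constructed.

```python
import re

# Assumption: ISP-default naming as seen on the slides (prefix + hex suffix).
ISP_DEFAULT = re.compile(r"^(MEO|ZON|Thomson|Cabovisao)[-_]?[0-9A-F]{4,}$", re.I)
# Assumption: shared open hotspot names the slides call out as public.
PUBLIC_OPEN = {"ZON-FON", "PTWIFI", "PT-WIFI"}


def mac_is_randomized(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set.

    Vendor-assigned (globally unique) addresses have this bit cleared, so a
    cleared bit means the address identifies the hardware itself.
    """
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bool(int(octets[0], 16) & 0x02)


def audit(mac, saved_essids):
    """Classify a device's own MAC and saved networks by exposure."""
    report = {
        "mac_randomized": mac_is_randomized(mac),
        "identifying": [],     # near-unique names: erase or rename the AP
        "evil_twin_risk": [],  # open, widely shared names: erase
        "review": [],          # custom names: judge by hand
    }
    for essid in saved_essids:
        if essid.upper() in PUBLIC_OPEN:
            report["evil_twin_risk"].append(essid)
        elif ISP_DEFAULT.match(essid):
            report["identifying"].append(essid)
        else:
            report["review"].append(essid)
    return report


# Constructed saved-network list, using ESSID styles shown on the slides.
SAVED = ["HOMEnetwork", "ZON-03B0", "MEO-983B37", "MEO_CASA1",
         "PT-WIFI", "Cabovisao-FCF5"]

if __name__ == "__main__":
    for key, value in audit("9C:20:7B:8E:F7:E7", SAVED).items():
        print(f"{key}: {value}")
```
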

Page 42:

Finish

This is nothing new;
This problem has been talked about since the first half of 2000;
Something quite similar was made by SensePost in London in 2013;
Electronic Frontier Foundation is creating a database with all the mobile devices that leak this kind of information;

Page 43:

Future(?)

Any Wireless technology that can be used to identify “any” citizen:
  Bluetooth;
  Wifi;
  GSM;
  GPS;
  NFC;
  RFID;

Page 44:

Future(?)

HEX l2_data_out_B:296 Format Bbis (RR, MM or CC)
000: d6 a7 b5 cf 29 6f 38 ff - ea 55 55 bc e2 b8 80 d6
001: 83 59 cf 2d ef 38 d7 ea - 55 55 bc e2 b9 40 d0 73
002: 38 e2 ac f1 69 d5 61 e3 - 8f c3 78 80
0: d6 1------- Direction: To originating site
0: d6 -101---- 5 TransactionID
0: d6 ----0110 Radio Resouce Management
1: a7 0-100111 RRpagingResponse
1: a7 -x------ Send sequence number: 1
(...)
6: 38 ----1--- SoLSA Capability: supported
6: 38 ------0- A5/3 not available
6: 38 -------0 A5/2: not available
8: ea -----010 Type of identity: IMEI
9: 55 -------- ID(254/odd): E5555CB2E8B086D3895FCD2FE837DAE5555CB2E9B040D37832ECA1F965D163EF83C8708

Page 45:

Demo

Page 46:

Demo

Page 47:

Demo

Page 48: