Every day, billions of people around the globe connect wirelessly, leaving a veritable trail of identifiable breadcrumbs that can be followed, tracked and analyzed by security researchers. At the upcoming Black Hat Brazil event in November, researchers from security firm SensePost will debut an updated version of their distributed mobile tracking and analysis project, dubbed Snoopy.
Glenn Wilkinson, lead security analyst at SensePost, explained to eWEEK that Snoopy is a distributed tracking, data interception and profiling framework. SensePost researchers first built Snoopy in 2012 as a very rough proof of concept and have now rewritten the framework to be more modular and scalable.
The Snoopy system consists of endpoint sensor devices that serve as data collection nodes and a back-end infrastructure that gathers the data and helps make sense of it. The Snoopy node software, or Drone, can run on small Linux devices, including a BeagleBone Black, and the back end can run on Linux servers.
“Snoopy can be run on multiple devices over a large area, say the entire city of London, UK,” Wilkinson said. “The Snoopy framework can then also synchronize all the data in a centralized database.”
The first iteration of Snoopy specifically looked at WiFi signals but is now being expanded to include other types of wireless signals, including Bluetooth and near-field communications (NFC). At a basic level, Snoopy is looking for any kind of signal emitted by an electronic device that can then be used to uniquely identify the device and perhaps the individual who owns the device.
Snoopy collects the data by abusing functionality that is part of most WiFi stacks on mobile devices. In nearly all cases, a WiFi device is always probing for signals from access points it has previously connected to. As a feature, that means if a user has previously connected to his or her own office access point, then whenever the device is in range of the office access point, the device connects.
“When your smartphone is looking for all of the access points it has previously connected to, it is revealing your wireless adapter’s MAC (Media Access Control) address,” Wilkinson said. “That’s a unique number for the device, so we can identify the device as being at a particular location at a point in time.”
So in a large-scale Snoopy deployment with nodes over a distributed area, Snoopy could track the movement of a device over time.
Snoopy also includes the Karma attack, a wireless attack that impersonates the name of previously connected access points. In a Karma attack, when the wireless device is looking for its previously connected access points, Karma responds, identifying itself as one of those access points, and tricks the user into connecting. Once the victim has been connected to the rogue access point via Karma, Snoopy can then intercept data and also manipulate the data the user sees.
From an analysis perspective, the new Snoopy Framework makes use of the open-source Maltego data visualization project to provide a graphical front end and tools to understand all the data that the Snoopy node can collect.
Enterprise
Daniel Cuthbert, chief operating officer at SensePost, told eWEEK that from a business standpoint, his company is still figuring out the best license and approach for the Snoopy project. Cuthbert said he would like to emulate the approach taken by the open-source Metasploit penetration testing framework. Metasploit has a core open-source project and then layers enterprise editions with additional reporting functionality and support on top.
There are a number of things individuals can do to limit the risk of being snooped on by Snoopy. Wilkinson suggests that users flush the recently connected networks list on their mobile devices. He noted that the Karma-style attacks only work effectively for recently connected open networks.
Wilkinson also suggests that users keep WiFi turned off until such time as they need to connect.
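An added example, not from the article or from SensePost's Snoopy code: a Python audit that lists the saved open networks Wilkinson recommends flushing. It assumes a Linux client whose saved profiles are in wpa_supplicant.conf format; the sample configuration and the function names are constructed for illustration.

```python
# Constructed sample in wpa_supplicant.conf format (not taken from the article).
SAMPLE_CONF = '''
network={
    ssid="CoffeeShop-Free"
    key_mgmt=NONE
}
network={
    ssid="HomeNet"
    psk="correct horse battery staple"
}
network={
    ssid="OldRouter"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="HiddenGuest"
    scan_ssid=1
    key_mgmt=NONE
}
'''

def parse_networks(conf_text):
    """Return one dict of settings per network={ ... } block (hypothetical helper)."""
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit_open_networks(conf_text):
    """Return (ssid, directed_probe) for each saved open network."""
    findings = []
    for net in parse_networks(conf_text):
        # key_mgmt=NONE also covers static WEP, so skip entries that carry WEP keys
        has_wep = any(k.startswith("wep_key") for k in net)
        if net.get("key_mgmt") == "NONE" and not has_wep:
            # scan_ssid=1 makes the client probe for this SSID by name
            findings.append((net.get("ssid", ""), net.get("scan_ssid") == "1"))
    return findings

if __name__ == "__main__":
    print(audit_open_networks(SAMPLE_CONF))
```

Entries returned by the audit are candidates for removal from the saved list; the PSK and WEP profiles are left out because only open networks are in scope for the advice above.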
“People are carrying devices in their pockets that are emitting signals that allow them to be uniquely identified,” Wilkinson said. “So I suspect the bigger message going forward is for people to be aware of what they are carrying that might give away some unique identifier and leak information.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.