You may not know it, but the smartphone in your pocket is spilling some of your deepest secrets to anyone who takes the time to listen. It knows what time you left the bar last night, the number of times per day you take a cappuccino break, and even the dating website you use. And because the information is leaked in dribs and drabs, no one seems to notice. Until now.

Enter CreepyDOL, a low-cost, distributed network of Wi-Fi sensors that stalks people as they move about neighborhoods or even entire cities. At 4.5 inches by 3.5 inches by 1.25 inches, each node is small enough to be slipped into a wall socket at the nearby gym, cafe, or break room. And with the ability for each one to share the Internet traffic it collects with every other node, the system can assemble a detailed dossier of personal data, including the schedules, e-mail addresses, personal photos, and current or past whereabouts of the person or people it monitors.

Short for Creepy Distributed Object Locator, CreepyDOL is the brainchild of 27-year-old Brendan O'Connor, a law student at the University of Wisconsin at Madison and a researcher at a consultancy called Malice Afterthought. After a reading binge of science fiction novels, he began wondering how the growing ubiquity of mobile computing was affecting people's ability to remain anonymous, or at least untracked or unidentified, as they went about their work and social routines each day.

You can run, but you cannot hide

"I was wondering if it would be possible [to break] the fundamental assumption about blending into crowds," said O'Connor, who recently demonstrated CreepyDOL at the Black Hat security conference in Las Vegas. "That is, could you design a system that could make it basically impossible in the real world for the scene you see in every action movie where the guy ducks into a mall. There are 10,000 people in there [so] we'll never find him."

[Image: A sanitized screenshot from CreepyDOL showing some of the data it collected on its creator, Brendan O'Connor.]

To his horror, he soon learned the answer was almost certainly yes. Using CreepyDOL to stalk himself as he went about his normal iPhone routine, he was distressed to see just how effectively the system vacuumed up his personal information. His use of a popular dating website (he's not saying which one) was there, as was the photo of him the site sends in the clear, his first and last name sent over a popular RSS service, and the unique MAC address Wi-Fi devices constantly send whenever they're turned on.

"What a lot of people don't realize is it's talking all the time, whether or not it's connected," O'Connor said of Wi-Fi enabled mobile devices, which in his case happens to be an iPhone. "Every couple of seconds, every wireless device that's on is sending out a huge amount of personally identifiable information. If we have sensors spread out over an area, that means it's sending out both an identifier and its location." And of course, he added, there's often a vast amount of personal data sent in the clear over the Wi-Fi connection itself.

Use of a virtual private networking app—which pipes data through an encrypted channel so it can't be monitored by other Wi-Fi devices nearby—does less than many may think to limit the information that CreepyDOL can collect. That's because the iOS-supplied VPN O'Connor used couldn't be activated until after his iPhone connected to the Wi-Fi network first.

"It takes you five seconds to bring your VPN online," he said. "During that time, iMessage has already pinged for updates, Dropbox has already pinged for updates, your mail client has already pinged for updates. This is incredibly saddening to me. VPNs—the usual solution we all use—don't work because you need an operating-system level of support for saying: 'None shall pass until the VPN is online.' iOS is not set up this way."

Other data CreepyDOL can mine includes the Apple hardware identifier (model and version) and iOS version he uses. He believes other mobile operating systems, including Google's Android, do no better a job, although he didn't test them.

[Image: Packets showing the hardware model and iOS version are sent unencrypted each time Apple's iMessage checks for new messages. Services and hardware from Apple competitors often leak similar details.]

And even when people use their mobile devices to connect only to password-protected Wi-Fi networks, there's still a fair amount of data CreepyDOL can collect. That's because the Wi-Fi protocol broadcasts MAC addresses, the names of recently connected networks, and other data whenever Wi-Fi is turned on. At a minimum, that's enough information to track the physical movement of specific devices through a neighborhood or entire city over an extended period of time. And depending on the names of the wireless networks a device has recently connected to, CreepyDOL may be able to know where its owner works, lives, or hangs out.