Snoopy Drone Shows Lax Smartphone Security

Snoopy Drone Data

A remote-controlled quadcopter named “Snoopy” prowled the streets of London in late March, collecting confidential data from the smartphones of passersby at the rate of about 150 victims per hour.

Included in the haul were usernames and passwords to PayPal, Amazon, Yahoo and other sites that represent concentration points for the financial and identity-management data of millions of users.

Click here to find mobile security jobs.

Snoopy is the cutting edge of mobile-security technology, but not in the way most might think. The drone was built and operated by Glenn Wilkinson and Daniel Cuthbert of SensePost Research Labs, who call themselves “ethical hackers” but are actually in business to foil crackers: those who use hacking techniques to steal from consumers or businesses. The pair hack commercially available security products so they can tell their business customers which security products are reliable, and how to plug the holes that inevitably show up in even the good ones. They also spend a lot of time publicizing security weaknesses, mostly to security specialists, for whom they publish detailed results of their own research.

SensePost first revealed Snoopy in 2012 as a research project into testing the effectiveness of a smartphone-eavesdropping system built from off-the-shelf hardware and hacking software. The original system relied on accomplices who would roam through a crowd while the doctored smartphones in their pockets “listened” to the overly chatty Wi-Fi networking software in the smartphones around them.

The doctored phones were able to pick up not only the signals of the target phones, but also SSIDs and other contact data for wireless networks to which the latter devices had connected; the doctored phones then passed that contact data back to a server—the first step to setting up a man-in-the-middle attack that could vacuum up sensitive data shared between victims and legitimate sites.

Man-in-the-middle attacks shouldn’t be so easy that a few doctored phones can snarf up logins for hundreds of thousands of other devices—exactly the point of building and publicizing Snoopy in the first place, Wilkinson and Cuthbert told journalists.

“People are carrying devices in their pockets that are emitting signals that allow them to be uniquely identified,” Wilkinson told eWeek just before SensPost pulled a similar roundup on crowds of hackers at the Black Hat conferences in Las Vegas and Brazil in 2013, where they also presented the results of a six-month study showing it’s possible to inexpensively conduct cutting-edge surveillance on specific groups or locations. “The bigger message going forward is for people to be aware of what they are carrying that might give away some unique identifier and leak information.”

Snoopy needed an update for 2014, so Cuthbert and Wilkinson gave the job of collecting data to a drone that not only attracts more attention from consumers, but can also “bypass physical security—men with guns, that sort of thing,” Wilkinson told the BBC.

“Their phone[s] will very noisily be shouting out the name of every network it’s ever connected to. Your phone connects to me and then I can see all of your traffic.” Wilkinson also told CNN.

His advice to ordinary users? Turn off the Wi-Fi on your smartphone, and make sure your device asks before connecting to any nearby hotspots—whether or not you think there’s a drone trying to listen in.

Related Stories

Image: SensePost Research Labs