4. What this presentation is about
● How Mobile Devices can leak information;
● How an adversary can exploit it;
● How people can track you;
● Metrics and Results;
5. What this presentation is **NOT**
● Evidence on the court (hopefully);
● Mobile Phone Tracking 101;
● A cry out to do illegal stuff;
6. Warning
Any actions and or activities related to the material contained within this
presentation is solely your responsibility. The misuse of this information, can
result in criminal charges brought against the person(s) in question. The
author will not be held responsible in the event any criminal charges be
brought against any individuals misusing the information contained.
This presentation contains materials that can be potentially damaging or
dangerous. If you do not fully understand something, then DON'T DO IT!
Refer to the laws in your country before using, or in any other way utilizing
these materials. These materials are for educational and research purposes
only. Do not attempt to violate the law with anything contained here.
8. ● 3.5 millions;
● >50% per year;
● 40% of the mobile phone
users;
Smartphones by numbers (2013)
9. Smartphones by numbers (2013)
Roaming: ~23%
SMS: ~90%
Internet: ~45%
Email: ~33%
Banking: ~5%
Social Network: ~30%
10. Smartphones by numbers (2013)
Sex
– Male : 55%
– Female : 45%
Age
– 10/14 : 8%
– 15/24 : 25%
– 25/34 : 25%
– 35/44 : 20%
– 45/54 : 12%
– 55/64 : 7%
– >64 : 3%
Social Class
– Low/Low Middle : 44%
– Middle : 31%
– High/Middle High : 25%
Region
– Lisbon : 23%
– Oporto : 12%
– Litoral North : 17%
– Litoral Center : 15%
– South : 10%
– Islandss : 5%
11. “Just because something is publicly accessible does
not mean that people want it to be publicized”-
“Making Sense of Privacy and Publicity“
12. Let's talk...
There have been plenty of initiatives from numerous governments to
legalize the monitoring of citizens Internet based communications.
Several private organizations have developed technologies claiming to
facilitate the analysis of collected data with the goal of identifying
undesirable activities. Whether such technologies are used to identify
such activities, or rather to profile all citizens, is open to debate.
I will show how can be done (using IEEE 802.11).
14. Wifi
As per the RFC5418 documentation (i.e. not
down to individual vendors) client devices
send out 'probe requests' looking for
networks that the devices have previously
connected to (and the user chose to save).
18. Wifi tracking
● iOS : Saves the last 3 connected essid, and
leak it out;
● Android : Depend on vendors / versions;
● Windows Phone : Don't have any data;
20. ESSID?
● People tend to connect to networks that they can trust;
– Home, Workplace, Restaurants, Bars;
● They tend to be unique
– Thomson-<random>, MEO-<random> etc. (ignore Zon-FON,
PTWIFI or any public wifi networks);
● ESSID + GPS data = Profit (Google Maps, Google
Street View);
21. Analysis
"Hmm, you've previously connected to
mcdonalds_wifi, and elCheapoAirlines_wifi -
you must be an average Joe" vs
"Hmm, you've previously connected to
"BA_firstclass, ExpensiveRestaurant_wifi, etc -
you must be a high roller".
29. Mac Address
Mac Address are unique. If we match it to a
person, then GAME OVER.
– List of ESSID and information about is geolocation;
– Can determine if he's at range;
– Deploy drones and stalk him.
31. Attacks
● Evil Twin Attack;
– Create a rogue AP with an known ESSID of your target;
● Man In The Middle;
● Data Interception;
– Social Networks, Email, any kind of identifier;
● Code Injection;
– Malicious code;
● Tactical Exploitation;
– List of contacts, SMS, etc.
33. Evil Twin
“...Evil twin is a term for a rogue Wi-Fi access
point that appears to be a legitimate one
offered on the premises, but actually has been
set up to eavesdrop on wireless
communications....” - Wikipedia
38. Metrics
● Several devices probes were collect at:
– Lisbon Airport;
– Traffic Jams;
– Subway Stations;
– Malls;
– Tourist Spots;
● 1200-1500 unique devices per hour;
39. Metrics
● 8790 unique devices;
● 2296 leak at least 1 ESSID;
– ~26% of the Smartphone Universe;
● 706* vulnerable to the Evil Twin Attack
– ~8% of the Smartphone Universe;
– * Only counted the most common Open ESSID, this
number should be more high...
40. Protect Yourself
"I don't believe society understands
what happens
when everything is available, knowable
and
recorded by everyone all the time;"
41. Protect yourself
● Turn off your Wifi;
● Erase all the saved ESSID;
● Randomize your Mac Address;
42. Finish
● This is not new;
● Something quite similar was made by
SensePost in London in 2013;
● Some drones/raspberrypi were deployed on
several main streets/places;
● Check out the Snoopy Framework;
43. Future(?)
● Any Wireless technology that can be used to
identify “any” citizen:
– Bluetooth;
– Wifi;
– GSM;
– GPS;
– NFC;
– RFID;
44. Future(?)
HEX l2_data_out_B:296 Format Bbis (RR, MM or CC)
000: d6 a7 b5 cf 29 6f 38 ff - ea 55 55 bc e2 b8 80 d6
001: 83 59 cf 2d ef 38 d7 ea - 55 55 bc e2 b9 40 d0 73
002: 38 e2 ac f1 69 d5 61 e3 - 8f c3 78 80
0: d6 1------- Direction: To originating site
0: d6 -101---- 5 TransactionID
0: d6 ----0110 Radio Resouce Management
1: a7 0-100111 RRpagingResponse
1: a7 -x------ Send sequence number: 1
(...)
6: 38 ----1--- SoLSA Capability: supported
6: 38 ------0- A5/3 not available
6: 38 -------0 A5/2: not available
8: ea -----010 Type of identity: IMEI
9: 55 -------- ID(254/odd):
E5555CB2E8B086D3895FCD2FE837DAE5555CB2E9B040D37832ECA1F965D163EF83C8
708
