Your machine (mobile phone, bluetooth device, router etc etc) may betrayed you and can be used to detect your position or even invade your privacy. They are watching you, stay alert.

1. The Machines That
Betrayed Their Masters
ZeroNights 2013

2. @glennzw
SensePost.com
Glenn Wilkinson
@glennzw

3. •2-y Donskoy proyezd, 7/1, Moscow
•Leninskiy prospekt., 2А, Moscow
•Ulitsa Bakhrushina, 24 строение 1, Moscow
•Rublevskoye shosse, 44, Moscow
•Krylatskaya ulitsa, 23, Moscow
•Ulitsa Sushchevskiy Val, 46 строение, Moscow
•Ulitsa Krasina, 3, Moscow
•Bolshaya Sadovaya ulitsa, Moscow
@glennzw

4. •Nevsky Prospect, 114, Saint Petersburg
•Prospekt Medikov, St Petersburg
•Ulitsa 8 Marta, 41, Yekaterinburg
@glennzw
•P132, Kaluzhskaya

5. •North 16th Street, Philadelphia, USA
•Captain Cook Drive, Australia
•Trillerpark, 1210 Viena, Austria
•3 Luvianpuistokatu, Satakunta, Finland
@glennzw

6. @glennzw
•Wingate by Wyndham, Dallas, Texas, USA
•Hotel Strata, California, USA
•Hotel Hacienda, Spain
•Sunrise Diamond Beach Resort, Egypt
•5Footway Inn, Singapore
•H2O Hostel Ljubljana, Slovenia

7. @glennzw

8. @glennzw

9. @glennzw

10. Machines? Betrayal?

11. @glennzw

12. @glennzw
Machines?

13. @glennzw
Betrayal?

14. A Device

15. A Unique Signature

16. A Link from
Signature to a Human

17. @glennzw
Snoopy Framework

18. @glennzw

19. @glennzw

20. @glennzw

21. @glennzw
XBee
XBee 3G
XBee

22. @glennzw
XBee
XBee 3G
XBee
XBee
XBee 3G
XBee
Ethernet
Ethernet

23. @glennzw

24. A Unique Signature

25. 98:03:ab:32:11:33

26. Linking the Signature

27. Linking the Signature
1. Passive Linking

28. BTHomeHub-AFV1, are you there?
Starbucks, are you there?
Virgin-AFVT, are you there?
Is anyone out there?
98:03:ab:32:11:33

29. BTBusinessHub-2DF1
Virgin-AFVT
Starbucks
Starbucks
SSID GPS Lat GPS Long
Virgin-AFVT 50.507 -0.128
Starbucks 50.408 -0.041
BTBusinessHub-2DF1 50.601 -0.045
Starbucks 50.391 -0.050

30. @glennzw
BTHomeHub-AFV1, are you there?
Starbucks, are you there?
Virgin-AFVT, are you there?
Is anyone out there?
98:03:ab:32:11:33

31. Linking the Signature?
@glennzw
2. Active Linking

32. @glennzw
BTHomeHub-AFV1, are you there?
Starbucks, are you there?
Virgin-AFVT, are you there?
Is anyone out there?
Hey iPhone! It’s me, Starbucks!
98:03:ab:32:11:33

33. Intertubes
BTOpenzone
VirginMedia-AR45
BTHomeHub-BHA7
Starbucks
IP= 10.2.0.45
Site= www.facebook.com
Site= www.facebook.com
Cookie = supersecretcookie
00:11:22:33:44:55
00:22:33:44:55:66
Drone001
Client001
00:11:22:33:44:55
Client002
00:22:33:44:55:66
Drone002
Client003
11:22:33:44:55:66
Client004
44:55:66:77:88:99
IP= 10.2.0.45
username: joe
password: secret
<script src=profiler.jsp>
mitmproxy sslstrip squid
Traffic Inspector
Social Media APIs
Snoopy
Server

34. @glennzw

35. @glennzw

36. @glennzw

37. @glennzw

38. @glennzw
Scenarios

39. @glennzw
Conference Unique
Devices Number
of
A4endees
Device
Per
Person
BlackHatVegas2012 4778 6500 0.74
ITWeb2012 1106 400 2.77
44CON2012 969 350 2.77
BlackHatEU2013 681 607 1.12
Securitay2013 375 100 3.75
BSides2013 208 474 0.44
Hackito2013 309 400 0.77
CERT
Poland2013 598 500 1.2
ZeroNights2013 507 ?

40. @glennzw
glenn@sensepost.com
jobs@sensepost.com
http://research.sensepost.com/