
“You leave behind a trail that can be tracked not just by the NSA or a law enforcement agency, but by any kid in a basement with less than $500.”

That is a quote from Brendan O'Connor. DefCon, the ultimate computer security conference, is about to go down, and he's going to demonstrate how you can track people for less than $60 a device and “track everyone in a neighborhood, suburb, or city from the comfort of their sofa.”

O'Connor is someone you should listen to; he knows his shit. He is the head of computer security company Malice Afterthought. He's spent 18 months (with money and support from the Pentagon's Defense Advanced Research Projects Agency) developing a little device called the F-BOMB (Falling or Ballistically-launched Object that Makes Backdoors) that he showed off at Shmoocon in January 2012. It's a small spy computer designed to be planted in a corporate network or dropped from a drone to wirelessly snoop on a target. It collects the information from any cell phone or wireless device it can ping, then sends the data back to the administrator by piggybacking on any available wifi network. This formed the cornerstone of his project, which uses the Unity game engine to build a user-friendly map interface showing the location of targets. “With these F-BOMBs, I can gain creepy identity information pretty easily and passively. I can track people over whole areas of a city just by watching their wireless devices as they wander around.”

O'Connor calls it the Creepy Distributed Object Locator, or CreepyDOL. It uses Linux and open source mapping software. The units are small enough to be hidden around urban or suburban areas, and each one costs you less than $60 to build. The foundation is the Raspberry Pi microcontroller, which can be had for $25 each. The tiny devices can be inconspicuously plugged into a power outlet anywhere with wifi, like the corner of a Starbucks. When someone's phone or laptop connects with the wifi network, the unit scans the target device's MAC address and sends the data back. It also uses the sniffing program Kismet to get user names, email addresses, and even what OS you are running if the application sends information unencrypted (like certain iOS programs do). It will even grab the user's photo if they visit a certain dating site that doesn't implement SSL encryption and adds that to the newly constructed profile. He says he will reveal which software and sites at DefCon. “I take all this data, throw it together, and visualize it to show people with real faces and identities and histories moving around a map in 3D.”

Don't think that if you find one, you will know who's doing it. Each device runs Tor, anonymity software that hides the location of the central server. All data mined is encrypted -- the key is on a memory card that can be removed once the device is planted. And because it's all common, standard parts, you're never going to track where they were bought or who bought them.

Don't think O'Connor's the only one.  Crackers have made similar devices that fit in an Altoids tin.  Really slick ones build them inside power strips to make them even more inconspicuous.  But most people are unaware of this.  This is why he's doing it.  “At some level I’m doing this because it’s interesting,” he says. “But I’m also doing it to prove that this level of knowledge and detail isn’t only the province of intelligence agencies anymore. If you think that only the government, with millions and billions to blow on watching someone can create this problem for privacy, then we’re not going to solve it.  If every person on the planet can use this surveillance technology, I think we should start to design things not to leak information at every level.”
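The MAC address collection described above only links sightings together when a device shows the same address everywhere it goes. As an added example (not O'Connor's code and not part of the original post), this Python check audits the addresses your own devices presented on different networks and flags the ones that expose a stable identifier; the device names, network names and addresses are constructed sample data.

```python
import re

def parse_mac(text):
    """Return the 6 address bytes; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def address_kind(text):
    """Classify one address by the two flag bits in its first octet."""
    first = parse_mac(text)[0]
    if first & 0x01:
        return "group"     # multicast/broadcast, never a station's own address
    if first & 0x02:
        return "private"   # locally administered: set by software, no vendor prefix
    return "hardware"      # globally unique: vendor prefix assigned at manufacture

def audit_device(seen):
    """seen maps network name -> MAC the device presented there.
    Returns (verdict, networks the verdict applies to)."""
    kinds = {net: address_kind(mac) for net, mac in seen.items()}
    invalid = sorted(n for n, k in kinds.items() if k == "group")
    if invalid:
        return "invalid", invalid
    exposed = sorted(n for n, k in kinds.items() if k == "hardware")
    if exposed:
        return "hardware-address-exposed", exposed
    by_mac = {}
    for net, mac in seen.items():
        by_mac.setdefault(parse_mac(mac), []).append(net)
    reused = sorted(n for nets in by_mac.values() if len(nets) > 1 for n in nets)
    if reused:
        return "private-but-reused", reused  # still one identity across networks
    return "rotating", []                    # a different private address per network

# Constructed sample data: what three devices of your own presented on two networks.
SAMPLE = {
    "old-laptop": {"home": "00:1A:2B:3C:4D:5E", "cafe": "00-1a-2b-3c-4d-5e"},
    "tablet": {"home": "DA:A1:19:00:00:01", "cafe": "daa1.1900.0001"},
    "phone": {"home": "3E:52:82:10:9F:01", "cafe": "A6:0C:44:7B:21:D8"},
}

if __name__ == "__main__":
    for name, seen in SAMPLE.items():
        print(name, *audit_device(seen))
```

Only the "rotating" verdict means the address alone does not tie the two sightings together; unencrypted application traffic of the kind the post describes can still identify the user regardless.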
