Aug 06, 2013

    Spying on others is easy - and cheap

    Security researcher Brendan O'Connor has discovered how easy it is to monitor the activities of everyone on the street - not as a government intelligence agency, but as a private citizen with a few hundred dollars to spare.

    Mr O'Connor, 27, bought some plastic boxes and put in each one a US$25 (S$32), credit-card size Raspberry Pi Model A computer and a few over-the-counter sensors, including Wi-Fi adapters.

    He connected each of the boxes to a command-and-control system and built a data-visualisation system to monitor what the sensors picked up - all the wireless traffic emitted by every nearby wireless device, including smartphones.

    Each box cost US$57. He produced 10 of them, then switched them on to spy on himself. He could pick up the websites he browsed when he was connected to a public Wi-Fi network, and scooped up the unique identifier linked to his phone and iPad.

    Gobs of information travelled over the Internet in the clear, meaning they were entirely unencrypted and simple to scoop up.

    Even when he wasn't connected to a Wi-Fi network, his sensors could track his location through Wi-Fi "pings". His iPhone pinged the iMessage server to check for new messages.

    When he logged on to an unsecured Wi-Fi network, it revealed what operating system and type of device he was using, and whether he was using Dropbox, went on a dating site or browsed for shoes on an e-commerce site. One site might leak his e-mail address, another his photo.

    "It's terrifyingly easy," he said. It's also creepy - which is why he called his contraption "CreepyDOL".

    "It could be used for anything, depending on how creepy you want to be," he said.

    You could spy on your ex or your teenage child by placing the sensor boxes near the places the person frequents.

    Their phones and tablets, Mr O'Connor argued, would surely leak some information about them. The boxes are small enough to be tucked under a cafe table. They could be scattered around a city and go unnoticed.

    He added that he did none of that - in addition to being a security researcher and founder of a consultancy called Malice Afterthought, he is a law student at the University of Wisconsin at Madison.

    He presented his findings at two security conferences in Las Vegas, including at a session for young people. It was a window into how cheap and easy it is to erect a surveillance apparatus.

    "If you have a wireless device (like a phone or iPad), even if you're not connected to a network, CreepyDOL will see you, track your movements and report home," he said.

    Can individual consumers guard against such a prospect? Not really, he concluded. Applications leak more information than they should.

    And those who care about security and use things like a VPN have to connect to their tunnelling software after connecting to a Wi-Fi hub, meaning that - at least for a few seconds - their Web traffic is known to anyone who cares to know. A VPN also does nothing to mask one's device identifier.

    In addition, every Wi-Fi network that your mobile phone has connected to in the past is stored in the device, meaning that as you wander by other networks, your phone shares details of the Wi-Fi networks you've connected to in the past.

    "These are fundamental design flaws in the way pretty much everything works," he said.