'Snoopy' Hacker Drone Steals Smartphone Data By Spoofing WiFi Networks
Hackers in London have been testing out drones that can plunder information from WiFi-enabled smartphones. Built on an innocuous-sounding technology called Snoopy, the hacker drones spoof WiFi networks in order to steal user data. But don't go and switch off your phone's WiFi quite yet: the hacker drones are part of a research project, the findings of which will be presented in Singapore at next week's Black Hat Asia conference.
Like Us on Facebook
The hacker drone works by exploiting "remembered" WiFi networks on smartphones. When a smartphone connects to a WiFi network at Starbucks, for instance, the phone remembers that the network is safe to join, and will automatically connect to the Starbucks WiFi next time. Smartphones broadcast remembered networks when searching for WiFi, essentially sending out a signal that says, "Hey, which of my trusted networks are around right now? Oh cool, I know Starbucks, I'll join that one."
Rather than joining the Starbucks network, though, the smartphone is actually joining a spoofed Starbucks network, courtesy of the hacker drone. At that point, any data the smartphone sends--passwords, usernames, credit card info--can be read by the hacker drone; the hackers, who work at the information security services firm Sensepost, say they've been able to grab random Londoners' Amazon and PayPal credentials, among others. What's more, the drone can siphon off traffic from two different devices at the same time, with the two devices thinking they're connected to two different trusted networks.
A 2012 Sensepost blog post written by Glenn Wilkinson, one of the hacker drone creators, explains how a hacker drone could be used to profile users in order to see who would be the most desirable to hack. "Simple analysis could be along the lines of 'Hmm, you've previously connected to hooters, mcdonalds_wifi, and elCheapoAirlines_wifi--you must be an average Joe' vs 'Hmm, you've previously connected to "BA_firstclass, ExpensiveResataurant_wifi, etc--you must be a high roller.'"
"I've seen somebody looking for 'Bank X' corporate Wi-Fi," Wilkinson recently told CNNMoney. "Now we know that that person works at that bank." CNNMoney tested out the hacker drone in London with Wilkinson, and report that the drone was able to find the names and GPS coordinates of 150 mobiles devices in under an hour.
The silver lining to all of this is that by presenting their findings at the Black Hat Asia conference next week, Sensepost is actually trying to help improve cellphone and WiFi security. If a hacker drone was in the hands of a more sinister operator, though, it could be quite scary.
© 2012 iScience Times All rights reserved. Do not reproduce without permission.