Massive Wi-Fi Vulnerability Exposed, Hackers Spoof Trusted Wi-Fi Networks

This drone can steal what’s on your phone

By Erica Fink
CNNMoney: March 20, 2014

The next threat to your privacy could be hovering over head while you walk down the street.

Hackers have developed a drone that can steal the contents of your smartphone — from your location data to your Amazon password — and they’ve been testing it out in the skies of London. The research will be presented next week at the Black Hat Asia cybersecurity conference in Singapore.

The technology equipped on the drone, known as Snoopy, looks for mobile devices with Wi-Fi settings turned on.

Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they’ve accessed in the past.

“Their phone will very noisily be shouting out the name of every network its ever connected to,” Sensepost security researcher Glenn Wilkinson said. “They’ll be shouting out, ‘Starbucks, are you there?…McDonald’s Free Wi-Fi, are you there?”

That’s when Snoopy can swoop into action (and be its most devious, even more than the cartoon dog): the drone can send back a signal pretending to be networks you’ve connected to in the past. Devices two feet apart could both make connections with the quadcopter, each thinking it is a different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy will intercept everything they send and receive.

“Your phone connects to me and then I can see all of your traffic,” Wilkinson said.

That includes the sites you visit, credit card information entered or saved on different sites, location data, usernames and passwords. Each phone has a unique identification number, or MAC address, which the drone uses to tie the traffic to the device.

The names of the networks the phones visit can also be telling.

“I’ve seen somebody looking for ‘Bank X’ corporate Wi-Fi,” Wilkinson said. “Now we know that that person works at that bank.”

CNNMoney took Snoopy out for a spin in London on a Saturday afternoon in March and Wilkinson was able to show us what he believed to be the homes of several people who had walked underneath the drone. In less than an hour of flying, he obtained network names and GPS coordinates for about 150 mobile devices.

He was also able to obtain usernames and passwords for Amazon, PayPal and Yahoo accounts created for the purposes of our reporting so that we could verify the claims without stealing from passersby.

Collecting metadata, or the device IDs and network names, is probably not illegal, according to the Electronic Frontier Foundation. Intercepting usernames, passwords and credit card information with the intent of using them would likely violate wiretapping and identity theft laws.

(read the full article at CNNMoney)

—-
Alternative Free Press -fair use-