“The next threat to your privacy could be hovering over head while you walk down the street,” Erica Fink reports for CNNMoney. “Hackers have developed a drone that can steal the contents of your smartphone — from your location data to your Amazon password — and they’ve been testing it out in the skies of London. The research will be presented next week at the Black Hat Asia cybersecurity conference in Singapore.”
“The technology equipped on the drone, known as Snoopy, looks for mobile devices with Wi-Fi settings turned on,” Fink reports. “Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they’ve accessed in the past. ‘Their phone will very noisily be shouting out the name of every network its ever connected to,’ Sensepost security researcher Glenn Wilkinson said. ‘They’ll be shouting out, ‘Starbucks, are you there?…McDonald’s Free Wi-Fi, are you there?'”
“That’s when Snoopy can swoop into action (and be its most devious, even more than the cartoon dog): the drone can send back a signal pretending to be networks you’ve connected to in the past. Devices two feet apart could both make connections with the quadcopter, each thinking it is a different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy will intercept everything they send and receive,” Fink reports. “That includes the sites you visit, credit card information entered or saved on different sites, location data, usernames and passwords. Each phone has a unique identification number, or MAC address, which the drone uses to tie the traffic to the device. The names of the networks the phones visit can also be telling. ‘I’ve seen somebody looking for ‘Bank X’ corporate Wi-Fi,’ Wilkinson said. ‘Now we know that that person works at that bank.'”
Read more in the full article here.
[Thanks to MacDailyNews readers too numerous to mention individually for the heads up.]
This is total BS. Never happen. Next topic
CAN and DOES happen. It can happen INSIDE the Starbucks as well. Some guy in a corner spoofing the WiFi.
It’s the reason both facebook and google (and hopefully, your bank) do everything behind https, which encrypts the traffic.
You should ALWAYS, ALWAYS, ALWAYS make sure you’re on an https network when sending your passwords or credentials of any kind on a network that you don’t control.
Do you mean an https connection? I’ve not heard of an https network. You can do that in your browser, but you can’t do it with everything that makes a network connection.
Hmmm, I would think you could hack an android phone pretty easy. They are the most hacked. But an iPhone??
If there is a new network, my phone asks if I want to use it. If it spoofs an existing wifi, would the passwords NOT match??? I mean really, my phone looks for network, and waits for password request that does not happen???
Too many if and thens in this article.
PS, I read many of the commentors on the article page. What a bunch of totally ignorant people. Conspiracy type, magic happens types, and just people that don’t think….. you know android lovers cause they are cheap. LOL
Just saying.
You really didn’t get the article, did you? Your phone automatically looks for previous networks it has used and tries to connect to them. If the drone is overhead and shows a public wifi spot, your phone will connect because most public wifi networks won’t have passwords, so the drone doesn’t need to know one.
The password doesn’t matter. The drone will simply accept any password.
would a VPN help?
Yes, as long as you connected through the VPN the whole time.
Never going to happen? You mean from a drone flying overhead? Possibly, but here’s your foundation: http://www.theta44.org/karma/
Turn off the setting to automatically join networks as a first step.
I’ll bet this would be an easy security problem to solve.
Sorry, I think you will have to turn off the Wi-Fi to avoid this one. Turn it on when you are ready to use it in locations you know. Don’t know if Apple will let you stop looking for a better connection while you have one you are using. Once on, your device is always looking so you can walk between Wi-Fi network connections dropping the weaker for the stronger one you are moving towards. This sucks. You would have to be asked if it is Ok to jump to the next known network. Maybe the device can learn the acceptable jumps so you are not asked again and use the GPS and iBeacon to flag the need to safely jump between Wi-Fi networks.
There is no way at the moment to specify the order of preference in which you wish to connect to WiFi networks for iOS devices.
In a Mac, you can open up network settings in system preferences to specify the order in which you wish your Mac to connect to preferred WiFi networks and to discard (forget) those networks that you feel are no longer useful or present a security risk.
In iOS drag your preferred network to the top of the list, and place them in order of priority. This is not only possible but easy to do. I have done it for all my frequent locations.
Sorry, but what you’re writing is wrong. Prove it to me you can prioritise WiFi networks on iOS devices.
Actually I was intrigued (and didn’t know it) by his post, so I tried it. iOS does in fact run the list in order, so he is correct you can order the list and determine the search priority.
Thanks ET
BTW Solid Snake, it took me literally 2 minutes to test that, are you really that lazy, or is it (perhaps more likely) that you don’t actually own an iOS device to check it on? )
Sorry, Tessellator, you are not only a bullshitter but a liar. You absolutely cannot prioritise a WiFi network in an iOS device, except listing it alphabetically, which is the default order.
I don’t believe that you own an iOS device but are pretending to own one to make yourself bigger than you are. You’re worse than pathetic and a sorry excuse for a human being.
See sources below.
http://www.ipadforums.net/ipad-os/111373-wifi-priority.html
http://apple.stackexchange.com/questions/87761/how-to-prioritize-wifi-networks-on-iphone
http://www.neilturner.me.uk/2013/07/25/how-to-rank-wifi-networks-iphone.html
https://discussions.apple.com/message/21986322#21986322
I don’t know what Tessellator’s problem is, but for some reason he comments here and is wrong about pretty much everything.
The fact is, as you’ve seen, you can’t directly edit your WiFi priority history on iOS the same way as you can on OS X. There’s no listing of WiFi history to prioritize or to delete items from the history. You can of course “Forget Networks” or decide which network will be chosen if that network is actually present, but if you connect to a network that you can’t see anymore, you can’t remove it directly.
In fact, your WiFi history carries over with you even when you buy a new iPhone and set up the new one as a restore from the old one. In other words, you could have WiFi history that dates back a few years.
However, there is technically a way to deal with this. One, the nuclear option, would be to Restore as New with your iPhone and then connect to the WiFi hotspots you want in your history.
That’s not going to be much fun, especially if you want to do it often. There’s another way that I know how to do it, and that’s to edit the com.apple.wifi.plist at /var/preferences/SystemConfiguration/. Each hotspot in your history is listed under the SSID_STR key. You can sort or delete them.
I might just write an app to do this, but it would only work on jailbroken iPhones.
It’s a shame Apple doesn’t provide this functionality directly like they do in OS X.
This is all beginning to sound like a plot from Shakespeare.
Huh? The link doesn’t say the networks can be prioritized in iOS.
Not so fast. The automatically join networks setting is just for new networks. Your iPhone already automatically joins known networks. What this drone Snoopy does is spoof a known network (Starbucks, McDonalds, Public WiFi, Guest, etc.) and tricks your phone into joining a not-known network, which then copies all of your data.
The only way to stop from joining known networks is to turn off WiFi. The good news is it will preserve battery life.
One real problem is that devices volunteer the name of the networks they’re looking for. It ought to be the other way around. The network should identify itself, and the device should only say “I want to connect”.
It wouldn’t stop this completely, as it could still pose as widely-used networks, but it would certainly mitigate it.
The way it’s done now is akin to a you walking around shouting out the names of everyone you know until someone comes up and says “oh yeah, that’s me!” Seems like a poorly conceived approach to me.
Ok, I will keep my “Ask to Join Networks” off and maybe turn off my Wi-Fi off until I am ready to use it.
Also, at what point will these continuous hacking attacks, fishing attacks and SPAMing attacks be treated as “attacks”? If countries can’t control their people, the country’s networks should be isolated until they do. Shut them off 5 minutes, then 10 minutes, then 20 minutes, … until they get their shit together. This is being treated as acceptable national GNP (Gross National Product) in these countries. Our government knows where this data is going to. Shut it down and get serious about this. If they were robbing homes and banks, you would treat it as the crime it is!
‘If countries can’t control its people…’. Where have I heard that language before. Would be great fun every country cutting off every other one rightfully or wrongfully or is there one that ‘rightfully’ has or is given control over the technology to do so because it is so morally superior. Cant imagine what country or organisation for that matter that would be.
I think this is a crock… all of that stuff is encrypted.
No, WiFi signals are encrypted only as regards the payload between the device and access point. The header which identifies the device corresponding to its MAC address and assigned IP, whether dynamically or statically, is broadcast in the clear so that an access point can identify and accept connections from a device that is requesting for one.
Only if it’s encrypted first on your iPhone before being broadcast over WiFi.
If anyone is stupid enough to use a credit card or check their bank account from Starbuck’s or McDonald’s wi-fi they deserve to have problems.
Oh come on… we used to do this in Starbucks. You could intercept a connect, and people would connect to your server running on your innocent looking little macbook. They’d try to go to Facebook, only your very real looking Facebook page would pop up, etc. Now from there chances were they’d used the same password for their computer also. You could turn around connect back to their computer look around and snigger like an idiot in your coffee.
Did I say “we?” I mean “they.” MDN needs the ability to edit posts badly.
Whatever happened to Nelly Furtado?
The solution is obvious: send the Red Baron after Snoopy. Talk about dogfights!
@hannajs – maybe the Red Baron could use the drone to return a e-payload back to the mother ship. That’s an “e” as in electronic, explosive, “enfectious”, or expensive… 😉
Here’s the solution:
Nice, although I’ve always had a penchant for the 50.cal …portability could be an issue though.
I never recalled Snoopy being that devious. Sarcastic yes, but not devious. Devious was Lucy!
Of course, nobody will notice a quadcopter hovering just above their head…
And most of the ‘free’ wifi hotspots I try either won’t connect to the Internet, or force me to go through tedious set-up procedures.
Or censor me when I try to get onto perfectly legal websites that sell outdoor equipment, including knives.
I rarely bother with hotspots now, too much hassle using them.
In a large city (it’s being tested in London), with cars rushing by, lots of people walking and talking, and all other kinds of noise? The drone doesn’t have to be 10 ft. overhead, it could be 100 ft. up where they would never hear it.
I have learned to stay away from Starbucks that have drones flying in or around them. I also keep a spare roll of Reynolds Aluminum Wrap in my backpack for just these occasions. I can fashion head gear for myself (first) and then for every one else in the coffee shop within less than 5 minutes. Them thar government men ain’t gonna get me!!!
I use free wifi’s at the library, Starbucks, etc but I never log into anything. I do all that when I am at home. Whatever it is, it can wait till then. It just seems very foolish to be sending passwords over an open network.
I know there are folks on MDN who know their tech well enough to be able to explain this to me: how does someone knowing my FB password or email password give them access to the contents of my phone?
Because many people use the same password for everything. So once you get one password you get them all. If you have strong, individual passwords for each site you log into you are much safer than someone using one password. It is a pain to remember all those passwords so you either have a crib sheet or you use Keychain or a third party app that remembers passwords.
I have one password for all forums and news comment sites, but each banking, health, insurance, credit card, investing, eBay, Amazon, Facebook, all more critical ones each have individual, difficult, passwords.
The security question to sites is often “What is your mother’s maiden name?” Which is a really insecure question. Esp. if you are from a small town you know the maiden name of just about everyone’s mother you graduated with. Give your father’s mother’s maiden name instead. That’s tougher to find.
@John: Dialtone’s question was: “how does someone knowing my FB password or email password give them access to the contents of my phone?” but you answered a different question. The answer is that knowing any password, even the iCloud password, does not give anyone access to the contents of your phone via a wireless network. TV shows which show spies “force cloning” your phone wirelessly are fictional nonsense. The fact is, your iPhone contents are by and large quite safe, even if hacked using the technique written about in this article. Someone having actual physical access to your device is a different matter.
Good information all round.
Simple. Just shoot down drones hovering above the house :). Seriously turning on ask to join networks is a start an I think reset all settings on iOS Forgets all previously joined networks if I am not mistaken
Just one thought why would such an ability need to be tied to a drone. I can see why that would enhance and expand the ability to use this technique but surely it could be used almost anywhere in range of people with mobile phones? Seems to me the drone aspect is just to make it all sound rather sexier. Just that it seems to me there is far more danger from non drone use of this technique than the likelihood of being followed around by radio controlled drones through busy streets which would present serious control problems unless they remained pretty static.
Good point. In a large city, you could just sit the device up in your NYC apartment above Wall Street. Although the drone thing would allow for variety of people clusters, like hovering over a State Fair.
I never do banking or any mission critical stuff over a public WiFi.