Hackers in London have invented a drone capable of stealing data, including passwords and location, straight from your smartphone.
Codenamed “Snoopy,” the drone is deployed above busy city streets and searches out target phones with WiFi settings switched on, taking advantage of a common smartphone feature to continuously search for networks that a user has already approved and accessed.
“Their phone will very noisily be shouting out the name of every network its ever connected to,” Snoopy developer Glenn Wilkinson said in a CNN report. “They’ll be shouting out, ‘Starbucks, are you there?… McDonald’s Free Wi-Fi, are you there?”
Snoopy’s onboard software then pretends to be one of those approved networks, and connects to multiple unsuspecting devices at one time, masquerading as different networks. Once connected to the quadcopter, Snoopy intercepts every transmission a phone sends and receives.
After isolating a phone’s individual media access control address, Snoopy can see and record a trove of sensitive information including usernames, passwords, location data, or even saved credit card information in frequently accessed websites or accounts.
“Your phone connects to me and then I can see all of your traffic,” Wilkinson said. “I’ve seen somebody looking for ‘Bank X’ corporate Wi-Fi. Now we know that that person works at that bank.”
During a demonstration for CNN, Snoopy identified the homes of multiple smartphone users after they walked underneath the drone, and within an hour collected the network information and GPS real-time location of 150 phones. It also picked up complete access information for PayPal, Amazon and Yahoo accounts created for the purpose of the test.
Wilkinson and Daniel Cuthbert, both of the London-based SensePost information security company built Snoopy, and plan to present their findings at the Black Hat Asia cybersecurity conference in Singapore beginning March 25.
SensePost, like many other information security companies, executed the experiment to highlight the vulnerabilities present in much of the technology we use daily — research that hopefully will lead to preventative solutions.
For the time being, most smartphone devices are equipped with a function to ascertain permission from the user before joining a network — a function that should undoubtedly be switched on after SensePost’s research.