Clearing some things up.
Hey all,
Glenn from SensePost here. Sorry for the delayed response, I've only just noticed this article. Let me explain how the framework works, and then answer some specific questions.
"Snoopy is a distributed tracking and profiling framework."
1. Distributed?
We can deploy numerous small devices (N900s, Alfa R36 routers with battery packs, Sheeva plugs, etc.) all over some location - say London. These devices connect via openvpn to a central server, where all data is uploaded.
2. WiFi?
A large number of people leave their WiFi on. Even security-savvy folk. For example, at BlackHat I observed >5,000 devices with their WiFi on. As per the RFC documentation (i.e. not down to individual vendors) client devices send out 'probe requests' looking for networks that the devices have previously connected to. The reason for this appears to be twofold; (i) to find hidden APs (not broadcasting beacons) and (ii) to aid quick transition when moving between APs with the same name (e.g. if you have 50 APs in your organisation with the same name). Fire up a terminal and bang out this command to see these probe requests:
tshark -n -i mon0 subtype probe-req
(where mon0 is your wireless device, in monitor mode [1])
3. Tracking?
When a user walks past one of our monitoring stations we observe their device's MAC address. We now know that device X was at a certain location at a certain time. Given enough monitoring stations running over enough time, we can track devices based on this information.
4. Profiling?
We can profile device owners via the network SSIDs in their probe requests. This can be done in two ways: simple analysis, and geo-locating. Simple analysis could be along the lines of "Hmm, you've previously connected to hooters, mcdonalds_wifi, and elCheapoAirlines_wifi - you must be an average Joe" vs "Hmm, you've previously connected to BA_firstclass, ExpensiveRestaurant_wifi, etc. - you must be a high roller".
Of more interest, we can potentially map network SSID to GPS coordinates via services like www.wigle.net, and then from GPS coordinates to street address and street view photographs via Google.
What's also interesting is that as security folk we've been telling users for years that picking unique SSIDs when using WPA[2] is a "good thing" because the SSID is used as a salt. A side-effect of this is that geo-locating your unique networks becomes much easier. Also, we can typically instantly tell where you work and where you live based on the network name (e.g. BTBusinessHub-AB12 vs BTHomeHub-FG12).
Point being - you walk past, and I get a street view photograph of where you live and work and play.
5. Rogue Access Points, Data Interception, SSL things.
If your device is probing for "Starbucks", we'll pretend to be Starbucks, and your device will connect. This is not new, and dates back to Karma in 2005. What is new is having this setup in a distributed nature, where all device network traffic passes through a central server. This is roughly how the setup looks:
Victim <==WiFi==> SnoopyDrone <==openvpn==> SnoopyOnlineServer <==TransparentSquid--sslstrip--mitmproxy.py==> Intertubes
According to Moxie, sslstrip "will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links."
We could also use self-signed certs via mitmproxy.py, but that would likely raise greater suspicion.
This is where the higher level profiling comes in. We intercept your Facebook/GMail/Twitter/general browsing and build up interesting profiles.
***FAQ***
Q. But I use WPA2 at home, you can't hack me!
A. True - if I pretend to be a WPA[2] network, association will fail. However, I bet your device is probing for at least one open network, and when I pretend to be that one I'll get you.
Q. I use Apple/Android/Foobar - I'm safe!
A. This attack is not dependent on device/manufacturer. It's a function of the WiFi specification. The vast majority of observed devices were in fact Apple (>75%).
Q. Your research is dated and has been done before!
A. The individual components, perhaps. Having them strung together in our distributed configuration is new (AFAIK).
Q. But I turn off WiFi, you'll never get me!
A. It was interesting to note how many people actually leave WiFi on. e.g. 30,000 people at a single London station during one day. WiFi is only one avenue of attack, look out for the next release using Bluetooth, GSM, NFC, etc :P
Q. You're doing illegal things and you're going to jail!
A. As mentioned earlier in this thread, the broadcast nature of probe-requests means no laws (in the UK) are being broken. Furthermore, I spoke to a BT Engineer at 44Con, and he told me that there's no copyright on SSID names - i.e. there's nothing illegal about pretending to be "BTOpenzone" or "SkyHome-AFA1". However, I suspect at the point where you start monitoring/modifying network traffic you may get in trouble. Interesting to note that in the USA a judge ruled that data interception on an open network is not illegal [2].
Q. I want Snoopy!
A. I'm working on it. Currently tidying up code, writing documentation, etc. Soon :-)
I hope that helps. Feel free to email/tweep me (glenn@sensepost.com, @glennzw) or reply in this thread for further clarification.
[1] https://en.wikipedia.org/wiki/Monitor_mode
[2] http://arstechnica.com/tech-policy/2012/09/sniffing-open-wifi-networks-is-not-wiretapping-judge-says/
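An added example, not part of Glenn's post or the Snoopy code, showing the defender's side of the behaviour described above: a Karma-style rogue AP answers probe responses for whatever SSID a client asks for, so one BSSID emitting probe responses carrying many different client-probed SSIDs is the signature to alert on. The frame list is constructed for the example; in practice the tuples would come from a tshark/pcap parse of `subtype probe-req` and `subtype probe-resp` frames.

```python
"""Flag Karma-style rogue APs and audit what clients disclose in probe requests."""
from collections import defaultdict

# Constructed sample frames (not a real capture): (frame_type, mac, ssid).
# For probe_req the mac is the client; for probe_resp it is the AP's BSSID.
SAMPLE_FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "Starbucks"),
    ("probe_req",  "aa:aa:aa:00:00:01", "BTHomeHub-FG12"),
    ("probe_req",  "aa:aa:aa:00:00:02", "hooters"),
    ("probe_resp", "bb:bb:bb:00:00:10", "Starbucks"),       # answers every probe
    ("probe_resp", "bb:bb:bb:00:00:10", "BTHomeHub-FG12"),
    ("probe_resp", "bb:bb:bb:00:00:10", "hooters"),
    ("probe_resp", "cc:cc:cc:00:00:20", "CoffeeShop"),      # normal single-SSID AP
    ("probe_resp", "cc:cc:cc:00:00:20", "CoffeeShop"),
]


def karma_suspects(frames, threshold=3):
    """Return {bssid: sorted ssids} for APs whose probe responses carry at least
    `threshold` distinct SSIDs, every one of which some client probed for.
    A legitimate AP answers with its own SSID(s); a Karma AP echoes the client's."""
    probed = set()
    answered = defaultdict(set)
    for ftype, mac, ssid in frames:
        if ftype == "probe_req" and ssid:          # ignore broadcast (empty) probes
            probed.add(ssid)
        elif ftype == "probe_resp":
            answered[mac].add(ssid)
    return {bssid: sorted(ssids) for bssid, ssids in answered.items()
            if len(ssids) >= threshold and ssids <= probed}


def disclosed_ssids(frames):
    """Per-client list of SSIDs its probe requests broadcast: the audit a defender
    runs on their own fleet to decide which saved networks should be forgotten."""
    leaks = defaultdict(set)
    for ftype, mac, ssid in frames:
        if ftype == "probe_req" and ssid:
            leaks[mac].add(ssid)
    return {mac: sorted(ssids) for mac, ssids in leaks.items()}


if __name__ == "__main__":
    print("Karma suspects:", karma_suspects(SAMPLE_FRAMES))
    print("Disclosed SSIDs:", disclosed_ssids(SAMPLE_FRAMES))
```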