A drone that can hack into your phone?

Written by

This is really no different than the danger you face when you go out in any crowded public space. But that doesn’t mean the danger is not real. Pretty interesting.

The technology equipped on the drone, known as Snoopy, looks for mobile devices with Wi-Fi settings turned on. Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they’ve accessed in the past.

“Their phone will very noisily be shouting out the name of every network its ever connected to,” Sensepost security researcher Glenn Wilkinson said. “They’ll be shouting out, ‘Starbucks, are you there?…McDonald’s Free Wi-Fi, are you there?”

That’s when Snoopy can swoop into action (and be its most devious, even more than the cartoon dog): the drone can send back a signal pretending to be networks you’ve connected to in the past. Devices two feet apart could both make connections with the quadcopter, each thinking it is a different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy will intercept everything they send and receive.

CNNMoney took Snoopy out for a spin in London on a Saturday afternoon in March and Wilkinson was able to show us what he believed to be the homes of several people who had walked underneath the drone. In less than an hour of flying, he obtained network names and GPS coordinates for about 150 mobile devices.

He was also able to obtain usernames and passwords for Amazon, PayPal and Yahoo (YAHOF) accounts created for the purposes of our reporting so that we could verify the claims without stealing from passersby.

To me, the takeaway from this (if the article is correct, of course) is that you should always set your phone to ask before it joins any networks. iOS makes this trivial. Go to Settings > Wi-Fi, and tap the Ask to Join Networks switch.

UPDATE: Reader Sam Hutchings points out that the iOS Ask to Join Networks feature will not prevent your phone from joining networks about which it already is aware. So what’s the solution? Feel free to post in comments or tweet @davemark.