A drone that can hack into your phone?

This is really no different than the danger you face when you go out in any crowded public space. But that doesn’t mean the danger is not real. Pretty interesting.

The technology equipped on the drone, known as Snoopy, looks for mobile devices with Wi-Fi settings turned on. Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they’ve accessed in the past.

“Their phone will very noisily be shouting out the name of every network its ever connected to,” Sensepost security researcher Glenn Wilkinson said. “They’ll be shouting out, ‘Starbucks, are you there?…McDonald’s Free Wi-Fi, are you there?”

That’s when Snoopy can swoop into action (and be its most devious, even more than the cartoon dog): the drone can send back a signal pretending to be networks you’ve connected to in the past. Devices two feet apart could both make connections with the quadcopter, each thinking it is a different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy will intercept everything they send and receive.

CNNMoney took Snoopy out for a spin in London on a Saturday afternoon in March and Wilkinson was able to show us what he believed to be the homes of several people who had walked underneath the drone. In less than an hour of flying, he obtained network names and GPS coordinates for about 150 mobile devices.

He was also able to obtain usernames and passwords for Amazon, PayPal and Yahoo (YAHOF) accounts created for the purposes of our reporting so that we could verify the claims without stealing from passersby.

To me, the takeaway from this (if the article is correct, of course) is that you should always set your phone to ask before it joins any networks. iOS makes this trivial. Go to Settings > Wi-Fi, and tap the Ask to Join Networks switch.

UPDATE: Reader Sam Hutchings points out that the iOS Ask to Join Networks feature will not prevent your phone from joining networks about which it already is aware. So what’s the solution? Feel free to post in comments or tweet @davemark.

  • Sam

    The solution presented wouldn’t work in this scenario. Snoopy looks for networks your phone has already connected to, then presents itself as that network and your phone connects.

    iOS is designed to always connect to networks it knows or has connected to before. Setting to ask “Ask to Join Networks” would not solve this, as the auto-connect functionality for known networks is not disabled by enabling this option.

    • Dave Mark

      Thanks for the comment Sam. Updated the post. So is there a solution? If not, why isn’t this a major ongoing headline? Seems to me this specific form of identity theft is not happening all that often. Am I wrong?

      • Sam

        As far as I know, the only current solution would be to turn WiFi off when out and about (much easier in iOS 7).

        I’m not a security expert, just an Apple nerd. I would like to think that these sorts of attacks are few and far between, but it’s impossible to know. Those doing the attacks won’t tell you, and those reporting on it (the mainstream tech media more than sites like this) will blow the number out of proportion as part of their sensationalised headlines strategy.

        • You could probably run a secure proxy to encrypt all your traffic.

        • Zepfhyr

          If I’m not mistaken, you could also never connect to unsecured Wi-Fi networks, or forget them immediately once you’re done using them.

          • Well, that just trusts the person running the secured Wi-Fi network. (I assume here you mean “password protected.”)

          • Can you successfully impersonate your home or business Wi-Fi, which should be thoroughly WPA encrypted? I have no guest network on my router. At the Starbucks, on public wifi and no password, you’re naked as a jay bird.

          • Should make that an easy option. Indicate the type of connection it is, and program the password to be forgotten after you leave the network. A Starbucks would have a 24-hour password. When you’re half a block away, your phone forgets the password.

  • Scott Falkner

    Why would your phone need to broadcast network names? The network names are already broadcast by the routers so all a phone needs to do is read them and look for one it knows.

    Still, there are a few names one can reasonably expect to pay off, like Starbucks and McDonald’s.

    • lucascott

      That might be the solution then. Have devices listen, not speak. Can’t imagine that would be all that difficult to change in the software.

      • My expectation is this is already how it works. Broadcasting SSIDs while looking for them seems silly/useless to me. But I want to read how this works now.

        • Anthony Visceglia

          It cannot work this way, mostly due to “closed” networks. If the AP is not broadcasting an SSID, the device needs to broadcast it and then listen for a response. to determine if the network is available.

          • Does iOS assume every network is “closed” when trying to reconnect, then?

          • Anthony Visceglia

            No, it doesn’t. But there are several practical reasons why a client device (in this case, an iOS mobile device) will broadcast even open SSIDs. Most notably, a client device needs to be able to connect on-demand. The only way it can do that effectively and immediately is to look for the router; relying on the router to constantly look for client devices would be horribly inefficient.

          • Sigivald

            Yeah, but none of the big targetable ones mentioned are hiding SSIDs; that’s exactly what “public” internet never does.

            It would be very interesting to know, on an OS-by-OS level, how the process really works.

            I wouldn’t think it’d be a blind broadcast of a possible SSID, precisely because you don’t need to broadcast a name to “detect” a “hidden” SSID; it’s there in the network packets anyway, and your phone can see them anyway if it’s in range and the network is actually doing anything.

            (I disapprove of the headline, too – it’s not “hacking into your phone”, it’s “snooping on unsecure network traffic”.

            When the “researcher” says “Your phone connects to me and then I can see all of your traffic. […] That includes the sites you visit, credit card information entered or saved on different sites, location data, usernames and passwords.”, I don’t take him seriously.

            He’s (deliberately?) conflating mere traffic with normally-secured data.

            And how his ability to see the network traffic lets him see a CC “saved on different sites” is beyond me, since the entire point of that is that they aren’t sending it over the network, just last-four.

            Any website doing login without an SSL wrapper is dangerously incompetent; any site doing CC data entry without it is both incompetent and liable to have PCI and their transaction processor come down on them like a ton of bricks.)

          • Absolutely. The header packets are there all the time. Not broadcasting SSID makes the hacker’s job easier, because the user has a false sense of security.

  • S. Foster

    I always manually ‘forget this network’ after using public wi-fi at the airport. It’s a kludge but it is my belief this prevents the autojoin Sam pointed out.

  • David Zentgraf

    Just connecting to an untrusted network by itself should not lead to a lot of data disclosure. It’s true that the router (in this case, the drone) can see all traffic that goes by. But, any sensitive traffic should always exclusively be sent over HTTPS secured connections, which will prohibit the drone from collecting any data.

    The problem likely comes in when people are ignoring warnings that the validity of the HTTPS certificate could not be established (in case the drone actively forges certificates), when companies are not enforcing HTTPS connections as they should, when applications are not enforcing HTTPS security properly or when you have the recent “goto fail” bug.

    If security was done properly, such a drone in and of itself couldn’t do much more than collect names of your preferred Wifi networks or other non-sensitive data. Enabling a malicious middleman to collect sensitive information such as credit cards is a failure of user behaviour or buggy client software, not really of Wifi auto-connect.

  • jon

    At first glance it seems like you can minimize your exposure by always deleting remembered networks that don’t require a password. And perhaps go a step further and delete all public networks.

  • It’s funny how people worry about stuff more when the word “drone” is attached to it. This danger exists regardless of whether it’s attached to a drone. Same rig can fit in a backpack or purse and be walked or biked through the city (or for the lazy hacker, strapped to the roof of a car and driven). Just as hidden and less conspicuous than a flying drone.

  • James Hughes

    Apple needs to add Preferred Network Lists to the wi-fi section in Settings. That way we can clear out any nonsecure networks that may be listed.That would give iOS users some control at least.

  • The alternative is to live in a Faraday cage. Or here’s one: automatic compensation for those accidentally exposed to scrutiny. “Congratulations, citizen! We have to apologize for something we can’t tell you about, but here is $1000! Okay now? Please sign below and read the Terms of Service.”

  • It’s important to be secure, but it’s also important for the small handheld computer sometimes described as a “telephone” to interact with its environment. But I think it makes it clear that a good password and WPA are still secure. Open wifi lets them peek in with hacker tools. So maybe we should require all public wifi to not be available unless you punch in a one-time password the store gives you. You recognize it and it recognizes you. Public and private keys. No? Am I wrong?

    • David Zentgraf

      That would not help in this case at all, because in this case “the network” itself is malicious. An encrypted connection to it won’t help.