Wednesday, August 25, 2010

Google, Wifi, Android, and Too Much Data [repost]

[Repost from old blog software]

By now, I expect everyone is pretty well sick of hearing about Google
capturing wifi data (though I'm still amused on some level watching
each news report come in).

This is not, per se, about Google capturing wifi data.  This is about what
happens when a gigantic company with multiple business sections suddenly
amasses a truly frightening combination of data points.

What we know about the Google wifi snooping:

1.  They set out to collect BSSIDs, SSIDs, and locations (standard
Skyhook-style stuff, not scary at all really).

2.  They also logged packet payloads.  Ignoring the spin on legality,
deliberate actions, and the like, what we've got is a company holding an
unknown quantity of data.

What we don't know:

1.  What payloads were captured?  The reports indicate "unencrypted
packets", but is this only because encrypted packets aren't interesting to
the news agencies?

2.  What will happen to this data?  Will it be kept if it's determined that
no laws were broken?

3.  How will this data be treated by agencies issuing subpoenas to examine
it?  Will it be destroyed after the case is concluded, or like genetic data,
will it be kept for future data trawling / evidence?

Where it gets really interesting (read: Dangerous):

Recently I had some bizarre errors with my Android phone, solved by doing a
factory reset.  The first thing that happened after the reset was that the
phone connected to my wifi network again.

Wait... what?

"Back up my settings -- Your settings (such as your bookmarks and Wi-Fi
passwords) can be backed up..."

So now Google knows where I am, where the network is,
and what the password is?  Uh oh.

What this all means:

I don't actually propose that Google is using stored password data -- I'm
fairly certain that, under the scrutiny they're experiencing, they wouldn't
be that foolish.  It's highly unlikely that the two departments even

What this does allow for, however, is end-runs around network
security, world-wide.  Some governments have already introduced measures for
secret warrants when issuing wiretap orders.  When your network password is
stored outside of your control, you (obviously) no longer control exclusive
access to it.

This can affect you even if you don't have an Android phone - ever given
your WPA passphrase to a visiting friend?

This again raises the question:  What happens to all the packets captured from
streetview?  Who may have access to correlate stored passwords with captured
data already obtained from a subpoena?

Sunday, August 22, 2010

Moving blog code

I decided if I'm going to try to make more regular posts I ought to use something better than some cobbled up scripts and a directory of files.

I'll move over some of the more recent posts and then kick over the link on the Kismet site.

Trust me, I'm a cell tower

While chatting with Nick DePetrillo we came up with a few more highly unpleasant things to do using the new iPhone vuln.

Using Chris Paget's work demoed at Black Hat this year, for $1500 (a totally reasonable price point for an attacker looking to make money with spy/ad/fraud ware on an iPhone) it's possible to build a custom cell tower / IMSI catcher.

What does that get you?  The ability to masquerade as AT&T.

And to send SMS messages directly to the phone.

A man-portable microcell carried around a major metropolitan area may be able to catch a significant number of iPhones, immediately sending a spoofed SMS ("iOS update, click here"?  "More porn"?  "bank alert"?  "look at this funny cat"?).

IMSI catching: Not just for spying and phone sniffing, now you can use it as a direct attack.

Since the current USRP code doesn't support data, the phone is forced into
voice-only mode, preferring wifi for data.  Not only can an attacker
directly spoof a URL in a message, but by forcing wifi (and bringing, for
example, an access point running Karmetasploit, which redirects all URLs via
MITM attacks) along with the USRP, users who do NOT respond to the URL are
still grabbed via the next website they visit.

Once inside the phone, what horrible stuff is on the menu?  Sending a worm-style SMS to everyone in the contacts list to then own their phones?  Installing trojans to dial high-rate numbers (already a problem with advertising services and a few apps)?  Snooping logins and personal data?  Targeted tracking via hidden apps?

Pass me a Guinness.

My smart phone can beat up your smart phone

Or, why this iPhone web attack really, really matters.

So there's another jailbreakable vulnerability on the iPhone.

Much hilarity and glee ensues - who wouldn't want to go into Apple's stores and jailbreak their own demo models?

This all gets a lot less funny when you consider some of the fundamental flaws in wireless networks (most recently highlighted by Renderman and me at The Last HOPE, slides here).  Short version:  Airpwn isn't dead, and hijacking HTTP traffic can be extremely nasty.

What do we get when we combine Metasploit, MSF-Airpwn, a browser/content vulnerability, and a browser environment running as root?

The best case scenario is drive-by jailbreaking.  "You're welcome, iPhone users.  Here's Cydia."

The worst case?  I don't know.  Maybe MSF-Ipwn?  (msf/data/ipwn/ipwn in the MSF tree).  Arbitrary spyware or adware on the phone that can't be killed by normal user access?  Tracking software?

What do we need to do this?  Any device capable of running MSF, MSF-Airpwn,
and which has inject-capable drivers.  Like, say, the Nokia
N900?  My smartphone beat up your smartphone on the playground.

All from browsing with an insecure device in public.