Tuesday, October 30, 2012

Abusing WiFi-Based A-GPS To Achieve Extreme Low-Cost Targeted Tracking

When security consultants and analysts consider the use of modern-day tracking techniques, they think of two things: tracking devices and mobile phones. And that's fair. GPS tracking devices, such as the Zoombak, are cheaper and more effective than ever before. However, as I demonstrated in 2011, tracking devices are often poorly designed, easy to reverse, and insecure. This means that they can not only be found remotely, but they can be hacked.

Mobile phones are always a significant vector for location tracking, as they commonly move with a target. But, what if the target is only exposed while using a burner? The MSISDN or software on the mobile endpoint may not persist beyond exposure, making the endpoint a less desirable resource.

Advances in technology, however, provide an interesting alternative to these solutions that has not yet been widely discussed by privacy advocates, even though the pieces of the puzzle have been available for some time. A significant decrease in the cost of microcontrollers (uC) and wireless components, coupled with the increased use of peripheral technology, provides an interesting vector for abuse.

What if, for a couple of dollars, a tiny device could be constructed that allows for targeted tracking? This article describes a simple example of how and why this is possible.

The Wireless Photograph

An interesting device crossed my path on Woot in the past few months: the Eye-Fi. This product is a simple SD memory card, like you would use with any digital camera. Models are offered that support flash storage of 4GB to 16GB, along with a more interesting storage option: wireless image delivery.

Eye-Fi 802.11-enabled SD card

At 3.3V, the Eye-Fi product line integrates three chip components: a microcontroller, a flash chip for image and application/configuration storage, and a Marvell 802.11 wireless chip. The internal layout of the product can be seen in this FCC filing from 2010. From this information, it is easy to determine that the Eye-Fi is meant to act as a wireless client driven by the power of a digital camera.

When the camera saves an image to the Eye-Fi, the Eye-Fi SD card transparently uploads the image over a WiFi network to a laptop, phone, or other endpoint on the same network. While gimmicky as an SD card, this product is exceptionally inventive because of the way it draws its power from the host device.

Alternative Use Cases

While writing to the network is certainly an important feat, an aside to this article would be the use of this design for fuzzing/testing of devices that read from an SD card (such as a firmware updater). Reads from the SD card could be served from the network in order to test multiple variations of a firmware image without the chore of copying each new image to an SD card. I'm looking at you, Travis Goodspeed.

Assisted GPS and WiFi

The design of the Eye-Fi brings to mind another technology: Assisted GPS (A-GPS). A-GPS helps devices determine their approximate physical location even when a Global Positioning System (GPS) signal is unavailable. As many technologists know, A-GPS has evolved beyond the analysis of cellular beacons for location derivation. Today, alternative signals, such as 802.11, can be used for location determination as well.

Google Street View car in action

I'm sure that everyone remembers Google's trouble with WiFi, Street View, and privacy. Google, along with many other companies, uses WiFi to ascertain the physical position of a mobile device when GPS is no longer available. This means that they were collecting a giant database of WiFi access points across several countries around the world.

Samy Kamkar, a security researcher, came up with a brilliant application that abused Google's web API and allowed anonymous users to query for 802.11 access points. Google responded by blocking Samy's application and restricting queries to users known to be associated with the particular access points they ask about.

The Access Point That Wasn't

So, let's presume users can't query devices that they aren't associated with. I'm sure this is hardly the case: even if Google has solidified this issue, custom databases like Zoombak's, Skyhook's, and others have had similar issues to Google's but are far less vetted by the security industry. Regardless, let's step back for a minute and presume this "hole" is patched. What does a researcher do?

Well, systems like Skyhook and Google don't actually attempt to log on to random WiFi access points. Instead, they simply take note of the location of the beacon along with the access point name (SSID) and the hardware address (MAC/BSSID). This means that the access point (AP) doesn't have to function. In fact, it doesn't have to do anything except emit a valid beacon.

What if technology similar to the Eye-Fi could be designed to emit a fake AP beacon instead of acting as a client? The "Fake-Fi" could simply emit a beacon intended to be picked up by devices that would pass on the beacon name and MAC to another authority, such as a Google location database.

Selecting a WiFi network on Android

For example, Android and iPhone devices that see the beacon could upload data describing the Fake-Fi access point to a centralized database. This means that everyone in range of the Fake-Fi is helping tell the world where this beacon is located. This makes for an interesting tracking opportunity without having to use a large amount of power, cellular infrastructure, or other complicated technologies. The Fake-Fi can be driven with two simple chips (a uC and an 802.11 chip) off a 3.3V power source for the cost of dollars, just like the Eye-Fi.

The Result

Using this methodology, researchers can poison technologies that are more likely to stay present on an individual's person. A USB cable, USB dongle, mouse, mini-keyboard, laptop power adapter, wall wart, or another commonly trafficked device can now become a beacon.

This attack is extremely hard to detect, as the components used are small and thin enough to fit on an SD card. There is a large number of potential host technologies for this technique and few ways to effectively detect them. A user may notice the addition of a WiFi access point in their range, but will they presume it originates from their own equipment, or will they presume a neighbor is the source of the beacon? An attacker can diminish the potential for inspection by lowering the transmit strength of the wireless signal, making it look as if the source is farther away than it actually is.
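One detection that does work against this whole class of beacon, covering both the crowd-sourced Fake-Fi described above and the passive logger discussed later, comes from the property the attack relies on: a legitimate access point is stationary, while a beacon hidden in the user's own equipment is heard wherever the user goes. The following script, added here as an example and not part of the original post, walks a phone's own WiFi scan history (BSSID plus the GPS fix at scan time) and flags any BSSID seen at fixes spread farther apart than any fixed AP could be heard. The scan records, BSSIDs, coordinates and thresholds are all constructed sample values, and the record format is an assumption rather than any real phone's log format.

```python
import math
from collections import defaultdict

# Constructed sample scan log from one phone over a day (all values invented):
# (timestamp, bssid, ssid, latitude, longitude, rssi_dbm)
SCAN_LOG = [
    ("2012-10-30T08:00", "00:11:22:33:44:55", "HomeNet",    38.8977, -77.0365, -45),
    ("2012-10-30T08:00", "02:aa:bb:cc:dd:01", "linksys",    38.8977, -77.0365, -78),
    ("2012-10-30T09:00", "66:77:88:99:aa:bb", "CoffeeShop", 38.9072, -77.0369, -60),
    ("2012-10-30T09:00", "02:aa:bb:cc:dd:01", "linksys",    38.9072, -77.0369, -80),
    ("2012-10-30T12:30", "aa:bb:cc:dd:ee:ff", "OfficeWiFi", 38.8895, -77.0353, -50),
    ("2012-10-30T12:30", "02:aa:bb:cc:dd:01", "linksys",    38.8895, -77.0353, -79),
    ("2012-10-30T13:00", "aa:bb:cc:dd:ee:ff", "OfficeWiFi", 38.8896, -77.0354, -52),
]

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def max_spread_m(points):
    """Largest pairwise distance among (lat, lon) fixes; 0 for fewer than two."""
    best = 0.0
    for i in range(len(points)):
        for j in range(i + 1, len(points)):
            best = max(best, haversine_m(*points[i], *points[j]))
    return best


def find_following_beacons(scan_log, min_spread_m=500.0, min_sightings=3):
    """Return BSSIDs heard at fixes spread farther apart than a fixed AP's reach.

    min_spread_m: a normal 802.11 AP is heard over tens of metres, so a spread
    of several hundred metres cannot come from one stationary AP.
    min_sightings: require a few observations so one bad GPS fix is not enough
    to raise an alert. Both defaults are assumed values; tune them to your data.
    """
    sightings = defaultdict(list)
    for _ts, bssid, ssid, lat, lon, rssi in scan_log:
        sightings[bssid].append((lat, lon, ssid, rssi))

    suspects = {}
    for bssid, rows in sightings.items():
        if len(rows) < min_sightings:
            continue
        spread = max_spread_m([(lat, lon) for lat, lon, _, _ in rows])
        if spread < min_spread_m:
            continue
        levels = [r for _, _, _, r in rows]
        suspects[bssid] = {
            "ssid": rows[0][2],
            "sightings": len(rows),
            "spread_m": round(spread),
            # A beacon riding in the user's own bag also tends to show a nearly
            # constant signal level wherever it is heard; report the RSSI range
            # as a supporting hint rather than a criterion.
            "rssi_range_db": max(levels) - min(levels),
        }
    return suspects


if __name__ == "__main__":
    for bssid, info in find_following_beacons(SCAN_LOG).items():
        print(f"{bssid} ({info['ssid']}): seen {info['sightings']}x, "
              f"spread {info['spread_m']} m, RSSI range {info['rssi_range_db']} dB")
```

In the sample data the "linksys" BSSID is heard at home, at the coffee shop and at the office, roughly two kilometres apart, so it is the only one reported; the office AP is seen twice from nearly the same spot and is ignored. The same check can be run by a fleet or site operator against wireless IDS scan data from fixed sensors by inverting it: a BSSID that appears at several sensors in different buildings over a day is moving with someone.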

A common Samsung microSD card in an Android phone

The SD card in a user's Android phone can even be replaced with this technology, turning the phone into a proxy for the tracking beacon without the user's knowledge. How's that for parasitic technology?

Read and Store

An alternative and purely passive methodology would use almost the exact same formula as the Eye-Fi technology: a WiFi client. Except, instead of connecting to WiFi networks, the software on the uC would simply log the observed access points, and how often each is seen, to the flash storage. Access points seen most frequently would identify a user's location and could be looked up using the same technologies: Google, Skyhook, etc.

However, this purely passive tracking technique would require physical access to the target's devices at two exposure points in time (to plant the logger and later to retrieve it), rather than one, significantly increasing the risk of the operation.

The Take Away

At Capitol Hill, we believe that desktops, laptops, and even BYOD are no longer the only risks a group or individual must monitor. Instead, security analysts must consider the applicability of each potential wireless endpoint as a source for malicious or parasitic behavior. And, analysts must consider that not all devices are known - or can be known - in a particular environment.

Discovering, cataloging, and isolating the risks of the wireless world is a growing challenge. At Capitol Hill, we help organizations identify and mitigate the risks introduced by the Bring Your Own Radio world through our years of embedded engineering and security expertise. Our team will help define what practical threats mean to your organization, how they can be detected, and the most fiscally effective ways of removing these risks. Contact us today to determine if our services are right for your organization at: info at capitolhillconsultants dot com.

Don A. Bailey