Earlier this year, a hacker by the name of Mehdi Lauters published some data from an experiment he conducted using two Raspberry Pi devices running GPS, WiFi, and Bluetooth sniffing applications. Put simply, he traveled the city of Bordeaux, France, and collected wireless data from signals within his range. After collecting this data for six months, he summarized and published his findings here.
Here's a summary from his write-up on the project:
You want to discover your city's public transport infrastructure? If people crossing your street are mainly tourists or neighbors? Check if you always take the tram with a given person who likes pizza and travels? Or maybe more when your neighbor is at home or not right now, and use to be there at this time?
Mehdi discovered 62 postmen using the Facteo app on a Samsung device, and he was able to determine which commuters on a particular train knew each other, based on their phone connections.
See his project page on GitHub for details on how he did all of this.
His results aren't entirely surprising, in terms of the type of data that can be discovered through the use of wireless networks. However, it's a bit scary how easy and inexpensive it was to build and use his data extraction toolset:
All these scans were mainly done thanks to 2 Raspberry Pis, one with a serial GPS and an external battery pack, and the other at a fixed position to monitor people every day at the same place. But scanning more data at several city points at the same time to profile users and find people streams is also available with low-cost devices such as the ESP8266.
Mehdi goes on to discuss how to improve user profiling and build other features into the project. Notice that he was able to track individuals without access to any of their devices. He didn't need any expensive equipment, secret backdoors, federal warrants, or an army of highly trained computer hackers to get this information. This project is very easy for the public to replicate, and the instructions are all on GitHub here.
This kind of data gathering is made possible through the use of a 'sniffer.' This is a program that monitors and analyzes network traffic, and may be used on wireless networks, in a LAN or ISP infrastructure, or somewhere out in the public like Mehdi's device. Any network traffic that is not encrypted is vulnerable to sniffing.
Like most 'hacking' tools, there are legitimate uses for sniffers, such as troubleshooting network issues or analyzing traffic patterns. Wireshark, SolarWinds, and PRTG Network Monitor all provide popular network sniffers/analyzers that are used for business purposes in networks across the world. Mehdi's project is a perfect example of how these analyzers can pull in data that can be used for a variety of agendas, including business, criminal, and espionage.
There are a handful of things you can do to protect yourself while you are out in the public:
· Avoid WiFi networks that do not require passwords if possible
· Use a corporate VPN if you are using public WiFi
· Always use HTTPS when you visit a site
· Never accept untrusted certificates
· Do not enter financial or other sensitive information when connected to open WiFi networks
· Never transmit sensitive data without end-to-end encryption on a public WiFi hotspot
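One way to act on the first item in the list on a Linux laptop, as an added example that is not part of the original article: audit saved WiFi profiles and flag those the device will rejoin automatically without a password. It assumes NetworkManager's keyfile format with the modern `[wifi]` / `[wifi-security]` section names, uses constructed sample profiles, and goes slightly beyond the list by also flagging WEP, which NetworkManager stores as `key-mgmt=none`.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (not real networks).
SAMPLES = {
    "home": "[connection]\nid=HomeNet\ntype=wifi\n[wifi]\nssid=HomeNet\n"
            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "cafe": "[connection]\nid=CafeFree\ntype=wifi\n[wifi]\nssid=CafeFree\n",
    "hotel": "[connection]\nid=HotelGuest\ntype=wifi\nautoconnect=false\n"
             "[wifi]\nssid=HotelGuest\n",
    "old": "[connection]\nid=OldRouter\ntype=wifi\n[wifi]\nssid=OldRouter\n"
           "[wifi-security]\nkey-mgmt=none\n",
    "vpn": "[connection]\nid=WorkVPN\ntype=vpn\n",
}

def audit_profile(text):
    """Return (ssid, protection, autoconnect) for one keyfile, or None if not WiFi."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None
    ssid = cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?"))
    key_mgmt = cp.get("wifi-security", "key-mgmt", fallback=None)
    if key_mgmt is None:
        protection = "open"        # no security section: no password at all
    elif key_mgmt == "none":
        protection = "wep"         # "none" means static WEP here, not open
    else:
        protection = key_mgmt      # wpa-psk, sae, wpa-eap, owe, ...
    # NetworkManager treats a missing autoconnect key as true.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    return ssid, protection, autoconnect

def risky_profiles(profiles):
    """Profiles that are open or WEP and will be rejoined automatically."""
    flagged = []
    for name, text in sorted(profiles.items()):
        result = audit_profile(text)
        if result and result[1] in ("open", "wep") and result[2]:
            flagged.append((name, result[0], result[1]))
    return flagged

if __name__ == "__main__":
    for name, ssid, protection in risky_profiles(SAMPLES):
        print(f"{name}: '{ssid}' is {protection} and set to autoconnect")
```

On a real system the profiles normally live in `/etc/NetworkManager/system-connections/` and are readable only by root; deleting a flagged profile or turning off its autoconnect setting stops the device from rejoining it silently.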
With the growth of smartphones and apps, the Internet of Things, and the new operating systems being built into vehicles, there is no end to the things that are leaking information about you. Manufacturers and consumers need to follow best practices when using public networks and start thinking of their security and privacy at the device level.