The National Security Agency, argues Brendan O’Connor, doesn’t have a monopoly on mass surveillance. In fact, he’s developed a cheap system of open-source spy boxes and mapping software that he says will let anyone “track everyone in a neighborhood, suburb, or city from the comfort of their sofa.”
At the Def Con hacker conference early next month, O’Connor, a security researcher who runs the consultancy Malice Afterthought, plans to unveil Creepy Distributed Object Locator or CreepyDOL, a system of Linux computers that cost less than $60 each and are designed to be hidden around an urban or suburban area. The little black boxes can wirelessly track the movements of cell phones or other mobile devices, feeding the information they collect into a database where an administrator can monitor targets on a map-based interface. A proof-of-concept version of the system that O’Connor has built includes ten of the spy nodes, each capable of reading the wireless signals of nearby devices and communicating back to a central server by piggybacking on any available Wifi network.
CreepyDOL is O’Connor’s latest addition to a surveillance setup he’s been developing for more than 18 months, integrating earlier research funded by small grants from the Pentagon research arm the Defense Advanced Research Projects Agency. He revealed the first piece of his CreepyDOL system, a small, homemade spy computer known as the F-BOMB (an acronym for Falling or Ballistically-launched Object that Makes Backdoors) at the Shmoocon hacker conference in January of last year, describing at the time how the small box of sensors could be planted in a corporate network or dropped from a drone to wirelessly snoop on a target. Since then he’s been reproducing and evolving those small machines and building new software based on the widely-used Unity video game engine to collect and map the data from multiple F-BOMB-like computers to track surveillance targets over a wide area.
“With these F-BOMBs, I can gain creepy identity information pretty easily and passively,” says O’Connor. ”I can track people over whole areas of a city just by tracking watching their wireless devices as they wander around.”
Each CreepyDOL computer is built from a $25 tiny, single-board computers known as a Raspberry Pi and designed to be inconspicuously plugged into a power outlet anywhere with public Wifi; O’Connor suggests that the outlets in corners of coffee shops would make perfect hiding spots. When a user’s phone or laptop comes close enough to one of the boxes to connect with the same public Wifi network, the unit can pick up the target device’s MAC address and feed the data back to O’Connor’s server. If the user browses the Web or runs certain apps while on that network, O’Connor says the CreepyDOL software can run the network sniffing program Kismet to ferret out other information from target devices, including users’ names, email addresses and his or her version of Apple’s iOS software revealed by certain applications that send that information over the Internet unencrypted.
Creepiest of all, O’Connor has even designed the software to grab the user’s photo if they visit a certain dating site that lacks SSL encryption, adding that to the target’s profile. “I take all this data, throw it together, and visualize it to show people with real faces and identities and histories moving around a map in 3D,” he says, though he declined to share any screenshots of the mapping software ahead of his Def Con talk or name the apps or dating website from which he’s pulling users’ private information.
Aside from the sheer hacker challenge of assembling a DIY surveillance kit, O’Connor says he built CreepyDOL to demonstrate just how much data is constantly leaked from smartphones and other computers. “At some level I’m doing this because it’s interesting,” he says. “But I’m also doing it to prove that this level of knowledge and detail isn’t only the province of intelligence agencies anymore. If you think that only the government, with millions and billions to blow on watching someone can create this problem for privacy, then we’re not going to solve it.”
O’Connor isn’t the only hacker to use inconspicuous spy boxes to gather data on targets. Other researchers have built similar tools small enough to fit into an Altoids tin, or even ones that resemble a power strip. Those stealthy computers, loaded with hacking software, are designed to be snuck past a corporation’s front desk and planted in an empty office or wiring closet to create a backdoor into the company’s network.
O’Connor has experimented with similar devices: One earlier version of his F-BOMB was designed to masquerade as a carbon monoxide detector. But CreepyDOL is his first attempt to produce a larger crop of the spying devices and tie them together to cover a large area. He says he’s experimented with the machines around his own property and the houses of friends to track test targets, but hasn’t tried them in public due to legal concerns.
Because CreepyDOL’s computers are designed to be left in public places, O’Connor has taken special pains to make them difficult to tie back to their owner. Each spy node runs the anonymity software Tor to obscure the location of the central server that collects their data. All data stored on the boxes is encrypted–the cryptographic key is kept on a memory card that can be removed when the device is planted. And the computers are assembled from off-the-shelf parts to prevent any sort of supply chain analysis from revealing who built them, he says.
If all of that subterfuge seems to enable real privacy invasion by amateur snoops, O’Connor says that’s his point: He argues that his CreepyDOL setup proves that it’s time for everyone from device makers to app designers to users to acknowledge the potential for cheap, widely available intrusion tools. “If every person on the planet can use this surveillance technology, I think we should start to design things not to leak information at every level,” he says. “You leave behind a trail that can be tracked not just by the NSA or a law enforcement agency, but by any kid in a basement with less than $500.”
Tuesday, August 13, 2013 at 08:38PM 
