That's an amateur job. Resin explains it - you try to do some exfiltration via an external commercial service? Come on.
If the author had set up an encrypted partition where all the "real stuff" was found, and the key for such partition was in-memory only, possibly along with one of the small rpi UPS/batteries to prevent minor electrical hiccups from making the whole operation fail.... it would have been almost impossible to get back at the author.
Also, using a nice "black box" that looked like a sort of electronic device, instead of some randomly put together rpi+pieces, would have made the device mostly invisible.
Or even better: find an old ethernet switch, gut it (but keep the connectors) and put a Raspberry Pi inside. You will need to solder 6 wires for ethernet and power, but the pins are fairly large so this should be easy.
Even if discovered, most people would not bother taking it apart --- they'll just assume it is broken and throw it away.
I have a 4 outlet "surge protection" power board with a Pi Zero W, and USB power supply, and 4 240V mains relays and drivers all neatly tucked/hidden inside... I use it as Wi-Fi controllable power points, not for pen testing, but at this stage that's just a software update...
Check out the image in the article.
They attached keyloggers and sent the strokes to the box. Saving them and once a week dumping them over to a car in the parking lot.
The original article is great, but the guy was really not putting any effort into it.
Encryption was the first thing I expected when he showed the partition table; so much for the "gifted child" :-)
But even if you don't care, at least DON'T SIGN UP WITH YOUR REAL NAME to that service. What the freaking heck? I really hope they get what they deserve.
I hadn't realised that the wifi->address mapping was so publicly available. That means a list of wifi addresses that you've connected your phone to is also a location history. :(
Which is why Android restricts getting the current wifi SSID (WifiManager.getConnectionInfo()) or the nearby wifi SSIDs (WifiManager.getScanResults()) to apps with the ACCESS_COARSE_LOCATION or ACCESS_FINE_LOCATION permissions. If an application doesn't have permission to know your location, it's also not allowed to know your wifi network's name.
I guess good time to point out XPrivacyLua[0], a privacy/permissions manager which should be default in Android imo (without having to root/install Xposed etc). But for the power users out there, worth it.
IP addresses tend to have a relatively long lived association with a subscriber, often weeks. So an app which communicates out the wifi names naturally reveals the IP address (unless there is carrier NAT, i.e. on mobile, in Russia). So with a database of such information, the IP also reveals probable wifi names and hence location.
What's even more fun is that your phone is also broadcasting those SSIDs to the world as you walk down the street, if you have wifi enabled, and likely also your unique MAC address.
So anyone in wireless range of you can 1) track you and recognize you again, and 2) possibly figure out where you work and live (although of course they may see your friends' wifi networks too and not be able to tell which is your network.)
Only if those SSIDs were configured as a "hidden SSID" (WifiConfiguration.hiddenSSID). AFAIK, that will only happen when you type the SSID manually, instead of selecting it from the list of scan results. And using a "hidden SSID" is a bad idea in the first place (https://superuser.com/questions/43836/automatically-connecti...).
The now kind of forgotten Google row where it was discovered they were scanning all wifi networks while mapping speaks volumes to this. If you have a map that details signal strengths you can infer someone's location pretty accurately (not GPS accurate, but within the ballpark) even if they have location services off, just by logging and plotting them against your wifi coverage map.
The thing that people were upset about was that Google Street View cars didn't only scan the public SSIDs, but also recorded all (open) network traffic.
Knowing this from an Opsec perspective, it would also be better to use generic SSIDs for any wifi networks you're setting up. Something with a name like 'internet' or 'wifi' would be so generic that it would be impossible to pin down.
I tried to check numbers on WiGLE but it's being painfully slow for me.
You would want to look at a database of the most common MAC addresses and SSIDs (maybe even pairs of them) and spoof your MAC address and SSID to match one of the most common pairs.
But it won't help much if there are any other wifi networks or devices around.
Yeah it's returning 502 Bad Gateway errors (AFAIK that's what a CDN would return if it can't reach the actual host), probably a HN/reddit hug of death?
I just realized people can track my relocation across cities and countries if they can see "Ah this SSID was there last month, and here this month!".
SSID unique data is hashed into the password. If you use a very common name there will be a precomputed rainbow table that will make cracking much faster.
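The comment above refers to the WPA2-Personal key derivation, where the SSID is the salt of PBKDF2. The following is an added example, not code from the thread or from any tool it mentions, that derives the PMK the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes) and shows that the same passphrase yields a different key under a different SSID, which is exactly why a precomputed table built for a common SSID is useless against an uncommon one. The passphrases and SSIDs in it are constructed sample values.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal key derivation per IEEE 802.11i:
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    Because the SSID is the salt, a table of precomputed PMKs is only valid
    for the exact SSID it was generated for."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32
    )


def pmk_changes_with_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase gives different PMKs under two SSIDs."""
    return wpa2_pmk(passphrase, ssid_a) != wpa2_pmk(passphrase, ssid_b)


def pmk_shared_between_networks(passphrase: str, ssid: str) -> bool:
    """Two networks with the same SSID and passphrase share a PMK, so a table
    computed once for a popular default SSID applies to all of them."""
    return wpa2_pmk(passphrase, ssid) == wpa2_pmk(passphrase, ssid)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    passphrase = "correct horse battery staple"
    for ssid in ("linksys", "linksys", "Q7x-Home-2018"):
        print(f"{ssid:15s} -> {wpa2_pmk(passphrase, ssid).hex()}")
```

The two "linksys" lines print the same key, the third does not; renaming the network is the cheap defence the comment hints at, and it costs nothing cryptographically because the derivation is unchanged.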
I know a few people who think they're being clever by doing things like this (playing with their (E)SSID). I'm still patiently waiting for one of them to learn what a BSSID is.
Too bad wifi location services use MAC addresses (BSSID) instead of ESSID. If anything, it's probably worse because you're revealing your real MAC address every time it tries to connect to those APs. Normally most phones scan with randomized MAC addresses but the randomization turns off when it tries to connect.
By appending '_nomap' to the end of your Wi-Fi hotspots you can opt out of all Wi-Fi network tracking, which means your hotspot will not be used for improving location fixes on mobile devices.
(only honored by google, other OSs need different approaches)
This is a terrible standard, unfortunately. This makes branded or "clever" SSIDs difficult and awkward. (And Microsoft has a different standard too ...)
No, I'm from Austria and it works here too. But it doesn't magically get all SSIDs from the planet; someone in your area must have the wigle app that records that info.
It's crowd sourced
I hadn't either. Also what is the deal with random people contributing to the database at https://wigle.net/, why don't you mind your own business? There is a big difference between broadcasting the SSID in a 20-50m radius and effectively broadcasting it world-wide.
Google and other entities already have that data. Building open databases like wigle.net or https://location.services.mozilla.com/ seems good to me because:
1) It allows building alternative location providers that make it possible to have an Android device that doesn't rely on Google maps.
2) Publicizing the existence of these databases might make the general public more conscious of the privacy and data protection issues involved.
The practice is questionable at best, but it's a good reminder that everything sent with radio waves can be picked up by others even if they were not the intended recipients, whether you want them to or not.
It's pretty much like leaving the front door unlocked -- it would be unethical to use it to go inside and steal your stuff but we still need to lock the door if we want to reduce the chance of someone stealing your stuff.
Tips for avoiding this:
- Change SSID at least once per year.
- If your router supports multiple SSIDs, turn the current one off and use the next one in the settings instead -- it will usually result in the MAC address being changed as well.
- Do the above whenever you move the router from one location to another.
Edit :- This got downvoted. Don't know why anyone asking an honest question should be marked down. Am I not allowed to ask technical questions in the comments section?
Every time a device joins the corp. network, it gets an IP Address (DHCP) and a network name (DNS) from our servers.
RADIUS is the authentication method for wifi. In larger offices you don't just share the same password for all users, but rather set up a RADIUS server that manages individual accounts. So every employee has their own username and password for wifi. Also called WPA2 Enterprise.
DNS logs -- logs of name lookups to the internal DNS server, which will include source IP of the DNS lookup (note: UDP, can be spoofed). Look up source IP in DHCP lease table to find hostname and mac address of device on wifi that is assigned that source IP.
RADIUS logs -- RADIUS = AAA server (authorization, authentication, accounting). Basically, a server that answers the question "given these credentials, what resources can this user access?" All new connections to the network will show up in RADIUS logs. As a user, when you have your "own" wifi username and password (e.g. on an access point configured to use WPA Enterprise), usually what happens is the access point asks an external RADIUS server to authenticate the credentials, and then the DHCP server asks the RADIUS server to authorize the user for an IP address assignment.
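The DNS/DHCP join described two comments up is the kind of check an admin runs once a rogue box is suspected. The following is an added example, not code from the thread or from the article it discusses: it parses a constructed ISC dhcpd-style lease table and a constructed dnsmasq-style query log, joins each query's source IP to the lease holding it, and flags leases whose MAC carries a Raspberry Pi Foundation OUI. The hostnames, IPs, MACs and the queried domain are all made-up sample values; the OUI prefixes are the publicly registered ones.

```python
import re
from collections import Counter

# Constructed sample lease table in ISC dhcpd syntax (not from the article).
DHCP_LEASES = """
lease 10.0.5.23 {
  hardware ethernet b8:27:eb:12:34:56;
  client-hostname "raspberrypi";
}
lease 10.0.5.40 {
  hardware ethernet 3c:97:0e:aa:bb:cc;
  client-hostname "laptop-jdoe";
}
"""

# Constructed sample dnsmasq-style query log (not from the article).
DNS_LOG = """
Nov 18 03:12:07 dnsmasq[1234]: query[A] devices.example-service.test from 10.0.5.23
Nov 18 03:12:09 dnsmasq[1234]: query[A] intranet.corp.test from 10.0.5.40
Nov 18 03:42:07 dnsmasq[1234]: query[A] devices.example-service.test from 10.0.5.23
Nov 18 04:12:07 dnsmasq[1234]: query[A] devices.example-service.test from 10.0.5.23
"""

LEASE_RE = re.compile(
    r'lease (\S+) \{\s*hardware ethernet ([0-9a-f:]+);\s*client-hostname "([^"]*)";'
)
QUERY_RE = re.compile(r'^(\w{3} +\d+ [\d:]+) \S+: query\[\w+\] (\S+) from (\S+)$')

# Raspberry Pi Foundation OUIs (first three octets of the MAC address).
RPI_OUIS = {"b8:27:eb", "dc:a6:32"}


def parse_leases(text):
    """Map each leased IP to its MAC address and client-reported hostname."""
    return {ip: {"mac": mac.lower(), "hostname": host}
            for ip, mac, host in LEASE_RE.findall(text)}


def parse_dns_log(text):
    """Extract timestamp, query name and source IP from each query line."""
    events = []
    for line in text.strip().splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            events.append({"ts": m.group(1), "qname": m.group(2), "src": m.group(3)})
    return events


def is_raspberry_pi(mac):
    """True if the MAC's OUI belongs to the Raspberry Pi Foundation."""
    return mac.lower()[:8] in RPI_OUIS


def correlate(dns_text, lease_text):
    """Join DNS queries to the DHCP lease holding their source IP.

    Caveat from the thread: the source IP comes from a UDP packet and can be
    spoofed, so this join is a lead to confirm on the switch port, not proof."""
    leases = parse_leases(lease_text)
    report = {}
    for ev in parse_dns_log(dns_text):
        lease = leases.get(ev["src"], {"mac": None, "hostname": None})
        entry = report.setdefault(ev["src"], {
            "mac": lease["mac"],
            "hostname": lease["hostname"],
            "is_raspberry_pi": bool(lease["mac"]) and is_raspberry_pi(lease["mac"]),
            "queries": Counter(),
        })
        entry["queries"][ev["qname"]] += 1
    return report


if __name__ == "__main__":
    for ip, info in correlate(DNS_LOG, DHCP_LEASES).items():
        flag = "  <-- Raspberry Pi OUI" if info["is_raspberry_pi"] else ""
        print(f"{ip} {info['mac']} {info['hostname']}{flag}")
        for name, n in info["queries"].most_common():
            print(f"    {n}x {name}")
```

On a real network the lease file and the resolver log are read from disk instead of the inline strings; the repeated queries to one external name at a fixed interval are the pattern to look for, and the OUI flag is only a hint, since a MAC is trivially changed.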
I didn't downvote you. Perhaps the downvoters did that because they felt your post was not interesting enough. Read the guidelines (link at the bottom of the start page), especially:
> On-Topic: Anything that good hackers would find interesting.
Something which is common hacker's knowledge and easily googleable is probably boring.
The attacker's setup is really, really bad. But it's very interesting to see a drop device being used in the wild. I assume that if amateur solo actors are doing this, then organized crime rings are for sure.
It is possible that there is a second device that does a sniffing part. This device may be a relay for the second device. They could be connected via Bluetooth, hence the Bluetooth dongle.
However I don't mind being able to get LAN internet at a hotel that wants me to pay $24 per day for wifi when they have VoIP phones that have internet access...
I often bring a small wifi router with me, hook it up to Ethernet (often taking the TV or phone ethernet connection), then set up a local wifi that I can connect a Chromecast to. That in turn sits in the tv, of course.
That gives me internet and streamability/casting to the tv :)
Or, even better, your services need authentication and authorization even on internal network, with some sort of SSO and/or federated authentication, so it actually doesn't matter where you are. Google's own BeyondCorp initiative works kind of this way.
Getting a route to the outside internet is not such a big deal; access to internal data is.
By the way: it's "amateur hour" if, as you say, that happens for a switch in a public/semipublic area in an office structure. On the contrary, I've seen a lot of "all-enabled" switches if those were accessible just from INSIDE the datacenter, where few people had access. It's not a really reasonable scenario.
As the article concludes with "Legal has taken over, I did my part and the rest is over my pay grade.", I think the author is not allowed to disclose this publicly.
I think the author just doesn't know what it does. From his Reddit post [1]:
>Still no idea what it actually does except for the program being called "logger", the bluetooth dongle and it being only feet away from secretary / ceo office
One can speculate something along, "the neighbor kid, ABC, is pretty smart, perhaps he can help me set up some way to know if someone is around at work?".
So: an amateurish hacking job.
Disguised as one of those generic thermostat boxes on a wall it'd go unnoticed by 99.999% of people. Bonus points for a twiddly wheel.
Article: https://www.hln.be/regio/antwerpen/rechter-straft-it-special...
(I'm still using a perfectly workable phone that is forever stuck on Android 5)
[0]: https://github.com/M66B/XPrivacyLua
https://www.theguardian.com/technology/2010/may/15/google-ad...
https://www.renderlab.net/projects/WPA-tables/
Ideally you would rotate your SSID regularly, but of course that is a massive pain.
https://krebsonsecurity.com/2015/07/windows-10-shares-your-w...
Our home SSID isn't there, but a neighbour's network is visible on the street outside and is listed.
https://en.wikipedia.org/wiki/Wardriving
1) What are DNS logs?
2) What are RADIUS logs?
Would someone be so good as to answer?
Thanks in advance for help you could provide.
won't someone please think of the lurkers
https://en.m.wikipedia.org/wiki/RADIUS
It's amateur hour if you can just plug in any random rpi, it gets a DHCP lease, access to the company lan, and a route to the outside internet.
Great article though, very interesting read.
[1] https://www.reddit.com/r/sysadmin/comments/9xveq5/rogue_rasp...