Psst, hey, I’m not trying to embarrass you and don’t look now . . . but you’re leaking, leaving behind a digital trail that Big Brother and your cash-strapped little brother can track while holed up in the relative luxury of his basement bedroom.
"Creepy Distributed Object Locator,” dubbed CreepyDOL for short, “allows anyone to track everyone in a neighborhood, suburb, or city from the comfort of their sofa.” Brendan O’Connor, who runs the security firm Malice Afterthought, called his presentation CreepyDOL: Cheap, Distributed Stalking at Black Hat and Stalking a City for Fun and Frivolity at Def Con. Do you have a spare $500? He promised that if you deploy a network of cheap CreepyDOLsensors, then you can “move up from small-time weirding out to the big leagues of total information awareness.”
CreepyDOL is another innocent looking device, but instead of simply pwning you, it provides DIY surveillance for the masses. It works by picking up wireless signals from smartphones and other mobile devices as people pass nearby the box.
It does much more than that as O'Connor wrote about testing the devices [pdf]:
We deployed CreepyDOL nodes to several different locations in a populous, well-travelled, section of Madison, WI. To prevent badness, we programmed the NOM system to look only for traffic from devices we owned; no “random stranger” data was collected at any time. With that constraint, we were able to capture a significant amount of useful data about the devices, including photographs of their owners, correlation between devices owned by the same person, and some “this is where he hangs out”-type data.
“I take all this data, throw it together, and visualize it to show people with real faces and identities and histories moving around a map in 3D,” he told Forbes. "Even if you don't connect, if you are wired on a network, we will find you. If you are a person in a city, we will find you, and we will do it all for very little money."
What Andy Greenburg found to be “creepiest of all,” is that “O'Connor has even designed the software to grab the user’s photo if they visit a certain dating site that lacks SSL encryption, adding that to the target’s profile.”
O’Connor’s previous work includes the “Falling or Ballistically-launched Object that Makes Backdoors,” a $50 F-BOMB that provides cheap spying for stalkers, hackers or cash strapped feds. Last year at BSides Las Vegas, he presented Reticle that is like F-BOMB’s brain and the command and control for his latest DIY mass surveillance solution. Put them all together and you have CreepyDOL.
"This isn't even hard, and it should be hard, and that is pretty disturbing to me," O'Connor told Dark Reading. "People fix vulnerabilities when the kid on the street corner can abuse it. Maybe it's time to fix this now."
People are not going to stop carrying about mobile devices, but O'Connor said, “If every person on the planet can use this surveillance technology, I think we should start to design things not to leak information at every level. You leave behind a trail that can be tracked not just by the NSA or a law enforcement agency, but by any kid in a basement with less than $500.”
"This is really going to get out of control, but it's the future," stated Chris Wysopal, chief technology officer for Veracode. "Everyone is going to be able to track anyone, unless there are regulations."
Interested and have $570.80? Well if you buy “bulk,” enough for 10 nodes, then according to O'Connor's Black Hat slides [pdf], you can have government-type total information awareness for $57.08 per node. Broken down from the bulk buy, it means spending $25 for Raspberry Pi Model A, $4.61 for a case, $5.99 for a USB hub, $13.04 for two Wi-Fi chips, $6.99 for an SD card, $1.45 for the USB power adapter and wham bam thank you, ma’am. Then you, too, could spy to your little heart’s desire.
Would you get busted if someone were to find a node after you’ve hidden it in a public place? Probably not since:
O’Connor has taken special pains to make them difficult to tie back to their owner. Each spy node runs the anonymity software Tor to obscure the location of the central server that collects their data. All data stored on the boxes is encrypted–the cryptographic key is kept on a memory card that can be removed when the device is planted. And the computers are assembled from off-the-shelf parts to prevent any sort of supply chain analysis from revealing who built them, he says.
Curious about why O’Connor created CreepyDOL? He said, “At some level I’m doing this because it’s interesting. But I’m also doing it to prove that this level of knowledge and detail isn’t only the province of intelligence agencies anymore. If you think that only the government, with millions and billions to blow on watching someone can create this problem for privacy, then we’re not going to solve it.”