Hey look — here’s a hacking story that doesn’t involve the NSA! Will wonders never cease? Given that everything from innocuous-looking hardware and smart refrigerators can send your private information to hackers, it probably isn’t surprising that now drones can too. Hackers have been piloting (ha, sorry) newly developed drones that can raid your smartphone. The drone is dubbed “Snoopy,” which makes me kind of sad because I love Red Baron Snoopy and whatever he was doing up there, I’m sure he wasn’t infringing upon our privacy. Anyway, it zooms around scouting for Wi-Fi signals. The drone exploits one of the most common features of smartphones and tablets — that they constantly look for Wi-Fi signals and networks to connect to, and they focus on networks they already know and have used before, often connecting to them automatically. Snoopy then sends signals to your devices, posing as a previously accessed network.
It’s possible for multiple devices in the same area to connect to Snoopy, all thinking that they’re on some trusted Wi-Fi network they’ve used before. Once they connect, Snoopy can access anything they transmit and all the websites their users visits. This means that if a user buys something online with a credit card while connected to Snoopy, their credit card number would be comprised, as would any other information, passwords, etc. If Snoopy’s got more than one device connected to it, it can tell which info comes from which device using its MAC address or identification number. Snoopy also gathers other information from users. If someone connected to it searches for a particular Wi-Fi network, Snoopy may be able to deduce where the person works and/or lives.
So…isn’t all this illegal? Well, kind of. Harvesting device identification numbers and the names of networks isn’t illegal — yet — but harvesting passwords and credit card information, especially with plans to use them (what else would be the incentive?) is illegal, as it violates identify theft laws and possibly wiretapping laws too. Still, Snoopy’s developers are testing it out in London (watch out, Brits!) and in an hour they can get information from over 100 people who walk within the vicinity of the drone. But its developers, Daniel Cuthbert and Glenn Wilkinson of Sensepost security, call themselves “ethical hackers” — they want people to be aware of the possibilities that their smart devices are being hacked. A pretty easy lesson to learn from Snoopy is to shut off Wi-Fi connections and to not allow a device to automatically connect to networks. The technology behind the drone will be featured at Singapore’s Black Hat Asia cybersecurity conference.