CreepyDOL: Cheap, Distributed Stalking

Brendan O'Connor

Wed, 8th October 2014

Speaker Bio 1:
Brendan O'Connor @USSJoin is a geek of many trades. While he's a full-time law student at the University of Wisconsin in Madison (set to graduate in May 2014), his consultancy, Malice Afterthought, completed two DARPA Cyber Fast Track contracts during his first two years in law school.

He has also taught information warfare for the DoD, played the violin (now for more than 21 years) and wished fervently that his two cats would think of him as more than (a provider of) food!

Learning Objectives:

Brendan will explain:

  • Everything leaks too much data.
  • It is no longer possible to “blend in to the crowd.”
  • The full-stack nature of the privacy leakage means that there aren’t simple technical solutions to these problems.

Resources and materials:

Questions and answers

Max, Concise Courses:
21:04 Who do you want to see using CreepyDOL? Are you targeting any specific verticals?

Brendan O’Connor:
I don’t want to see anyone using CreepyDOL! Let me explain that. CreepyDOL is the proof that the underlying amount of data that we are leaking is far too large and causes real problems for users. I hope that nobody uses CreepyDOL, the same way that, say, H.D. Moore [the creator of Metasploit] doesn’t hope that anybody uses Metasploit. CreepyDOL is a proof and a reduction to script idiom of things that we have known for years. People have been attacking wireless and wireless devices for years, and none of this is new in an academic sense. The problem is that [people say], ‘only a master hacker could possibly attack us in that way’, which is nuts and no reason not to fix anything, but people use that to justify not fixing stuff all the time.

So, like Metasploit, the hope is that people go, ‘holy crap, bad people can use this, and not just crazy stupid hackers!’ but any bad 13-year-old sat on his couch in his underpants can use this to attack a whole city. So that’s the hope with CreepyDOL.

Some of the underlying technology has some applications to other fields which can be useful.

Max, Concise Courses:
22:33 Could you use an Intel MinnowBoard and make a MinnowBoard CreepyDOL?

Brendan O’Connor:
Sure. The Intel MinnowBoard is the new one that they are trying to attack the Raspberry Pi with, if I recall correctly. That is $100, the Raspberry Pi is $25, and that pretty much solves the question. The whole point of this is that I can deploy a whole field of these for basically nothing. When I start using $100 boards and $300 enclosures and making it all IP67/68 compliant so it’s all waterproof, sand proof and dust proof, then the cost ramps up shockingly quickly, which I am not willing to do. My stuff is all dirt cheap and you can build it all yourself; the downside would be that it is a little less powerful, but frankly the Intel board that I saw was so shockingly powerful, and the Raspberry Pi is surprisingly great for $25. So I haven’t seen any need to ramp up the power. The issues I have hit have not been ones of insufficient power on the Raspberry Pi.

The issues I have hit have been problems like coding; [for example,] I wrote a bad routine in the visualization software which caused a problem, which also means that I stink at coding. You could do that, sure, but there is no point to that right now.

Max, Concise Courses:
23:57 Could you use CreepyDOL for ‘war driving’ using Kismet?

Brendan O’Connor:
Yes and no. [CreepyDOL] is doing the opposite of war driving. In war driving you look for beacons coming from wireless access points and then you use your local GPS to determine where those access points are. With CreepyDOL you look for probe requests, which are the equivalent of beacons but coming from clients, so it is less about war driving the access points and more about war driving the access point users. Now, you can, with the way that CreepyDOL is set up, take one F-BOMB node, attach a USB device to it, like a USB GPS, and then go war driving for clients. That is hard and requires people in cars; it’s much easier to just throw ten of these things around an area and let them passively sniff data, because you will get a lot better data over a lot longer time period.

Max, Concise Courses:
25:09 How should we firm up our corporate BYOD policy – any tips?

Brendan O’Connor:
You are doomed, but not just because of BYOD. One of the things you can do with CreepyDOL is look for them over an area. [For example,] if you were just scanning your campus, arguably you have the right, but talk to your lawyer, to ‘look for people on your network and look for whether they are transmitting corporate secrets in the clear’. CreepyDOL doesn’t just attack BYOD. If I had a corporate VPN-encrypted laptop that only connects to the corporate VPN, it will still say ‘turn Dropbox on’ in the few seconds before you can click the button to get the VPN online. It is possible to do this, but no one does, to set up a firewall rule that doesn’t let any non-VPN traffic out. It is not possible on iOS, and not possible by default with Android either, as far as I am aware.

BYOD is not the problem. The problem is, if you have devices, which if you are a corporation you do, then they are leaking data and there is very little that you can do about it. VPNs don’t solve this because they are not fast enough, because iOS or Android won’t let them, and because they don’t solve the underlying problems like probe requests leaking too much data.