During DefCon 24 (3-7 August 2016) and ShmooCon 2017, WarCollar Industries, with the help of AmazonV, deployed the BoobyTrap, which took advantage of certain ‘characteristics’ of the way WiFi ‘just works’ on a normal cell phone, computer, or anything else that runs WiFi. We were both excited and disturbed by the results. We promised our DefCon, ShmooCon, Twitter, Facebook, and IRL followers that we would post results from the experiment.
During ShmooCon 2016, WarCollar Industries hosted a ‘Foxx ‘n Hound’ game where we first put our Internet of Things expertise on display. We got the notice of Nicole ‘AmazonV’ Schwartz, who was wearing a very cool ‘Tardis Corset’ she designed after the popular British time traveler show “Dr. Who”. Ms. V approached a WarCollar employee and asked if she could have something ‘special’ done to the corset for DefCon this year. We took up the challenge and developed the WarCollar “BoobyTrap.” We gathered results, and submitted them for a talk at ShmooCon 2017. Our talk was rejected as the Shmoo Group thought that the results would end up shaming several people – so rather than present at ShmooCon we re-deployed the BoobyTrap at ShmooCon to gather more data. The results are ‘interesting.’
What is the BoobyTrap?
According to Wikipedia, a booby trap is a device or setup that is intended to kill, harm or surprise a person, triggered by the presence or actions of the victim without the victim’s awareness. As the word trap implies, there is sometimes some form of bait designed to lure the victim into the trap. At other times, the trap is set to act upon trespassers that violate personal or restricted areas. The device can be triggered when the victim performs an everyday action, e.g. opening a door, picking something up or switching something on. The word booby refers to a person of low intelligence – e.g. someone who would be thoughtless or careless enough to be caught in a booby trap; or leave their WiFi turned on at the world’s largest Hacker Convention.
We thought it a fitting name for the device since:
- People will trigger it unknowingly
- It will surprise them
- They are baited by the device
- They just need to be within range for the trap to spring
- It was a fun play-on-words referencing the flattering nature of the ‘Tardis Corset’
So what is it?
This particular incarnation is a piece of 'off the shelf' hardware called the Onion Omega. The board is based on the Atheros AR9331 WiFi module. It has 64Mb RAM and 16Mb of flash and runs the OpenWRT firmware.
What does it do?
The current incarnation of the software advertises multiple WiFi SSIDs and allows anyone to connect. Once a victim connects to the access point (AP), their MAC and the SSID they connected to are recorded and they are re-directed to a fixed landing page. The landing page is a mild reminder that allowing your WiFi-enabled devices to connect automatically to an AP may be a bad idea. When captured victims attempted to browse the web they were presented with a picture of AmazonV in her corset stating “You’ve Been Caught in my Booby Trap.” While this solution itself is relatively harmless, with some minor modifications to the code it would be possible to intercept the web traffic, track user activity and even fool someone into providing their user credentials.
So What did WarCollar do?
On the evenings of August 3rd (at the BSides Las Vegas Pool Party), 5th and 6th, Ms. AmazonV donned her Corset with the WarCollar BoobyTrap and spent 3-4 hours roaming around. Progress (e.g. the victim list) was displayed via a Smart Phone on her hip that connected to the database on the chip. We captured more victims on the afternoon of the 5th when one of the WarCollar Developers roamed the halls of the DefCon conference itself.
At ShmooCon 2017 WarCollar had a booth, and we had the BoobyTrap on display and running for the entire conference.
So What are the Results!?!?
DefCon (~20,000 participants):
Total connections: 1455
Total Individual connections: 1432 (device x connecting to SSID y counted once)
Total unique MAC addresses: 1238
*By the Way: Your MAC address is unique to your phone – so we can use it to positively identify your device. Kind of like a phone number
Most Popular SSIDs:
NETGEAR: 571 connections
AT&T WiFi: 216 connections
Linksys: 128 connections
Most Common Vendors (based on MAC lookup):
We also saw Apple Watches, Samsung Gear, and other wearables.
ShmooCon (~2500 participants):
Total connections: 167
Total Individual connections: 167 (device x connecting to SSID y counted once)
Total unique MAC addresses: 156
Most Popular SSIDs:
AT&T WiFi: 69 connections
xfinitywifi: 31 connections
Linksys: 19 connections
Most Common Vendors (based on MAC lookup):
We also saw Apple Watches, Samsung Gear, and other wearables.
Did the devices connect more than once?
By and large, most devices connected only once. However, we did have approximately 146 devices connect multiple times. The device that connected most frequently was a HUAWEI device which connected 11 times – but, based on the analysis of the times at which the same MAC connected (difference of .10 seconds), we believe this device was a scanner rather than a user device. If we discount the HUAWEI device, then the most frequent connectors were 3 different devices which connected a total of 5 times each.
There were several devices that connected 2 times each, but since unique connections were the same as total connections, it means that those MACs connected to different SSIDs.
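The counting rules used above (every connection, each device/SSID pair once, each MAC once) and the “too fast to be a human” heuristic that flagged the HUAWEI device can be written down as a small log analysis. The script below is an added example, not WarCollar’s code, and runs over a constructed `timestamp,mac,ssid` log rather than the real BoobyTrap database; the one-second threshold for flagging a scanner is an assumption chosen for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in "timestamp,mac,ssid" form. These rows are made up
# for illustration; they are not records from the BoobyTrap database.
SAMPLE_LOG = """\
2016-08-05T21:00:00.000,AA:BB:CC:00:00:01,NETGEAR
2016-08-05T21:00:05.000,AA:BB:CC:00:00:02,attwifi
2016-08-05T21:00:09.000,AA:BB:CC:00:00:01,linksys
2016-08-05T21:01:00.000,AA:BB:CC:00:00:03,NETGEAR
2016-08-05T21:01:00.100,AA:BB:CC:00:00:03,NETGEAR
2016-08-05T21:01:00.200,AA:BB:CC:00:00:03,attwifi
2016-08-05T21:01:00.300,AA:BB:CC:00:00:03,linksys
2016-08-05T21:30:00.000,AA:BB:CC:00:00:02,attwifi
"""


def parse_log(text):
    """Turn the CSV-style log into (timestamp, mac, ssid) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ssid = line.split(",", 2)
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"),
                     mac.lower(), ssid))
    return rows


def summarize(rows):
    """The three headline numbers from the post, plus the top SSIDs."""
    return {
        "total": len(rows),
        # device x connecting to SSID y counted once
        "individual": len({(mac, ssid) for _, mac, ssid in rows}),
        "unique_macs": len({mac for _, mac, _ in rows}),
        "top_ssids": Counter(ssid for _, _, ssid in rows).most_common(3),
    }


def repeat_connectors(rows):
    """MACs that connected more than once, with their connection counts."""
    counts = Counter(mac for _, mac, _ in rows)
    return {mac: n for mac, n in counts.items() if n > 1}


def likely_scanners(rows, max_gap_s=1.0):
    """Flag MACs whose consecutive connections are closer together than a
    person could plausibly manage; returns {mac: smallest gap in seconds}."""
    by_mac = defaultdict(list)
    for ts, mac, _ in rows:
        by_mac[mac].append(ts)
    flagged = {}
    for mac, times in by_mac.items():
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        if gaps and min(gaps) < max_gap_s:
            flagged[mac] = min(gaps)
    return flagged


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(summarize(rows))
    print("repeat connectors:", repeat_connectors(rows))
    print("likely scanners:", likely_scanners(rows))
```

On the sample, total (8) exceeds individual (6) because the third MAC hit NETGEAR twice within a tenth of a second, which is also what gets it flagged as a scanner; the other two MACs each reconnected minutes apart and to different SSIDs, the pattern the post describes for real users.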
What were the most prolific Operating Systems?
As stated above, based on vendor MAC addresses Apple devices were far and away the most popular victims. After Apple, things get a bit complicated because it’s often difficult to tell what OS a device is running. If we were to go by the hostname that the device was broadcasting, there were:
- 515 devices that identified themselves as Android
- 386 that identified themselves as iPhone
- 10 devices that identified themselves as Mac
- 42 devices that identified themselves as iPad
- 15 devices that identified themselves as Windows Phone or WinMobile
- 1 device that identified itself as ‘kali’
- 65 devices that identified themselves as Android
- 46 devices that identified themselves as iPhone
- 2 devices that identified as Mac
- 1 device that identified as iPad
- 1 device that identified as Windows
It is extremely difficult to put an exact number on this based on the data set we collected. For example, based on MAC address, there were 27 Microsoft devices, but further analysis shows 4 Nokia devices that were identifying themselves as Microsoft Phones. There were other devices that did not identify themselves at all.
On a side note, we found it most amusing that two printers and 40 Nintendo DS devices connected to our solution.
Fun with Hostnames:
Something that we also found disturbing is the number of people who named their devices “<firstname><lastname>’s iphone” (including a certain friend of mine whose initials are L.F. and he needs to be called out on this because he knows better). One person even used their phone number as their host name (California number). So based on a simple dump of whomever was connecting to our solution, we received their full name and MAC address. It is troubling that at a Hacker Conference someone would voluntarily give away such information. Then again, a surprising number of people don’t know that they are making that information so easily available – which is part of the problem.
That notwithstanding, there were some very creative hostnames that people gave their devices. Our favorites are:
And our favorite: ‘AMacHasNoName’
You’re probably wondering if the BoobyTrap caught the same MACs at both DefCon and ShmooCon. The answer is yes! The data shows that there were 7 MAC addresses that connected to our solution at both ShmooCon and DefCon.
So What’s the Problem?
Honestly, the real problem is that most people do not realize that walking around with their phone’s WiFi turned on not only makes them vulnerable to this type of attack, but also discloses personal information that an average person would want to keep private.
Understanding the problem requires a high-level overview of how WiFi Works. For that purpose, we’ll provide a 90,000ft High-Speed Fly-by overview:
- When WiFi is turned on, your device (computer, mobile phone, game boy, watch, etc..) is ALWAYS trying to connect to WiFi. It wants to connect. It NEEDS to connect.
- When you connect to a WiFi hotspot, your device thinks “Ah! I have successfully connected to a WiFi hotspot! My human must like and trust this WiFi hotspot. Since my human likes and trusts this hotspot, I will automatically connect to it whenever I see it again in the future – because I am a helpful robot.” This is one of the principal reasons why it’s good to use WPA2 encryption on your home WiFi solution – more on that later.
- When you’re wandering around away from your normal WiFi hotspots with your WiFi turned on, your devices are constantly trying to connect. Desperate to make a connection, the device “Probes” for a WiFi network – by name. Specifically, your devices are calling for the WiFi hotspots they’ve known and loved in the past. Therefore if you’ve connected to a router named NETGEAR, and you’ve also connected to your local Starbucks, then when you’re wandering around out of range of those two WiFi hotspots your cell phone is basically calling out “Hey! Anybody named NETGEAR out there!?!? I need some WiFi! No!? How ‘bout Starbucks! Anyone named Starbucks!?!?! ANYBODY!!?!?! I need WiFi!!!!”
- Your devices are so desperate for WiFi, that if anyone – and I do mean anyone – responds with “Yeah, I’m Starbucks!” Then your device will run to that hotspot like a teenage girl to a loser boyfriend.
- Now if your normal WiFi hotspot requires a password to connect – like your home WiFi solution that’s using WPA2 encryption (right?) – then your device will say “Ewww – you’re not my loser boyfriend” and reject that connection. If, however, the site is an unencrypted connection (like most retail stores that offer Free WiFi connections) your device won’t know the difference. It will just say “Thank goodness!! WiFi! I’m whole again!!”
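The fly-by above can be pinned down with a small model of the client side: a saved-network list, the SSIDs the device calls out for while roaming, and the rule that decides which nearby AP it joins on its own. The code below is an added example, not WarCollar’s or any vendor’s client code; `Profile`, `Beacon` and the two security labels are a hypothetical simplification, and the saved networks and beacons are constructed. It shows why a saved open hotspot is enough for any AP with the same name to catch the device, while a saved WPA2 home network is not.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """One entry in the device's saved-network list (hypothetical model)."""
    ssid: str
    security: str  # "open" or "wpa2-psk"


@dataclass(frozen=True)
class Beacon:
    """An access point the device can currently hear."""
    ssid: str
    bssid: str
    security: str


def directed_probes(profiles):
    """The SSIDs a roaming device calls out for by name. Anyone with a
    sniffer sees this list, regardless of how the networks are secured."""
    return sorted({p.ssid for p in profiles})


def auto_join_candidates(profiles, beacons):
    """APs the device would join without asking. The saved profile's
    security type must match the beacon: an open AP that merely reuses the
    name of a saved WPA2 network is rejected, because the device expects a
    key exchange that the open AP cannot offer."""
    saved = {(p.ssid, p.security) for p in profiles}
    return [b for b in beacons if (b.ssid, b.security) in saved]


def risky_profiles(profiles):
    """Saved open networks: any AP broadcasting that name will be joined."""
    return [p for p in profiles if p.security == "open"]


# Constructed sample data: a phone's saved list and the APs it can hear.
SAVED = [
    Profile("HomeNet", "wpa2-psk"),   # home router with a password
    Profile("Starbucks", "open"),     # coffee-shop hotspot, no password
    Profile("NETGEAR", "open"),       # default-named open router from years ago
]
HEARD = [
    Beacon("HomeNet", "02:00:00:00:00:01", "open"),    # same name, but open
    Beacon("Starbucks", "02:00:00:00:00:02", "open"),
    Beacon("NETGEAR", "02:00:00:00:00:03", "open"),
    Beacon("attwifi", "02:00:00:00:00:04", "open"),    # never saved, ignored
]


if __name__ == "__main__":
    print("probing for:", directed_probes(SAVED))
    print("would silently join:",
          [b.ssid for b in auto_join_candidates(SAVED, HEARD)])
    print("saved profiles worth forgetting:",
          [p.ssid for p in risky_profiles(SAVED)])
```

Two things the model deliberately leaves out: a real client picks one of the candidates by priority and signal strength rather than joining all of them, and the probe list is leaked whether or not any AP answers, which is why “forget” the networks you no longer use is on the fix list further down, not just “use WPA2 at home”.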
While the above description is a simplified explanation of WiFi behavior, it is accurately describing the aspects of WiFi that were exploited by the BoobyTrap. We at WarCollar are not about malicious use, but rather about using these projects to entertain and, more to the point, to educate. Therefore, the only thing that happened to our victims is that they got a free picture of Ms. AmazonV in her Tardis Corset – if they happened to be surfing the web. Only one gentleman – who demanded a selfie – was honest enough to admit that he had fallen victim to the BoobyTrap.
It Gets Worse!
So let us recap for you: So far we’ve talked about how your Smart Phone is actively searching for the WiFi HotSpots that it remembers. We can figure out what kind of phone it is based on the MAC address, and a ton of users have configured their device’s hostname to say something like “John-Smiths-iphone”. Using rudimentary WiFi collection techniques available to anyone (with tutorials on YouTube) we can see that John Smith likes to go to Starbucks and Panera, he flew on United Airlines and he’s staying at Bally’s Hotel (because your phone is probing for United, Starbucks, Panera, and Bally’s – and telling everyone that your name is John Smith) – not to mention the fact that it’s probing for John Smith’s home WiFi network as well. Combine everything your phone is broadcasting with a legitimate WiFi location service such as SkyHook, and it is possible to get a Google Map of your house in a matter of seconds.
We are not exaggerating. There was a demonstration at BlackHat that did exactly that.
So How Do I Fix This?
Now we have identified the problem, so how do you solve this? Well, we have amassed several suggestions:
- Turn off your phone’s WiFi if you’re at a Hacker Convention. Turn off your Bluetooth as well.
- No seriously, turn off your phone’s WiFi if you’re at a Hacker Convention. Seriously! Your Bluetooth as well.
- Turn off your WiFi when you’re not using it (honestly very few people remember to do that).
- Remove extra access points from your device’s list of Networks. Depending on your device, this may not be as easy as it sounds. More on that later.
- If you’re using Android, download an app that automagically turns off your WiFi when you’re not around a trusted network: WiFi@Home, WiFi Matic, Smart WiFi Toggler, etc. There is no such app for iPhone.
- Use a VPN when you’re attached to unencrypted networks
What’s a VPN?
Since technology changes every 18 months, it’s probably best to search Google for the best VPN for your device. WiTopia is one VPN provider that is very easy to use. Others include ExpressVPN, VyprVPN, and F-Secure Freedome VPN. Most VPNs are inexpensive but do cost money. There is a free VPN offered by Opera.
Now, back to WiFi
How do I get rid of unused WiFi Access Points from my device:
Keeping in mind that technology changes completely every 18 months or so, we recommend that you check the Internet and/or your vendor’s website for specific information. However, we have compiled a cheat sheet addressing how to remove unwanted SSID’s from your device’s list of good hotspots:
Windows 10:
Settings > Network > Internet > WiFi > Manage WiFi Settings
Click on SSID and select ‘Forget’
Windows 8:
From the ‘Charms Bar’ select Settings > Change PC Settings > Network > Connections > Manage Known Connections
Click on SSID and select ‘Forget’
Windows 7:
Start > Control Panel > Network and Internet > Network and Sharing Center > Manage Wireless Networks
Select SSID and click ‘Remove’
Windows XP:
Upgrade to Windows 10 and follow Windows 10 instructions - Seriously? You’re still on XP?
Mac OS X:
System Preferences > WiFi > Advanced
In the “Preferred Networks” window, highlight an SSID and hit the ‘-’ button.
Android:
Honestly, there are too many flavors of Android to precisely give a tutorial, but in general it’s:
Settings > WiFi
Long-press on an SSID and choose ‘Forget’
*Check the Internet for instructions for your specific device.
From the home screen, swipe down from the top of the screen and select Settings > WiFi > Saved
Select the desired SSID and hit the ‘delete’ icon.
Windows Phone:
From the Start Screen, swipe left, scroll down to Settings > WiFi
Tap the network you want to remove and hit the ‘delete’ icon.
Wii U:
- From the Wii U Menu, select "System Settings."
- Using the Left Stick, select the "Internet" icon and press the A Button.
- Tap "Connect to the Internet."
- Press the X Button or tap "Connections" in the top-right corner.
- Select the Wi-Fi network connection you wish to configure.
- Select "Delete Settings."
- Tap "Delete" to confirm
- Tap "OK."
We’ve saved the best for last, because it’s very annoying. There is currently no way to selectively choose which SSIDs to ‘Forget’ in iOS (iPhone and iPad) unless you're actively connected to that SSID. It’s a common complaint and may help explain why Apple devices amassed the majority of our victims in the above experiment. The only way to remove unused SSIDs from your iOS device is to do the following:
Settings > General > Reset > Reset Network Settings
We hate this for many reasons – but the top three reasons are:
- This takes the user into an area of the phone where an unwise choice or simple mistake may wipe out the entire phone. That’s like putting the ‘self destruct’ button right next to the ‘system reboot’ button.
- When you tell the device to Reset Network Settings, it wipes out all WiFi Hotspots that the phone is remembering – including the ones you wanted to keep. Hope you remember all those WiFi Passwords!
- Based on the security issues we addressed above, there really should be an easier way to remove unwanted SSIDs from an iOS device in 2017.
- (Bonus Reason) I configured my iPhone with a VPN. Reset Network Settings deleted my VPN configuration and I had to re-create it. That’s just mean, Apple! That’s just mean.
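The cheat sheet above is all point-and-click, and none of the menus tell you which saved networks are the dangerous ones (the open ones). On a laptop you can audit the list from the command line. The script below is an added example, not WarCollar’s code; it assumes NetworkManager’s `nmcli` on Linux and `networksetup` on macOS (neither of which the cheat sheet covers, so it extends it), and it only prints the removal command for each open profile rather than running it. The sample command output it falls back to when neither tool is installed is constructed.

```python
import shutil
import subprocess


def parse_networksetup(output):
    """macOS: `networksetup -listpreferredwirelessnetworks en0` prints a
    header line followed by one tab-indented SSID per line. networksetup does
    not report the security type, so this yields names only."""
    return [line.strip() for line in output.splitlines()[1:] if line.strip()]


def parse_nmcli(connections_output, key_mgmt_by_name):
    """Linux NetworkManager: `nmcli -t -f NAME,TYPE connection show` gives
    "name:type" lines (colons inside names are escaped as "\\:"), and
    key_mgmt_by_name holds each Wi-Fi profile's
    802-11-wireless-security.key-mgmt value, where "" means an open network."""
    profiles = []
    for line in connections_output.splitlines():
        if not line.strip():
            continue
        name, ctype = line.rsplit(":", 1)   # the type field never contains ':'
        if ctype == "802-11-wireless":
            profiles.append((name, key_mgmt_by_name.get(name, "")))
    return profiles


def open_profiles(profiles):
    """Saved networks with no key management: the ones any AP can impersonate."""
    return [name for name, key_mgmt in profiles if not key_mgmt]


def live_linux_profiles():
    """Query NetworkManager for every saved Wi-Fi profile and its key-mgmt."""
    out = subprocess.run(["nmcli", "-t", "-f", "NAME,TYPE", "connection", "show"],
                         capture_output=True, text=True, check=True).stdout
    key_mgmt = {}
    for line in out.splitlines():
        if line.endswith(":802-11-wireless"):
            name = line.rsplit(":", 1)[0]
            key_mgmt[name] = subprocess.run(
                ["nmcli", "-g", "802-11-wireless-security.key-mgmt",
                 "connection", "show", name],
                capture_output=True, text=True).stdout.strip()
    return parse_nmcli(out, key_mgmt)


def live_macos_profiles(interface="en0"):
    """List the preferred (saved) networks for one Wi-Fi interface on macOS."""
    out = subprocess.run(["networksetup", "-listpreferredwirelessnetworks", interface],
                         capture_output=True, text=True, check=True).stdout
    return parse_networksetup(out)


# Constructed sample output, used when neither tool is installed.
SAMPLE_NMCLI = ("HomeNet:802-11-wireless\n"
                "Wired connection 1:802-3-ethernet\n"
                "xfinitywifi:802-11-wireless\n")
SAMPLE_KEY_MGMT = {"HomeNet": "wpa-psk", "xfinitywifi": ""}
SAMPLE_NETWORKSETUP = "Preferred networks on en0:\n\tHomeNet\n\tStarbucks\n"


if __name__ == "__main__":
    if shutil.which("nmcli"):
        profiles = live_linux_profiles()
    else:
        profiles = parse_nmcli(SAMPLE_NMCLI, SAMPLE_KEY_MGMT)
    for name in open_profiles(profiles):
        # Print the removal command rather than running it, so the user decides.
        print(f'open profile "{name}": nmcli connection delete "{name}"')
    if shutil.which("networksetup"):
        names = live_macos_profiles()
    else:
        names = parse_networksetup(SAMPLE_NETWORKSETUP)
    for name in names:
        print(f'saved on macOS: {name}  '
              f'(remove with: networksetup -removepreferredwirelessnetwork en0 "{name}")')
```

On macOS the list is names only, so you still have to recognise which entries were password-less hotspots; on Linux the empty key-mgmt value does that for you. The iOS complaint above stands: there is no equivalent per-network command for an iPhone.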
And in Closing:
Thank you for reading! We hope you were informed and entertained by our BoobyTrap experiment. We encourage everyone to take their personal security seriously and to choose wisely as you traverse the Internet of Life. If you would like to know more, please reach out to us at firstname.lastname@example.org.
If you’d like to find out more about the Tardis Corset, go to http://mayfairemoon.com/tardis-corset/