His Little Black Box
It looks harmless: a small black box with a few wires attached. But when you take out your phone and begin searching the web, this device becomes a dangerous spying tool. Its name is CreepyDOL (short for creepy distributed object locator) and it knows where youve been, who you are, and what youre doing on your phone.
CreepyDOL isn't limited to cell phones. It can track any mobile device, including tablets and laptops. Though websites can restrict what information this device can see, CreepyDOL still has access to where youve been, where youre going, your email, and even photos of you. This information could severely impact your security and the security of your home.
SEE ALSO: Who Is Watching You Undress Online?
How It Works
The device is simple. All it takes is a tiny and inexpensive child's computer (Raspberry Pi Model A), two USB WiFi chips, some over-the-counter sensors, and a plastic box for stealth. Once it is set up and has gathered information, CreepyDOL encrypts its findings, and sends it to the owner through the Tor anonymity service, a service that protects Internet users from having sensitive information discovered. The CreepyDOL owner can then access his information over any device that connects to the Internet.
Brendan OConnor, the CreepyDOL creator and principal of consulting agency Malice Afterthought, purchased all of these tools in bulk for around $57 per module and assembled them himself. You can purchase the module by contacting O'Connor's company.
You might scoff at this devices simplicity, saying that such a basic computer module couldnt possibly navigate the complex electronic devices of today. Actually its not hard, OConnor told the New York Times. Its terrifyingly easy.
What It Can Do
- Captures unprotected information from websites you visit: your email address, your photos, your full name, and the city you live in
- Knows where youve connected to WiFi since your mobile device was activated
- Records your Internet history
- Tracks where youre going through the pings your smart phone sends to access new messages from the main server
- Synthesizes the "ping" data to see where you have physically been
Even devices with a VPN are not safe. "It takes you five seconds to bring your VPN online," O'Connor told Ars Technica. "During that time, iMessage has already pinged for updates, Dropbox has already pinged for updates, your mail client has already pinged for updates." All that information is available for CreepyDOL to scoop up and process.
What It Cannot Do
- Access information from a mobile device once its connected to a VPN
- Read information secured by a website, like your password or credit card number
- See your messages when your phone pings
The device, first appearing at the Las Vegas hacker convention DefCon 21, has already been put to use. No crimes have been reported yet. CreepyDOLs uses, however, range from tame observation to just plain creepy.
One techie uses these devices to hash out a form of vigilante justice in his home town. I have actually bought three of these and i was able to place them on three local police cars, he readily admits, I use them to let my friends know where the cops are sitting, it really stifles their revenue generation in my small town!!
Others worry about CreepyDOLs in major cities, where company information is exchanged online. One commenter claimed to have knowledge of a CreepyDOL-like device in Manhattan. It is called XKeyScore (by NSA), one commenter informs another, Those systems are designed as being used without leaving in-system traces.
CreepyDOL And Home Security
Competitiveness among home security companies has led to many high tech innovations, but not enough security measures to back them up.This allows systems like CreepyDOL to access information that should be private.
Initially, CreepyDOLs access to your mobile device might not seem like a threat to home security, but taking a second glance at the evidence might make you think otherwise. Here are some of the dangers CreepyDOL poses to home security:
- It has access to leaked information. If you use the Google Maps app, your phones map app, or simply search the web for directions, your address could be leaked to a hacker.
- It can gather information from open WiFi zones. This could mean your home WiFi network, if it isnt password protected.
- If you have a home security system with a mobile app, it can see information from your home security system. While this ability does not give criminals full access to your home, it will provide integral bits of information on it, such as the type of security system you use.
- It can tell the hacker when youre usually not home. If you consistently have accessed Starbucks WiFi at 10am every day, then the hacker can infer when you must leave your house. He can get this information by simply inputting your address and Starbuckss address into Google Maps and seeing how many minutes away it is.
CreepyDOL reveals the severe lack of security for the information an electronic server sends out. "We've come into a culture where it's OK to take a whole bunch of data we don't actually need and to not take very good care with it," O'Connor said, "Ultimately, CreepyDOL points out how unacceptable that is."
Hacking For Humanity
But OConnors goal with this device was not to go snooping around in peoples business. Instead, he encourages companies to, explore just how much data their organization leaks on a daily basis through simple, inadvertent WiFi traffic, according to a Black Hat convention press release. Such a device is not the firstand will not be the lastspying device out there. By making CreepyDOL an open-source project, OConnor is allowing companies to build their own information gathering device, in the hopes that these devices will cause greater strides in Internet and mobile security.