As we store and transport more and more information online, we’ve gradually come to realize how easy it is for others to access that information without our permission. From Facebook’s privacy policies to the ongoing NSA leaks, it seems like the ordinary online user has enough reason to log out. Well, I’ve got more bad news for you: anyone can build a powerful spying tool using off-the-shelf parts, and for under $60 (USD).
Brendan O’Connor is the founder of security and software consultancy company Malice Afterthought. Last week he made headlines when he shared how he built F-BOMB, a small device that runs software that he calls CreepyDOL. The DOL stands for Distributed Object Locator and “Creepy” with a capital ‘C’ is the perfect word to describe it. O’Connor built the F-BOMB using the popular Raspberry Pi microcomputer and added a Wi-Fi sensor to the device. The cost? $57 (USD). He built 10 F-BOMBs and hooked them up to Reticle, a “command & control system” that he made. Finally he hooked it up to a “data visualization system,” which you can see in the image above and in O’Connor’s video below:
In case the video wasn’t clear enough, the F-BOMB can gather a disturbing amount of wireless data. As The New York Times reported – and as the video above proves – with the F-BOMB you can find out not only information on a wireless device but also what the user is currently using or accessing through the device: geolocation, websites, email addresses, programs and more.
In my brief chat with O’Connor, he revealed that the device can snoop on wireless devices within about 160 ft. He can add other sensors to the F-BOMB as well as adapt it to snoop on wired connections. Further, O’Connor said the F-BOMB is a passive device, so you have no way of knowing if it’s snooping on you. Finally, I asked O’Connor if the situation really is as hopeless for consumers as the New York Times article seemed to indicate. Here’s what he said:
“Yes, it really is that hopeless. There are vulnerabilities in all the relevant layers of the stack. The application developers need to stop leaking so much data outside encryption envelopes (e.g., why does iMessage send hardware make and model, and iOS version, unencrypted?). iOS (I’m picking on it here because I use it, but the same problem is larger) should have OS-level support for blocking all non-VPN traffic until a VPN connection is established (once it’s up, the connection is opaque, but while it’s going up, I’ve usually got all the data I need). And the low-level protocol needs to stop encouraging devices to *beacon out all their known networks constantly*. So since there needs to be culture-level shifts at all the layers of the stack, yes, for end-users, the situation is hopeless at the moment.”
In other words, not only is it possible to make a surveillance tool that is small and cheap, the devices that we use are practically inviting prying eyes to take a look at our data. It falls upon us as end users to nag Apple, Microsoft, Google and other companies who create the hardware and software that we use to step their security game up. It would be foolish to believe that they know nothing about the disaster that they’re courting (with our privacy and security at stake). But for some reason they’re not doing anything about it, nor are they telling us how much danger we’re in.
O’Connor intends to sell F-BOMBs soon. Fellow black hats and tinkerers can sign up at Malice Afterthought’s website to find out more about the F-BOMB and when it will go on sale. Ars Technica also has a thorough technical report on the F-BOMB. As for the rest of us? I guess we’d better start learning how to communicate telepathically.