Hacking together a plush surveillance unicorn

Last week the first ever Arctic IoT Challenge (ArIoT) took place in Oslo. For three days, six teams competed in building robots, drones, smart home gadgets... and plush unicorns with bad intentions.

Introducing Team EvilCorp

First of all, a big shout out to the other two thirds of the team, Hans Arne Vartdal and Asbjørn Sannes.

A couple of months ago we were discussing what to build for ArIoT and we had the idea of taking a satirical approach, juxtaposing our (naive?) excitement about cool new IoT technology and the corporate world that is the actual driver behind the innovation. We came up with the fictional company EvilCorp.

EvilCorp

EvilCorp is a global company, working for the greater good (of the shareholders). Their flagship product is a line of free Wi-Fi hotspots, bringing completely free internet to the masses, with almost no strings attached. It is called Unicorn Cute Free Wi-Fi.

Unicorn Cute Free Wi-Fi

The hardware

Naturally EvilCorp has created their own bespoke Wi-Fi hotspot hardware that can be installed anywhere people need access to the internet. The actual hotspots look something like this.

Photo: Hans Arne Vartdal

If you look past the slightly suicide-bomber-esque exterior you will notice that the hotspot consists primarily of a Raspberry Pi and some USB Wi-Fi dongles.

The snooping Unicorn

The interesting thing about our unicorn hardware is that the Wi-Fi dongles we used support monitor mode. This basically means that the EvilCorp hotspots can listen in on packets sent by other Wi-Fi enabled devices nearby.

So that's exactly what EvilCorp does. Specifically, we are looking for the "probes" that mobile phones near the hotspot send out when searching for known wireless networks to connect to.

The information picked up by our unicorns includes:

  • Unique phone MAC-address
  • SSID, known wireless network identifier
  • Signal strength

Building profiles

The information collected by the hotspots is passed on to an application running in Azure where the data is processed. The analytics application builds a unique profile for each device.

Architecture - Ingest

Every time new information is sent to the analytics application the profile is updated before being pushed to an EventHub, turned into a WebSocket stream, and used for visualization in a dashboard.

Architecture - Dashboard

The dashboard

We created a dashboard to present the information we collected from the devices. It consists of three components: presence indicator, tracker and profile.

The EvilCorp Dashboard

Presence indicator

Each of our three hotspots is represented by a column in the dashboard. Here we find a list of all the devices that are currently near the hotspot. New devices are added as soon as we detect them and they are continuously updated with their signal strength.

This gives us an indication of who is near our hotspots at a given time, and when they are coming and going.

The tracker

When you select a device we will load a tracker for that device. The tracker basically attempts to use the signal strength from three different hotspots to calculate where the device is located in the room. The triangulation is updated in real time as new information appears.

Getting useful triangulations at the hackathon venue worked exactly as poorly as expected (the red dot is plotted by our calibration tool). Given some effort and another location we would probably be able to achieve better results.
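To show why the position estimate is so fragile, here is an added example (not the team's code) that ranges from signal strength and then solves for position. The log-distance path loss model, its constants, the room layout and the device position are all assumptions made for the illustration.

```python
import math

# Assumed radio model (not from the post): log-distance path loss with
# reference power P0 at 1 m and path-loss exponent N for an indoor room.
P0_DBM = -40.0
N = 2.5

def rssi_to_distance(rssi_dbm):
    """Invert rssi = P0 - 10*N*log10(d) to get distance in metres."""
    return 10 ** ((P0_DBM - rssi_dbm) / (10 * N))

def distance_to_rssi(d_m):
    """Forward model, used only to generate the constructed readings."""
    return P0_DBM - 10 * N * math.log10(d_m)

def trilaterate(anchors, distances):
    """Solve for (x, y) from three anchor positions and ranges.

    Subtracting the first circle equation from the other two leaves a
    2x2 linear system, solved here with Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = anchors
    d1, d2, d3 = distances
    a, b = 2 * (x2 - x1), 2 * (y2 - y1)
    c = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    d, e = 2 * (x3 - x1), 2 * (y3 - y1)
    f = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a * e - b * d
    if abs(det) < 1e-9:
        raise ValueError("anchors are collinear; position is ambiguous")
    return ((c * e - b * f) / det, (a * f - c * d) / det)

# Constructed room: three hotspots (metres) and a device at (4, 3).
ANCHORS = [(0.0, 0.0), (10.0, 0.0), (0.0, 8.0)]
TRUE_POS = (4.0, 3.0)

def locate(rssi_readings):
    """Estimate position from one RSSI reading per hotspot."""
    return trilaterate(ANCHORS, [rssi_to_distance(r) for r in rssi_readings])

def error_with_offset(offset_db):
    """Position error in metres when hotspot 1 reads offset_db weaker."""
    clean = [distance_to_rssi(math.dist(TRUE_POS, a)) for a in ANCHORS]
    noisy = [clean[0] - offset_db] + clean[1:]
    return math.dist(locate(noisy), TRUE_POS)
```

Under these assumptions a single 6 dB drop at one hotspot, the kind a person standing in the way can cause, moves the estimate by about four metres in a 10 m by 8 m room.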

The profile

Last but not least we were able to build a unique "profile" for each device, containing a list of known networks. This might seem innocent, but it can contain surprisingly rich information.

A glance at my own profile revealed

  • The fact that I sometimes travel to Denmark, by ferry
  • The name of the town I grew up in
  • The name of my father's company
  • Hints of places I've travelled to in the past year

Other common information includes

  • Name of employer
  • Name of customer

For some profiles the SSIDs alone were sufficient to make an educated guess about the owner of the device.
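The profile is nothing more than probed SSIDs grouped by source MAC address, which is why a stable address is what makes it work. The added example below (not the team's code) runs that grouping over constructed records and reports, for each address, how much it gives away. The MACs, SSIDs and the four exposure labels are invented for the illustration; the randomization check relies on the locally administered bit of the first octet.

```python
# Constructed sample records (not captured data): (source MAC, probed SSID, RSSI dBm).
# An empty SSID is a wildcard probe that names no network.
SAMPLE_PROBES = [
    ("00:11:22:33:44:55", "HomeNet-Example", -48),
    ("00:11:22:33:44:55", "Ferry-Guest-Example", -51),
    ("00:11:22:33:44:55", "", -50),
    ("da:a1:19:00:00:01", "", -60),
    ("f2:5b:77:00:00:02", "", -61),
    ("a6:0c:4e:00:00:03", "Office-Example", -59),
]

def is_randomized(mac):
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def build_profiles(probes):
    """Group named SSIDs by source MAC; wildcard probes add no SSID."""
    profiles = {}
    for mac, ssid, _rssi in probes:
        seen = profiles.setdefault(mac.lower(), set())
        if ssid:
            seen.add(ssid)
    return profiles

def exposure_report(probes):
    """Classify each observed address by what its probes reveal."""
    report = {}
    for mac, ssids in build_profiles(probes).items():
        stable = not is_randomized(mac)
        if stable and ssids:
            level = "linkable profile"     # same address ties all SSIDs together
        elif ssids:
            level = "ssid leak"            # address rotates, but a network is still named
        elif stable:
            level = "stable address only"  # presence is trackable, history is not
        else:
            level = "minimal"              # rotating address, wildcard probes only
        report[mac] = (level, sorted(ssids))
    return report

if __name__ == "__main__":
    for mac, (level, ssids) in exposure_report(SAMPLE_PROBES).items():
        print(mac, level, ssids)
```

In the sample, only the device with a fixed address accumulates a multi-network profile; the devices using rotating addresses and wildcard probes leave nothing to join on.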

Augmenting the profile

If the information revealed by the SSIDs isn't sufficient there are means of augmenting the profile. Since the product is a Wi-Fi hotspot we decided to require our users to sign up to get access. We ask for a name, and as soon as users give it to us we tie it to our existing profile.

Signup

Imagine that instead of asking for a name we made everything easier for the user by simply asking them to log in using their Facebook account. That would make for an interesting profile, with both detailed personal information, and a history of their whereabouts.

Running it at the hackathon

We had our hardware up and running on the first day of the hackathon. Basically we were able to track around 25-30 unique devices, most of them mobile phones (but also at least one quadcopter!).

We saw that there would be only a handful of devices present in the room during nighttime, but up to 30 during daytime. We were also able to gather sufficiently detailed information about several devices that we could guess who they belonged to.

How scary is it?

This technology isn't new and groundbreaking. It is widely available and in use, and it has many interesting applications.

Since we don't have prior experience building these things, what surprised us the most is how easy it was to build relatively sophisticated surveillance using cheap hobbyist hardware.

With only three days at our disposal (and plenty of talks and competitions to attend in between coding sessions) three people were able to build both the hardware and the software required to track actual people based on data "leaking" from their mobile phones. Using hardware that cost less than $100.

Anyone with some coding skills and a couple of grand to spare could easily put together enough of these devices to cover a significant area. A Raspberry Pi, some USB dongles and a battery pack dropped in a dumpster in the right location is all it takes to get started.

The consequences of IoT

The hackathon focused on Internet of Things. Maybe the takeaway here should be that we have a responsibility as developers to be extra deliberate when moving into the realm of the always connected "things".

Our hackathon case showed us how easy it is to track people based on seemingly innocent data from connectivity hungry phones.

Mobile phones, connected cars and smart homes are here to stay. We just have to do our best to ensure we don't inadvertently allow them to be hazards to the people using them.
