Scoping out the Wi-Fis with WarCollar’s DopeScope and Booby Trap


The WarCollar Industries 360 Dope Scope: a game, yet not.

What do I spy inside the Dope Scope?

Wi-Fi access points and signal strengths to help track them down.

Sean Gallagher

At last month's Shmoocon security conference in Washington, I was looking for gear for the Ars Tech Lab's hostile network environment. As I was browsing, I ran across a table manned by Gene Bransfield, the founder and CEO of WarCollar Industries LLC. People were gathering to look into little black boxes with the sort of delight you only find at security conferences.

The boxes were "360 Dope Scopes"―devices originally created by Bransfield for a security game at last year's Shmoocon. The DopeScope is a self-contained Wi-Fi scanner that can do quick reconnaissance of the wireless environment wherever you are―and a tool for hunting down where access points are physically located.

Bransfield told Ars that he had wanted to "make a splash" at the 2016 Shmoocon with his company, which does both security services work and security-related hardware. So he devised a game called "Foxx 'n Hound." Participants would use the DopeScope to locate a Raspberry Pi-based "Fox" broadcasting a series of Wi-Fi access points named after famous "Foxxes" (Redd Foxx, Jaime Foxx, Samantha Fox, Guy Fawkes).

"When the Scope got within range of the fox," Bransfield explained, "it would login and query the AP for a 'game password'. The hound [the player] then had to identify the fox, tell the fox the password, and bring him back to the WarCollar booth. First person to do that won a prize."

But it also turns out that the scope is useful for hunting down other access points, as well as for surveying which Wi-Fi access points are broadcasting themselves, without using more expensive or more obtrusive survey gear. During the first game, Bransfield said, "someone came by asking to buy one. I explained that this was a marketing toy and wasn't really for sale and went into my elevator speech. The gentleman waved me off of my speech quite briskly and said 'Look, this solves a problem I have right now. I want to buy it. How much?'"

Bransfield hadn't planned on selling the devices, which were put together from 3D-printed parts, viewing lenses re-purposed from Google Cardboard virtual reality viewers, an ESP8266 programmable Wi-Fi transceiver chip, and a small OLED display. Together, they were all powered by lithium polymer batteries intended for micro-drones. "We were taken aback," he said. "The gentleman noticed this and said 'Ok, how much did it cost to make?' We told him and he said, 'I'll give you double that.'"

Ars obtained our own scope for $60 and propagated WarCollar's unexpected business model. The company got its name from a device Bransfield built as part of a project he presented at a DefCon 22 talk entitled "Weaponizing your Pets: The WarKitteh and the Denial of Service Dog."

Bransfield recounted:

I took a microcontroller, GPS, Wi-Fi, Battery, and storage and got it down to a form factor that would fit on a cat collar. I sent the cat wandering around Washington DC doing Wi-Fi Scanning for me. The product worked, the talk was very successful and soon people were asking me to make these things―so I created WarCollar Industries.

Bransfield's side-line hardware operation soon became a security consulting company as well before the company he worked for was acquired by another, much larger company.

It's a trap!
The Booby Trap, a wandering weaponized Wi-Fi corset.

Bransfield and WarCollar have collaborated on another hardware project: an Internet of Things corset configured with captive portal access points. The "Booby Trap", designed and worn by security researcher Nicole 'AmazonV' Schwartz, was equipped with malicious access points broadcasting common access point names (such as "attwifi", "xfinitywifi", "NETGEAR" and "LINKSYS"). The low-power access points would connect with smart phones whose Wi-Fi was turned on once they got into range. It displayed a "captive portal" web page on the victim devices announcing, "You've been caught in my Booby Trap."

As Bransfield wrote in his after-action report:

The current incarnation of the [Booby Trap] software advertises multiple WiFi SSID's and allows anyone to connect. Once a victim connects to the access point (AP), their MAC and the SSID they connected to is recorded, and they are re-directed to a fixed landing page. The landing page is a mild reminder that allowing your WiFi enabled devices to connect automatically to an AP may be a bad idea. When captured victims attempted to browse the web, they were presented with a picture of AmazonV in her corset stating "You've Been Caught in my Booby Trap." While this solution itself is relatively harmless, with some minor modifications to the code, it is possible to intercept the web traffic, track user activity and even fool someone into providing their user credentials.

The point―one we've made before in Ars Tech Lab with our own demonstration―is that leaving a mobile device's Wi-Fi turned on can be a big security risk. In 2015, researchers at Wandera demonstrated that this sort of Wi-Fi captive portal could be used to spoof Apple Pay screens and potentially steal credit card data. But even at security conferences largely populated by the paranoid, devices were easy victims for the Booby Trap. At DefCon in Las Vegas last August, the Booby Trap "caught" 1432 devices and identified 1238 unique hardware (MAC) addresses. At this year's Shmoocon, with a much smaller attendance (about 2,000 versus the over 20,000 at DefCon), 167 devices were "caught", with 156 unique MAC addresses.
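
As an added example (not from the article or from WarCollar's code), here is a defender-side check for the auto-join behaviour the Booby Trap relied on: it reads saved Wi-Fi profiles in NetworkManager's keyfile format and flags open networks that the device will join automatically. The sample profiles are constructed, the function names are this example's own, and it assumes SSIDs are stored as plain strings.

```python
import configparser

# SSIDs the article lists as being advertised by the Booby Trap.
COMMON_SSIDS = {"attwifi", "xfinitywifi", "NETGEAR", "LINKSYS"}

# Constructed sample profiles (NetworkManager keyfile format), not real data.
SAMPLE_PROFILES = {
    "attwifi.nmconnection":
        "[connection]\nid=attwifi\ntype=wifi\n[wifi]\nssid=attwifi\n",
    "home.nmconnection":
        "[connection]\nid=home\ntype=wifi\n[wifi]\nssid=HomeNet\n"
        "[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-example\n",
    "cafe.nmconnection":
        "[connection]\nid=cafe\ntype=wifi\nautoconnect=false\n"
        "[wifi]\nssid=CoffeeShop\n",
    "hotel.nmconnection":
        "[connection]\nid=hotel\ntype=wifi\nautoconnect=true\n"
        "[wifi]\nssid=HotelGuest\n",
    "wired.nmconnection": "[connection]\nid=wired\ntype=ethernet\n",
}

def audit_profile(text):
    """Return (ssid, reasons) if the profile auto-joins an open network, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in ("wifi", "802-11-wireless"):
        return None
    # Older keyfiles use the long section names; accept both.
    wifi = "wifi" if cp.has_section("wifi") else "802-11-wireless"
    sec = "wifi-security" if cp.has_section("wifi-security") else "802-11-wireless-security"
    ssid = cp.get(wifi, "ssid", fallback="")
    # No key-mgmt means the saved network is open: the SSID alone identifies it,
    # so any access point advertising that name satisfies the profile.
    is_open = not cp.get(sec, "key-mgmt", fallback="")
    # NetworkManager treats a missing autoconnect key as true.
    auto = cp.getboolean("connection", "autoconnect", fallback=True)
    if not (is_open and auto):
        return None
    reasons = ["open network joined automatically"]
    if ssid in COMMON_SSIDS:
        reasons.append("SSID is one the Booby Trap advertised")
    return ssid, reasons

def audit(profiles):
    """Map profile name -> (ssid, reasons) for every risky profile."""
    return {name: hit for name, text in sorted(profiles.items())
            if (hit := audit_profile(text)) is not None}

if __name__ == "__main__":
    for name, (ssid, reasons) in audit(SAMPLE_PROFILES).items():
        print(f"{name}: {ssid!r}: {'; '.join(reasons)}")
```

Profiles flagged this way are candidates for deletion or for having autoconnect disabled.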

Listing image by Sean Gallagher
