Project meant to prove security risks, instead reignites fears of personal privacy

In an experiment to see just how vulnerable our mobile devices are, a pair of researchers created a drone to see if the equipment they strapped to it could hack mobile devices from up above.

Unfortunately, they succeeded.

Glenn Wilkinson and Daniel Cuthbert of Sensepost are the masterminds behind “Snoopy”, the aptly named drone that can hack and access a mobile device’s data while hovering in the sky.

Specifically, Snoopy looks for phones that have their WiFi settings “on” and are scanning for networks to connect to. The drone sends out a signal pretending to be a network, and when the device connects to it, Snoopy is able to access all the meta data it wants from the device, including passwords, credit card numbers, and more.

When Wilkinson and Cuthbert tested their invention over a part of London, they were able to collect the network names and locations of 150 different mobile devices.

In just one hour.

What’s more, they were also able to identify the usernames and passwords for Amazon, PayPal, and Yahoo accounts that were specially created for the demonstration.

Shocking? Sure. What’s even scarier, though, is the fact that the drone can also be equipped with a GPS card that correlates signals to the location where devices are detected. That means not only can Snoopy locate and hack phones, tablets, etc., but that it can also potentially spy on devices like pacemakers, smart cards, or the most recent fad, fitness bracelets.

Examples of the peripherals Snoopy can connect to:
• Ubertooth (Bluetooth)
• RFidler (RFID)
• Bluenext-BN903S (GPS)
• XBee radio (802.15)

So, how is Snoopy doing all of this? Well, let’s start with its biggest hardware component, the BeagleBone Black, a low-power, open-source micro-computer measuring about the size of a credit card.

Additional components include:
• SanDisk 8GB Class 10 SD card
• USB hub
• 5.5 x 1.2 mm 1 female to 2 male splitter
• 5V2A power supply
• Huawei E160 (with SIM card)

The drone itself is a DJI F450 quadcopter. It has two onboard cameras, one made by GoPro, which is used for collecting HD images, and another that’s tasked with streaming first-person view of live video.

In the event that Snoopy is captured, it can destroy the data it has collected, which is triggered by an on-board accelerometer that detects when the drone is unexpectedly moved or picked up.

Snoopy has been in testing since 2012. It’s gone through many revisions, mostly in an attempt to see if current network securities are still hackable (quick answer: they are).

Wilkinson and Cuthbert used Snoopy at last year’s Black Hat security conference, and will be demonstrating a new and improved version of the technology at this year’s event in Singapore. Their presentation is expected to go over the software and hardware schematics, not only for a Wi-Fi-, Bluetooth-, and GPS-enabled snooping device, but also for an RC aerial drone outfitted with two video cameras. It’s meant to show the darker of side of how much today’s consumer relies on electronics, and so the presentation is called “The Machines that Betrayed their Masters.”