NEW YORK (CNNMoney) — The next threat to your privacy could be hovering over head while you walk down the street.
Hackers have developed a drone that can steal the contents of your smartphone — from your location data to your Amazon password — and they’ve been testing it out in the skies of London. The research will be presented next week at the Black Hat Asia cybersecurity conference in Singapore.
The technology equipped on the drone, known as Snoopy, looks for mobile devices with Wi-Fi settings turned on.
Snoopy takes advantage of a feature built into all smartphones and tablets: When mobile devices try to connect to the Internet, they look for networks they’ve accessed in the past.
“Their phone will very noisily be shouting out the name of every network its ever connected to,” Sensepost security researcher Glenn Wilkinson said. “They’ll be shouting out, ‘Starbucks, are you there?…McDonald’s Free Wi-Fi, are you there?”
That’s when Snoopy can swoop into action (and be its most devious, even more than the cartoon dog): the drone can send back a signal pretending to be networks you’ve connected to in the past. Devices two feet apart could both make connections with the quadcopter, each thinking it is a different, trusted Wi-Fi network. When the phones connect to the drone, Snoopy will intercept everything they send and receive.
“Your phone connects to me and then I can see all of your traffic,” Wilkinson said.
That includes the sites you visit, credit card information entered or saved on different sites, location data, usernames and passwords. Each phone has a unique identification number, or MAC address, which the drone uses to tie the traffic to the device.
The names of the networks the phones visit can also be telling.
“I’ve seen somebody looking for ‘Bank X’ corporate Wi-Fi,” Wilkinson said. “Now we know that that person works at that bank.”
CNNMoney took Snoopy out for a spin in London on a Saturday afternoon in March and Wilkinson was able to show us what he believed to be the homes of several people who had walked underneath the drone. In less than an hour of flying, he obtained network names and GPS coordinates for about 150 mobile devices.
He was also able to obtain usernames and passwords for Amazon, PayPal and Yahoo accounts created for the purposes of our reporting so that we could verify the claims without stealing from passersby.
Collecting metadata, or the device IDs and network names, is probably not illegal, according to the Electronic Frontier Foundation. Intercepting usernames, passwords and credit card information with the intent of using them would likely violate wiretapping and identity theft laws.
Wilkinson, who developed the technology with Daniel Cuthbert at Sensepost Research Labs, says he is an ethical hacker. The purpose of this research is to raise awareness of the vulnerabilities of smart devices.
Installing the technology on drones creates a powerful threat because drones are mobile and often out of sight for pedestrians, enabling them to follow people undetected.
While most of the applications of this hack are creepy, it could also be used for law enforcement and public safety. During a riot, a drone could fly overhead and identify looters, for example.
Users can protect themselves by shutting off Wi-Fi connections and forcing their devices to ask before they join networks.