Cellular Privacy: A Forensic Analysis of Android Network Traffic

Video in TIB AV-Portal: Cellular Privacy: A Forensic Analysis of Android Network Traffic

Formal Metadata

Title: Cellular Privacy: A Forensic Analysis of Android Network Traffic
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
People inherently trust their phones, but should they? "Cellular Privacy: A Forensic Analysis of Android Network Traffic" is a presentation of results from forensically analyzing the network traffic of an Android phone. The results paint an interesting picture. Is Google more trustworthy than the application developers? Are legitimate market apps more trustworthy than their rooted counterparts? Perhaps most importantly, should you trust your passwords, location, and data to a device that shares too much? Eric Fulton is the Director of Research for Lake Missoula Group, LLC, and a specialist in network penetration testing and web application assessments. In his spare time Eric works with local University students to provide hands-on security training, and conducts independent security research. Eric also publishes network forensics contests on ForensicsContest.com.
Hello DEF CON 2011! Yeah, I'm excited. I'm glad you guys are making sounds, because I was really expecting like a bunch of half-asleep people, kind of drunk, kind of time getting over a pimp, but like, I want to see this talk. Um, so I think I'd like to start off with, I don't know if you guys read the protocol jokes, and so this is kind of, I mean, even for DEF CON, a little over-the-top nerdy, but I'mma start with a joke. Uh, so an IPv4 address walks into a bar and says, "I'll have a strong glass of cider," but the bartender says, "We're exhausted." Oh, it's so, it's so terrible, it's great. Um, good gosh. You guys hear me well? All right, well then, let's get this party started. Sweet. So, hi
there, my name is Eric Fulton. I work for a consulting firm called Lake Missoula Group in beautiful Missoula, Montana. I know you guys are thinking, "You guys, you know, have public transportation in Montana?" Yes, we do, and we also have hackers up there, which is a lot of fun, so we can hack in the morning and hike in the afternoon, as I like to say. Uh, I also helped run ForensicsContest.com. We actually run a network forensics contest puzzle during DEF CON, which is pretty sweet, and packets are important in doing forensic analysis of a lot of different things. So I'm also on triska com; I really don't update it ever, so I guess that's not as useful. I'm also on Twitter. And I'd really like to say during this talk thank you to Sherri Davidoff and Jonathan Ham. They are absolutely amazing ninjas with packets, and they are actually writing a book, and I was able to help, or well, use an advanced copy of the book to do some of the analysis that I'm going to kind of show you guys today. So what I'm going to show you today: I'm going to start with some definitions, a testing methodology, kind of go into how I analyze the packets, what I was looking for, what I kind of found, some fun findings I found throughout all of this, and then kind of come to a conclusion. Now, um, in addition to this, this talk is kind of threefold. I've got a bit to cover, so I'm going to talk a little bit fast, so I apologize if I'm going at a little bit of a rapid pace. But what I'm trying to cover here is some distinct topics: privacy especially, I mean, obviously it's in the title, because privacy in our lives is important. I think that our privacy that we have is eroding and we don't exactly know what's happening. A lot of you have an Android phone, probably not in your pocket 'cause it's DEF CON, but maybe at home you've got a smartphone, and you don't realize that every day it's leaking your location, where you're at, and some other interesting facts. So that's not only something I want to
cover; I also want to touch a little bit on network forensics, because this is what I use to help discover what's being shared over your Android phone, and, uh, I mean, that's the majority of it. So I've got, it's a wide breadth and it's kind of shallow, and if you want to know more about kind of the analysis that I did, packet forensics, I'd highly suggest that you, well, our contest is over, so apologies if you're just finding out about it now, but we run it online and we've got our archives of past contests. I'd recommend you take a look at those; you kind of teach yourself, or try and teach yourself, some network forensics, and we'll give you kind of a new perspective on how to analyze things. So what is network forensics? Now,
the Wikipedia article says network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purpose of information gathering, legal evidence, or intrusion detection. But basically it's sniffing packets on the wire. You've got traditional forensics, which I'm sure a lot of you, uh, know of, where you take your hard drive, you dd it, you make an image, you analyze that, you try and say, "Hey, what's on this hard drive?" But there's also network forensics, and that's where you're going, "What is going over the wire? What is my computer leaking? What is going on?" I mean, with traditional forensics, unless you pull the memory, you won't ever realize that there's something loaded in memory leaking any number of things, and so listening on the wire gives you a different perspective, and unless you really understand what your phone, your laptop, your server, etc. is really sharing with your network in the world. Ah, or network forensics could be called listening to the wire for fun, profit and lulz. So how network
forensics affects us, you could say. I mean, assuming you're at DEF CON, uh, all of us use network devices. We use laptops, phones, etc., etc., and everything is network-based. I mean, back in the day, before the advent of the internet and the beauty that is network communications, people just had kind of a solid solidarity, uh, sir, excuse me, they had a single computer that wasn't really connected to anything else. Everything you did was on that terminal. But now we send all sorts of things to everyone. We send usernames, passwords, hashes, URLs, lolcat pictures with your grandma. Uh, going for laughs on that one, sorry, it's Sunday at ten, I should probably cut the humor. Um, yes, but he lives. Uh, but we send all of these amazing things over the internet, and we think to ourselves, "Oh, I am sending my password to this service," and a lot of people don't think of all the externalities that affect that when they pass, I mean, when I log in to Twitter, for example, most people think, "Oh, my computer, Twitter, that's all that's happening." But they don't realize that they're going from their most likely laptop, iPhone, iPad, iDevice, etc. to probably a wireless router, which then connects to your ISP, which then is routed over the internet to Twitter servers, and along there, whether or not I have access on your actual computer, I might have access to your network traffic, and through that I have access to a lot of fascinating information. I mean, no one wants to be handing out usernames, passwords, or anything else, and a lot of companies are really good at protecting that, that's why we hash our passwords, but the simple fact that I'm able to look at that is a huge not only privacy risk but a security vulnerability. So some of our applications send licensing, registration, UDIDs, and all this data can be filtered, logged, and analyzed by a third party. You don't know what your ISP is doing. Most people just kind of sign that contract and assume that the ISP has their best interest at heart, but, and I'm not saying
that ISPs can be evil, but if they wanted to be, there's a good chance that they could do a lot of damage, or your roommate who also is on your wireless network could do a lot of damage, assuming how close you are with your roommate, or the guy next door if you're using WEP. So essentially what
I'm trying to say is there's a lot of ways our phones could us. What I really am specifically focusing on is Android application security, because a lot of people have done the computer thing, a lot of people have done laptop forensics analysis, etc., but something that we don't realize is we've got this essentially supercomputer in our pocket. I mean, when I first had my first computer, and I'm not gonna say what that was, but it's like a tenth of the processing speed of my current phone in my pocket, well, in my room 'cause it's not on, and people don't realize all of the fascinating things that they have on their phone and what their phone knows. So we look at it, and if someone wanted, uh, I mean, our phones have a lot of things. If you're doing GPG encryption and trying to decrypt your phones or your emails, I mean, that's assuming that you're a naturally secure-thinking person, let's say you encrypt your emails. It's on your phone; you have to have your private key on your phone to decrypt your emails. If you're not a private-thinking individual or secure-thinking individual, you're just sending your emails over your network connection. Ah, you have emails, usernames, GPS, etc., etc., and more. And so when I first got into this research I thought, "Oh, you know what would be really cool? Let's build an evil application," right? Like something that would be like a Back Orifice for phones, which I think some other presenters at DEF CON have actually done, which is awesome. But when you make that application, it's not really silly, because as long as you can get the user to press
OK, uh, done, right? I mean, how many people with smartphones scroll through their phone, they're like, "I want to play this game," scroll, scroll, scroll, OK. I mean, I don't know if you guys watch South Park, that's what the, there's a whole episode on the HumancentiPad where someone didn't actually read the EULA. Oh, God forbid someone read 39 pages on a short level of dense legal text. That doesn't happen. And so anyone can build an evil app, put it on the market and say, "Hey, you should download this," and anyone could execute it, and it could export a lot of bad information. And we know this is bad, right? There's a lot of companies out there that do a lot of great things trying to prevent malware, evil applications, etc. But then I got thinking, you know, OK, so we know evil applications are evil, but what about
regular applications? I mean, when you get your Android phone you think, "Oh, OK, first thing I want to do, I want to stream music through Pandora," right? I mean, it's really awesome having an unlimited internet radio station on your phone. And then you play with it a little bit longer, then you're like, "Oh, sweet, I've heard about Angry Birds." Who here loves Angry Birds? I'm not gonna lie, I use it. You're sitting in a meeting, you're sitting in your office, you're on the phone with your boss, and you're just playing, not that they know you're playing it. But the fact of the matter is you're thinking, all of these apps, I've paid for it or not, but I've downloaded from the Android application market, and it's a game. What I've downloaded is a game. But what you don't realize is you've downloaded a little spy in your pocket. Now some previous
research has been done by the Wall Street Journal and by a man named Aldo Cortesi, and I'd like to meet this man, who's done a lot of great things. But basically, I mean, I was even gonna call my original presentation and joy the spy in your pocket. Wall Street Journal, been there, done that. Ah, they've done a lot of great research saying what these applications are sharing, uh, and how they're sharing it. And so to get back to kind of the privacy side of it, um, in terms of privacy, we don't realize how much we share about our life. So we think, you know, all these companies have anonymized data, and one of the best examples is with Apple. You have a UDID, I think, yeah, and it's basically an anonymized number that says, "Oh, I'm me, but I'm not actually Eric Fulton." It's just, you know, the company doesn't know who I am, they just know my number. Well, that's cool, but there's companies out there in the world where their whole idea is de-anonymizing who you are, like figuring out, "Oh, this guy that lives in Montana, that loves Doritos and Mountain Dew and also travels to these places, is this number," and they can easily tag it as Eric Fulton, because I love Mountain Dew. And so as part of this I thought, all right, well, let's start looking at these applications, these applications that I blindly trust, that I think, "Oh yeah, I totally believe these people." So, scientific method to the rescue. What I wanted to do was create a reproducible kind of project that someone else could look at, and that I could do with standards, that would kind of display what our applications are sharing. So we've got all the basic things there, and the question I asked was: to what extent do participants in the cellular ecosystem, so OS creators, app creators, carriers, etc., respect privacy? Now, my research, I've only got as far as Android, but I hope to get to Windows phones and to BlackBerrys and to iPhones, but right now we're going to focus in on Android phones. So my hypothesis was, in
terms of respecting privacy, what do they do? And I thought, you know what, software applications and operating systems transmit your private information. I mean, to a certain extent it's built in, that's what they're supposed to do. When you log into your Facebook you kind of have to give Facebook your username and password. But what do they give to third parties without your knowledge? What do they give to advertising partners? And more so, what are their advertising partners that these companies blindly trust collecting about you? And so I thought, I bet you they're sharing the standard, you know, usernames and passwords and things that personally identify you. I mean, it's part of the application. But when you think about it, when you're searching for something on Google, why does Google need to know your location? And to a certain extent, for a business purpose, you know, it's helpful. They need to know that I am in Las Vegas right now, and when I search for Batista's restaurant they know, "Oh, restaurant in Las Vegas." But at the same time I have no really real option of turning that off. I mean, I know Google says, "Hey, if you want to turn off your location data, your GPS, etc., we won't collect it," but we don't realize, and what I found out later was, is that they kind of are, but to maybe not the GPS extent, to a different extent. So for
this experiment I built a lab, and for this lab I want to install and use apps on the Android phone, I want to capture their packets, analyze these packets, and then profit, or at least give a DEF CON presentation. Um, thank you. So I built a lab. I thought to myself, I've got this great idea, I've got this great hypothesis, what do I need? Well, I bought a femtocell, an original Motorola Droid, a wireless router with DD-WRT on it, a sniffing laptop, and an internet connection. I was like, I am ready. Turns out you don't need all that stuff to do this analysis. As I went along I found out I could have done a lot of it in the emulator, which would have taken nothing, but it allowed me to buy some cool using the office company card. Well, thank you, I'm happy about it. Um, so I bought the femtocell thinking, all right, when I am using my phone I want to collect the cellular network traffic in addition to the regular network traffic, 'cause I was thinking, you know, if I'm an app creator I don't want people tweaking with my stuff, and generally, I'm gonna use the word generally, cellular networks are safe. Um, and so if I was an app creator I'd be like, "Oh, no, no, no, no, no, I won't send sensitive data over Wi-Fi, I'll make sure it's over the cellular network, because it's a lot harder to tap." And so I was like, I'm gonna buy a femtocell, I'm gonna intercept that. Ah, and then I bought an Android phone because I was like, this is cheap on eBay, and then I already had the router and the laptop and the internet. Well, it turns out, after doing a bit of research, and I didn't delve too much into this, that app creators aren't that sheisty yet. All I had to do, I didn't have to register for the cell network, I was just able to pop over my phone, turn on Wi-Fi, get to the Android Market and start playing around, which was absolutely great. So I created
this amazing testing methodology where I would take the applications, I would purchase and install them, I would have initial usage, regular usage, and then uninstalling the application, for each application, because then I would know what traffic's going on at exactly what point. And then during the operating system tests I would have first usage, so when you first install on your phone, light usage, and then regular idle time, and then when I've reset the phone, right? I mean, it seems like I would cover just about every aspect of every application and the OS, so that I would make sure I won't miss any shy sees that went on, because I thought to myself, you know, if I were an OS creator, every 30 minutes I'd want to know where you are at, or if I'm an application owner I might be like, "Hey, every 15 minutes, who have you called in the last 15 minutes?" So this is my amazing original testing methodology. What actually happened was I
just took a massive pcap file for each app, sslstripped it, tcpdumped it, and made a drinking game out of it, in true DEF CON fashion. But you guys weren't hungover, so maybe that's not true DEF CON fashion. Uh, and so for the apps that I
tested, I thought, all right, I'm gonna do a mix. Um, I'm gonna do Angry Birds, uh, as I used earlier; this really sketchy Chinese app, I don't read Chinese and I was like, well, that looks sketchy, haha, ah, it's kind of my sketchy test; uh, and then random applications that no one uses, so I like, I scroll how much majors down; I got the main ones, Facebook; I got just browsing the web on Google, and that actually, uh, happened by accident, but I found some fascinating things so I decided to keep it in; and Telep eyelet, which is a if I an airline pilots Abba application abusing logbooks; Mousetrap, which is a game; Pandora; RedPhone, which is an amazing application created by Moxie Marlinspike, and if you guys don't know of this, it's a little app on your Android phone that you can have secure conversations with other people, and I thought, you know, I like Moxie, but I kind of want to see if he's doing anything there. Well, we'll find out more about that later. Um, and then Words with Friends and Zynga Poker, because I'm absolutely addicted to Words with Friends, and if any of you guys play Scrabble you'll know. Oh yeah, and I digress. And so it's obviously a work in
progress. I have a lot of applications I'd like to test, I have a lot of different operating systems I'd like to test, and basically what I've been trying to work towards is a standard methodology, so that I can kind of hammer through it when I'm not working, which seems to be rare. So what I have to work
with is a bunch of pcap files and sslstrip outputs, and the reason I did this was because I figured, you know, if I'm an attacker it's really easy just to run sslstrip, so let's just assume SSL is useless. And so I decided to take all the information that, if someone were attacking you, or if they were a corporation, etc., would have. Now, later on I want to see absolutely everything sent back to the company; I'm going to add a root certificate to the phone and just collect all the information. But for right now I've got a bunch of packet captures and sslstripped outputs, and that alone has proved very interesting. So let's start analyzing.
With each packet capture I first peered around with it in Wireshark, I analyzed some of the conversations, some of the IPs being addressed, I ran strings, ran grep, pretty easy Linux stuff, and then I did some DNS play and I did some Argus flows. So first, Wireshark.
If you guys haven't done any network analysis, Wireshark is kind of the de facto GUI tool. It's really nice just to kind of poke around and scroll, and you can just visually look at and see Alice's HTTP traffic, DNS traffic, etc. That's a good starting point, kind of give you a feel for the lay of the land. But command-line tools are more powerful, and so I moved to tshark. And so I
wanted to basically read the packet captures, look around, see what was happening, look at some of the hex, what's being talked to, and the conversations that are happening. And so I ran tshark, it's up on there, and I tried to see what are these applications talking to, who are these applications talking to, what services are they using, who are they sharing it with, and then I whois'd like a mofo. So if we don't take one
specific example, we can look at Zynga. How many people here know who Zynga is? Oh, nice. So I should assume, this is DEF CON, you guys are smart. Uh, and to reader for those who didn't raise their hands, Zynga is kind of the new mogul, if you will, for Android games, most games on Android, and OpenFeint on Apple, or yeah, I think it's OpenFeint. I mean, in any case, Zynga makes a large number of those idle-time games, those games when you're kind of sitting down, as I stated earlier, uh, and you just kind of, you know, you don't have anything to do and you want a game that you can play for five minutes, or you're on a conversation, a little bored, you can play for five minutes, and they're wildly popular because people have a lot of idle time. And so I took a look at Zynga and I was like, who is Zynga talking to? Well, if you look at the screen, and I'm not going to read each one out, there's a lot: there's Tapjoy ads, Midas step towards a, Facebook, Facebook, Facebook, Facebook, Macromedia, Adobe. And when you look at this, there's a couple on there that you're curious. I mean, this was for Zynga Poker, and so you're playing poker on your phone and you don't really expect for it to call out to Midas Moby. What does this company do? What does em khoj do? What does Tapjoy ads do? What information is being sent to these third parties that you have absolutely no idea? And this is where we draw in on the privacy element. When you downloaded that application for poker, did you really understand that you're going to be sending your statistics, your Android version, your location potentially, to Zynga Poker? And why do they need to know it? So this kind of
like, this really begs the question: what is being sent on your phone without you knowing? I mean, now that I brought the question up, you guys are thinking like, "Oh, what apps do I have?" Well, one of the easiest quick and dirty
ways to look at a packet capture file and see where it goes is strings. strings just basically outputs text strings that are inside the packet capture file, or any file for that matter. But basically what I did was I looked for interesting things, and you'll see on here one of the first things I did was the HTTP, trying to see what websites are being contacted, and then I had a couple key phrases, and I did this for a couple reasons. One, I don't want to have to go through every packet capture file trying to figure out what password was what and why was going through, so I made some basic things to look for. I made woot DEFCON my password and I made my username droid net dot for
Ren at gmail com. And for those of you thinking, oh, he left the pass, he just displayed it, I'm gonna go log in: yeah, I did. I don't care. Um, have at it.
And so basically I'm not using anymore.
basically what I did was, is I had, I put these, kind of like a little, like these cookies within the packet capture file, so I could instantly grep for, grep for woot DEFCON, right? Because I was so excited this was coming up, I was making my password that, and I could instantly see where my password was shown. I could instantly see, rather than trying to figure out what's their password field called, or is it in their GET parameter, the POST parameter, whatever, I just go: is woot DEFCON going over the wire? I also did it for my email address. Well, when we look at it, woot DEFCON is definitely going over Facebook, obviously. I mean, you have to log in to your Facebook to actually get the alerts that you want to see about your best friend and their update on how they're so excited for a Friday. But what we didn't realize is, is that Facebook, Words with Friends and Zynga Poker are all sending my email. Again, something to be assumed, but, but beyond that, any attacker can capture this. And this is, and this is where I really tie in the privacy on it, and this is where privacy kind of intercedes with what I'm doing. So we have it to where, as an attacker or as a man in the middle, I now know potentially your password for your Facebook, your Facebook URL, domain name, etc., all because you're playing poker. I now know potentially where you're located, potentially what you're doing, potentially where you're at. And so
when we delve in with Words with Friends we can see a lot of very interesting things. And so this is an output that I got from running strings on Words with Friends, and again, this is all, this is all very simple stuff. I mean, I'm not doing extremely advanced packet analysis, but if you guys would like to know more about that, I would highly recommend the network forensics contest. But this is, I mean, this is quite simple. If you, if you have a Linux VM or Linux box, you can all do this. And so I ran strings on the capture file that I had, and I found this: I found Words with Friends, and sending a couple of interesting things. One, they're sending the network that I'm on, so they know whether I'm using AT&T, T-Mobile, Verizon, etc. So now they know that my phone is Verizon, they know that, well, and they know that a millennial, which I found was kind of weird, I think they're guessing. But they also know what my build version is for my Android, they know what app server I'm using, which I'm guessing, and some of these are hypotheses and some of these are facts, but on this I'm guessing that they know where I'm located based on my, my distance to the ad server. They know what screen resolution I'm using, what language I'm using, etc. And from my testing, some of this didn't quite show up because I hadn't fully set up the phone, so they weren't able to send a couple of things because I didn't have anything in there. But it definitely lets you know what they're, what they're sharing. And so when we continue on, okay,
well, they've got my email, they also have my device ID, they also know that my last word was "about" and I got 18 points for it, but that's to be obvious again. Sorry, I thought jokes would go over better at 10am. Ah, but, but in any case, so they know the timestamp of when I'm accessing it, they know my email, they know my device ID, etc. And what's important about this? Well, I can only assume that my device ID is only my device. I can also assume, or I feel safe assuming, that Zynga has a number of different applications, and in every application they know that my device is using that. They know that I'm using their game one, two, three and four. But then we tie this in with kind of a larger ecosystem issue, is that advertising is kind of the, I would almost argue, one of the largest eroders of privacy, because they want to know as much as possible. They want to know exactly who you are so they can market directly to you. And so we take it from Zynga and we move to a higher level of the advertising agencies that sink a leaves us out. Well, now that they have my, my device ID from Zynga, they can also tie it in with, maybe if I'm at a website, if they can pull my device ID, maybe if they're elsewhere they can pull my device ID, and then all of a sudden they can tie all these different disparate pieces of information that I never really thought someone else would be collecting, and they're starting to put it together. Now, continuing on the theme of strings, and this is the one that I, I had no idea and I really do not appreciate: when you on your Android phone go to Google, and if your Wi-Fi is on, Google instantly knows, and it sends back to home all the Wi-Fi
access points around you. These are the people that live around me. They're creative people. Um, I mean, and how many of you knew, every time you're going, oh, what's around me, I want to google for something, boom, open up a web browser, oh, my Wi-Fi is on, oh, Google actually knows all the Wi-Fi access points that are beaconing, right? No one really thinks of this, and they think, oh, oh well, that's fine, I mean, what's some Wi-Fi access points? But if you guys have heard of Skyhook, what Skyhook basically does is it uses Wi-Fi to geolocate people, and Google's trying to essentially squeeze Skyhook out of the market, or at the very least not pay them, because they're going, okay, so if you're at this location and these wireless access points are around you, if you're using an application and you can all, like, if someone else is using this application and they can see this Wi-Fi, they also know where you're at. And so you don't even have your GPS on. Let's say you're super paranoid person, you're like, no, no, no, my GPS is off, Google will not find me. Well, now they know what wireless APs are around you, they also know, because of those wireless APs, exactly where you're located. Kind of scary. What's also sent
to Google, and I totally, totally anonymized this, the Xs are me, because that's my exact address. I, I was looking through the captures and I was like, dev lock, what's that? Is that like the, my, my, my phone is locked? It's actually device location. And when I have my GPS on and I am browsing to Google, and mind you, I am just browsing to Google, they instantly know where exactly I am, pinpointed to a dot I could unite its. I mean, I remember back when GPS was kind of sketchy, be like, oh, you're in this area, but they are, you are standing right here, to that many Xs worth of latitude alone, latitude and longitude null lines. Scary. They're also sending a bunch of other information that I haven't decoded yet but I plan on looking through, but at the same time, I mean, there's a lot of easy stuff to be picked out right away. I mean, why does Google need to know my specific exact location when I'm browsing? And again, you could say, oh well, it's useful because they need to know, when you search for pizza, what pizza is nearby. Completely agreeable. But then we have to move a layer higher in terms of privacy. Well, because Google is collecting my location, who are they sharing it with? Who else knows where I'm located when I'm browsing for pizza? Do they share with their advertisers? Do they share the time that I search for it with? And then you start to think, this is getting a little creepier: advertisers now know when I've got a hankerin' for food, or whenever I search something they know where, or potentially know where, I searched for it at, they know what time I searched for it, and they can start to build a profile about you. And I mean, I personally, in terms of privacy, I think that we shouldn't have advertisers that know your most intimate detail without you even understanding what you're sharing. Google doesn't instantly say, hey, if you don't have your GPS on, we'll just send us Wi-Fi access points around you, if you turn off GPS location assistance for web applications, we're going to send your Wi-Fi to try and guess
where you're at. They don't allow you to turn that off.
We also continue through and we get a little bit more interesting information as well. We have the LAN MAC address, the LAN MAC address, the WL MAC address and the LAN IP, what type of wireless you're using, what type of protocol it's using, what the active wireless is. I mean, and I could keep reading through it, and I just, just for no reason Google knows how long I've been up, how long the uptime has been on my device, the actual IP of it, the load average, etc. It may, might I reiterate that, you know, all of this just because I popped open a web browser. It's, it's, it's quite crazy and it's insanely disturbing in terms of privacy, because
you think, why do they need to know this? Well, now we're going to look at why data
is collecting, and I'm hypothesizing here. We've got advertising. We've got statistics, because obviously they want to know, are you using your application, what you're using it for, etc. We have advertising. We have legitimate business purposes, so maybe an application needs to know what version of Android you're using, using, so it's effective. We have advertising. We have things that can increase the value of a service, so I mean, it's a helpful when you for pizza that they search for pizza near you. We have advertising. And I hope I made my point here, as you guys have caught on, I'm repeating advertising over and over and over, because advertising is again the number one reason why they collect this information. And maybe, and maybe they could collect it without advertising, but it's number one reason that they use. Why'd you need relocated? We need to give you the correct ads. Why do we need to know Wi-Fi around you? Well, I mean, that helps us find your location, which helps you get proper ads. Why do you need to know my device version? Well, I mean, if we're going to run an ad on your screen, we need to know what resolution it's at. It's creepy. So in terms of men of this, what about man-in-the-middle attacks? Traffic can be intercepted, you can use sslstrip, exploits, etc. And so just from sniffing your traffic, from you hopping on my Wi-Fi point, I know you haven't applied your latest carrier upgrade, I know you decided to root your phone and put Gingerbread on it from a certain model like community, I know exactly all what device you have, where you've been, etc. And hackers, this is all very, very fascinating information, right? If I know that you're using a phone that your carrier decided not to upgrade and that there are active vulnerabilities in it, I also know that I can screw you. I know that if I have one of the exploits probably released at DEF CON, or that I made myself, targeting the Sholes platform with or against Gingerbread, I know I'm gonna have a hundred percent effective, right? And I know
this just because you're playing Angry Birds on my wireless network, or, not that I've done this yet, um, you happen to be within a certain foot range of my femtocell and are on my cellular network, but that's a whole nother talk. And so I kinda want to go back to the original question I asked: to what extent do participants in the cellular ecosystem, app creators, OS creators, carriers, etc., respect user privacy? My answer: not very much.
And the reason for this is that no one's really called out for it. And I don't mean to wax too poetically, I mean, we're at DEF CON, I think a lot of people here really believe in privacy. We've got the Electronic Frontier Foundation, who fights for our privacy, and yet for convenience we sacrifice our privacy. For the ability to google something out of your pocket, to run the little location GPS on your phone to find out where you're going, to do any of these things, you're sacrificing your privacy. I mean, and that's fine. I mean, if that's something that you want to do and that you're comfortable with, that's fine. But myself, I don't like Google knowing my neighbors have very creative wireless access point names. I don't like Google knowing exactly, exactly where I'm located when I browse the website. I don't like, when I use turn-by-turn navigation, Google knows exactly when I'm taking those turns. And I don't mean to pick on Google, they're just, they happen to have the phone that I was able to obtain. You can only postulate what's on an Apple iPhone, what's on an, either a BlackBerry, etc. And the greatest time with this is that, in terms of privacy, all of these companies, and let's assume a beautiful perfect world, all of these companies believe in your privacy, which is patently false, but let's say they do. Well, aside from that, what about the people that have access to your traffic? As I stated before, I did all of these, let me, let me go back a little bit, I, I ran strings and collected all these
packets so, so long ago on my own network, and I was able to analyze this. But how many people are able to write filters, put out a Wi-Fi point, put out a femtocell, and as soon as you walk by you've instantly shared so much information about yourself? I mean, if someone walked next to you and asked to rifle through your wallet, what would you say? No, no sir. But if you just happen to walk by a store and they happen to know certain details about you, they could change their advertising. Um, going
forward, I mean, I did, and this is, this is kind of near the, the postulation stage. All of this information is available, whether companies are, and they're not protecting it. This is all sent in clear text. So if you were to hypothesize into a future where, and I hope I'm not giving these people ideas, this is just where my own head is gone: imagine an idea where on your Android phone it's sharing all this information, you happen to wander past a supermarket, and all of a sudden you're saying, oh, I really do feel hungry for Mountain Dew, I do really want some chips. I understand just said hungry for Mountain Dew. I'm very thirsty for Mountain Dew, 10 a.m. on a Sunday. Um, all of a sudden I see an advertisement that says Mountain Dew, really cool, and I think myself, oh, perfect timing, I'm gonna get myself some Mountain Dew, right? But is that is exactly right. I mean, I may have bought the Mountain Dew beforehand, but it's almost an abuse of trust and an abuse of your privacy to take a look into your private thoughts and your phone and to share it out with the world. I mean, let's apply this towards politics. All of this information is bought, sold and traded, all this information that's being shared on your phone that you don't quite realize. So all of a sudden I'm someone in politics and I'm like, you know, I want to be the perfect politician. Well, I've got these advertisers over here that are allowed on all these applications that you downloaded and use, and you're like, oh sweet, I want to use the free version, it's ad-supported, rather than paying a dollar ninety-nine. But when you do that, you give away a little bit of privacy. It's not just you're giving away, oh, I'm gonna ignore that ad. You're giving away your privacy, and they take this information, they take what device version you have, where you're located, where you've been, what you like to buy, what you like to search for, and they correlate it together. It's their goal to find out who you actually are, because when these companies, these companies might have your
best interest at heart, they might say, hey, we don't collect your real name. But when someone else buys this data that's in your unique ID, they correlate it with other public data and they kind of jumbled it all together, they know who you are, they know where you live, they know your favorite color. And so taking this along the political idea, imagine a future where politicians know every constituent in their district. They know this because their cell phones are in that district. They know this because all of those cell phones have exposed what everyone does. They know what people search for, they know whether they read The Huffington Post or Fox, they know what percentage of people do this, they know what grocery stores you shop at. And they can take this data, they can take this data that's been correlated along all these different avenues, they can combine it and they can go, oh hey, my district is sixty-eight percent likely to vote Democrat or Republican. Okay, or no, let's listen to something closer. It's like, oh, my district is fifty-five percent likely to vote Republican, but most of those people, like ten percent, are not likely to vote, which means I probably need to pitch myself towards the Democratic side. Okay, well, if I'm pitching myself towards the Democratic side, I see that most of the people on this side are value shoppers, they like to shop for the value brands. Well, now I shop for the value brands, I talk about value when I talk to my constituents, I make them think, oh my gosh, this politician is, is me, I believe in them, I can, I can affiliate with this person, I'm going to vote for them. But what they don't realize is, whoever this person is, they have tailored themselves meticulously to look exactly like the person that these people want, or that these people are, that these people would want to see. This is, this is the power that correlating data has. This is the power that just using these applications on your cell phone, by sharing out your device ID, your location and the Wi-Fi access
points, can share. So kind of tying
back to my hypothesis, I said software applications and operating systems transmit private user information to the author third parties without the user's knowledge and consent. So I mean, throughout this talk I've stated personal data, identifying data sent, whether it's encrypted or not it can be SSL stripped. And there was some data, and actually to talk it a little bit, I promised you a little bit about some of the applications I did. I did test RedPhone. I did take a look at, hey, you know, I know Moxie believes in privacy, but does he put his walk, or does he, I mean, walking the steps that he talks? And I actually couldn't intercept his traffic. Fascinating. And I was like, well, let's look into this. Apparently Moxie, having broken SSL, knows how to secure a, and he does. So it's definitely doable. These companies can make your information private, they, they can make it so that I can intercept it on the wire, but the problem is they don't. They view it as not important data, or I mean, maybe not necessarily not important but not sensitive. They don't take the time to protect it, they don't want to invest in servers so they can encrypt it over the wire. And so I thought, okay, I mean, and even if they do, it's still exploitable: Facebook application, you can use sslstrip, username and password, boom, done. Applications and usernames, passwords, contact lists, location data, usage statistics, timing of activities and other content kind of give it away.
So were, were we right? Yeah. Uh, we
right on all of those counts, all of them. And this is only using very basic packet analysis on these applications. And, and, and when I say basic, I didn't want to make this talk overly technical, because I hope to make it a bridge between kind of the more technical field of network forensics and the non-technical field of privacy, and kind of merge them together so that there's a little bit for both sides. But if you're a privacy advocate, I would highly recommend you taking a look at network forensics, being able to look and see, hey, what are applications sharing, what are these operating systems sharing? When I go to google.com, did I know my Wi-Fi access points are showing, did I know my IP address is showing, etc.? And that was all with very, very basic testing. And so to kind of conclude, I
don't think a lot of people realize your smartphone erodes your privacy, and you agreed to it. And that's the worst part: you agreed to it. It's allowed. And until people start saying, hey, companies, we don't want information shared, you don't need to know the wireless access points around me when I'm trying to look for something specifically, even when I said I don't want location data shared. But the problem is you agree to it. You scroll through the pages and pages and pages and stuff and said okay. And even beyond that, a lot of people don't understand the importance of the data they're sharing. They don't understand that when they're sharing this information, they're sharing it now with the world. Well, no, they are sharing with the world, sharing with everyone. And then they think, I mean, they just build it up and they say, oh yeah, well. I'm sorry, I'm starting to digress from my original point. Essentially what I want to say is, is that information, what can be seen as, as benign information that companies collect, can be intercepted, it can be taken by that original company, it can be correlated, it can be tied to you, and it can be used for nefarious purposes, and then you should be aware of this. And if you're curious about more applications, what I'm trying to do is I'm trying to build out
for my original research. Essentially what I did was a very manually intensive, time-intensive process. I am working on manually, or automating that process. I would like to have an emulator that downloads and installs every application of the Android Market, runs it through its paces a little bit, analyzes its packet capture data for passwords, other, yeah, I would say sheisty-looking information, but important information, and can go through each one. And that's what I'm going to be working on. What I'm also going to be working on, and, and what this is kind of hinted me towards, is advertising. It's, it's, it's kind of nether region that, and maybe this is just me, but I didn't quite realize the fact that there are tons and tons and tons and tons of ad networks on every page looking at everything you do. And you might think, oh okay, when I browse from Engadget over to Slashdot, there's, those are two separate websites. But what you don't realize is that one advertising company has a cookie or an ad on both of those websites, and they're able to see, oh, when he was done reading Engadget he hopped over to Slashdot, this guy's a nerd, I'm gonna advertise to him nerd products. I mean, and it's effective, and there's a reason they do it: they do it because it's more effective and they make money off it. And to a certain extent, I mean, having targeting advertising is useful, but to another extent it's just, it just gets creepy because the way that the information can be used. And so in terms of, in terms of mapping out these, oh sorry, so in terms of all this, what I'd also like to do is I'd like to map out these ad networks. I'd like to find out who's talking to whom, where the server's located at, who has access to what information, and what can happen from that. So that's where I'm hoping to go. I hope I've shared a little bit with you guys, a little bit on the analyzation of packet captures, finding out where your information is going, some of the information that is being shared. And I'll definitely be available for
talk in the Q&A room 3. I've got a lot more technical data, but I just kind of chose to, to keep it simple for, for you guys so I could kind of focus on privacy and in the intersection of that. So thank you very much.
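
The canary check described in the talk (plant a known password and e-mail address in a test account, then search the capture for them) can be run against a capture of your own device's traffic. The following is an added Python example, not the speaker's code: the canary values, host names and capture bytes are constructed, and it goes slightly beyond plain `strings` and grep by also matching URL-encoded and Base64 forms and attributing each hit to the HTTP `Host` it was sent to.

```python
import base64
import re
from urllib.parse import quote

# Canary values planted in a throwaway test account (constructed).
CANARIES = {"password": "wootDEFCON", "email": "canary.user@example.com"}

_B64_EMAIL = base64.b64encode(CANARIES["email"].encode())

# Constructed stand-in for raw capture bytes: cleartext HTTP payloads
# surrounded by binary framing, as they would sit inside a capture file.
SAMPLE_CAPTURE = (
    b"\x00\x01\xa1\xb2POST /login HTTP/1.1\r\nHost: game.example.net\r\n\r\n"
    b"user=canary.user%40example.com&pass=wootDEFCON\x00\x17\x03"
    b"GET /ad?uid=" + _B64_EMAIL + b" HTTP/1.1\r\n"
    b"Host: ads.example.org\r\n\r\n\x16\x03\x01\x02\x00opaque"
)

REQUEST_LINE = re.compile(rb"(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]$")


def printable_strings(data, min_len=4):
    """Yield runs of printable ASCII, like strings(1) with its default length."""
    for match in re.finditer(rb"[\x20-\x7e\t]{%d,}" % min_len, data):
        yield match.group()


def variants(value):
    """Encodings a canary may travel in. Base64 only matches when the value
    was encoded on its own, not as part of a longer buffer."""
    raw = value.encode()
    forms = {
        "plain": raw,
        "url-encoded": quote(value, safe="").encode(),
        "base64": base64.b64encode(raw),
    }
    return {n: f for n, f in forms.items() if n == "plain" or f != raw}


def scan(data, canaries):
    """Return (host, canary label, encoding) for every cleartext sighting."""
    findings, host, pending = [], None, []
    for s in printable_strings(data):
        if s[:5].lower() == b"host:":
            host = s[5:].strip().decode()
            # Hits in the request line precede that request's Host header.
            findings += [(host, label, enc) for label, enc in pending]
            pending = []
            continue
        in_request_line = REQUEST_LINE.search(s) is not None
        for label, value in canaries.items():
            for enc, form in variants(value).items():
                if form not in s:
                    continue
                if in_request_line:
                    pending.append((label, enc))
                else:
                    findings.append((host or "unknown", label, enc))
    findings += [("unknown", label, enc) for label, enc in pending]
    return findings


if __name__ == "__main__":
    for host, label, enc in scan(SAMPLE_CAPTURE, CANARIES):
        print(f"{label} ({enc}) sent in cleartext to {host}")
```

An empty result only means the canaries were not seen in cleartext in these encodings; traffic protected by TLS or using another encoding will not match.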