
These Guys Will Hack Your Phone to Reveal Who It's Secretly Sending Information To

Tech journalist Geoff White and ethical hacker Glenn Wilkinson show audiences how to take cybersecurity into their own hands.

by Rose Lewenstein
Apr 22 2015, 5:00pm


Geoff White (left) and Glenn Wilkinson (right). Photo by James Snell.

This article originally appeared on VICE UK.

Most of us don't think twice when we connect to a WiFi network or download a new app. I didn't. I trusted, to some extent, that the relationship between me and my phone was exclusive.

Turns out my phone was lying to me. My data, my network, my searches—they weren't just between the phone and me but instead between me and several thousand companies I've never heard of in countries I've never been to.

To help people understand what's really going on with their smartphones, tech journalist Geoff White and ethical hacker Glenn Wilkinson have teamed up to create The Secret Life of Your Mobile Phone—a one-hour performance on interception technologies. I met up with Geoff and Glenn to find out what my phone has been playing at.

VICE: Tell me about what happens in The Secret Life of Your Mobile Phone.
Geoff White: Effectively, we take an audience of people and, with their authorization, we hack their phones. Glenn's software tricks the phones into connecting to our network. We then start seeing all the information that's flowing off those phones. We stick it up on a screen, then we start pulling it apart.

Which companies are you sending information to? Here's a list. Where are they in the world? Here's a map. What's actually in those packages of information? And so on. It's basically showing people the places their phones are communicating with in real time.

What kind of software do you use?
Glenn Wilkinson: "Snoopy" runs on any Linux type computer—my laptop or my phone, for example—and it passively listens for WiFi signals.

Basically, we have two levels of interaction with the software. One is passive, where it just listens and your device has no idea that it's listening to you. That gives us two bits of information: the WiFi network you're looking for and also a unique serial number for your device that's called a MAC address. And then by looking at the names of the networks, I can figure out certain information about the individual. So it kind of puts you into an immediate demographic.

That's all fairly passive, but the final bit is really interesting. It's possible sometimes to geo-locate the names and networks you're looking for. So if your device is looking for something fairly unique, like a BT Home Hub, we've got a method using this database from a website called wigle.net to figure out where you've previously been and whether you're a high roller or a low roller.

Geoff: And that's basically listening to what the phone is willingly giving out. Phones are programmed to give out all sorts of information. Listening out for that and receiving it is perfectly legal.

Is it really?
Geoff: Passively listening is one thing. If you then start taking those signals and effectively tricking the phone into connecting to what it thinks is a friendly network then you're intercepting traffic. And if you don't do that with the authorization of the person who owns the phone, you've broken the law. So in the show, we tell people specifically what we've done, how it works, and then we check that they're OK with it.

How did "Snoopy" lead to you both creating and developing the show?
Geoff: At the time I was working on a project for Channel 4 News which was all about how personal data is used and manipulated, and I saw this software and I thought it was fantastic; you could do so much with it.

We went to Latitude music festival and wanted to do a demo of the kind of stuff we'd been working on and people were just fascinated by it. The penny dropped—I thought we could not only do this to people's phones, we could do it live, and we could actually start answering some of the questions about where this data is going and how it's being used. And that's when we set up The Secret Life of Your Mobile Phone.

Who actually collects all this information and what do they do with it?
Geoff: The great thing about WiFi is that it's an open technology. Anyone can set up a WiFi network, anyone can connect. But what that means is that lots of people, without any special kind of authority, can start hoovering up signals.

This technology is already being used in the real world. Shopping centers use it, city councils use it. But all this information flies off from your phone all around the world. So you're not just communicating with Facebook or Google, your information is going off to advertising companies you haven't heard of and in countries that you never knew you were communicating with.

When you use the internet via your phone, as many companies as possible are trying to harness bits of your information. They want to know which websites you visited, how long you stayed, whether you bought anything. They're basically trying to build up a picture of you so that they can better serve you with advertising. So you start to get this situation where people are being sectioned off and categorized without their knowledge.

Some of the figures from the Channel 4 News project you mention are pretty mind blowing—over a 24-hour period it sent out more than 144,000 packets of information which flowed to and from over 315 computer servers around the world. Does this mean that our phones can be exploited even when idle?
Glenn: Yeah, absolutely. The first example I can think of is the smart dustbins around London. It turned out there was a WiFi device inside each dustbin that was doing exactly what "Snoopy" does—detects which WiFi networks you're looking for, identifies you uniquely, and figures out what advert to display for you. Depending on your point of view, that's not as invasive as other possibilities, but I think those were shut down after a public outcry.

The more invasive stuff? The company I work at is an information security company, which boils down to hackers for hire. Companies pay us to look for weaknesses in their systems and we actively use these techniques in our engagements. So if a bank says, "Please come break into us so we know what our weaknesses are," this type of attack is one of the first ones we do because it's really easy. I don't even need to go through the front door.

Geoff: If you look at the way these kinds of technologies shape up, they're quite expensive and difficult at first. Not a lot of people understand them. But as the technology gets easier to use, it starts to get down to the cybercrime level. You get this trickle-down effect. And in the end you have almost a 'plug and play' situation where you can, with very little skill, download this stuff and get cracking.

Practically, what can we do about the fact that our smartphones are essentially tracking our behavior? Like, what button can we press?
Geoff: The off button!

Glenn: I think there are two or three places on the planet where there's zero electromagnetic or radio frequencies. Somewhere deep in the Amazon is one spot where there's no cell, no satellite, no coverage at all. But in general there are practical things you can do. For example, be vigilant of which networks you connect to and understand that once you've connected to a network, your phone will remember that network and keep shouting its name out. It's a good idea occasionally to just flush all of them.

Possibly the biggest piece of advice for deterring local attackers is to use a VPN, which allows you to make a connection from your phone to some secure server, maybe in a different country. And there are lots of apps that allow you to filter cookies and block adverts and that kind of thing.

The overarching problem we've found is that it always boils down to convenience versus security. And most people, myself included oftentimes, would rather have convenience. So I can flush all the networks and I can use a VPN and I can put on my tin foil hat and be super safe, but that's a lot of effort.

"The overarching problem is that it always boils down to convenience versus security. And most people would rather have convenience."

So what's more important—convenience or security?
Geoff: Here's the question—if you could be guaranteed that you were never going to be mugged again, but in order to do that you'd have to wear a head cam that was filming you at all times, would you do it?

I wouldn't.
Glenn: Me neither.

Geoff: But this is the basis on which a lot of technology is being rolled out. It makes you more secure, it's more convenient, and it will give you better advertising. Personally, I think taking your own security into your own hands is a better solution than that. So doing the things Glenn says and trying to put up some walls between some of these services.

It's not easy or comfortable or fun to be told this, but you're getting a great deal. Fundamentally, we have access now to technology that's just way more advanced than anything we could have even comprehended 15 years ago. That's great, it's amazing, but the cost of that is you have to take responsibility for it.

If you want any functionality beyond texts and calls, you sign up for the whole deal; for every bit of information being gathered from you. And the terms and conditions are astonishingly wide. And nobody reads them.

The present is already feeling kind of dystopian. What do you think the future holds in terms of data collection and tracking?
Glenn: The thing is, we're very early in this technological revolution, and it's happening at such an accelerated pace that the technology's gone far faster than the human capacity to understand where we are or why we're going there. But I hope we get to a point in the future where we realign our values and understand that this kind of tracking and advertising is maybe a bad idea.

I'd like to see a different revenue model where we don't need advertising at all. Maybe I'm on kind of an extreme, but I just don't like advertising and I would be much happier if I could pay in some other way—like financially. I use Spotify for example and I'm very happy to pay every month and have no adverts.

It sounds strange to say, "I'll pay you not to track me."
Glenn: Yeah, it does. I guess it comes down to how the companies want to make money. At the moment people don't really care. Occasionally you have big revelations like Snowden-type stuff where people get all angry, but usually that wanes to some degree.

What do you hope your audience will take away from The Secret Life Of Your Mobile Phone?
Geoff: I hope they'll go home understanding a lot more about their phones and how they work and what they do. It's easy for people to hold their hands up and go, "Oh, I'll never understand it." And that worries me because there's a lot going on in the background that we should be aware of and that we can do something about. That "let's not bother" response is exactly what the technology companies are trading off. So I hope people make just a few more clued up decisions each day.

Glenn: And hopefully they'll go away feeling a bit more curious. If you have a greater understanding of how things work, it's easier to question them. We want people to sit up and say, "Hey, that's not OK, I want to have a choice in this matter."

Follow Rose on Twitter.

Geoff White is a Channel 4 News technology journalist. Follow him @geoffwhite247

Glenn Wilkinson is a senior security analyst at SensePost. Follow him @glennzw

The next performance of The Secret Life of Your Mobile Phone is on April 22 at Cybersalon in London.
