Hello DEF CON 2011! Yeah, I'm excited. I'm glad you guys are making sounds because I was really expecting like a bunch of half-asleep people, kind of drunk, kind of, trying to get an overt pin, but like, I want to see this talk. So, I think I'd like to start off with, I don't know if you guys read the proto-lol jokes, and so this is kind of, I mean even for DEF CON, a little over the top nerdy, but I'm going to start with a joke. So, an IPv4 address walks into a bar and says, I'll have a strong glass of cider, but the bartender says, we're exhausted. Oh, it's so terrible, it's great. Good gosh, can you guys hear me well? Alright, well then let's get this party started. Sweet, so hi there, my name is Eric Fulton, I work for a consulting firm called Lake Missoula Group in beautiful Missoula, Montana. I know you guys are thinking, you guys, you know, have public transportation in Montana? Yes we do, and we also have hackers up there, which is a lot of fun, so we can hack in the morning and hike in the afternoon, as I like to say. I also help run forensicscontest.com, we actually run a network forensics contest puzzle during DEF CON, which is pretty sweet, and packets are important in doing forensic analysis of a lot of different things. So, I'm also on Trisket.com, I really don't update it ever, so I guess that's not as useful. I'm also on Twitter, and I'd really like to say during this talk, thank you to Sherri Davidoff and Jonathan Ham, they are absolutely amazing ninjas with packets, and they are actually writing a book, and I was able to help, or well, use an advance copy of their book to do some of the analysis that I'm going to kind of show you guys today. So, what I'm going to show you today, I'm going to start with some definitions, a testing methodology, kind of going into how I analyze the packets, what I was looking for, what I kind of found, some fun findings that I found throughout all of this, and then kind of come to a conclusion.
Now, in addition to this, this talk is kind of threefold. I've got a bit to cover, so I'm going to talk a little bit fast, so I apologize if I'm going at a little bit of a rapid pace. But what I'm trying to cover here is some distinct topics. Privacy, especially, I mean obviously it's in the title, because privacy in our lives is important. I think that the privacy that we have is eroding, and we don't exactly know what's happening. A lot of you have an Android phone, probably not in your pocket because it's DEF CON, but maybe at home you've got a smartphone and you don't realize that every day it's leaking your location, where you're at, and some other interesting facts. So that's certainly something I want to cover. I also want to touch a little bit on network forensics because this is what I use to help discover what's being shared over your Android phone, and I mean that's the majority of it. It's a wide breadth and it's kind of shallow, and if you want to know more about kind of the analysis that I did, packet forensics, I'd highly suggest that you, well, our contest is over, so apologies if you're just finding out about it now, but we run it online and we've got our archives of past contests. I'd recommend you take a look at those, you kind of teach yourself or try to teach yourself some network forensics, and it'll give you kind of a new perspective on how to analyze things. So what is network forensics? Now the Wikipedia article says, network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purpose of information gathering, legal evidence, or intrusion detection. But basically it's sniffing packets on the wire. You've got traditional forensics, which I'm sure a lot of you know of, where you take your hard drive, you dd it, you make an image, you analyze it, you try and say, hey, what's on this hard drive?
But there's also network forensics, and that's where you're going, what is going over the wire, what is my computer leaking, what is going on? I mean with traditional forensics, unless you pull the memory, you won't ever realize that there's something loaded in memory leaking any number of things. And so listening on the wire gives you a different perspective, and it lets you really understand what your phone, your laptop, your server, etc. is really sharing with your network and the world. Or network forensics could be doing, called listening to the wire for fun, question mark, question mark, question mark, profit and loss. So, how does network forensics affect us? You could say, I mean assuming you're at DEF CON, all of us use network devices. We use laptops, phones, etc., etc. And everything is network based. I mean, back in the day before the advent of the internet, and the beauty that is network communications, people just had kind of a solid, a solidarity, sorry, excuse me, they had a single computer that wasn't really connected to anything else. Everything you did was on that terminal. But now we send all sorts of things to everyone. We send usernames, passwords, hashes, URLs, lolcat pictures with your grandma. I was going for laughs on that one. Sorry, it's Sunday at 10, I should probably cut the humor. Yes, but he laughs. But we send all of these amazing things over the internet, and we think to ourselves, oh, I'm sending my password to this service. And a lot of people don't think of all the externalities that affect that. When I log into Twitter, for example, most people think, oh, my computer, Twitter, that's all that's happening. But they don't realize that they're going from their most likely laptop, iPhone, iPad, iDevice, etc., to probably a wireless router, which then connects to your ISP, which then is routed over the internet to Twitter's servers.
And along there, whether or not I have access on your actual computer, I might have access to your network traffic. And through that, I have access to a lot of fascinating information. I mean, no one wants to be handing out usernames, passwords, or anything else. And a lot of companies are really good at protecting that. That's why we hash our passwords. But the simple fact that I'm able to look at that is a huge, not only privacy risk, but security vulnerability. So some of our applications send licensing, registration, UDIDs, and all this data can be filtered, logged, and analyzed by third parties. You don't know what your ISP is doing. Most people just kind of sign that contract and assume that the ISP has their best interest at heart. And I'm not saying that ISPs can be evil, but if they wanted to be, there's a good chance that they could do a lot of damage. Or your roommate, who also is on your wireless network, could do a lot of damage, depending on how close you are with your roommate, or the guy next door if you're using WEP. So essentially what I'm trying to say is there's a lot of ways our phones could fuck us. What I really am specifically focusing on is Android application security, because a lot of people have done the computer thing, a lot of people have done laptop forensics, analysis, etc. But something that we don't realize is we've got this essentially supercomputer in our pocket. I mean, when I had my first computer, and I'm not going to say what that was, it's like a tenth of the processing speed of my current phone in my pocket. Well, in my room, because it's not on. And people don't realize all of the fascinating things that they have on their phone and what their phone knows. So we look at it, and if someone wanted to... I mean, our phones have a lot of things. If you're doing GPG encryption and trying to decrypt your phones or your emails, I mean, that's assuming that you're a naturally secure thinking person.
Let's say you encrypt your emails and it's on your phone. You have to have your private key on your phone to decrypt your emails. If you're not a private thinking individual or a secure thinking individual, you're just sending your emails over your network connection. You have emails, usernames, GPS, et cetera, et cetera, and more. And so when I first got into this research, I thought, oh, you know what would be really cool? Let's build an evil application, right? Like something that would be like a Back Orifice for phones, which I think some of the other presenters at DEF CON have actually done, which is awesome. But when you make that application, it's ultimately silly because as long as you can get the user to press OK, done, right? I mean, how many people with smartphones scroll through their phone, and they're like, I want to play this game. Scroll, scroll, scroll, OK. I mean, I don't know if you guys watched South Park, but that's what the, there's a whole episode on the HumancentiPad where someone didn't actually read the EULA. Oh, God forbid someone read 39 pages of dense legal text. That doesn't happen. And so anyone can build an evil app, put it on the market, and say, hey, you should download this. And anyone could execute it and it could export a lot of bad information. And we know this is bad, right? There's a lot of companies out there that do a lot of great things trying to prevent malware, evil applications, et cetera. But then I got thinking, you know, OK, so we know evil applications are evil, but what about regular applications? I mean, when you get your Android phone, you think, oh, OK, first thing I want to do is stream music through Pandora, right? I mean, it's really awesome having an unlimited Internet radio station on your phone. And then you play with it a little bit longer and you're like, oh, sweet, I've heard about Angry Birds. Who here loves Angry Birds? I'm not going to lie, I use it.
You're sitting in a meeting, you're sitting in your office, you're on a phone with your boss and you're just playing. Not that they know you're playing it, but the fact of the matter is you're thinking, all of these apps I've paid for it or not, but I've downloaded from the Android application market and it's a game. What I've downloaded is a game, but what you don't realize is you've downloaded a little spy in your pocket. Now, some previous research has been done by the Wall Street Journal and by a man named Aldo Cortesi. And I'd like to meet this man, he's done a lot of great things. But basically, I mean, I was even going to call my original presentation and enjoy the spy in your pocket. The Wall Street Journal, been there, done that. They've done a lot of great research seeing what these applications are sharing and how they're sharing it. And so, to get back to the privacy side of it, in terms of privacy, we don't realize how much we share about our lives. We think all these companies have anonymized data. One of the best examples is with Apple. You have a UDID, I think. Yeah. And it's basically an anonymized number that says, oh, I'm me, but I'm not actually Eric Fulton. It's just, you know, the company doesn't know who I am. They just know my number. Well, that's cool. But there's companies out there in the world where their whole idea is de-anonymizing who you are. Like, figuring out, oh, this guy that lives in Montana, that loves Doritos and Mountain Dew and also travels to these places is this number, and they can easily tag it as Eric Fulton because I love Mountain Dew. And so, as part of this, I thought, all right, well, let's start looking at these applications. These applications that I blindly trust that I think, oh, yeah, I totally believe these people. So scientific method to the rescue. 
What I wanted to do was create a reproducible kind of project that someone else could look at and I could do with standards that would kind of display what our applications are sharing. So we've got all of the basic things there, and the question I asked was, to what extent do participants in the cellular ecosystem, so OS creators, app creators, carriers, et cetera, respect privacy? Now, in my research, I've only gotten as far as Android, but I hope to get to Windows phones and to Blackberries and to iPhones. But right now, we're going to focus in on Android phones. My hypothesis was, in terms of respecting privacy, what do they do? And I thought, you know what, software applications and operating systems transmit your private information. I mean, to a certain extent, it's built in. That's what they're supposed to do. When you log into your Facebook, you kind of have to give Facebook your username and password. But what do they give to third parties without your knowledge? What do they give to advertising partners? And more so, what are their advertising partners, that these companies blindly trust, collecting about you? And so I thought, I bet you they're sharing the standard, you know, usernames and passwords and things that personally identify you. I mean, it's part of the application. But when you think about it, when you're searching for something on Google, why does Google need to know your location? And to a certain extent, for a business purpose, you know, it's helpful. They need to know that I am in Las Vegas right now, and when I search for a Batista's restaurant, they know, oh, restaurant in Las Vegas. But at the same time, I have no real option of turning that off. I mean, I know Google says, hey, if you want to turn off your location data, your GPS, et cetera, we won't collect it. But we don't realize, and what I found out later was, is that they kind of are. But to maybe not the GPS extent, to a different extent.
So for this experiment, I built a lab. And for this lab, I want to install, use apps on the Android phone. I want to capture their packets, analyze these packets, and then profit. Or at least give a DEF CON presentation. Thank you. So I built a lab. I thought to myself, I've got this great idea, I've got this great hypothesis, what do I need? Well, I bought a femtocell, an original Motorola Droid, a wireless router with DD-WRT on it, a sniffing laptop, and an internet connection. And I was like, I am ready. Turns out you don't need all that stuff to do this analysis. As I went along, I found out I could have done a lot of it in the emulator, making nothing. But it allowed me to buy some cool shit using the office company card. Well, thank you. I'm happy about it. So I bought the femtocell thinking, all right, when I am using my phone, I want to collect the cellular network traffic in addition to the regular network traffic. Because I was thinking, if I'm an app creator, I don't want people tweaking with my stuff. And generally, I'm going to use the word generally, because cellular networks are safe. And so if I was an app creator, I'd be like, oh, no, no, no, no, no, I won't send sensitive data over Wi-Fi. I'll make sure it's over there, the cellular network, because it's a lot harder to tap. And so I was like, I'm going to buy a femtocell. I'm going to intercept that. And then I bought an Android phone, because I was like, this is cheap on eBay. And then I already had the router and the laptop and the internet. Well, it turns out, after doing a bit of research, and I didn't delve too much into this, that app creators aren't that shiesty yet. All I had to do, I didn't have to register for the cell network. I was just able to pop over my phone, turn on Wi-Fi, get to the Android market, and start playing around, which was absolutely great.
So I created this amazing testing methodology, where I would take the applications, I would purchase and install them, I would have initial usage, regular usage, and then uninstalling the application, for each application, because then I would know what traffic's going on at exactly what point. Operating system tests, I would have first usage, so when you're first installing your phone, light usage, and then regular idle time, and then when I've reset the phone. It seems like I would cover just about every aspect of every application, and the OS, so that I wouldn't miss any shiesties that went on. Because I thought to myself, if I were an OS creator, every 30 minutes I'd want to know where you are at. Or if I'm an application owner, I might be like, hey, every 15 minutes, who have you called in the last 15 minutes? So this was my amazing original testing methodology. What actually happened was, I just took a massive PCAP file for each app, ran sslstrip on it, ran tcpdump on it, and made a drinking game out of it. In true DEF CON fashion. But you guys weren't hungover, so maybe that's not true DEF CON fashion. And so for the apps that I tested, I thought, alright, I'm going to do a mix. I'm going to do Angry Birds, as I used earlier. This really sketchy Chinese app. I don't read Chinese, and I was like, well, that looks sketchy. It's kind of my sketchy test. And then random applications that no one uses, so I scrolled a bunch of pages down. I got the main ones, Facebook, I got just browsing the web on Google, and that actually happened by accident, but I found some fascinating things, so I decided to keep it in. Intellipilot, which is an airline pilot's application for using logbooks. Mousetrap, which is a game. Pandora. RedPhone, which is an amazing application created by Moxie Marlinspike, and if you guys don't know of this, it's a little app on your Android phone that you can have secure conversations with other people.
And I thought, you know, I like Moxie, but I kind of want to see if he's doing anything there. We'll find out more about that later. And then Words With Friends and Zynga Poker, and I'm absolutely addicted to Words With Friends. And if any of you guys play Scrabble, you'll know. Yeah, I digress. And so it's obviously a work in progress. I have a lot of applications I'd like to test. I have a lot of different operating systems I'd like to test, and basically what I've been trying to work towards is a standard methodology so that I can kind of hammer through it when I'm not working, which seems to be rare. So what I have to work with is a bunch of PCAP files and sslstrip outputs. And the reason I did this was because I figured, you know, if I'm an attacker, it's really easy just to run sslstrip. So let's just assume SSL is useless. And so I decided to take all the information that if someone were attacking you, or if there were a corporation, et cetera, would have. Now later on, I want to see absolutely everything sent back to the company. I'm going to add a root certificate to the phone and just collect all the information. But for right now, I've got a bunch of packet captures and sslstrip outputs, and that alone has proved very interesting. So let's start analyzing. With each packet capture, I first poked around with it in Wireshark. I analyzed some of the conversations, some of the IPs being addressed. I ran strings, ran grep, pretty easy Linux stuff. And then I did some DNS play and I did some Argus flows. So first, Wireshark. If you guys haven't done any network analysis, Wireshark is kind of the de facto GUI tool. It's really nice just to kind of poke around and scroll, and you can just visually look at and see, oh, this is HTTP traffic, DNS traffic, et cetera. That's a good starting point. Kind of gives you a feel for the lay of the land. But command line tools are more powerful. And so I moved to tshark.
And so I wanted to basically read the packet captures, look around, see what was happening. Look at some of the hex, what's being talked to, and the conversations that are happening. And so I ran tshark. It's up on there. And I tried to see what are these applications talking to? Who are these applications? I mean, who are these applications talking to? What services are they using? Who are they sharing it with? And then I whois like a mofo. So, if we were to take one specific example, we can look at Zynga. How many people here know who Zynga is? Oh, nice. I should assume this is DEF CON. You guys are smart. And to read it, for those who didn't raise their hands, Zynga is kind of the new mogul, if you will, for Android games. Most games on Android, and OpenFeint on Apple, or yeah, I think it's OpenFeint. In any case, Zynga makes a large number of those idle time games. Those games, when you're kind of sitting down, as I stated earlier, and you're just kind of, you know, you don't have anything to do and you want a game that you can play for five minutes, or you're on a conversation on your little board you can play for five minutes. And they're wildly popular because people have a lot of idle time. And so I took a look at Zynga and I was like, who is Zynga talking to? Well, if you look at the screen, and I'm not going to read each one out, there's a lot. There's Tapjoy Ads, Midas, Tapjoy Ads, Facebook, Facebook, Facebook, Facebook, Macromedia, Adobe. And when you look at this, there's a couple on there that you're curious about. I mean, this was for Zynga Poker. And so you're playing poker on your phone and you don't really expect for it to call out to Midas.Moby. What does this company do? What does MKHOJ do? What does Tapjoy Ads do? What information is being sent to these third parties that you have absolutely no idea about? And this is where we draw in on the privacy element.
When you downloaded that application for poker, did you really understand that you were going to be sending your statistics, your Android version, your location potentially to Zynga Poker? And why do they need to know it? So this kind of, like, this really begs the question, what is being sent on your phone without you knowing? I mean, now that I brought the question up you guys are thinking like, oh, what apps do I have? Well, one of the easiest, quick and dirty ways to look at a packet capture file and see where it goes is strings. Strings just basically outputs text strings that are inside the packet capture file, or any file for that matter. But basically what I did was I looked for interesting things. And you'll see on here one of the first things I did was the HTTP, trying to see what websites are being contacted, and then I had a couple key phrases, and I did this for a couple reasons. One, I don't want to have to go through every packet capture file trying to figure out what password was what and what I was going through. So I made some basic things to look for. I made Woot DefCon my password and I made my username droid.net.foren@gmail.com, and for those of you thinking, oh, he left the password and he just displayed it, I'm going to go log in? Yeah, I did, I don't care. Have at it. And so basically, I'm not using it anymore, basically what I did was I put these kind of little cookies within the packet capture file so I could instantly grep for Woot DefCon, right? Because I was so excited this was coming up I was making my password that, so I could instantly see where my password was shown. I could instantly see, rather than trying to figure out what's their password field called, or is it in their GET parameter, the POST parameter, whatever. I can just go, is Woot DefCon going over the wire? I also did it for my email address. Well, when we look at it, Woot DefCon is definitely going over Facebook. Obvious.
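The two steps the speaker describes, asking who each app talks to (the tshark pass) and grepping the capture for seeded canary values (the password and the droid.net.foren@gmail.com address), as one added example that is not from the talk: it parses a libpcap file with only the Python standard library, attributes each TCP payload to its HTTP Host header or ip:port, and reports which destinations received the canaries in the clear. The capture, hostnames and addresses below are constructed, and "WootDefCon" as a single token is an assumption about how the password was spelled.

```python
import struct
from urllib.parse import unquote_to_bytes

# Canary values seeded into the test account (the talk's password and address;
# 'WootDefCon' as one token is an assumption about its spelling).
CANARIES = {"password": b"WootDefCon", "email": b"droid.net.foren@gmail.com"}

ETH_IPV4 = 0x0800
PROTO_TCP = 6


def tcp_segment(src_ip, dst_ip, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000,
                     64, PROTO_TCP, 0, bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + tcp + payload


def pcap_file(frames):
    """Wrap frames in a libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_300_000_000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_payloads(pcap):
    """Yield (dst_ip, dst_port, payload) for every IPv4/TCP segment in a pcap byte string."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # record headers use the writer's byte order
    offset = 24                                     # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        caplen = struct.unpack_from(endian + "IIII", pcap, offset)[2]
        frame = pcap[offset + 16:offset + 16 + caplen]
        offset += 16 + caplen
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                # IPv4 header length in bytes
        if frame[14 + 9] != PROTO_TCP:
            continue
        dst_ip = ".".join(map(str, frame[14 + 16:14 + 20]))
        tcp_start = 14 + ihl
        dport = struct.unpack_from("!H", frame, tcp_start + 2)[0]
        data_offset = (frame[tcp_start + 12] >> 4) * 4
        yield dst_ip, dport, frame[tcp_start + data_offset:]


def http_host(payload):
    """Return the HTTP Host header of a request payload, or None if there is none."""
    for line in payload.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            return line.split(b":", 1)[1].strip().decode("ascii", "replace")
    return None


def scan(pcap):
    """Map each destination (Host header when visible, else ip:port) to the canaries it received."""
    report = {}
    for dst_ip, dport, payload in tcp_payloads(pcap):
        who = http_host(payload) or f"{dst_ip}:{dport}"
        found = report.setdefault(who, set())       # record the endpoint even if nothing leaked
        # Check the raw bytes and a percent-decoded copy: a plain grep misses
        # 'droid.net.foren%40gmail.com' although the address is on the wire in the clear.
        views = (payload, unquote_to_bytes(payload))
        for label, value in CANARIES.items():
            if any(value in view for view in views):
                found.add(label)
    return report


# Constructed capture: a form login in the clear, an ad beacon, and an opaque TLS-like blob.
SAMPLE_PCAP = pcap_file([
    tcp_segment("192.168.1.50", "203.0.113.10", 80,
                b"POST /login HTTP/1.1\r\nHost: game.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"email=droid.net.foren%40gmail.com&password=WootDefCon"),
    tcp_segment("192.168.1.50", "203.0.113.20", 80,
                b"GET /beacon?udid=constructed-device-id&lang=en HTTP/1.1\r\n"
                b"Host: ads.example.net\r\n\r\n"),
    tcp_segment("192.168.1.50", "198.51.100.7", 443,
                b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
])

if __name__ == "__main__":
    for who, leaked in sorted(scan(SAMPLE_PCAP).items()):
        print(f"{who:24} {', '.join(sorted(leaked)) or '-'}")
```

Endpoints that receive nothing still appear in the report, which is the "who is this app talking to" list; a real capture would be read from disk with `open(path, "rb").read()` in place of SAMPLE_PCAP.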
I mean, you have to log into your Facebook to actually get the alerts that you want to see about your best friend and their update on how they're so excited for Friday. But what we didn't realize is that Facebook, Words With Friends, and Zynga Poker are all sending my email. Again, something to be assumed. But beyond that, any attacker can capture this. And this is where I really tie in the privacy element, and this is where privacy kind of intercedes with what I'm doing. So we have it to where, as an attacker or as a man in the middle, I now know potentially your password for your Facebook, your Facebook URL domain name, etc. All because you're playing poker. I now know potentially where you're located, potentially what you're doing, potentially where you're at. And so when we delve in with Words With Friends, we can see a lot of very interesting things. And so this is an output that I got from running strings on Words With Friends. And again, this is all very simple stuff. I mean, I'm not doing extremely advanced packet analysis, but if you guys would like to know more about that, I would highly recommend the Network Forensics Contest. But this is quite simple. If you have a Linux VM or a Linux box, you can all do this. And so I ran strings on the capture file that I had and I found this. I found Words With Friends is sending a couple interesting things. One, they're sending the network that I'm on. So they know whether I'm using AT&T, T-Mobile, Verizon, etc. So now they know that my phone is Verizon. They know that, well, and they know that I'm a millennial, which I found was kind of weird. I think they're guessing. But they also don't know what my build version is for my Android. They know what ad server I'm using, which I'm guessing, and some of these are hypotheses and some of these are facts. But on this, I'm guessing that they know where I'm located based on my distance to the ad server. They know what screen resolution I'm using, what language I'm using, etc.
And for my testing, some of this didn't quite show up because I hadn't fully set up the phone, so they weren't able to send a couple of things because I didn't have anything in there. But it definitely lets you know what they're sharing. And so when we continue on, okay, well they've got my email, they also have my device ID. They also know that my last word was about and I got 18 points for it. But that's to be obvious. Again, sorry, I thought jokes would go over better at 10 a.m. But in any case, so they know the timestamp of when I'm accessing it, they know my email, they know my device ID, etc. And what's important about this? Well, I can only assume that my device ID is only my device. I can also assume, or I feel safe assuming, that Zynga has a number of different applications and in every application they know that my device is using that. They know that I'm using their game 1, 2, 3 and 4. But then we tie this in with kind of a larger ecosystem issue. Is that advertising is kind of the, I would almost argue, one of the largest agencies that I see. Because they want to know as much as possible. They want to know exactly who you are so they can market directly to you. And so we take it from Zynga and we move to a higher level of the advertising agencies that Zynga leases out. Well now that they have my device ID from Zynga, they can also tie it in with maybe if I'm at a website if they can pull my device ID. Maybe if there are elsewhere they can pull my device ID. And then all of a sudden they can tie it in. Now continuing on the theme of strings. And this is the one that I had no idea and I really do not appreciate. When you on your Android phone go to Google and if your Wi-Fi is on Google instantly knows and it sends back to home all of the Wi-Fi access points around you. These are the people that live around me. They're creative people. I mean and how many of you knew every time you're going oh what's something. Boom. Open up a web browser. 
Oh, my Wi-Fi is on. Oh, Google actually knows all the Wi-Fi access points that are beaconing. Right? No one really thinks of this, and they think, oh well, that's fine. I mean, what's some Wi-Fi access points? But if you guys have heard of Skyhook, what Skyhook basically does is it uses Wi-Fi to geolocate people. And Google is trying to essentially squeeze Skyhook out of the market, or at the very least not pay them, because they're going to do it. So if you're at this location and these wireless access points are around you, if you're using an application and you can see, like if someone else is using this application and they can see this Wi-Fi, they also know where you're at. And so you don't even have your GPS on. Let's say you're a super paranoid person and you're like, no no no no. My GPS is off. Google will not find me. Well, now they know what wireless APs are around you. They also know, because of those wireless APs, where you're located. Kind of scary. What's also sent to Google, and I totally, totally anonymized this, the X's are me because that's my exact address. I was looking through the captures and I was like, DevLoc, what's that? Is that like the, my phone is locked? It's actually device location. And when I have my GPS on and I am browsing to Google, and mind you I am just browsing to Google, I can instantly know where exactly I am. Pinpointed to a dot. I kid you not. I remember back when GPS was kind of sketchy, you'd be like, oh, you're in this area. But they are. You are standing right here. To that many X's worth of latitude and longitude lines. Scary. They're also sending a bunch of other information that I haven't decoded yet, but I plan on looking through. Easy stuff to be picked out right away. Why does Google need to know my specific exact location when I am browsing? And again you could say, oh, it's useful because they need to know when you search for pizza what pizza is nearby. Completely agreeable.
But then we have to move a layer higher in terms of privacy. Well, because Google is collecting my location, who are they sharing it with? Who else knows where I am located when I am browsing for pizza? Do they share it with their advertisers? Do they share the time that I searched for it with them? Do advertisers now know when I've got a hankering for food, or whenever I search something? They know where, or potentially know where, I searched for it at. They know what time I searched for it. And they can start to build a profile about you. And I mean, I personally, in terms of privacy, I think that we shouldn't have advertisers that know your most intimate details without you even understanding what you're sharing. Google doesn't instantly say, hey, if you don't have your GPS on we'll just send some Wi-Fi access points around you. If you turn off GPS location assistance for web applications, we're going to send your Wi-Fi to try and guess where you're at. They don't allow you to turn that off. We also continue through and we get a little bit more interesting information as well. We have the LAN MAC address, the WAN MAC address, the WL MAC address and the LAN IP. What type of wireless you're using, what type of protocol it's using, what the active wireless is, I mean, and I could keep reading through it, and just for no reason Google knows how long the uptime has been on my device, the actual IP of it, the load average, etc. I might reiterate that, you know, all of this just because I popped open a web browser. It's quite crazy and it's insanely disturbing in terms of privacy because you think, why do they need to know this? Well, now we're going to look at why data is being collected, and I'm hypothesizing here. We've got advertising. We've got statistics because obviously they want to know, are you using your application, what you're using it for, etc. We have advertising.
We have legitimate business purposes, so maybe an application needs to know what version of Android you're using so it's effective. We have advertising. We have things that can increase the value of a service, so I mean it's helpful when you search for pizza that they search for pizza near you. We have advertising, and I hope I made my point here as you guys have caught on. I'm repeating advertising over and over and over because advertising is again the number one reason why they collect this information, and maybe they could collect it without advertising, but it's the number one reason that they use. Why do you need to know my location? We need to give you the correct ads. Why do we need to know the Wi-Fi around you? Well, I mean, that helps us find your location, which helps you get proper ads. Why do you need to know my device version? Well, I mean, we're going to run an ad on your screen, we need to know what resolution it's at. It's creepy. So in terms of all of this, what about man-in-the-middle attacks? Traffic can be intercepted. You can use sslstrip, exploits, etc. And so just from sniffing your traffic, from you hopping on my Wi-Fi point, I know you haven't applied your latest carrier upgrade. I know you decided to root your phone and put Gingerbread on it from a certain mod-like community. I know exactly what device you have, where you've been, etc. And to hackers this is all very, very fascinating information, right? If I know that you're using a phone that your carrier decided not to upgrade and that there are active vulnerabilities in it, I also know that I can screw you. I know that if I have one of the exploits probably released at DEF CON, or that I made myself, targeting the Sholes platform against Gingerbread, I know I'm going to have a 100% effective rate. And I know this just because you're playing Angry Birds on my wireless network. Or, not that I've done this yet.
You happen to be within a certain foot range of my femtocell and are on my cellular network, but that's a whole other talk. And so I kind of want to go back to the original question I asked. To what extent do participants in the cellular ecosystem (app creators, OS creators, carriers, etc.) respect user privacy? My answer? Not very much. And the reason for this is that no one's really called out for it. And I don't mean to wax too philosophical. I mean, we're at DEF CON. I think a lot of people here really believe in privacy. We've got the Electronic Frontier Foundation, who fights for our privacy. And yet for convenience we sacrifice our privacy. For the ability to Google something out of your pocket, to run the little location GPS on your phone to find out where you're going, to do any of these things, you're sacrificing your privacy. I mean, and that's fine. I mean, if that's something you want to do and that you're comfortable with, that's fine. But myself, I don't like Google knowing my neighbors have very creative wireless access point names. I don't like Google knowing exactly, exactly where I'm located when I browse a website. I don't like that when I use turn-by-turn navigation, Google knows exactly when I'm taking those turns. And I don't mean to pick on Google. They just happen to have the phone that I was able to obtain. You can only postulate what's on an Apple iPhone or a BlackBerry, et cetera. And the greatest thing with this is that, in terms of privacy, all of these companies, and let's assume a beautiful, perfect world, all of these companies believe in your privacy, which is patently false. But let's say they do. Well, aside from that, what about the people that have access to your traffic? As I stated before, I did all of these... let me go back a little bit. I ran strings and collected all these packets on my own network, and I was able to analyze this. But how many people are able to write filters?
Put out a Wi-Fi point, put out a femtocell, and as soon as you walk by, you've instantly shared so much information about yourself. I mean, if someone walked next to you and asked to rifle through your wallet, what would you say? No, no sir. But if you just happen to walk by a store and they happen to know certain details about you, they could change their advertising. Moving forward, and this is kind of near the postulation stage: all of this information is available, and whether companies are or they're not protecting it, this is all sent in clear text. So if you were to hypothesize into a future where, and I hope I'm not giving these people ideas, this is just where my own head has gone, imagine an idea where on your Android phone it's sharing all of this information. You happen to wander past a supermarket and all of a sudden you're saying, oh, I really do feel hungry for Mountain Dew, I do really want some chips. I just said hungry for Mountain Dew; I'm very thirsty for Mountain Dew, 10 a.m. on a Sunday. All of a sudden I see an advertisement that says Mountain Dew. Really cool, and I think to myself, oh, perfect timing, I'm going to get myself some Mountain Dew, right? But is that exactly right?
I may have bought the Mountain Dew beforehand, but it's just an abuse of trust and an abuse of your privacy to take a look into your private thoughts and your phone and to share it out with the world. I mean, let's apply this towards politics. All of this information is bought, sold and traded, all of this information that's being shared on your phone that you don't quite realize. So all of a sudden I'm someone in politics, and I'm like, you know, I want to be the perfect politician. Well, I've got these advertisers over here, and you're like, oh sweet, I'm going to use the free version, it's ad-supported, rather than paying $1.99. But when you do that you give away a little bit of privacy. It's not just you giving away, uh, oh, I'm going to ignore that ad; you're giving away your privacy. And they take this information, they take what device version you have, where you're located, where you've been, what you like to buy, what you like to search for, and they correlate it together. It's their goal to find out who you actually are, because these companies say, hey, we don't collect your real name, but when someone else buys this data that's in your unique ID, they correlate it with other public data and they kind of jumble it all together. They know who you are, they know where you live, they know your favorite color. And so, taking this along the political idea, imagine a future where politicians know every constituent in their district. They know this because of their cell phones; they know this because all of those cell phones have exposed what everyone does. They know what people search for, they know whether they read the Huffington Post or Fox, they know what percentage of people do this, they know what grocery stores you shop at. And they can take this data, they can take this data that's been correlated along all these different avenues, they can combine it and they can go, oh hey, my district is 68% likely to vote Democrat or Republican. Okay, or no, let's even do something closer. It's like, oh, my
district is 55% likely to vote Republican, but most of those people, like 10%, are not likely to vote, which means I probably need to pitch myself towards the Democratic side. Okay, well, if I'm pitching myself towards the Democratic side, I see that most of the people on this side are value shoppers, they like to shop for the value brands. Well, now I shop for the value brands. I talk about value when I talk to my constituents. I make them think, oh my gosh, this politician is me, I believe in them, I can affiliate with this person, I'm going to vote for them. But what they don't realize is whoever this person is, they have tailored themselves meticulously to look exactly like the person that these people want, or that these people are, that these people would want to see. This is the power that correlating data has. This is the power that just using applications on your cell phone, by sharing out your device ID, your location data, the Wi-Fi access points, can share.

So kind of tying back to my hypothesis, I said software applications and operating systems transmit private user information to the author and third parties without the user's knowledge and consent. So I mean, throughout this talk I've stated personal data, identifying data sent, whether it's encrypted or not, it can be SSL-stripped, and there was some data... and actually, to talk about it a little bit, I promised you a little bit about some of the applications I did test. I did test RedPhone. I did take a look at, hey, you know, I know Moxie believes in privacy, but does he, I mean, walk the walk that he talks? And I actually couldn't intercept his traffic. Fascinating. And I was like, well, let's look into this. Apparently Moxie, having broken SSL, knows how to secure his shit, and he does. So it's definitely doable. These companies can make your information private, they can make it so that I can't intercept it on the wire. But the problem is they don't. They view it as not important data, or I mean, maybe not necessarily not important
but not sensitive. They don't take the time to protect it. They don't want to invest in servers so they can encrypt it over the wire. And so I thought, okay, and even if they do, it's still exploitable: they use SSLstrip, username and password, boom, done. Applications and usernames, passwords, contact list, location data, usage statistics, timing of activities and other content kind of give it away. I said they were... were we right? Yeah, we were right on all of those counts, all of them, and this is only using very basic packet analysis on these applications. And when I say basic, I didn't want to make this talk overly technical, because I hope to make it a bridge between kind of the more technical field of network forensics and the non-technical field of privacy, and kind of merge them together so that there's a little bit for both sides. But if you're a privacy advocate, I would highly recommend you take a look at network forensics, being able to look and see, hey, what are applications sharing, what are these operating systems sharing, when I go to google.com did I know my Wi-Fi access points are showing, did I know my IP address is showing, etc. Basic testing.

And so to kind of conclude, I don't think a lot of people realize your smartphone erodes your privacy, and you agreed to it, and that's the worst part: you agreed to it, it's allowed. And until people start saying, hey, companies, we don't want information shared, you don't need to know the wireless access points around me when I'm trying to look for something specifically, even when I said I don't want location data shared... but the problem is you agree to it. I said okay. And even beyond that, a lot of people don't understand the importance of the data they're sharing. They don't understand that when they're sharing this information, they're sharing it now with the world. Well, no, they are sharing it with the world, they're sharing it with everyone. And then they think, I mean, they just build it up and they say, oh well. I'm sorry, I'm starting to
digress from my original point. Essentially what I want to say is that information, what can be seen as benign information that companies have created, it can be taken by that original company, it can be correlated, it can be tied to you, and it can be used for nefarious purposes, and you should be aware of this. And if you're curious about more applications, what I'm trying to do is I'm trying to build out from my original research. Essentially what I did was a very manually intensive, time-intensive process. I am working on automating that process: an emulator that downloads and installs every application of the Android Market, runs it through its paces a little bit, analyzes its packet capture data for passwords, other, I wouldn't say you should be looking information, but important information, and can go through each one. And that's what I'm going to be working on. What I'm also going to be working on, and what this has kind of hinted me towards, is advertising. It's kind of a nether region, and maybe this is just me, but I didn't quite realize the fact that there are tons and tons and tons and tons of ad networks on every page looking at everything you do. And you might think, oh okay, when I browse from Engadget over to Slashdot, those are two separate websites, but what you don't realize is that one advertising company has a cookie or an ad on both of those websites, and they're able to see, oh, when he was done reading Engadget he hopped over to Slashdot, this guy's a nerd, I'm going to advertise to him nerd products. I mean, and it's effective, and there's a reason they do it. They do it because it's more effective and they make money off it. And to a certain extent, I mean, having targeted advertising is useful, but to another extent it just gets creepy because of the way that the information can be used. And so in terms of, in terms of mapping out these, oh sorry, so in terms of all this, what I'd also like to do is I'd like to map out these ad networks. I'd like to
find out who's talking to whom, where the service is located, who has access to what information, and what can happen from that. So that's where I'm hoping to go. I hope I've shared a little bit with you guys, a little bit on the analysis of packet captures, finding out where your information is going, some of the information that is being shared. And I'm definitely going to be available to talk in the Q&A room 3. I've got a lot more technical data; I just kind of chose to keep it simple for you guys so I could kind of focus on privacy and the intersection of that. So thank you very much.