Full Report
For the last year, Glenn and I have been obsessed with our phones; especially with regard to the data being leaked by a device that is always with you, powered on and often provided with a fast Internet connection. From this obsession, the Snoopy framework was born and released. After 44con this year, Channel 4 contacted us to be part of a new experimental show named 'Data Baby', whose main goal is to grab ideas from the security community, and transform them into an easy-to-understand concept screened to the public during the 7 o'clock news.
Analysis Summary
# Tool/Technique: Snoopy Framework
## Overview
The Snoopy framework was developed out of an obsession with data leakage from mobile devices. It is designed to intercept, profile, and access data from nearby mobile phones. It was famously used in a demonstration for Channel 4's 'Data Baby' show to highlight mobile security risks to the public.
## Technical Details
- Type: Tool / Framework
- Platform: Mobile devices, reached through their Wi-Fi connections (implied; the article does not name specific handset platforms).
- Capabilities: Intercepting, profiling, and accessing data (e.g., inboxes) from targeted mobile phones.
- First Seen: Prior to November 2013 (developed over the 'last year' before the article date).
## MITRE ATT&CK Mapping
The actions described align primarily with discovery and collection techniques that depend on physical proximity and wireless environments; the mapping below is inferred from the article rather than stated in it.
- **TA0009 - Collection**
- T1005 - Data from Local System (if accessing local storage)
- T1119 - Automated Collection (if profiling is automated)
- **TA0007 - Discovery**
- T1040 - Network Sniffing (implied, to capture traffic from nearby devices; ATT&CK also lists this technique under Credential Access)
- Passive scanning of nearby devices while profiling (no dedicated ATT&CK technique ID; the closest match is T1040)
## Functionality
### Core Capabilities
- Interception of data from mobile devices.
- Profiling of target mobile devices.
- Gaining access to personal information, such as email inboxes.
### Advanced Features
- The framework was used in conjunction with **Maltego** to process and visualize harvested data, suggesting capabilities for data aggregation and presentation.
- Demonstrated effectiveness in a controlled, localized environment against students using mobile devices.
## Indicators of Compromise
*Note: No specific technical indicators (hashes, C2s) are provided in the context for the Snoopy framework itself.*
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: [N/A] (The technique relies on physical proximity and on unencrypted or misconfigured Wi-Fi connections rather than on any C2 infrastructure.)
- Behavioral Indicators: Establishing unauthorized network presence to intercept traffic from nearby devices; unexpected access to user applications (e.g., email).
## Associated Threat Actors
- The creators (Glenn and Daniel from SensePost) demonstrated its use.
- Not directly associated with known malicious threat actor groups in this context.
## Detection Methods
*Detection methods relate to the underlying vulnerabilities Snoopy exploits, rather than signatures for the tool itself.*
- Signature-based detection: [Unlikely for a custom framework unless specific configuration files are known.]
- Behavioral detection: Monitoring for unauthorized network access points or unexpected traffic flow patterns associated with mobile devices.
- YARA rules: [N/A]
## Mitigation Strategies
The article explicitly provides mitigation advice aimed at the mobile network and Wi-Fi habits the attack exploits:
- Be discerning about when Wi-Fi is switched on.
- Verify the authenticity of connected Wi-Fi networks (e.g., checking if a "Starbucks" network is legitimate given location).
- Keep phone operating systems and applications updated.
- Ensure application security settings mandate full encryption for traffic (not just login).
- Configure the phone to "forget" networks after use.
- Avoid joining "open" or unencrypted Wi-Fi networks.
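The behavioral detection idea above (watching for unauthorized access points) and the mitigation advice to verify a network's authenticity rather than trust its name can both be reduced to a small check over Wi-Fi scan results. The following is an added example, not code from the original article or from the Snoopy project: it takes a constructed, CSV-style list of visible access points (not the output of any real tool), compares it against a hypothetical baseline of trusted SSIDs with their confirmed BSSIDs and security mode, and flags open networks and trusted SSIDs that are broadcast from an unknown BSSID or with weaker security than expected, which is the pattern a rogue "Starbucks" network would show. All SSIDs, BSSIDs and baseline values are invented for the example.

```python
"""Flag suspicious Wi-Fi access points from a list of scan results.

Added example (not from the original post or the Snoopy project). The
scan format, the sample records and the trusted-network baseline are all
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str       # AP MAC address, lower-cased "aa:bb:cc:dd:ee:ff"
    security: str    # "OPEN", "WPA2" or "WPA3"
    signal_dbm: int


# Constructed baseline: for each SSID the user trusts, the expected security
# mode and the BSSIDs previously confirmed as genuine (hypothetical values).
TRUSTED_NETWORKS = {
    "HomeNet":   ("WPA2", {"10:20:30:40:50:60"}),
    "Starbucks": ("WPA2", {"a4:56:cc:00:11:22"}),
}

# Constructed scan output: ssid, bssid, security, signal in dBm. The third
# record imitates a look-alike network reusing a trusted name.
SAMPLE_SCAN = """\
# ssid, bssid, security, signal_dbm
HomeNet, 10:20:30:40:50:60, WPA2, -45
Starbucks, A4:56:CC:00:11:22, WPA2, -60
Starbucks, DE:AD:BE:EF:00:01, OPEN, -40
FreeAirportWiFi, 02:11:22:33:44:55, OPEN, -70
"""


def parse_scan(text):
    """Parse the constructed scan format into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, signal = [f.strip() for f in line.split(",")]
        aps.append(AccessPoint(ssid, bssid.lower(), security.upper(), int(signal)))
    return aps


def find_suspicious(aps, trusted=TRUSTED_NETWORKS):
    """Return (ssid, bssid, reason) tuples for access points that fail a check.

    Checks: the network is open; a trusted SSID is broadcast from a BSSID not
    in the baseline; a trusted SSID uses a security mode other than the one
    recorded in the baseline.
    """
    findings = []
    for ap in aps:
        if ap.security == "OPEN":
            findings.append((ap.ssid, ap.bssid, "open network"))
        if ap.ssid in trusted:
            baseline_security, known_bssids = trusted[ap.ssid]
            if ap.bssid not in known_bssids:
                findings.append((ap.ssid, ap.bssid, "trusted SSID from unknown BSSID"))
            if ap.security != baseline_security:
                findings.append((ap.ssid, ap.bssid,
                                 f"security differs from baseline ({baseline_security})"))
    return findings


def safe_to_join(ap, trusted=TRUSTED_NETWORKS):
    """True only for a trusted SSID served by a known BSSID with the expected security."""
    if ap.ssid not in trusted:
        return False
    baseline_security, known_bssids = trusted[ap.ssid]
    return ap.bssid in known_bssids and ap.security == baseline_security


if __name__ == "__main__":
    for ssid, bssid, reason in find_suspicious(parse_scan(SAMPLE_SCAN)):
        print(f"{ssid:16} {bssid}  {reason}")
```

The baseline is the important design choice: an SSID alone is not an identity, so the check keys on the BSSID and the security mode that were confirmed on a previous, trusted visit. A network that carries a familiar name but fails either check is treated as unknown, which is the same judgement the "is this Starbucks legitimate here?" advice asks the user to make by hand.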
## Related Tools/Techniques
- **Maltego**: Used alongside Snoopy, indicating integration for data visualization and linkage analysis.
- **Wi-Fi Attack Techniques**: General techniques involving rogue access points or man-in-the-middle attacks targeting wireless protocols and client trust.