Full Report
At this year’s 44Con conference (held in London) Daniel and I introduced a project we had been working on for the past few months. Snoopy, a distributed tracking and profiling framework, allowed us to perform some pretty interesting tracking and profiling of mobile users through the use of WiFi. The talk was well received (going on what people said afterwards) by those attending the conference and it was great to see so many others as excited about this as we have been.
Analysis Summary
# Tool/Technique: Snoopy
## Overview
Snoopy is a distributed tracking and profiling framework designed to monitor and profile mobile users by leveraging WiFi probe requests. Its goal was to replicate, with limited resources, the functionality of large-scale surveillance technologies often used for anti-terrorism monitoring, focusing instead on tracking devices and their owners.
## Technical Details
- Type: Tool
- Platform: Linux devices capable of wireless monitor mode/packet injection (referred to as "drones"). Examples include Nokia N900, Alfa R36 router, Sheeva plug, and RaspberryPi.
- Capabilities: Distributed data collection from numerous client devices, real-time and historical profiling based on captured WiFi data, and SSID analysis for user profiling.
- First Seen: Introduced at 44Con conference, London, around September 2012 (article published September 25, 2012).
## MITRE ATT&CK Mapping
Snoopy is a research profiling framework rather than malware, so ATT&CK fits only loosely. The mappable parts are the passive over-the-air collection and the drone-to-server reporting.
- T1040 - Network Sniffing (capturing 802.11 probe requests with a wireless interface in monitor mode; the primary activity)
- TA0009 - Collection (the tactic the above serves)
- TA0043 - Reconnaissance, via T1592 - Gather Victim Host Information (client MAC addresses, whose OUI reveals the device vendor) and T1590 - Gather Victim Network Information (the SSIDs each device has saved and probes for)
- T1041 - Exfiltration Over C2 Channel (drones uploading aggregated observations to the central server; a loose fit, since the "victim" here is the tracked person rather than the drone)
*(Note: direct mapping is limited because Snoopy neither compromises nor persists on the devices it observes. The closest fit is the Collection and Reconnaissance tactics.)*
## Functionality
### Core Capabilities
- **Distributed Data Collection:** Utilizes small, inconspicuous, and disposable Linux devices ("drones") deployed across an area (e.g., 50 drones across London).
- **Probe Request Sniffing:** Drones run a wireless interface in monitor mode and capture management frames with a probe-request capture filter (`tshark -n -i mon0 subtype probe-req`; the pcap-filter keyword is `probe-req`). This records every 802.11 probe request sent by nearby mobile devices actively searching for previously saved networks, including the SSID named in each directed probe.
- **Data Aggregation:** Each drone uploads its observations (timestamp, client MAC address, probed SSID, the drone's GPS coordinates, and received signal strength) to a central server.
- **Proximity Tracking:** The central server groups a client's observations into "proximity sessions" (one client seen by one drone over a continuous span), so a device's presence at a place and its movement between drones can be inferred from which drones observed its probe requests and when.
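The session-building step described above, as an added example that is not SensePost's code: it takes constructed drone upload lines (timestamp, drone id, client MAC, SSID, RSSI in dBm; the field layout is an assumption), splits each client's observations into proximity sessions per drone using a ten-minute silence threshold, and derives the order in which drones saw the device. Wildcard probes (empty SSID) count towards presence but contribute no network name.

```python
"""Rebuild Snoopy-style proximity sessions from drone probe-request records.

Added illustration, not SensePost's code. The record format (one line per
probe request: ISO timestamp, drone id, client MAC, SSID, RSSI in dBm) and the
sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed upload from two drones; "" is a wildcard (broadcast) probe
# that carries no SSID.
RECORDS = """\
2012-09-13T08:01:10Z,drone-waterloo,02:11:22:33:44:55,HomeHub-7F2A,-61
2012-09-13T08:01:12Z,drone-waterloo,02:11:22:33:44:55,,-62
2012-09-13T08:03:40Z,drone-waterloo,02:11:22:33:44:55,HomeHub-7F2A,-70
2012-09-13T08:31:05Z,drone-bank,02:11:22:33:44:55,Costa-Coffee-WiFi,-55
2012-09-13T08:32:00Z,drone-bank,02:11:22:33:44:55,HomeHub-7F2A,-58
2012-09-13T12:45:00Z,drone-bank,02:11:22:33:44:55,HomeHub-7F2A,-57
2012-09-13T08:02:00Z,drone-waterloo,02:aa:bb:cc:dd:ee,,-80
"""

SESSION_GAP = timedelta(minutes=10)  # assumed: longer silence starts a new session


def parse_records(text):
    """Yield (ts, drone, mac, ssid, rssi) tuples from the constructed CSV."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, drone, mac, ssid, rssi = line.split(",")
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               drone, mac.lower(), ssid, int(rssi))


def build_sessions(records, gap=SESSION_GAP):
    """Group observations into proximity sessions: one client seen by one
    drone with no silence longer than `gap` between consecutive probes.
    Returns {mac: [{drone, start, end, probes, ssids, best_rssi}, ...]}."""
    by_mac = defaultdict(list)
    for rec in records:
        by_mac[rec[2]].append(rec)
    sessions = {}
    for mac, recs in by_mac.items():
        recs.sort(key=lambda r: r[0])
        out, cur = [], None
        for ts, drone, _, ssid, rssi in recs:
            # A different drone or a long gap closes the current session.
            if cur is None or cur["drone"] != drone or ts - cur["end"] > gap:
                cur = {"drone": drone, "start": ts, "end": ts, "probes": 0,
                       "ssids": set(), "best_rssi": rssi}
                out.append(cur)
            cur["end"] = ts
            cur["probes"] += 1
            cur["best_rssi"] = max(cur["best_rssi"], rssi)
            if ssid:  # wildcard probes carry no network name
                cur["ssids"].add(ssid)
        sessions[mac] = out
    return sessions


def movement_path(sessions, mac):
    """Ordered list of drones that saw `mac`, collapsing consecutive repeats:
    the inferred route of the device through the drone grid."""
    path = []
    for s in sorted(sessions.get(mac, []), key=lambda s: s["start"]):
        if not path or path[-1] != s["drone"]:
            path.append(s["drone"])
    return path


if __name__ == "__main__":
    sess = build_sessions(parse_records(RECORDS))
    for mac, slist in sess.items():
        for s in slist:
            print(f"{mac} at {s['drone']} {s['start']:%H:%M}-{s['end']:%H:%M} "
                  f"({s['probes']} probes, best {s['best_rssi']} dBm) "
                  f"{sorted(s['ssids'])}")
        print(f"  route: {' -> '.join(movement_path(sess, mac))}")
```

The gap threshold is the tuning knob: too short and a device that probes every few minutes splits into many sessions, too long and two separate visits to the same drone merge into one. Signal strength is kept per session because the strongest reading is the best estimate of how close the device came to the drone.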
### Advanced Features
- **Passive Profiling:** Analyzes the SSIDs a device names in its probe requests to profile the owner. Two levels are described:
  1. Simple analysis: SSIDs that name a venue (a hotel, airport, coffee chain or employer network) show the owner has connected there, and the combination of names sketches their habits.
  2. Geo-locating analysis: resolving SSIDs against a database of known network locations to estimate where the device has previously connected.
- **Infrastructure Composition:** Combines existing technologies into a custom, distributed framework capable of functioning effectively with limited time and resources.
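The two profiling steps above, as an added example rather than SensePost's code: it classifies a client's leaked SSIDs by venue keyword and resolves them against a small SSID-to-coordinates table. The keyword list, the location table and the sample SSIDs are all constructed; in practice the table would come from a war-driving database. Generic SSIDs that exist in thousands of places are excluded from geolocation, and wildcard probes (empty SSID) are dropped because they reveal nothing.

```python
"""Passive profiling of a client from the SSIDs in its probe requests.

Added example, not SensePost's code. The venue keyword list, the SSID
location table and the sample SSIDs are constructed for this illustration.
"""
from statistics import mean

# Constructed: SSID -> (lat, lon) for networks seen at one known place.
KNOWN_LOCATIONS = {
    "HomeHub-7F2A": (51.5033, -0.1195),
    "Costa-Coffee-WiFi": (51.5135, -0.0898),
    "TheGrand-Guest": (51.5074, -0.1278),
}

# SSIDs that occur in thousands of places give no location information.
GENERIC_SSIDS = {"BTWiFi", "BTOpenzone", "linksys", "default", "NETGEAR", "Free WiFi"}

# Constructed keyword -> category table for the simple analysis.
VENUE_KEYWORDS = {
    "coffee": "cafe", "costa": "cafe", "starbucks": "cafe",
    "hotel": "hotel", "grand": "hotel", "hilton": "hotel",
    "airport": "airport", "heathrow": "airport",
    "homehub": "isp-home", "virginmedia": "isp-home",
}


def venues_from_ssids(ssids):
    """Simple analysis: map each SSID to a venue category by keyword match."""
    hits = {}
    for ssid in ssids:
        low = ssid.lower()
        for kw, cat in VENUE_KEYWORDS.items():
            if kw in low:
                hits.setdefault(cat, set()).add(ssid)
                break
    return hits


def geolocate(ssids, table=KNOWN_LOCATIONS):
    """Geo-locating analysis: resolve non-generic SSIDs against the table.
    Returns ({ssid: (lat, lon)}, centroid or None)."""
    located = {s: table[s] for s in ssids if s in table and s not in GENERIC_SSIDS}
    if not located:
        return located, None
    centroid = (mean(p[0] for p in located.values()),
                mean(p[1] for p in located.values()))
    return located, centroid


def profile_client(probed_ssids):
    """Build the profile for one client MAC. Wildcard (empty) SSIDs are
    dropped: a client that only broadcast-probes defeats this step."""
    ssids = {s for s in probed_ssids if s}
    located, centroid = geolocate(ssids)
    return {
        "leaked_ssids": sorted(ssids),
        "generic": sorted(ssids & GENERIC_SSIDS),
        "venues": venues_from_ssids(ssids),
        "located": located,
        "centroid": centroid,
    }


if __name__ == "__main__":
    # Constructed probe history for one device.
    p = profile_client(["HomeHub-7F2A", "Costa-Coffee-WiFi", "BTWiFi", "",
                        "TheGrand-Guest"])
    for key, value in p.items():
        print(f"{key}: {value}")
```

The centroid of the located SSIDs is a crude "where does this device usually live" estimate; the more useful output is the per-SSID coordinate list, which combined with proximity sessions gives both where the device has been and where it is now.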
## Indicators of Compromise
Since Snoopy collects passively rather than infecting anything, traditional compromise indicators (malware hashes, file names, registry keys) do not apply; the indicators that exist relate to the drone infrastructure itself.
- File Hashes: N/A (Framework components based on existing OS/tools)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Reporting traffic from numerous geographically distributed "drones" reporting back to a central aggregation server. (No specific C2 addresses provided; context suggests a custom setup.)
- Behavioral Indicators: Linux devices with a wireless interface held in monitor mode, capturing 802.11 probe requests, and periodically uploading location and network metadata off-device.
## Associated Threat Actors
- **SensePost Researchers:** Daniel and the author (Glenn) who developed and presented the tool at 44Con 2012. (No known threat groups are mentioned as using this tool for malicious purposes.)
## Detection Methods
Monitor-mode capture is passive: a sniffing drone transmits no 802.11 frames, so the collection itself cannot be observed over the air. Detection therefore rests on the drone's own footprint:
- **Signature-based detection:** Small Linux devices of the kinds used as drones (Nokia N900, Raspberry Pi, Sheeva plug) found on a network or at a location where they have no business, running packet-capture tools and reporting to a single external host.
- **Behavioral detection:** Hosts with a wireless interface in monitor mode (`mon0`) making periodic outbound uploads of location and network metadata to one aggregation endpoint; on the network side, many geographically scattered sources reporting to the same server.
- **YARA rules:** Not derivable from the text.
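One host-side check a practitioner can run on a Linux box they administer, or on a suspect device they have recovered, is to list wireless interfaces left in monitor mode. This is an added example, not from the page or SensePost: it parses the output of `iw dev` (the standard nl80211 userspace tool); the sample output is constructed so the check runs offline, and the same parser can be fed live output.

```python
"""Flag wireless interfaces left in monitor mode, from `iw dev` output.

Added example, not from the page or SensePost. SAMPLE_IW_DEV is constructed
to match the layout `iw dev` prints; live_check() runs the real command.
"""
import subprocess

SAMPLE_IW_DEV = """\
phy#0
\tInterface mon0
\t\tifindex 4
\t\twdev 0x2
\t\taddr 00:c0:ca:12:34:56
\t\ttype monitor
\t\tchannel 6 (2437 MHz), width: 20 MHz (no HT), center1: 2437 MHz
\tInterface wlan0
\t\tifindex 3
\t\twdev 0x1
\t\taddr 00:c0:ca:12:34:56
\t\ttype managed
"""


def monitor_interfaces(iw_dev_output):
    """Return [(interface, phy, channel_line)] for every interface whose
    nl80211 type is 'monitor'. Interfaces are grouped under their phy."""
    found = []
    phy = None
    cur = None  # attributes of the interface block being read

    def flush():
        if cur and cur["type"] == "monitor":
            found.append((cur["iface"], cur["phy"], cur["channel"]))

    for raw in iw_dev_output.splitlines():
        line = raw.strip()
        if line.startswith("phy#"):
            flush()
            cur, phy = None, line
        elif line.startswith("Interface "):
            flush()
            cur = {"iface": line.split(None, 1)[1], "phy": phy,
                   "type": None, "channel": None}
        elif cur is not None and line.startswith("type "):
            cur["type"] = line.split(None, 1)[1]
        elif cur is not None and line.startswith("channel "):
            cur["channel"] = line
    flush()
    return found


def live_check():
    """Run `iw dev` on this host; returns [] when iw is not installed."""
    try:
        out = subprocess.run(["iw", "dev"], capture_output=True, text=True,
                             check=False).stdout
    except FileNotFoundError:
        return []
    return monitor_interfaces(out)


if __name__ == "__main__":
    for iface, phy, channel in monitor_interfaces(SAMPLE_IW_DEV):
        print(f"{iface} on {phy} is in monitor mode ({channel})")
```

A monitor-mode interface alone is not proof of a drone (wireless IDS sensors and legitimate packet captures use the same mode), so pair the result with the outbound-upload indicator above before concluding anything.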
## Mitigation Strategies
Mitigation focuses on stopping the client from naming its saved networks, and from presenting a stable identifier, in probe requests:
- **Prevention measures:** Periodically prune the list of saved SSIDs on the device; every saved network is one the device may probe for by name (the text notes this is especially awkward on iOS).
- **Hardening recommendations:** Disable WiFi when not in use, or prefer client behaviour that sends only wildcard probes and waits for a beacon from a saved network rather than naming each saved SSID in a directed probe request, where the client OS allows it. A present-day caveat not in the 2012 text: current iOS and Android releases randomize the MAC address used in probe requests, which breaks tracking by MAC but not SSID-based profiling wherever directed probes are still sent (saved hidden networks force them).
## Related Tools/Techniques
- **Individual Components:** Technologies leveraging wireless packet capture and monitor mode (e.g., tools utilizing Aircrack-ng components for packet capture).
- **Future/Conceptual Work:** The article specifically mentions future plans to extend this tracking methodology using Bluetooth, GSM, and NFC.