UK security firm Sensepost has discovered that unmanned flying drones can be used to hack into smartphones by simply flying over London pretending to be a Wi-Fi network.
Smartphones are constantly sending out signals trying to find familiar Wi-Fi networks to connect to, such as your home or work network, or even the Starbucks free Wi-Fi network you accessed two weeks ago.
Using a simple off-the-shelf helicopter drone it bought on Amazon, the researchers were able to create a piece of software called Snoopy that can detect those signals and trick the phone into thinking that the drone is a familiar Wi-Fi network.
Once the phone is connected to the drone, all data traffic sent from apps like email, Facebook and even banking apps is captured and fed back to those controlling the drone. This shows that cybercriminals don't have to infect your smartphone with malware in order to monitor your activity.
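An access point that impersonates whatever network a phone asks for, as the Karma technique does, ends up answering probes for many unrelated network names, and that is something a defender can detect. The following is an added example, not Sensepost's code or part of Snoopy; the frame tuples, MAC addresses, SSIDs, the canary name and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames: (type, source MAC, SSID).
# In practice these come from a monitor-mode capture; all values are made up.
FRAMES = [
    ("probe_req",  "aa:aa:aa:00:00:01", "HomeNet"),
    ("probe_resp", "02:00:00:00:00:99", "HomeNet"),
    ("probe_req",  "aa:aa:aa:00:00:02", "CoffeeShop-Free"),
    ("probe_resp", "02:00:00:00:00:99", "CoffeeShop-Free"),
    ("probe_resp", "10:10:10:00:00:01", "CoffeeShop-Free"),
    ("probe_req",  "aa:aa:aa:00:00:03", "Office-WLAN"),
    ("probe_resp", "02:00:00:00:00:99", "Office-WLAN"),
    # The sensor probes for a random name that no real network uses.
    ("probe_req",  "aa:aa:aa:00:00:04", "canary-7f3a9c1e"),
    ("probe_resp", "02:00:00:00:00:99", "canary-7f3a9c1e"),
    ("beacon",     "10:10:10:00:00:01", "CoffeeShop-Free"),
]

def find_karma_like_aps(frames, canary_ssids, max_ssids=2):
    """Return {bssid: [reasons]} for access points that behave like Karma.

    Two signals are checked:
      * the AP answered a probe for a canary SSID that exists nowhere;
      * the AP answered probes for more distinct SSIDs than max_ssids
        (an assumed threshold; tune it for the site being monitored).
    """
    answered = defaultdict(set)
    for ftype, mac, ssid in frames:
        if ftype == "probe_resp" and ssid:
            answered[mac].add(ssid)

    canaries = set(canary_ssids)
    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        hits = sorted(ssids & canaries)
        if hits:
            reasons.append("answered canary SSID " + ", ".join(hits))
        if len(ssids) > max_ssids:
            reasons.append(f"answered {len(ssids)} distinct SSIDs")
        if reasons:
            findings[bssid] = reasons
    return findings

if __name__ == "__main__":
    for bssid, why in find_karma_like_aps(FRAMES, ["canary-7f3a9c1e"]).items():
        print(bssid, "->", "; ".join(why))
```

The canary check is the stronger signal: a legitimate access point has no reason to answer for a network name that was generated at random a moment ago.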
Sensepost developers tested their flying drone two weekends ago by flying it over people's heads on a sunny afternoon in London Fields, Hackney, and to their amazement, no one noticed the drone at all.
The drone is watching you
"In the old days, to hack someone you needed a laptop with a big antenna which would be really obvious, but now we're in the age of really small devices. We thought, can we apply an old-school Wi-Fi hack called Karma?" Sensepost's chief operating officer Daniel Cuthbert tells IBTimes UK.
Not only can the drone monitor your smartphone, but it's also very easy to track someone's movements and habits through their phone.
The firm first programmed an old Nokia N900 smartphone to become a spying device two years ago, put the device in their pocket and then spent some time hanging out in major London train stations: Liverpool St, Oxford St, Victoria and Kings Cross St Pancras.
While they blended in and sat having a coffee, the device picked up data from over 60,000 smartphones in the four stations.
Sensepost took the data and put it into Wigle, an open-source geo-location service. When they cross-referenced the data with Google Street View, they were then able to track all the people and their smartphones as they moved throughout the stations and beyond.
Turn off your Wi-Fi
"People put so much trust into the internet, it's mind-boggling. Stop putting so much trust in the internet. When you go out, turn your Wi-Fi off on your phone," Cuthbert warns.
"We want more pressure put on the developers of iOS, Android, Windows Phone and BlackBerry to improve security on smartphones. You wouldn't buy a car with poor security, why are we willing to do it with the internet?"
Cuthbert also warns against connecting to free public Wi-Fi if you're not sure where it's coming from.
"If you don't know who the Wi-Fi network belongs to, how do you know if it's malicious? Someone could be accessing your data and you don't know where it's going," he says.
Sensepost will be presenting their research at the Black Hat Asia cybersecurity conference in Singapore next week.
The firm is also working on non-security deployments of unmanned flying drones being used for crowd management and to collect data about people in a certain geographic location, so that advertisers can serve them targeted advertising.