Nite Team 4 and why Airplane Mode is a must on a subway

Hey hi hello! Today, I’d like to get to our topic through a semi-related topic: A game review to the question of privacy and travel. I will try to link to as many articles as possible so that this post has some value, but I assume that if you are really interested, you are one simple startpage/searx search away. The names are unique enough to show up on their own.

Firstly, yes, I do have my phone on me. I usually have either data or wifi on, but I turn off wifi pretty regularly when out and about. I’ll explain why later. On to the game review!

Recently, while going through another “Top 10 hacking games evurrrr” and looking for something relaxing I could finish, I stumbled upon the name Nite Team 4. I’ve seen it touted as a “Hacknet Sequel”, so I was curious. I enjoyed Hacknet, for all the mouse clicking. After some further inquiry, I found out that the game actually mentions several real-life hacking tools and is “as close to the pentesting process as it gets”. Since my pentesting process sucks big hairy balls, I bit the bullet.

And let me tell you, I was NOT disappointed. First surprise: There is the “Academy”, which is meant to get you up-to-speed on all the tech you have at your disposal. This tech includes exploits, fingerprinting tools, DNS searches etc. So far so regular, you need tools to do tasks and if it’s a hacking game, they should be hacking tools, right? Well, it gets better: After I checked out the column on the right while going through the DNS tools, I found the following:

Real life equivalent: DNSrecon Gobuster

What. the. fuck. Did this game actually tell me what to look for if I want to port my in-game knowledge to the real life? Now this is something I can get into! And that’s not the only occurance! One time, Agent Dylan (your mentor and colleague) casually mentions that you “borrowed an exploit from the NSA”. In the right column? ETERNALBLUE. The actual, real NSA tool that got exposed by Shadow Brokers. Not only that, there are 3 links to Wikipedia and other sites that talk about all of it!

Of course, this went over the top a bit, but as far as I’m concerned, none of that is untrue. All those exploits exist, FOXACID is a thing, XKEYSCORE is there, there’s even the Social Engineering Toolkit! And if you think it’s gonna be some clicky menus, you’re fucking WRONG. It’s really detailed to be like the SET, even down to the numbered menus! Press 1 to build an e-mail database, press 99 to go back. Aircrack is even there!

I swear there were several points where an “Oh fuck me” was heard. The fact of the matter is that many of the tools you use in the game exist and are used in real-life attack scenarios. It may not be as simple as it is in the game, but damn, who knows? The more you know about security, pentesting, and the tools groups like the NSA use, the more fun you will have playing this game, I can guarantee that much.

The last lesson in the Academy has you tracking a journalist in order to “ensure she doesn’t end up in enemy hands”. A noble cause, sure, but that’s not the point (I could be tracking a dog for all I care). The system you ultimately have to use is a flaw in smart billboard systems that track who is nearby. Using that and satellite imagery, I ultimately managed to get the BSSID and make of her phone, enabling me to use the “CID backdoor” to listen in on her conversation, read texts and anything else my heart desired.

This is the segue to the real-life implications. How viable is this approach in real life? I thought. Sure, I used to run airodump-ng on the subway, but that turned out boring since I didn’t want to invade privacy beyond that. Let us now go on a dark journey, Nite Team 4 style, and find out what a bored-enough individual can do. Not a company, not an agency, a single person with an internet connection, a laptop and some free tools.

The first meeting

Okay, the first meeting always goes like this: I’m sitting on the train, some poor sucker comes up and sits within the wireless earshot of my laptop. First tool: Aircrack-ng. The tool airodump-ng lets you scan for wireless networks in the vicinity as well as the devices connected to them… or not.

For those not in the know, this is the way your phone autoconnects to your home network: You connect to a network, save it with a password in your list. You do that with your home network, right? Well, from that time until you have your phone “forget” the network, every time your phone is on, it will constantly shout HEY, $HOMENETWORK, ARE YOU THERE? PLEASE, RESPOND! TELL ME YOU’RE NEAR! In your pocket, in your car, on the train, anytime you have your WiFi turned on, it’s shouting the name of any saved network. When the network is in range, it responds, and you can autoconnect. When it’s not, your phone is shouting into the dark… and I’m listening.

How your phone knows where it is

Every shoutout to a previously saved network, I record it along with the MAC address of the device. Again, for those not in the know, the MAC address is the unique device identifier of your wireless adapter. If you got a wireless card in your laptop and take it out, it’s written on the card. It looks something like this: DE:AD:BE:EF:CA:FE. The first three octets (DE:AD:BE, in this case) are the manufacturer. Every wireless card manufacturer gets their own unique set of octets to use in their devices. This means that by looking at the first three octets, you can pin down the make of the device you’re listening in on. The last three octets are usually randomized, think of it as a serial number of your device. Now that we got the dirty and incomplete MAC address 101, we continue.

WiGLE WiGLE WiGLE

Now, I have 2 pieces of data: A unique identifier of the person’s device and most likely a shoutout or two of previously connected-to networks. While useless in itself, we can use this knowledge to go deeper. Next tool: WiGLE. WiGLE is the user-generated WiFi map. You can download it for Android and map out your surrounding (this is called wardriving, if you want, look it up). Anyway, WiGLE can be used to geolocate a wireless network. You just make a throwaway account, search for the ESSID (name) of the network and you’ll get it! It’s really that easy. You can use Advanced search, where you put in the name of the city, the ESSID and you’re off! It lists out all the networks that fit your parameters.

If the network ESSID is specific enough (linksys might get you thousands of results), you got where the person lives. What does this imply?

(One more secret tip: If you get a wireless card and remove the antenna, you don’t lose all reception, you only lose a whole lot of distance, if the card allows it. Useless to connect to anything, but it makes it easy to tell who you’re picking up. You go from seeing the whole train carriage to people to either side of you.)

Implications

Now, we can trace a person’s phone/laptop/tablet to a place they frequent. Now, it’s all about setting up a WiFi Pineapple near the place where you want to meet them and wait for it to send you a heads-up about them being there. Alternatively, you may just use this knowledge to run a RogueAP attack and have them connect to your fake network. There are many other possibilities, but one thing is obvious: You are uniquely identifiable by using off-the-shelf, legal-to-own-and-use equipment. No warrants, no GSM hijacking, no IMSI catchers that cost thousands of dollars, just a wireless card, a laptop, and a common commute with someone.

Now, let us expand again: If I can do this on my own with shit I got for the price of a Huawei phone, imagine what a company, a hacker group, a government agency with much larger funds could do! The amount of data your phone tells about you is scary once you realize what it can be used for.

My advice is actively disabling your wireless radio every time you don’t need it or you know you won’t be connecting to anything. As for the cell radio, you can turn on airplane mode if you want and turn it on just for phone calls, but that may defeat the purpose of your phone. My advice is to turn on airplane mode if you’re going through a spotty reception (say, on the subway), because if you don’t get reception, your phone goes into overdrive and tries as hard as it can to find reception, since “there can never be no reception, that’s crazy-talk!”

Ending

Well then, this has been another wild ride. It’s really late, I’m really tired, so I cut it off. Hope you get something out of this (apart from the thought that I’m some sort of a weird-ass stalker, which I’m not, I swear).

See you in the next one!

-m