When I get to Vegas for DEF CON in a couple weeks, I'm going to record all the MAC addresses I see connected to WiFi networks. I'm also going to record everyone's Bluetooth low energy beacons from their phones, Fitbits, Tiles, and other objects. This is creepy and weird.
I mention this because in response to the "burner phone" debates, many have pointed out that you aren't as important as you think you are, and that nobody is going to burn 0day at @defcon. True, but there's gonna be shenanigans that stop short of full exploitation.
The @defcon WiFi is gonna be secure, with WPA-Enterprise, certificates, and port isolation. Of all the things you do at DEFCON, connecting to their WiFi is among the most trustworthy things.
On the other hand, MAC addresses come from the metadata in the headers that isn't encrypted. They are hardware IDs that identify your device no matter where you go, such as that terrorist in Berlin they are tracking with their MAC address.
Maybe instead your threat model is law enforcement instead of hackers. We are targets of surveillance and arrest because they believe they don't understand what we do and fear what they don't understand.
Your phone is a GPS tracker tied to you, with hardware IDs in both the phone hardware and the SIM (swapping to a prepaid SIM isn't enough). Law enforcement can easily get this data.
One argument against burner phones to avoid police surveillance is that if they are REALLY out to get you, even this isn't enough. They can tie the hardware IDs back to Amazon.com, or if you pay cash in a store, grab the surveillance video from the store.
Simply walking down the street with a burner phone in your pocket means the police can grab nearby surveillance video and stitch things back together. Or maybe record the fact that your real and burner phones were once together at the same location.
Or maybe they can stitch together license plate readers, GPS location, the credit card you used to pay for the cab, and of course the cab's surveillance video.
But here's the thing: their powers of surveillance are limited by cost. What they can do in theory is a lot less than they will do in practice. Minor effort on your part can greatly reduce what information they'll get about you in practice.
Here's a good question: what you know about Bluetooth pairing is out-of-date. Bluetooth low energy beacons are a separate thing that's likely still enabled even when you've turned Bluetooth "off" on your phone.
Here's a good question: what about evil twin WiFi attacks against the DEFCON WiFi? Well, they use certificates, so if you have the certificate installed, it won't work.
I mean, the scenario is when you don't have the certificate installed what happens, but then this applies to any network that has a slightly different name.
BTW, I looked up crime statistics. You have less chance of getting mugged/robbed in Vegas than the city where you are coming from, as far as I can tell. Sure, robbers would want to target tourists but the police have even more incentive to protect their tourism industry.
On the other hand, you are likely to drink heavier than normal, and are more likely to lose your phone/computer that way.
This person makes a joke, but maybe we should pay attention to it. Would Palantir send somebody to DEFCON/CCC conferences to enumerate the identifiers they broadcast from electronics? If I were them I would.
The point of this thread is that you probably don't have to fear targeted attacks or 0day, but there's a lot of opportunistic stuff going on that may make it worth our while to spend $19 for an Android "burner" phone.
This person asks whether I'm seriously going to be creepy and weird, or am I just pointing out that people can be creepy and weird in theory.
The answer is that I'm actually creepy and weird.
blog.erratasec.com/2018/08/what-c…
...frequently creepy and weird....
blog.erratasec.com/2017/09/state-…
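
The point above about MAC addresses sitting in unencrypted headers, shown as an added example that is not part of the original thread: it parses the fixed 24-byte 802.11 header of two constructed frames whose bodies are marked as encrypted, and reports whether the transmitter address is vendor-assigned (stable everywhere) or locally administered (what MAC randomization produces). All addresses and frame bytes are constructed sample values, and the function names are illustrative.

```python
import struct

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def mac_kind(raw: bytes) -> str:
    """Classify an address by the two low bits of its first octet."""
    if raw[0] & 0x01:
        return "group"                 # multicast/broadcast, not a device ID
    if raw[0] & 0x02:
        return "locally-administered"  # what OS-level MAC randomization sets
    return "globally-unique"           # vendor-assigned, stable across networks

def parse_header(frame: bytes) -> dict:
    """Parse the 24-byte three-address 802.11 header (data/management frames)."""
    if len(frame) < 24:
        raise ValueError("shorter than a three-address 802.11 header")
    frame_control, _duration = struct.unpack_from("<HH", frame, 0)
    transmitter = frame[10:16]         # Address 2
    return {
        "type": (frame_control >> 2) & 0x3,            # 2 = data
        "protected": bool(frame_control & 0x4000),     # body is encrypted
        "receiver": fmt_mac(frame[4:10]),              # Address 1
        "transmitter": fmt_mac(transmitter),
        "transmitter_kind": mac_kind(transmitter),
    }

def build_sample(station: str) -> bytes:
    """Constructed data frame: ToDS + Protected flags, opaque stand-in body."""
    bssid = bytes.fromhex("0a0000000001")
    dest = bytes.fromhex("0a0000000002")
    header = bytes.fromhex("0841") + b"\x00\x00" + bssid
    header += bytes.fromhex(station.replace(":", "")) + dest + b"\x00\x00"
    return header + b"\xde\xad\xbe\xef" * 4   # placeholder for ciphertext

SAMPLES = {
    "factory address": build_sample("00:11:22:33:44:55"),
    "randomized address": build_sample("da:a1:19:01:02:03"),
}

if __name__ == "__main__":
    for label, frame in SAMPLES.items():
        h = parse_header(frame)
        print(f"{label}: protected={h['protected']} "
              f"transmitter={h['transmitter']} ({h['transmitter_kind']})")
```

Both frames have the Protected bit set, yet the transmitter address is readable in each; only the second one changes from network to network if the device randomizes it.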
Subscribe to Robᵇᵉᵗᵒ Graham