Here’s what bugging your own office NSA-style can reveal

Eavesdropping. Image courtesy of Shutterstock.

In the past year many have grown increasingly incensed at news regarding pervasive surveillance.

Then again, many have yawned.

For those who remain unconvinced that National Security Agency (NSA)-style blanket surveillance might uncover anything that could come back to haunt them, Project Eavesdrop will hopefully be an eye-opener.

That’s the code name for a project designed by the US’s National Public Radio (NPR) news agency to find out just what, exactly, the NSA could see about a person if it cared to look.

The answer: a lot.

To get to that answer, Steve Henn, a reporter for NPR, had his office bugged.

NPR worked with Sean Gallagher, a reporter at Ars Technica, and Dave Porcello, a computer security expert at Pwnie Express, to have the internet traffic coming into and out of his home office in California tapped.

They set up the tap so as to mimic the broad, passive surveillance of internet traffic that’s done by NSA systems, and they let it run for a week.

The main systems devoted to that task of broad surveillance at the NSA are the Turbulence network monitoring system, which skims traffic off the internet’s fiber-optic backbone, and XKeyscore, an analytics database that processes the captured traffic, allowing NSA analysts to search emails, online chats and browsing histories of millions of individuals as they hunt for specific strings of text or patterns in data (email addresses, phone numbers, file attachments).

To achieve a miniaturized version of that, Gallagher went to Henn’s home office and plugged in a PwnPlug R2 – a little box that looks like a small Wi-Fi access point or router but is actually a penetration-testing piece of hardware designed by Pwnie Express and loaned to the team for the project.

That little, wireless box’s job was to basically capture all the data flowing to and from Henn’s computer and mobile phone, then to automatically sift and analyse the traffic.

Henn didn’t think he was working on anything particularly interesting or worth analysing.

There were no off-the-record sources to protect. Nor did the team have access to NPR’s systems; rather, they could only eavesdrop on Henn’s equipment as it chirped, peeped and chatted with the internet.

Not interesting? Boy, did his equipment chirp, peep and chat.

He wasn’t even touching his iPhone, which was just sitting on his desk.

But as soon as he and Gallagher plugged in the PwnPlug R2 router and the iPhone connected to the network, “a torrent” of data began to wash over the line, Henn writes.

Porcello, monitoring the traffic from his office in Vermont, was startled by the phone’s silent but perky activities.

Gallagher quotes Porcello as he ran down what he was capturing from the phone:

Whoa. Yep, there’s Yahoo, NPR... there’s an HTTP request to Google... the phone is checking for an update. Wow, there’s a lot of stuff going on here. It's just thousands and thousands of pages of stuff... Are you sure you’re not opening any apps?

Henn didn’t have to touch his iPhone in order for it to be alive and spilling information.

It turned out that the phone was running a slew of apps in the background: Mail, Notes, Safari, Maps, Calendar, Messages, Twitter, and Facebook – all of which were connecting to the internet.

Within just a few minutes of tapping Henn’s phone, the NSA wannabes were able to paint a surprisingly intimate portrait of the reporter, thanks in large part to the websites he had left open in the Safari web browser.

They saw, for example, what movies he was checking out for his kids, a weather report, and his work-related research, as reflected in his Google searches.

Henn quotes Porcello’s colleague, Oliver Weis:

People are walking around every day with these mobile computers in their pockets, and they have no idea what they are sending to the world.

First, the team simply sat back and watched Henn’s normal internet traffic. Then, they turned their tools to specific traffic created by leading web applications and services.

Once the actual eavesdropping really got under way, encryption kept some of Henn’s data from getting intercepted: corporate emails, Voice over IP phone (VoIP) calls, and other official communications.

That, by the way, is what should happen: encryption should be shielding our communications from interception. It should happen far more than it now does.

That’s why the recent Reset the Net day focused on using, demanding and improving encryption.

Unfortunately, encryption didn’t keep everything Henn did from seeping out where Project Eavesdrop could find it.

The team found that many popular internet services’ implementations of encryption don’t completely thwart eavesdropping.

One example: even though Google now encrypts searches by default, its PREF cookies, which track user identity separately from Google logins, leak data about users, given that they contain numeric codes that uniquely identify people’s browsers.

Gallagher points to The Washington Post’s coverage of how the NSA uses these unencrypted cookies, piggybacking on Google’s tracking of consumers to better target advertising, to pinpoint targets for its own tracking purposes as well as for offensive hacking.
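For site operators who want to check their own services for this kind of leak, here is an added example (not code from the article or from Project Eavesdrop) that audits `Set-Cookie` headers for long-lived identifier cookies set without the `Secure` attribute, which browsers will therefore also send over plain HTTP. The sample headers, the PREF value layout, and the 30-day and 8-character thresholds are assumptions chosen for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie values (not captured traffic). The PREF value
# layout shown here is an assumption made for illustration only.
SAMPLE_HEADERS = [
    "PREF=ID=1111111111111111:TM=1402000000; Expires=Sat, 04 Jun 2016 12:00:00 GMT; Path=/; Domain=.example.com",
    "SID=abcdef0123456789; Expires=Sat, 04 Jun 2016 12:00:00 GMT; Path=/; Secure; HttpOnly",
    "theme=dark; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lower-cased attributes)."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")  # value itself may contain '='
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def lifetime_days(attrs, now):
    """Cookie lifetime in days; 0.0 for session cookies or unparseable dates."""
    max_age = attrs.get("max-age", "")
    if max_age.lstrip("-").isdigit():  # Max-Age takes precedence over Expires
        return int(max_age) / 86400
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return 0.0
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return 0.0

def cleartext_identifiers(headers, now, min_days=30, min_len=8):
    """Return (name, lifetime in days) for persistent cookies lacking Secure."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            continue  # only ever sent over HTTPS
        days = lifetime_days(attrs, now)
        if days >= min_days and len(value) >= min_len:
            findings.append((name, round(days)))
    return findings
```

Any cookie this reports is a stable value that a passive observer on the network path can read and use to recognise the same browser across requests, even when the page content itself is served over HTTPS.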

During the course of eavesdropping week, the Project Eavesdrop team intercepted uncut interview tape, tracked Henn from site to site, scoured sites for email addresses and telephone numbers of interview subjects, and guessed what he was writing about in spite of Google’s default search encryption.

That, in fact, is a hint at what the NSA can find out about us through surveillance.

Naked Security often gets comments on stories about surveillance from those who can’t see what all the fuss is about.

A few excerpts of one such, from commenter Sizzle, regarding what admittedly seems to be a pretty innocuous data point:

Oh, the NSA can now see the picture of my tortoise that my girlfriend just sent me? I hope they enjoy it as much as I did.

The fact that you're still typing posts on here is either a) you're not a threat and haven't been thrown into a dirty cell b) they really don't care about you. I'd opt for the latter.

A photo of a tortoise: pretty trivial, right?

But as Mark Stockley replied to Sizzle, just because they might not care about you (or your tortoise) *today* doesn’t really mean much.

The broader point about pervasive data capture – as well as MAC address tracking by the likes of Nordstrom, Wi-Fi enabled trash cans in London, or Twitter tracking the websites you visit, for example – isn’t that everyone is being actively watched by interested agents but that data is being recorded and stored, possibly forever.

(Of course, that data can also be used by outfits that profit off its sale, such as Facebook, Google, data brokers, data-stealing botnets found in data brokers’ servers, etc.)

Maybe the entities collecting all this data are playing safely and honourably with it now, but we can’t predict what will happen in the future, which could entail:

  • Getting taken over by overlords that have different privacy policies and business models (case in point: Moves, the fitness app that changed its privacy policy within 11 days of getting acquired by Facebook);
  • Selling the data to someone else;
  • Losing the data to someone else; or
  • Aggregating apparently innocuous or anonymous data into some form that is neither.

There are too many organisations that are profiting from our data for us to shrug off surveillance, be it targeted on our buying habits, our locations, those with whom we communicate, or our tortoises.

If you didn’t tune in to Reset the Net on its official 5 June launch, you can still check out its Privacy Pack – a list of everyday software that uses encryption – along with its ways to turn on encryption you already have.

Like the Reset the Net motto says,

Don't ask for your privacy. Take it back.
