English

Long Product Life

View All Products

Factory Directly To Consumers And Eliminate Brand Premium

View All Products

Passed Iso- 9001- 2008 International Quality System Certification Andeu Ce Certification

View All Products

How Wi-Fi Spy Drones Snooped On Financial Firm - Slashdot

2022-10-15 13:53:21 By : Ms. Linda Lee

Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.

Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.

Why? You think they write down the serial number at Amazon when you order a drone? BestBuy sometimes does this for warranty/return fraud reasons but most retailers don't.

DJI does track this information. And Amazon probably does keep track of serial numbers on big ticket items.

There was a case [arstechnica.com] a few years ago where a helicopter and a DJI multicopters collided, and they found the owner of the multicopter based on the serial number on one of the motors that had gotten stuck in the helicopter.

Either way, DJI generally requires that you log into their apps, and from that, they'll know all the serial numbers, and possibly they'll know about all your flights and such.

Personally, I'd never suggest using DJI gear for anything criminal, they just keep too much data, and I'm not sure you can trust their disclosures about exactly what they keep and don't keep. That said, it might not be horrible if you were very, very careful about what information DJI and the place that you bought it (used might be wise) has on you, but you would have to be careful.

That's the point of collecting the data - it stops DJI getting a reputation for supplying criminals with untraceable drones.

They were quick to implement things like forced geofences around airports too. They realized early on that some people are asshats and the potential to end up getting regulated out of business was high.

That's the point of collecting the data - it stops DJI getting a reputation for supplying criminals with untraceable drones. They were quick to implement things like forced geofences around airports too. They realized early on that some people are asshats and the potential to end up getting regulated out of business was high.

That's the point of collecting the data - it stops DJI getting a reputation for supplying criminals with untraceable drones.

They were quick to implement things like forced geofences around airports too. They realized early on that some people are asshats and the potential to end up getting regulated out of business was high.

Unless the drone weighs less than .55 pounds (0.2494758 Kg), it has to be registered. https://www.faa.gov/uas/gettin... [faa.gov]

And since commercial entities don't want to be involved in illegal activities, yeah - they'll comply and make certain everything is traceable.

Perhaps if the perp bought all parts of the drone and other equipment for cash off a private seller, they'll be traceable. And then there is that MAC address issue. Spoofable yes, but I'll betchya the the owner of the computer with that address will get a visit. Owner being just a few miles away, drone had to be launched nearby - maybe a completely random coinkydink, but I doubt it.

I'd bet it's someone one knows, or knows of, the guy who had the MAC address. Why would you go to the trouble of the drone and spoofed MAC and then leave a calling card that points to you? I know lots of criminals are dumb, and that's how they get caught, but this simultaneously smart/dumb.

I'd bet it's someone one knows, or knows of, the guy who had the MAC address. Why would you go to the trouble of the drone and spoofed MAC and then leave a calling card that points to you? I know lots of criminals are dumb, and that's how they get caught, but this simultaneously smart/dumb.

Maybe. But I'll bet you the guy gets checked out anyhow, It's just a hellava coincidence, I can imagine the questions, like "Do you know anyone who might have figured out the MAC address of your computer?" And plays with Drones?

In addition, since the drone had a successful mission earlier, if the 4G card was in contact with Cell phone towers, they can track it that way. It is really difficult to work in a vacuum and leave no traces of yourself.

Registration is done by the owner, not the retailer. Source: I fly drones. Call me crazy, but I feel someone buying a drone for criminal use would NOT go to the FAA website and register it.

Registration is done by the owner, not the retailer. Source: I fly drones. Call me crazy, but I feel someone buying a drone for criminal use would NOT go to the FAA website and register it.

Yah, I fly drones and Model aircraft as well. But it's interesting to see that a lot of Slashdot users believe that the thing is impossible to trace. This is pretty intersting as the can't trace the 4G cellular signal, and that the Spoofed MAC address from a computer a couple miles away has nothing to do with anything.

Anyhow, I was just pointing out the legalities, and yah, I know that they probably didn't register it. But it's a hella leap from that to think that the ultimate untraceable attack vector

DJI does track this information.

DJI does track this information.

So don't register your account with real info. If you are going to perform corporate espionage, I don't think lying to a Chinese drone maker is going to bother you much.

And Amazon probably does keep track of serial numbers on big ticket items.

And Amazon probably does keep track of serial numbers on big ticket items.

Drones are not big-ticket items, and I can assure you, Amazon does not track their serial numbers. Even if they did, there are plenty other retailers and 2nd hand ways to get a drone without being tracable.

There was a case [arstechnica.com] a few years ago where a helicopter and a DJI multicopters collided, and they found the owner of the multicopter based on the serial number on one of the motors that had gotten stuck in the helicopter. Either way, DJI generally requires that you log into their apps, and from that, they'll know all the serial numbers, and possibly they'll know about all your flights and such.

There was a case [arstechnica.com] a few years ago where a helicopter and a DJI multicopters collided, and they found the owner of the multicopter based on the serial number on one of the motors that had gotten stuck in the helicopter. Either way, DJI generally requires that you log into their apps, and from that, they'll know all the serial numbers, and possibly they'll know about all your flights and such.

It is very easy to buy these drones with cash. Any Walmart and outlet mall where they are available will let you use cash.

But the purchase can be traced back to time and date, and Walmart and most malls have cameras everywhere... Sprinkle in a little facial recognition tech from your favorite alphabet soup agency and you can probably nail down the identity of the purchaser.

But the purchase can be traced back to time and date, and Walmart and most malls have cameras everywhere... Sprinkle in a little facial recognition tech from your favorite alphabet soup agency and you can probably nail down the identity of the purchaser.

Who is a straw buyer unconnected to the hackers.

But the purchase can be traced back to time and date, and Walmart and most malls have cameras everywhere... Sprinkle in a little facial recognition tech from your favorite alphabet soup agency and you can probably nail down the identity of the purchaser. And this can be further corroborated with logs of SIM card and/or wifi connections in the area. It's *a lot* harder to be anonymous than you think it is. Even if you pay someone to buy it for you they can probably pick your picture out when they are detained for "questioning".

But the purchase can be traced back to time and date, and Walmart and most malls have cameras everywhere... Sprinkle in a little facial recognition tech from your favorite alphabet soup agency and you can probably nail down the identity of the purchaser. And this can be further corroborated with logs of SIM card and/or wifi connections in the area.

It's *a lot* harder to be anonymous than you think it is. Even if you pay someone to buy it for you they can probably pick your picture out when they are detained for "questioning".

But each of the tracking methods mentioned have easy workarounds. Use cash. Don't carry a phone. Wear a throwaway hoodie and a Covid mask. And for extras, park your car half a mile from the parking lot.

It is very easy to buy these drones with cash. Any Walmart and outlet mall where they are available will let you use cash.

It is very easy to buy these drones with cash. Any Walmart and outlet mall where they are available will let you use cash.

So will those selling their used drone.

It is very easy to buy these drones with cash. Any Walmart and outlet mall where they are available will let you use cash.

It is very easy to buy these drones with cash. Any Walmart and outlet mall where they are available will let you use cash.

And every part of the device, the RPi, and other external stuff. All would require buying off a private seller for cash. And then there is the spoofed MAC address - from a legit one a few miles away.

I don't think the perp should think that they are completely scott free and untraceable.

Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.

Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.

Whomever sent that drone to the rooftop wasn't expecting it to fly home after, so if they were smart enough to build it they should be smart enough to pay cash or order online to anonymous drop box using a pre-paid credit card.

Maybe they were intending to fly it home after. It seems pretty clear that they had round-tripped it before, since the employee's credentials were hardcoded. Either the drone was flown to the employee's hypothetical other work location or it had been to the rooftop in the past. It sounds to me like they bumped something on the way down or just didn't notice when they were discovered.

Unless both of those drones were bought with cash it would be fairly easy to track down who bought them. Whomever sent that drone to the rooftop wasn't expecting it to fly home after, so if they were smart enough to build it they should be smart enough to pay cash or order online to anonymous drop box using a pre-paid credit card.

Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.

Unless both of those drones were bought with cash it would be fairly easy to track down who bought them.

Whomever sent that drone to the rooftop wasn't expecting it to fly home after, so if they were smart enough to build it they should be smart enough to pay cash or order online to anonymous drop box using a pre-paid credit card.

If they were so smart, they would have spoofed a MAC address that wasn't just a couple miles away from the Drone.

Of course, why soesn't someone here re-create the incident, then repoort back to us? 8^)

This hack could have been done just the same by someone infiltrating the cleaning company and just put the same equipment in a toolbox left on the roof or in any equipment closet.

Yes, using a drone reduce the need of the hacker to go physically, or hire someone to, but the summary already said the hacker had done internal reconnaissance for several weeks, so he had already successfully gained entry. The use of a drone seemed quite unnecessary.

cleaning company can also get into rooms with network switches or even plug something into the printer network line.

And for a properly secured network that won't matter either.

you can clone the printers mac and / or stick an 2 nic mini system inline.

And there's 0 reason why a printer would have access to anything production related other than being in the VPN for the printer server.

HP printers let you install an VPN on the printer / jet direct card? and what If the printers are managed by some 3rd party that does printers?

Network VPNs. You know. Network security wise separating your network. (Not the 'internet' kind).

You are correct. My brain's broken.

In any real company, janitorial personnel most definitely can NOT access data closets or on-site server rooms. Badge access and cameras in those spaces is the standard for anyone who has any sort of security oversight/regulation at all.

That is up to how the building is set up and some cases the janitorial personnel works for the building and the building staff may have keys to each door / that can by pass any Badge.

Maybe if the real company owns the building but in some cases that floor network switch may be in the same room with some janitorial / other storage As people may not want to be in an room with an lot of fan sound.

This hack could have been done just the same by someone infiltrating the cleaning company and just put the same equipment in a toolbox left on the roof or in any equipment closet.

This hack could have been done just the same by someone infiltrating the cleaning company and just put the same equipment in a toolbox left on the roof or in any equipment closet.

Definitely. And I have no doubt it has been done. But the drone makes it something story-worthy and that is why we get to read about it. Yes, this is stupid.

Recent changes in the company. Remember bad guys only have to be right one time. Defenders have to be right all the time.

Something doesn't add up here. They say that one of the drones was used to intercept a user's credentials. What credentials?

Connection to the WiFi network should be via WPA2 or WPA3, depending on if they need to support older devices. There is currently no known way to recover the pre-shared key for either of those. The only known attacks on them rely on already knowing the pre-shared key.

So it sounds like someone already had access to their WiFi network.

In any case, they should treat the WiFi as insecure. Someone's device with the pre-shared key could be lost or stolen. Any devices connecting over it should only have access to their VPN server and nothing else, and again if they are using up to date software there are no known attacks that can recover credentials for Wireshark or OpenVPN.

From a security standpoint, if someone can land on your roof then they can perform the same attack with a high gain antenna from a nearby location. The drones are a distraction, there is something badly wrong with their network.

I once did a war-walk in a building with all "RF shielding Glass". Turns out that was for the _last_ generation of wireless only and the current one got though it just fine. Even found one employee that had rented a flat about 300m away with line-of-sight and had the company wireless LAN at home with a somewhat high-gain antenna...

Countless times I have told people when they come into the office to work they should connect to the network using the network cable, not use the wireless. They give me that bug-eyed look of, "But wireless is so much easier" (because plugging a cable into the machine or docking station is so difficult).

This is just another example, and another reason, of why you use a hardwire at your work. While not in the financial sector, we do have a multitude of personal information which should not get out under any c

Countless times I have told people when they come into the office to work they should connect to the network using the network cable, not use the wireless. They give me that bug-eyed look of, "But wireless is so much easier" (because plugging a cable into the machine or docking station is so difficult).

Countless times I have told people when they come into the office to work they should connect to the network using the network cable, not use the wireless. They give me that bug-eyed look of, "But wireless is so much easier" (because plugging a cable into the machine or docking station is so difficult).

Why not put the wifi on one unroutable IP range and wired on another, 192.168.x.x and 10.x.x.x? Create no bridge between them. You don't plug in you have no access to the resources you need to do your work. Also white list the corporate, no access to social media. You can use your phone on breaks on the wifi for that.

Because I don't have that option. The network team controls this and they decided the entire building needs to have wireless rather than just the conference rooms.

Mind you, with everyone working from home, there is less than 100 people in the building which normally houses well over 1,000 people on any given day.

If it were up to me, there would be no wireless except the conference rooms.

Danny Ocean has entered the chat.

And move the C-suite away from the top floor...

This is an impressive plot for a thriller!

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Signal To Phase Out SMS Support From the Android App

Greece Runs On 100% Renewables For the First Time On Record

All power corrupts, but we need electricity.

Featured Products

News & Blog