Pwn Pulse: Patagonia Edition

As Product Manager, I have the great privilege of getting to sit in on a lot of demonstrations and on-boarding sessions. This past Tuesday was no different; I sat and watched my colleague provide a demo for a prospective customer. The material is quite familiar to me at this point, and so I wasn’t paying close attention until I saw a familiar name under the list of probes:

[Image: my wi-fi probes]

Now, seeing my computer show up in a Pulse demonstration wasn’t especially shocking — this kind of visibility is what Pulse excels at. However, this particular probe stood out because that SSID is for a hotel in Patagonia, Chile, a place I had visited six months prior. With a different phone. And a different computer. None of the items I carry in my possession now have ever been with me to Patagonia.

So why was it showing up in the list of probes now?

Perhaps naively, I used my long-standing iCloud account to set up my new computer, and with it came my cloud-backed Keychain, which also happened to store a historical record of every Wi-Fi network I've connected to in the last 2 years. Parents. Friends. Former jobs... All of it.

Looking at the probes from other devices in Pwn Pulse, I can see that plenty of people do this, as the average person in the United States generally has 3 Internet-connected devices on them at any point in time. Furthermore, the concept of “the office” has evolved to include home, the airport, and the local coffee shop. Even more alarming is the fact that the pool of networks my i-devices “trust” grows with every new connection I make, whether it’s on my phone, my tablet, or my laptop. The idea behind it is noble: you can move seamlessly from device to device with nearly no break in service or user experience. However, with this information, I can take any one of my i-devices back to any one of those Wi-Fi networks and my device would automatically connect (assuming the password hasn’t changed).
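To make concrete what a probe list like the one in the demo is built from, here is an added example (not Pwn Pulse code and not from the original post) that constructs a few 802.11 probe request frames, parses the SSID element out of each one and groups the named networks by transmitting device, which is all a passive observer needs to reconstruct a device's remembered-network history. The MAC address and the "hotel-patagonia-guest" SSID are constructed placeholders; "gogoinflight" is the network mentioned in the post.

```python
import struct
from collections import defaultdict

PROBE_REQ_FC = 0x40  # frame control byte 0: type 0 (management), subtype 4 (probe request)
BROADCAST = b"\xff" * 6

def build_probe_request(src_mac: bytes, ssid: str) -> bytes:
    """Build a minimal 802.11 probe request (used here only to construct sample frames)."""
    header = struct.pack("<BBH6s6s6sH", PROBE_REQ_FC, 0, 0, BROADCAST, src_mac, BROADCAST, 0)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()          # tag 0 = SSID element
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])        # tag 1 = supported rates
    return header + ssid_ie + rates_ie

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request frame, None for anything else."""
    if len(frame) < 24 or (frame[0] & 0xFC) != PROBE_REQ_FC:
        return None
    src = ":".join(f"{b:02x}" for b in frame[10:16])        # Address 2 = transmitter
    body, i = frame[24:], 0
    while i + 2 <= len(body):                                # walk the tagged parameters
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            return None                                      # truncated element, discard frame
        if tag == 0:
            return src, value.decode("utf-8", errors="replace")
        i += 2 + length
    return None

def probed_ssids(frames):
    """Map each transmitter MAC to the named networks it probed for (wildcard "" is ignored)."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed and parsed[1]:
            seen[parsed[0]].add(parsed[1])
    return {mac: sorted(names) for mac, names in seen.items()}

# Constructed sample capture: one laptop (locally administered MAC) probing for its remembered
# networks, plus a wildcard probe and a beacon that must be ignored.
LAPTOP = b"\x02\x00\x00\x00\x00\x01"
SAMPLE_FRAMES = [
    build_probe_request(LAPTOP, "hotel-patagonia-guest"),   # placeholder SSID
    build_probe_request(LAPTOP, "gogoinflight"),
    build_probe_request(LAPTOP, ""),                         # wildcard probe, reveals nothing
    b"\x80\x00" + b"\x00" * 22,                              # beacon header, not a probe request
]

if __name__ == "__main__":
    for mac, names in probed_ssids(SAMPLE_FRAMES).items():
        print(f"{mac} revealed {len(names)} remembered network(s): {', '.join(names)}")
```

Run against a real capture, every named SSID a device repeatedly asks for is a network it has saved, which is exactly the history the post describes seeing in the demo.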

Nice idea, but bad for privacy. Potentially bad for my company, too, but this is about me now. This information, combined with a little social engineering, could be exceptionally damaging in the wrong hands. Which begs the question: in a world of BYOD and CEOD (company/employer-owned devices), where do we draw the line between employee privacy and company-proprietary business? I don’t know the answer to that question, but I do know that I don’t want my whereabouts advertised to my company at all times just because my devices are thirsty. The crazy thing is, some of the probes on that list are for networks I’ve never connected to (sorry gogoinflight, I just don’t trust you), yet my phone attempted to connect to them while I had Wi-Fi turned on and there it goes… into the pool.

So what do I do about it, and what can you? Well, the first thing I did was to go back and remove all of those old networks from my keychain. Then I set my phone and computer to NOT remember networks, with the exception of one or two. Divorcing my computer from my iCloud account is the logical next step, but I'm not ready to go there yet. We'll call it separation anxiety.

I only came to this epiphany when I happened to be sitting in the right Pwn Pulse demo at the right time. I shudder to think about how many other people are spewing data like this about themselves without even knowing it.

My trip to Patagonia was awesome, by the way – thanks for asking.


1 reply

Don Kelloway says:

An excellent blog post and right on point! The opportunity to attack and often compromise a company, government or organization by leveraging the wealth of information disclosed is very, very easy. And it's unfortunate this is how many successful compromises begin.
