Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
My last two posts have touched on the privacy perspective in relation tomobile applications. This post continues on with that privacy theme, howeverlooking at the smart phone itself and how the constant polling to a mail servercan reveal your location and activity.
I was looking through my mail server logs for a specific entry, glancing over the usual brute force login attempts and those from successful users when it dawned on me how useful this information is. Forget what I was looking for initially, this is much more interesting.
So smart phones, you got to love them. They allow you to grab your e-mail from anywhere. Most mail settings are setup to "fetch" (or poll) IMAP/POP3 mail servers every 5-15 minutes. This polling reminds me of an infected host calling home to a botnet command and control server reporting its IP address. Now what is interesting about this is when you think of the polling element and its potential for tracking purposes. A smart phone is usually always on you so reflects where you are. Forget "Find my iPhone" and all that for a moment - that requires permission. Although the geo-location way of tracking people's locations that I'm about to discuss is not new, I'm looking at it from another perspective – a mobile one.
It is possible to use mail server logs and polling from a smart phone to determine a user's activity and ultimately track their location.
Let me give you some background.
When you access data from your smart phone over a cellular network you use your mobile network operator as a gateway. For example, if I access my webserver from my phone right now (using 3G) then 86.176.X.X will show up in the log files. This IP address belongs to "O2Online" which would make sense, as my mobile operator is O2.
Makes sense right?
Now most people have their smart phones jump on their wireless network when they get home, namely to save on data usage and because it's faster. If I now reload my web server's page on my smart phone my broadband IP address is shown - 86.140.X.X for the purposes of this post. My ISP British Telecom (BT) owns this IP address (BT-CENTRAL-PLUS).
So in my case, when the phone is out of the house it uses O2, when at home, BT. I also have a whole bag of preferred wireless networks which my smart phone could jump onto (karmameta sploit… but that's another story).
Now where in the world am I going with this?
Recall back to the start of this post where I stated smart phone mail clients would poll typically every 5-15 minutes to check for new messages. If I am able to read mail server log files (either through a compromise or malicious system administrator) then I can determine movements and ultimately a user's location. I look up all the IP addresses that the user is connecting from and can easily see which is the cellular IP and which is the broadband IP. Now I can tell whether the user is at home or not. I can also add to these locations based on additional wireless access points the smart phone connects to.
Let me show you a case study I carried out. The results are quite interesting.
A user, let's call him Winston, is followed over roughly a 5 day period, purely from analysing mail logs. Here is a snippet of his entries from/var/log/maillog. Beside each of them I have determined if he is at home or not(e.g. = HOME/NOT HOME) based on the IP address owner.
Sep 16 11:52:21 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 11:52:54 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 12:23:40 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 13:24:38 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 13:25:13 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 14:27:37 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 15:39:58 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 16:40:32 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 17:42:23 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 18:47:08 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 18:47:42 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 19:48:13 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 21:51:16 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 21:51:51 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 22:52:30 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 16 23:53:05 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
Sep 16 23:53:48 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=90.198.X.X, lip=1.1.1.1, TLS = HOME
Sep 17 08:13:55 gibson dovecot: imap-login: Login:user=<winston>, method=PLAIN, rip=82.132.X.X, lip=1.1.1.1, TLS = NOT HOME
---CUT FOR BREVITY---
Let's look at the graph below, as it is more interesting than a load of log entries. I am aware it looks like piano keys, but bear with me.
(A) On 16th September you can see the smart phone check in from the user's broadband and mobile network. This is a Sunday so no doubt Winston was going about his leisurely business.
(B) On 17th September, a Monday no less, you can see that Winston is at work due to not being at home between the hours of 9-5. However, he appears to be running a little late as he is still at home at 09.06. Winston walks through his front door at 17:04.
(C) At 19:59 his smart phone checks e-mail from a pub's wireless hotspot– this is highlighted as number 2 on the graph. It flicks between the mobile network and the wireless (pub/not home) during his time there. I'm guessing caused by going out of the wireless hotspot range – cigarette breaks? At 23:34 he is back home.
(D) The same happens again on Tuesday 18th September – he is out most of the day, as you'd expect for a working week. However, Winston leaves the house a little earlier this time at 08:08. Home again at 17:02, like clockwork.
(E) Wednesday 19th September, 07:42 leaves home. 17:06 back home.
(F) Thursday 20th September, 08:05 leaves home. 16:40 back home, an early one!
Your mail server logs reveal a wealth of information about you. So do web server logs also, right? However, the constant predictable polling (fetch) that mobile mail clients carry out make it possible to get constant updates of activity/location unlike the odd web server request. I'm also not able to track you as easily through web server logs, whereas you supply a username when you log into the mail server so I know right away.
Not keen on your activity/location being tracked via your mail server? Turn off wireless on your smart phone so that mail is always accessed over your mobile network operator's gateway. A little extreme some may say, but if you value your privacy then this is something to explore. One would hope that employers are behaving ethically and wouldn't use this type of information to the detriment of employees.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.