This blog post details how basic image forensics tools and techniques can be used to track you down and break into your digital assets.
Back in 2012 John McAfee was in the international spotlight: he was trying to escape Belize after being singled out as a person of interest in the murder of his next-door neighbour. After he left Belize, one of VICE News' reporters uploaded a photo of McAfee and himself, and the photo unintentionally blew McAfee's cover. Its metadata pinpointed McAfee in Guatemala, not in Belize where he was claiming to be, in what we can guess was an attempt to throw the Belizean authorities off his trail. Despite this blunder McAfee managed to escape safely to the US (if you are interested in the full story you can find it here).
This example has stuck in the back of my mind since it occurred. If mobile phone photo metadata could be used in an international manhunt, could it be used by determined hackers to compromise your digital identity? No doubt.
Part 1: What our data says about us
To test my hypothesis I set out to find what information is actually stored in your pictures, so on a lazy Sunday afternoon I went for a drive to a remote park (well away from where I live, in case somebody reads this post and gets some ideas). The park has an impressive hill right in the middle which gives you a view of Sydney in the distance, so to get this experiment running I would take two photos: one from the hill and a second near the park's entrance on my way back out, to see what information we could infer from the metadata.
After I had gathered all of the raw data for this experiment I used exiftool to extract the necessary metadata. exiftool is a command line tool, but if you're without a PC or a device with command line access there are a number of web-based tools that let you do all of this on-line; one example is http://www.imageforensic.org/.
exiftool usage:

```
$ exiftool -a -u /home/sleuth/example.jpg > /home/sleuth/example.txt
```
The above command extracts all of the image metadata into a text file, which is handy if you want to come back and examine the output later.
So here it goes. Below is photo 1; if you look at where the arrow is pointing, that's roughly where I would take photo 2 from:
I have hand-picked some of the information I need for this example below:
```
Lens Make                       : Apple
Lens Model                      : iPhone 5 back camera 4.12mm f/2.4
...
GPS Altitude                    : 138.5 m Above Sea Level
GPS Latitude                    : 33 deg 51' 49.34" S
GPS Longitude                   : 150 deg 51' 41.72" E
GPS Position                    : 33 deg 51' 49.34" S, 150 deg 51' 41.72" E
Image Size                      : 3264x2448
Scale Factor To 35 mm Equivalent: 8.0
Shutter Speed                   : 1/1043
Create Date                     : 2014:12:28 15:06:23.872
Date/Time Original              : 2014:12:28 15:06:23.872
```
Below is photo number 2:
Now let's look at the GPS metadata in photo 2:
```
Lens Make                       : Apple
Lens Model                      : iPhone 5 back camera 4.12mm f/2.4
...
GPS Altitude                    : 137.8 m Above Sea Level
GPS Latitude                    : 33 deg 51' 46.91" S
GPS Longitude                   : 150 deg 51' 26.61" E
GPS Position                    : 33 deg 51' 46.91" S, 150 deg 51' 26.61" E
Image Size                      : 3264x2448
Scale Factor To 35 mm Equivalent: 8.0
Shutter Speed                   : 1/2088
Create Date                     : 2014:12:28 15:13:39.239
Date/Time Original              : 2014:12:28 15:13:39.239
```
So what can we do with this information? For a start, you can find out exactly where I was by plotting the GPS points on a map:
From the two positions and the two timestamps we can then infer:
- Mode of transport
- How long it took me to reach the point I took photo 2 from
- Place or business I was at
- How I got there
All of this interested me, but two photos of a park might not have that many privacy and security implications. So I thought: what if I took a multitude of photos over the course of a day as I went about my daily routine? That should provide enough information for somebody to mount something like a spearphishing campaign against somebody else, or plan something sinister. So on the next day I set out to see what I could do ...
So on the next day I began running my errands while posting photos at random intervals to Facebook. Below is a summary of my four posts:
| Image | GPS Position | Date/Time Original |
|---|---|---|
| Photo 3 | 33 deg 48' 43.27" S, 150 deg 56' 48.01" E | 2014:12:29 09:54:48.367 |
| Photo 4 | 33 deg 49' 0.88" S, 151 deg 0' 10.00" E | 2014:12:29 10:03:52.997 |
| Photo 5 | 33 deg 46' 4.53" S, 150 deg 54' 7.83" E | 2014:12:29 11:16:48.427 |
| Photo 6 | 33 deg 46' 13.10" S, 150 deg 54' 23.38" E | 2014:12:29 11:58:31.255 |
Due to the sensitivity of posting some of these images I have blacked out sensitive material where possible.
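The inferences listed in part 1 (distance, elapsed time, mode of transport) fall straight out of the "GPS Position" and "Date/Time Original" fields above, both for the two park photos and for the four Facebook posts in the table. The script below is an added example written for this post, not the author's code and not part of exiftool: it parses exiftool's deg/min/sec strings into decimal degrees, uses the haversine formula for the distance between consecutive photos, and divides by the elapsed time to estimate how the photographer was moving. The six records are the values quoted in the post; the speed thresholds in `classify_speed` are an assumed rule of thumb, not something the post states.

```python
"""Infer movement from the GPS and timestamp fields exiftool printed.

Added example for this post (not the author's code and not part of
exiftool). The six records below are the values quoted in the post; the
speed thresholds in classify_speed are an assumed heuristic.
"""
import math
import re
from datetime import datetime

# exiftool prints coordinates as e.g.  33 deg 51' 49.34" S
DMS_RE = re.compile(r"""(\d+) deg (\d+)' ([\d.]+)" ([NSEW])""")


def dms_to_decimal(text):
    """Convert one exiftool DMS string to signed decimal degrees (S/W negative)."""
    m = DMS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an exiftool DMS string: {text!r}")
    deg, minutes, seconds, hemisphere = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemisphere in "SW" else value


def parse_position(text):
    """Split exiftool's 'GPS Position' field into a (lat, lon) pair."""
    lat_text, lon_text = text.split(",", 1)
    return dms_to_decimal(lat_text), dms_to_decimal(lon_text)


def parse_exif_time(text):
    """Parse 'Date/Time Original' as exiftool prints it: YYYY:MM:DD HH:MM:SS.fff"""
    return datetime.strptime(text.strip(), "%Y:%m:%d %H:%M:%S.%f")


def haversine_m(p1, p2, radius_m=6_371_000.0):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, p1)
    lat2, lon2 = map(math.radians, p2)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = (math.sin(dlat / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2)
    return 2 * radius_m * math.asin(math.sqrt(a))


def classify_speed(mps):
    """Rough transport guess from average speed (assumed thresholds, not from the post)."""
    if mps < 2.5:
        return "on foot (or stopped for part of the interval)"
    if mps < 8.0:
        return "cycling or slow traffic"
    return "motor vehicle"


def movement_between(photo_a, photo_b):
    """Distance, elapsed time, average speed and a transport guess between two photos."""
    distance = haversine_m(parse_position(photo_a["GPS Position"]),
                           parse_position(photo_b["GPS Position"]))
    seconds = (parse_exif_time(photo_b["Date/Time Original"])
               - parse_exif_time(photo_a["Date/Time Original"])).total_seconds()
    if seconds <= 0:
        raise ValueError("photos must be given in chronological order")
    mps = distance / seconds
    return {"distance_m": distance, "seconds": seconds,
            "speed_mps": mps, "guess": classify_speed(mps)}


# Field values copied from the exiftool output and the table in the post.
PHOTOS = {
    1: {"GPS Position": "33 deg 51' 49.34\" S, 150 deg 51' 41.72\" E",
        "Date/Time Original": "2014:12:28 15:06:23.872"},
    2: {"GPS Position": "33 deg 51' 46.91\" S, 150 deg 51' 26.61\" E",
        "Date/Time Original": "2014:12:28 15:13:39.239"},
    3: {"GPS Position": "33 deg 48' 43.27\" S, 150 deg 56' 48.01\" E",
        "Date/Time Original": "2014:12:29 09:54:48.367"},
    4: {"GPS Position": "33 deg 49' 0.88\" S, 151 deg 0' 10.00\" E",
        "Date/Time Original": "2014:12:29 10:03:52.997"},
    5: {"GPS Position": "33 deg 46' 4.53\" S, 150 deg 54' 7.83\" E",
        "Date/Time Original": "2014:12:29 11:16:48.427"},
    6: {"GPS Position": "33 deg 46' 13.10\" S, 150 deg 54' 23.38\" E",
        "Date/Time Original": "2014:12:29 11:58:31.255"},
}

if __name__ == "__main__":
    for a, b in ((1, 2), (3, 4), (5, 6)):
        r = movement_between(PHOTOS[a], PHOTOS[b])
        print(f"photo {a} -> {b}: {r['distance_m']:.0f} m in {r['seconds']:.0f} s, "
              f"{r['speed_mps'] * 3.6:.1f} km/h, looks like: {r['guess']}")
```

Run as a script it prints one line per pair. Photos 1 and 2 come out at roughly 395 m apart with just over seven minutes between them, a walking pace; photos 3 and 4 are about 5.2 km apart with nine minutes between them, which only a vehicle explains; photos 5 and 6 are a few hundred metres apart with forty minutes between them, which reads as a long stop (the restaurant) rather than travel. That is the whole point of the post's part 1 in a dozen lines of arithmetic: the timestamps turn a set of points into a timeline.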
Part 2: How an attacker could use this information to Hack you
So you may be asking yourself: how could somebody hack me with the information collected in part one? To answer that we are going to look at a technique referenced at the start of this post which has risen to prominence in recent years: spearphishing.
So what is spearphishing?
Spearphishing is a subset of phishing, where miscreants with malicious intent attempt to gather as much sensitive information as possible; common examples include:
- Bank details
- Credit card info
Phishing accomplishes this by posing as somebody trustworthy, like your bank or the IT department at work. Phishing is at its heart a numbers game (you try to get as many details as possible, not the details of any one person). Spearphishing is the opposite: it is usually not about getting as many credentials as possible (although groups can be targeted via spearphishing) but about getting the credentials of a fairly small group, down to an individual. This makes spearphishing an ideal choice for attackers wanting to compromise your online identity specifically.
So how does spearphishing work?
Much like a standard phishing campaign, one of the simplest tools to use is email. In this example we will be using an unsophisticated approach, crafting an email manually. There are, however, many tools built specifically for this; one example is SET (the Social-Engineer Toolkit), which I will cover in a later blog post or posts, depending on how many scenarios I decide to cover (likely more than one).
So to figure out the best place to target, I looked at the four images I had posted to Facebook. For this example I chose the last photo, as it was taken at a restaurant (all logos and trademarks have been blacked out). This was by far the easiest way to target somebody, but even unsuspecting photos could provide ammunition for resourceful attackers.
So to begin the hack I created a web page on a PC inside my home network. In the real world an attacker could make this a public page and fill it with malware, but for this example it is a simple, plain, benign page.
Secondly, I took a look at the restaurant's web page and crafted an email that would appear to come from that restaurant, with a link to the web page created earlier. The whole email took about 10 minutes to create and I did it with MS Paint.
Thirdly, how do we get a user's email address? Normally these are hidden on your Facebook page; for this example I am going to take a small leap of faith for simplicity's sake and imagine that the email address is public. That aside, there are plenty of ways an attacker could be clever and find a user's email address (there are numerous websites and blog posts dedicated to this).
With these steps completed I sent the email:
Notice the IP address link? Good: don't ever click links that look like this. Now what happens when I click the link to see the new menu?
That doesn't look promising for whoever opened the link.
That is one of many ways a user’s Facebook posts could be used to hack them.
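The tell-tale the post points out, a link whose target is a bare IP address rather than the restaurant's domain, is something a mail filter or a careful reader can check mechanically before anyone clicks. The following is an added example written for this post, not code from the author or from any mail product: it pulls every `href` out of an HTML message body using only the Python standard library and reports links that go to an IP literal, plus links whose visible text names one host while the `href` actually goes somewhere else (the other classic phishing trick). `SAMPLE_EMAIL` is a constructed body modelled on the post's fake "new menu" message; the addresses in it are made up.

```python
"""Flag email links that point at a bare IP address or disguise their target.

Added example, not code from the post. SAMPLE_EMAIL is constructed and every
host name and address in it is made up.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_ip_literal(host):
    """True for '192.0.2.7', '[2001:db8::1]' and the like; False for a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, reason), ...] for links a reader should not click blindly."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host_is_ip_literal(host):
            findings.append((href, "link target is a bare IP address"))
            continue
        # If the visible text itself looks like a URL or host name, it should
        # agree with where the href really goes.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown and shown.lower() != host:
                findings.append((href, f"text shows {shown!r} but link goes to {host!r}"))
    return findings


# Constructed sample modelled on the post's fake "new menu" email.
SAMPLE_EMAIL = """
<html><body>
<p>Dear valued customer,</p>
<p>Our new summer menu is out!
   <a href="http://192.168.1.20/menu.html">Click here to see the new menu</a></p>
<p>Book a table at <a href="http://menu-updates.example">www.real-restaurant.example</a></p>
<p><a href="https://www.real-restaurant.example/contact">Contact us</a></p>
</body></html>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

On the sample body the first two links are reported and the third is clean. The check is deliberately narrow: a raw IP target or a text/target host mismatch is a strong signal, but a phishing link on a look-alike domain passes it, so treat this as one filter among several rather than a verdict.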
Part 3: How we can defend against this
While researching the content for this post I found some handy tips:
- Don't post anything personal on-line.
- Disable geo-location on your smartphone / tablet.
- Try to limit what you are posting on social media.
- Scrub metadata off anything you upload.
- If you want to upload photos, use Instagram: I found that Instagram removes most of the detailed metadata contained in your photos.
- Use aliases or fake names on the Internet to avoid identification.
- This was all completed on my own private network; doing this outside of a network you own is probably illegal, so don't do it.
- While I used an iPhone for all of the photo activities in this post, this could happen to you just as easily with an Android or Windows phone; links on how to turn geo-location off on these platforms are in the resources section above.
- Most email clients block images; to get this example to work I specifically had to click a link to view the images in the email.
- Shortly after writing this article I discovered that a tool called Creepy exists, built to do all of these location-tracking activities for you: http://ilektrojohn.github.io/creepy/
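"Scrub metadata off anything you upload" is the one item on that list you can verify for yourself, and it helps to see what scrubbing actually removes. The script below is an added example written for this post, not the author's code and not how exiftool is implemented. A JPEG is a sequence of marker segments (0xFF, a marker byte, then a two-byte big-endian length that counts itself) ahead of the entropy-coded scan data; the camera metadata shown earlier, GPS fields included, lives in the APP1 "Exif" segment. The walker copies every segment except APP1 to APP15 and COM, then copies the scan data through to the end-of-image marker unchanged, so the pixels are untouched. `SAMPLE_JPEG` is a constructed, minimal JPEG-shaped byte string, not a real photo.

```python
"""Strip EXIF and other metadata segments out of a JPEG with only the stdlib.

Added example, not code from the post. SAMPLE_JPEG is a constructed byte
string shaped like a JPEG, not a real image.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP15, COM, DQT = 0xE0, 0xE1, 0xEF, 0xFE, 0xDB


def _segment(marker, payload):
    """Build one marker segment: FF <marker> <length incl. its own 2 bytes> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def strip_jpeg_metadata(data, keep_jfif=True):
    """Return a copy of `data` without APP1..APP15 (Exif, XMP, ...) and COM segments.

    The APP0 JFIF header is kept by default because some decoders expect it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        if data[pos + 1] == 0xFF:      # fill byte, permitted before any marker
            pos += 1
            continue
        marker = data[pos + 1]
        if marker == SOS:
            # Everything from SOS onwards is the compressed scan: copy it verbatim.
            out += data[pos:]
            return bytes(out)
        if marker == EOI:
            out += data[pos:pos + 2]
            return bytes(out)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        is_metadata = (APP1 <= marker <= APP15 or marker == COM
                       or (marker == APP0 and not keep_jfif))
        if not is_metadata:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS or EOI marker found")


def has_exif(data):
    """Cheap check for the identifier that starts an APP1 Exif payload."""
    return b"Exif\x00\x00" in data


# Constructed sample: SOI, JFIF APP0, an Exif APP1 (fake TIFF header plus a
# recognisable GPS string), a COM comment, a DQT stub, then SOS, scan data, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08" + b"GPSLatitude 33 deg 51' S")
    + _segment(COM, b"shot on my phone at the park")
    + _segment(DQT, b"\x00" + bytes(range(64)))
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\x56\x78\xff\x00\x9a"       # fake scan data (FF 00 is a stuffed byte)
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print(f"before: {len(SAMPLE_JPEG)} bytes, has Exif: {has_exif(SAMPLE_JPEG)}")
    print(f"after:  {len(cleaned)} bytes, has Exif: {has_exif(cleaned)}")
```

For a real file, `strip_jpeg_metadata(open(path, "rb").read())` gives you the cleaned bytes to write back out; re-running the post's `exiftool -a -u` command on the result is the easiest way to confirm the GPS block is gone. For everyday use exiftool's own `-all=` option does the same removal without any scripting, and it keeps the untouched original alongside the cleaned file unless told otherwise.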
Please let me know if you found this article useful, or if you didn't; leave a comment below to let me know another area you would be interested in reading posts about.