Seven months ago, Ars documented CreepyDOL, a low-cost, distributed network of Wi-Fi sensors that stalks smartphone-toting people as they move about neighborhoods or even entire cities. As each node is small enough to be slipped into an overlooked nook at the nearby gym, cafe, or break room, the system can assemble a shockingly detailed dossier of personal data, including the schedules, e-mail addresses, personal photos, and current or past whereabouts of the person or people it monitors.
Now, CreepyDOL—short for Creepy Distributed Object Locator—is about to be outdone by a newly updated DIY stalker device that has the potential to collect orders of magnitude more data from people. Dubbed Snoopy, it can track not only Wi-Fi, but also signals based on radio frequency identification (RFID) and the Bluetooth and 802.15 specifications. Combined with a GPS card that correlates signals to the location where they're detected, the capabilities let Snoopy spy not only on phones, tablets, and computers, but also, potentially, on pacemakers, fitness bracelets, smartcards, and other electronics. Plus, the geographically aware Snoopy can also be mounted on a low-cost aerial drone so it can locate and maintain radio contact even when subjects are on a morning run or situated in a high-rise building, a country inn, or some other out-of-the way location.
The researchers behind an earlier version of Snoopy that tracked only Wi-Fi signals have already used it to track more than 42,000 unique devices during a single 14-hour experiment in 2012 at the King's Cross train station in London. They have also unleashed Snoopy in a variety of other environments over the past two years, including at several security conferences. By taking careful notice of the Wi-Fi networks the devices have previously accessed (and continue to search for), the researchers were able to detect likely relationships among users. Four devices that hailed an SSID that the researchers geolocated to a London branch of one of the UK's largest banks, for instance, were presumed to belong to coworkers of the financial institution.