CreepyDOL Is Really, Really Creepy
Anything called CreepyDOL is likely to give people the chills, but the chills the titular CreepyDOL gives won’t be based in irrational fears. CreepyDOL stands for Creepy Distributed Object Locator. It works with some delightful hardware called F-BOMB, for Falling or Ballistically Launched Object that Makes Backdoors. Together, these devices make it possible to use Wi-Fi networks to collect identity and location information for most anyone with a smartphone or other mobile device, whether they connect to those networks or not.
Brendan O’Connor got creeped out by his own CreepyDOL when he tested it and, once the workings are understood, it’s not hard to figure out why. The CreepyDOL is really a collection of sensors. F-BOMBs are small—as in easily concealed—devices that communicate with the CreepyDOL system. The system takes information that is freely given up by mobile devices. For instance, if you have a VPN service on your iPhone or other mobile device, there is a short delay before the device connects to the VPN after it connects to a Wi-Fi network. In that short amount of time, your MAC address and other information may be shared over the network without any encryption.
Take all of this information from a variety of different locations and you can put together a very complete picture of just about anyone. The F-BOMBs communicate whatever information they gather over a secure network. This is communicated to the main node on the system, which can be located on the network of the person using the system. This information is updated constantly and, because all of the nodes can communicate information independently, taking one down does not destroy the system.
An article in Ars Technica covers all of this and details how a stalker, a spy or anyone else with this system could easily keep tabs on someone without the victim ever knowing it. By distributing a few F-BOMBs in a neighborhood, for instance, information could be gathered from the target’s—and other people’s—mobile devices on an ongoing basis. O’Connor himself found his first name, a picture of himself and a dating site he uses among the information he gathered on himself during his tests.
Avoiding the CreepyDOL
If one person has come up with an idea like this, it’s likely that others have, as well. The best way to avoid this type of spying is to turn off your Wi-Fi connection on your mobile devices when you’re away from your home, never use public Wi-Fi and make sure you use your VPN connection when you’re at your own house.