Breaking Into a Home With an iPhone

This is going to be one of these quick posts which just makes you think what the information security landscape will be like in 5 years. Before I move on with my commentary, here is a video which is essential for you to watch.

Got the idea? No? Let me explain. What you see in the video above is an application for the iPhone which gives you detailed characteristics of properties (houses) in USA. You can either search the map or just use your GPS coordinates to get information such as price of the house, number of floors, number of rooms, pictures taken from inside the house if the house was part of any register (letting agencies etc.) before you moved in, and other interesting information.

This is the kind of information gathering you see only in the movies. I won't be surprised if future versions of these kind of applications can pool even essential blueprints which show not only how the house was constructed from architectural point of view but also show the power and gas grids and perhaps even any other wiring such as telephone, coaxial, etc.

All of this information is also available through easily accessible APIs. Perhaps these APIs are not publicly known but anyone who can run a sniffer most certainly can get hold of the URLs and their formats. Now mash this APIs with any other tool such as one that correlates IP address to physical location (not very accurate btw) or better yet a wardriving tool and you have a infowar machine in your pocket that will make any criminal organization proud of.

This was the main purpose of my Web2.0 talk/research from two years ago. Back then I made a very simple analogy which I would like to bring once again. When the email was invented nobody even suspected that it will be used for things such as spam and malware. That was something unimaginable. Today spam is the fastest growing criminal industry and malware delivered over email is the most successful one. In summary, we cannot foresee how a technology will be used/abused. That depends on the imagination of the people.

The same goes for the Web2.0 meme. The more we use it, the more ways we will find to abuse it. However it is also important to say that the more we use it the more accustomed we will become to it. Therefore, when the shit hits the fan there will be very little that we can do.

The reason I am bringing this up is not because I would like to start even more FUD around the Web2.0 mem but it is time for us to stop looking into the technical aspects and start thinking in terms of technologies that affect normal people. Sometimes, we just lack the realism and we fail to spot the obvious problems.

Archived Comments

Alexander Sverdlov

as much as I like your blog, this is overreacting. A stone can be used to kill or sit on - are stones to be banned or considered a security vulnerability, writing articles on the danger of having stones just lying around on the streets? Same way, an application giving you useful information can be used in thousands of ways - if only one of them can be used for malicious purposes, you should prosecute the criminal, NOT the application. You can't ban all useful web 2.0 apps, just because some jerk will start using it for bad things. Higher punishment for crime and real prosecution of criminals - that is what we need more than panic over the possible uses of all great apps and devices we have around.

pdp

Hi Alexander, Thanks for the comment. I just want to make clear that some of the posts are not meant to point and expose security issues but to start a dialog. I saw the video and I thought that it is an interesting thing that can be shared. My aim is not to ban applications :) but rather than elaborate how these applications, that data that is out there but yet undiscovered, can be used to create insecure situations or scenarios.

Jason

Just to add on to this, Zillow allows pretty much anyone to create a developer account to access their APIs. I signed up for it once upon a time and iirc, all I needed was a valid email address. You get a token to use to authenticate your calls to their app and then you are good to go.

David G from Zillow.com

Hi, this is David from Zillow, I must agree with Alexander. Property information is actually part of the public record in the US. We as a society decided that things like property taxes and transactions would be more likely to be fair if they were publicly recorded. Zillow uses that information and additional details posted by our users to empower home-shoppers with data and functionality useful for selling, buying and financing a home. We are certainly sensitive to owners' privacy concerns (which vary greatly.) Ownership information, for example, is also part of the public record, but Zillow selects not to display it. As we've seen from the success of the Zillow iPhone app, people find the real estate data Zillow publishes very useful while visiting homes for sale ... or simply walking around the neighborhoods. Nothing sinister about it!

pdp

Hi David, Thanks for stopping by. Please do not interpret my efforts to start a conversation as a personal attack against Zillow. Your video just happened to grab my attention. You are correct that Zillow provides already public information. That's not the problem. The problem is that this information, regardless how harmless it my look to you, could be used for sinister purposes when combined with other sources of information and tools. In other words, your application, although obviously useful to many, facilitates easier research for malicious purposes. Zillow is among all other web2.0 enabled services out there. I am not arguing that we should abolish these tools and stop using them because of security and privacy concerns. I am only arguing that the web2.0 meme facilitates a different kind of future which mostly relays on openness. I am also arguing that web2.0 tools facilitate that openness in an unimaginable ways. And that is my only argument. Keep in mind that I am not anti-web2.0 person. I am running web2.0 infrastructures myself in other projects unrelated to GNUCITIZEN.

Banana

I have to agree to pdp. (although the responds from Alexander and David are also valid) But as pdp already say, at the start of the e-mail nobody thought if missusing it. And now everybody is aware of the Spam. This can happen to this application too. I would also go this far to say that with everyinformation you can do harm or not. It is up to the ppl to decide what to do. And it is also up to us to whatch over what ppl are doing with information since information can also be used as a "weapon". It would be foolish to believe that information will only be used for the purpose it was created. Banana

rvdh

I agree PDP. useful for terrorists, Scheier always thinks this stuff is movie plot material, well guess what 9/11 was no movie plot, it happened due to technological advancements. Information in that sense is power. But as always, we think it's innocent untill it gets abused.

rwnin

this issue lines up with my latest blog post ( http://rwnin.blogspot.com/2009/04/effective-selective-near-real-time-mass.html ) in the sense that prior to the internet this type of information was kept secret mainly via obscurity and the difficultly in performing the recon. nowadays, all that info is dumped into databases and apps like zillow make it accessible. it isn't really a new vuln, because attackers can do recon with or without zillow. the bar is just lowered for attackers and raised for defenders. traditional home defenses beyond obscurity (locks, alarms, dogs, weapons, piles of dirty underwear, etc) don't loose effectiveness when zillow is introduced. thusly, it kinda reinforces that obscurity isn't defense, but is more like keeping off the radar... imho :)

Elisha Grey

After downloading the app and takeing a look at its features the thing most apparent is this "isn't the movies" The street names in the area surveyed are all wrong, the values on the home are incorrect. But the GPS and images were spot on. I hope potential attackers think long and hard before trusting this sort of data. Google Maps and an MLS site would probably get you a lot further. For more infromation city hall might be the place to check... The best thing about the information age is so much of the data is crap. Interesting post, I could defiantly see how this could be a useful tool if the data was more reliable. The whole town is messed up.

xen

I agree with PDP too. Just take Google Maps as an example. People are using it to find pools so they can have little swim if the feel like it. I understand that Alexander and especially David want to tone it down, but it's still possible what PDP says. People laughed when Apple released their iPod, and who knew people would use Google Maps for finding pools to swim in. I'm pretty sure some chuckled when they read or saw the movie 1984. I must say it's really bad to see someone using a strawman argument. Yes, the stone example is a perfect example of a strawman. It's like when someone says we should ban cars, because they can kill people. PDP addresses a really good subject. Just look at the information we have access to now. To visit USA I had to go there. Now I can just go on Google Maps and even look at someone front door. I have no intentions on using this information for criminal activities, but I can with 100% confidence tell you that there is people who will. And punishment won't stop people from committing the crime. Education will! Again, great article!

NTBugtraq

From…who would have thought that the idea of having people live in houses close together might have led to the plague?...to…who would have thought that the idea of computer networking might have led to a worm like SQL Slammer? Your fear is merely your interpretation of stuff humans have been thinking more or less since we began thinking. We come up with a good idea, and someone else uses it in another way. Often this is beneficial; practically all new inventions or theories are based on modifications of an older version. Whomever came up with the idea of a master key that would open any of their locks probably saved a lot of safes, meanwhile another person soon realized that if they could steal one, or forge it, they could break into lots of safes. What I think you’re overlooking is the fact that we, as humans, have been dealing with the cons from our pros for eons. There are people, like myself, whose job it is to figure out how to secure things. Most of us don’t spend our time coming up with ideas for the criminals to abuse…instead; we consider how to secure the stuff people are concerned about. Consider: - Is the app going to actually give criminals information that would lead them to target a given home? Probably not. Standing outside or simply driving by should give them a good enough idea regarding which is a likely target. Why would they want to pick only one anyway? - Is the app going to give war-drivers more information than they can already get? Again, probably not. So what if there’s coax or telephone lines, how will that tell you more? Driving by and seeing a FIOS box or a cable truck from Company XYZ will tell you more. Finally, does any of this matter if I have decent locks, a reasonable security system, and insurance? Perhaps your concerns were focused more on the privacy aspect? Even there, if you’ve taken pictures inside your house and given them to a lister, you’ve already asked that they make them available to the public…haven’t you? Those details, which you somehow perceive as being abused, are the very things which may get you the money you want for the sale of your house. You can’t have your cake and eat it too! Regardless, the choice is still yours. In the end, however, I’d ask you to ask yourself…are you truly thinking of ways to better secure people…or are you thinking of criminal acts not yet thought of? If it’s the latter, perhaps there’s a better use for such thoughts than publication to wanna-be criminals-at-large rather than making suggestions about how to use new devices criminally.

averno

Hi everyone. I read the article and I couldn't resist on giving my opinion. First of all we can not deny that apps like Zillow has two faces: one is the development of marvellous dynamic applications that are extremely useful for the "good guys", and another that is equally useful for the "bad guys". Like it or not, that is the fact. But as pdp says, we can not Ban this apps just because they have "another" use; or should we ban Wireless transmissions based on 802.11x just because they can be eavesdropped or misused?? There is a reality in all this, and this is that people have to be more up to date with different security issues, and I don't just mean in the Internet. The paradox resides in that regular people are not informed and that makes the real security issue in these cases. Clearly now, the inners of their homes are exposed to everyone. I take this chance to thank you, pdp, for this Great Blog and to apologize for my poor English. Regards, averno.

pdp

NTBugtraq, I like your comment although rather long. Question: do you agree that more accessible information has made you more vulnerable than ever, before? If yes, than you see my point. pdp

b0und

I have noticed the prevalence of access to this type of highly detailed databases become common place. My initial thought is to analyze all vectors as to how this spread of highly targeted data can be used and misused. This particular database is much less intrusive than it will be in the future. Multiple sources of data will be indexed and mashed up against each other. Searching by location to find the highest income individual in an area, and a full bio on them. An article in the current 2600 sums it up better than I can. Database of marriage licenses and birth records correlated to find maiden names: security words. Author says and exploit that works against .01% of a big number is still a big number The amount of information readily available in public data sources can be benign by themselves. When they are all referenced together is when things get scary. It brings me to the realization that much of our societies idea of 'security' is in fact obfuscation that can readily be brought to light.

Cyph3rdk

pdp Your point is valid in a lot of ways, but then again... IMHO, if people want to use information in a "sinister" way, be it real estate or something else, there's nothing stopping you from doing some wardriving, logging to maps, finding points of interest, and getting the blueprints somewhere else. I have to admit, I don't how things are in the US, but here, when it comes to real estate, blueprints can be bought very cheap from the city planners office with no questions asked what s ever. So, maybe it isn't so much a discussion about "what" info there should be floating around, opposed to how easy it is to get without some logging on _who_ got the information, and for what purpose.... just a thought..

Farik

ever heard about personal data protection and the right for privacy ey ?

chris

this is a total invasion of privacy. what is this world comming 2? what next we are gonna be able to see eachother walking around from satelite images.... great way for stalkers...