You may not know it, but the smartphone in your pocket is spilling some of your deepest secrets to anyone who takes the time to listen. It knows what time you left the bar last night, the number of times per day you take a cappuccino break, and even the dating website you use. And because the information is leaked in dribs and drabs, no one seems to notice. Until now.

Enter CreepyDOL, a low-cost, distributed network of Wi-Fi sensors that stalks people as they move about neighborhoods or even entire cities. At 4.5 inches by 3.5 inches by 1.25 inches, each node is small enough to be slipped into a wall socket at the nearby gym, cafe, or break room. And with the ability for each one to share the Internet traffic it collects with every other node, the system can assemble a detailed dossier of personal data, including the schedules, e-mail addresses, personal photos, and current or past whereabouts of the person or people it monitors.

Short for Creepy Distributed Object Locator, CreepyDOL is the brainchild of 27-year-old Brendan O'Connor, a law student at the University of Wisconsin at Madison and a researcher at a consultancy called Malice Afterthought. After a reading binge of science fiction novels, he began wondering how the growing ubiquity of mobile computing was affecting people's ability to remain anonymous, or at least untracked or unidentified, as they went about their work and social routines each day.

You can run, but you cannot hide

"I was wondering if it would be possible [to break] the fundamental assumption about blending into crowds," said O'Connor, who recently demonstrated CreepyDOL at the Black Hat security conference in Las Vegas. "That is, could you design a system that could make it basically impossible in the real world for the scene you see in every action movie where the guy ducks into a mall. There are 10,000 people in there [so] we'll never find him."

To his horror, he soon learned the answer was almost certainly yes. Using CreepyDOL to stalk himself as he went about his normal iPhone routine, he was distressed to see just how effectively the system vacuumed up his personal information. His use of a popular dating website (he's not saying which one) was there, as was the photo of him the site sends in the clear, his first and last name sent over a popular RSS service, and the unique MAC address Wi-Fi devices constantly send whenever they're turned on.

"What a lot of people don't realize is it's talking all the time, whether or not it's connected," O'Connor said of Wi-Fi enabled mobile devices, which in his case happens to be an iPhone. "Every couple of seconds, every wireless device that's on is sending out a huge amount of personally identifiable information. If we have sensors spread out over an area, that means it's sending out both an identifier and its location." And of course, he added, there's often a vast amount of personal data sent in the clear over the Wi-Fi connection itself.

Use of a virtual private networking app—which pipes data through an encrypted channel so it can't be monitored by other Wi-Fi devices nearby—does less than many may think to limit the information that CreepyDOL can collect. That's because the iOS-supplied VPN O'Connor used couldn't be activated until after his iPhone had already connected to the Wi-Fi network.

"It takes you five seconds to bring your VPN online," he said. "During that time, iMessage has already pinged for updates, Dropbox has already pinged for updates, your mail client has already pinged for updates. This is incredibly saddening to me. VPNs—the usual solution we all use—don't work because you need an operating-system level of support for saying: 'None shall pass until the VPN is online.' iOS is not set up this way." Other data CreepyDOL can mine includes the Apple hardware identifier (model and version) and the iOS version he uses. He believes other mobile operating systems, including Google's Android, do no better, although he didn't test them.

And even when people use their mobile devices to connect only to password-protected Wi-Fi networks, there's still a fair amount of data CreepyDOL can collect. That's because the Wi-Fi protocol broadcasts MAC addresses, the names of recently connected networks, and other data whenever Wi-Fi is turned on. At a minimum, that's enough information to track the physical movement of specific devices through a neighborhood or entire city over an extended period of time. And depending on the names of the wireless networks a device has recently connected to, CreepyDOL may be able to know where its owner works, lives, or hangs out.
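The leak described above is visible in the probe requests a device transmits while searching for networks it remembers. The following audit script is an added example, not code from O'Connor or the CreepyDOL project: it parses raw 802.11 probe-request frames (assumed to be delivered without a radiotap header), extracts the transmitter MAC and any SSIDs named in the frame, and reports per device whether the MAC is a burned-in address or a locally administered one (the bit that randomized-MAC schemes set) and which network names it has exposed. The frames are constructed inline so the script runs offline against sample data rather than a live capture; run it against a capture of your own devices to see what they broadcast.

```python
"""Audit 802.11 probe requests for the two leaks the article names: the
device's MAC address and the names of networks it has joined before.
Sample frames are constructed below; no live capture is performed."""
import struct

PROBE_REQUEST = (0, 4)   # management frame (type 0), subtype 4
IE_SSID = 0              # information element tag carrying the SSID


def parse_frame(frame: bytes):
    """Return (src_mac, [ssid, ...]) for a probe request, None for any other frame.

    Assumes a bare 802.11 MAC header (24 bytes) followed by information elements."""
    if len(frame) < 24:
        return None
    fc = frame[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != PROBE_REQUEST:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    ssids = []
    pos = 24
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                 # truncated IE; stop parsing
        if tag == IE_SSID:
            ssids.append(value.decode("utf-8", "replace"))
        pos += 2 + length
    return src_mac, ssids


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means locally administered, i.e. not a
    burned-in address; randomized MAC schemes use this range."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def assess_exposure(frames):
    """Group probe requests by transmitter and summarise what each device leaked."""
    report = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        mac, ssids = parsed
        entry = report.setdefault(mac, {
            "randomized_mac": is_locally_administered(mac),
            "leaked_ssids": set(),
        })
        # An empty SSID is a wildcard probe: it asks for any network and names none.
        entry["leaked_ssids"].update(s for s in ssids if s)
    return report


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a minimal probe request; used only to create sample data here."""
    fc = struct.pack("<H", 0x0040)                 # type 0, subtype 4, little-endian
    duration = b"\x00\x00"
    broadcast = b"\xff" * 6
    src = bytes(int(x, 16) for x in src_mac.split(":"))
    seq_ctrl = b"\x00\x00"
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates, 1/2/5.5/11 Mbps
    return fc + duration + broadcast + src + broadcast + seq_ctrl + ssid_ie + rates_ie


# Constructed sample capture: one device with a burned-in MAC probing for two
# remembered networks plus a wildcard, one device with a locally administered
# MAC sending only wildcard probes, and a beacon that must be ignored.
SAMPLE_FRAMES = [
    build_probe_request("00:11:22:33:44:55", "HomeNet-Smith"),
    build_probe_request("00:11:22:33:44:55", "CoffeeHouse-Guest"),
    build_probe_request("00:11:22:33:44:55", ""),
    build_probe_request("02:aa:bb:cc:dd:ee", ""),
    b"\x80\x00" + b"\x00" * 22,                    # beacon (subtype 8), not a probe
]

if __name__ == "__main__":
    for mac, info in assess_exposure(SAMPLE_FRAMES).items():
        kind = "locally administered (likely randomized)" if info["randomized_mac"] else "burned-in"
        print(f"{mac}: {kind} MAC; network names exposed: {sorted(info['leaked_ssids']) or 'none'}")
```

The second device in the sample is the one a defender wants to see: a non-burned-in address and no network names, which leaves a listener with nothing stable to correlate across nodes. The first device is the case the article describes, where both a persistent identifier and the names of home and hangout networks are handed to anyone in range.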

Dropping the F-BOMB

The CreepyDOL network is made up of sensor nodes O'Connor has dubbed F-BOMB, short for Falling or Ballistically Launched Object that Makes Backdoors. The small black box contains a Raspberry Pi model A computer for low power consumption, two Wi-Fi antennas, and a USB power source that can be plugged into a wall socket. The custom-designed software uses one of the antennas to monitor the signals of all Wi-Fi devices within range. The other antenna automatically connects to any available wireless networks, sends the data it collects to all other F-BOMB nodes on the CreepyDOL network, and receives any data collected from other F-BOMB nodes. The devices encrypt the data before sending and communicate as hidden services over the Tor anonymity service. Based on hardware prices in effect when O'Connor was assembling the 10 F-BOMBs for his proof-of-concept project, each node cost just $57.

While the F-BOMBs O'Connor used to spy on himself were deployed in his home, there's not much stopping a more nefarious person from stashing them in bars, cafes, or other locations where open Wi-Fi signals are available. Someone who wants to stalk a specific business competitor or ex-girlfriend can place them in neighborhoods he knows the target frequents. Or the F-BOMBs can be used more opportunistically to indiscriminately vacuum up as much data as possible and filter out e-mail addresses, names, and other potentially useful data later. A CreepyDOL user who distributes 10 F-BOMBs in a neighborhood or small geographic area for a week or two need not recover any of them as long as he has one running on his own network. Because each node receives data from every other node, a single device stores a comprehensive record of everything collected over the network. Strong encryption ensures the data can't be viewed by someone other than the stalker. The design is intended to allow a CreepyDOL user to recover data even if one or more of the F-BOMBs is confiscated or stolen.

At points during last week's talk at Black Hat, O'Connor seemed almost giddy about the myriad ways his CreepyDOL framework could be used to stalk, snoop, or dumpster-dive through the digital detritus millions of us discard every day as we use Wi-Fi-enabled mobile devices. But behind the jokes is a demonstration of just how cheap and easy it is to carry out creepy stalking by unbalanced individuals or dystopic surveillance by governments. O'Connor holds up the project as a wake-up call to the people designing mobile apps, hardware, and services.

"We've created this problem, we in the developer community," he said. "We focused so much on securing our servers that we've forgotten that our clients—you know, actual humans out there in the great big world—are depending on us to protect their identity. We've come into a culture where it's OK to take a whole bunch of data we don't actually need and to not take very good care with it. Ultimately, CreepyDOL points out how unacceptable that is."