The following was originally published on https://noctilucent.noblogs.org/mass-surveillance-in-russia-%d0%bf%d0%be%d0%b2%d1%81%d0%b5%d0%bc%d0%b5%d1%81%d1%82%d0%bd%d0%be%d0%b5-%d0%bd%d0%b0%d0%b1%d0%bb%d1%8e%d0%b4%d0%b5%d0%bd%d0%b8%d0%b5-%d0%b2-%d1%80%d0%be%d1%81%d1%81/

A collection of facts and commentary on mass surveillance in the Russian Federation. Факты и комментарии, касающиеся тотальной слежки за людьми в РФ.

Original work // Оригинальный текст: portablemail@firemail.cc
English translation // Перевод на английский: noctilucent

I'll start from the very end, specifically from what was the last straw.

https://sohabr.net/habr/post/341560/

>How to get inside a visitor's head, or a few words on Wi-Fi analytics.

>Imagine that: we can analyze the paths customers and their shopping carts take, where and how they were moving. This can be used to improve merchandising, to learn which goods from which groups are bought together, and much more. But the most interesting part begins when a person approaches the point of sale: the time spent in the shop, the route taken and the last purchase can all be synchronized, and this information can be combined with a loyalty program by the client organization.

The first pic: https://habrastorage.org/getpro/habr/post_images/c3f/a8a/eb9/c3fa8aeb92252ab3f25297930f896439.png

Remind you of anything? I think it's reminiscent of kismet wireless.

>Every modern mobile phone has a Wi-Fi module, and when it's on (which is usually the case) it starts transmitting a multitude of signals without the user being aware of it. These guys "catch" such signals using TP-Link equipment and their own firmware. The signal contains the phone's MAC address, the time and the strength of the transmission. More than 15 different offline metrics can be calculated from this data.
Yet this includes not only the aforementioned data, but unexpectedly also the SSIDs of wireless access points you have used before, and if an SSID is unique it won't be a problem to find the coordinates of that access point; more on that later. Owners of iPhones, where Wi-Fi normally can't be fully disabled in the first place (correct me if I'm wrong), could argue that the MAC is randomized, but I will note that this randomization is so crude that the real MAC is constantly seen among the random ones. All in all, we have a network of access points working in monitor mode. And sometimes these points are mobile: remember the Wi-Fi offered in public transport and taxis. So basically, if you want it, catch the handshakes, which, by the way, will also be sent if you create an access point with an SSID your phone is probing for, the phone being indifferent to the point's MAC address.

>The crossings, one more metric interesting for business. This metric indicates where else the visitors of a certain location within the Wi-Fi analytics ecosystem go, including amusement parks and sports facilities. This data will, for example, give companies a better understanding of their consumers' behavioral portrait.

This is where a centralized database becomes involved.

>Internet access for the staff and visitors.

And when a client starts using DHCP to get onto the access point, they leak not only the MAC address but also the DHCP vendor id; read this: https://klamp.works/2016/04/29/dhcp.html. Additionally, remember Yota modems and the like that can pose as a network controller and have a built-in DHCP server? And don't forget that many smartphone apps send data to their servers without any encryption whatsoever, which also makes it possible to learn what software is installed on your device and to use that information further, up to and including exploiting vulnerabilities.
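What the collector on the other side of this does, as an added example that is not part of the original post or of any product it describes: a parser for 802.11 probe requests run over hand-built frames. It pulls the transmitter MAC and the SSID out of each probe, flags addresses with the locally-administered bit set (what MAC randomization produces), and then links a randomized address to a hardware one through a shared directed-probe SSID, which is exactly the leak described above. The frame bytes, MAC addresses and SSIDs are constructed; a real deployment would feed the same parser frames from a monitor-mode interface instead of the sample list.

```python
"""Parse 802.11 probe requests the way a passive Wi-Fi analytics collector would.

Added example, not code from the original post or from any product it describes.
The frames below are constructed by hand; the MAC addresses and SSIDs are made up.
"""
from collections import defaultdict

MGMT_TYPE = 0x0           # frame control type 0 = management
PROBE_REQ_SUBTYPE = 0x4   # management subtype 4 = probe request
SSID_TAG = 0              # information element id for SSID


def build_probe_request(src_mac: bytes, ssid: bytes) -> bytes:
    """Assemble a minimal probe request (no radiotap header, no FCS) for sample data."""
    fc = bytes([(PROBE_REQ_SUBTYPE << 4) | (MGMT_TYPE << 2), 0x00])
    duration = b"\x00\x00"
    dest = b"\xff" * 6                             # probes are broadcast
    bssid = b"\xff" * 6
    seq_ctrl = b"\x00\x00"
    ies = bytes([SSID_TAG, len(ssid)]) + ssid      # empty SSID = wildcard probe
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # supported rates IE, for realism
    return fc + duration + dest + src_mac + bssid + seq_ctrl + ies


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, None for any other frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if ((fc0 >> 2) & 0x3) != MGMT_TYPE or ((fc0 >> 4) & 0xF) != PROBE_REQ_SUBTYPE:
        return None
    src = mac_str(frame[10:16])                    # address 2 = transmitter (the phone)
    ssid = None
    body, i = frame[24:], 0
    while i + 2 <= len(body):                      # walk the tag/length/value elements
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break                                  # truncated frame, stop parsing
        if tag == SSID_TAG:
            ssid = value.decode("utf-8", "replace")
        i += 2 + length
    return src, ssid


def is_locally_administered(mac: str) -> bool:
    """Randomized MACs set the U/L bit (0x02) of the first octet; burned-in ones do not."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def build_profiles(frames):
    """One record per source MAC: whether it looks randomized and every SSID it probed for."""
    profiles = defaultdict(lambda: {"randomized": False, "ssids": set()})
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        profiles[mac]["randomized"] = is_locally_administered(mac)
        if ssid:                                   # ignore wildcard probes
            profiles[mac]["ssids"].add(ssid)
    return dict(profiles)


def link_by_ssid(profiles):
    """SSIDs seen from more than one MAC: a directed probe for a unique home SSID
    ties a randomized address to the hardware one that leaks alongside it."""
    seen = defaultdict(set)
    for mac, record in profiles.items():
        for ssid in record["ssids"]:
            seen[ssid].add(mac)
    return {ssid: macs for ssid, macs in seen.items() if len(macs) > 1}


# Constructed capture: one phone that mostly randomizes (da:...) but also sends
# probes from its real address (00:11:...), plus one beacon that must be ignored.
SAMPLE_FRAMES = [
    build_probe_request(bytes.fromhex("da1a2b3c4d5e"), b""),
    build_probe_request(bytes.fromhex("da1a2b3c4d5e"), b"HomeNet-7F"),
    build_probe_request(bytes.fromhex("001122334455"), b"HomeNet-7F"),
    build_probe_request(bytes.fromhex("001122334455"), b"MT_FREE"),
    b"\x80\x00" + b"\x00" * 22,                    # beacon (type 0, subtype 8)
]

if __name__ == "__main__":
    profiles = build_profiles(SAMPLE_FRAMES)
    for mac, record in profiles.items():
        kind = "randomized" if record["randomized"] else "hardware"
        print(f"{mac} ({kind}) probed for: {sorted(record['ssids'])}")
    print("linked via shared SSID:", link_by_ssid(profiles))
```

Only probes carrying a non-empty SSID take part in the linking step; a phone that sends nothing but wildcard probes from a randomized address gives this collector nothing to join on, which is why the directed probes for a unique home network are the part that matters.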
Plus, the Russian government wants to pass a bill that would allow commercial use of information owned by the state, https://habr.com/ru/news/t/459654/, though this only legalizes what is already practiced, because the system is full of breaches and state databases can easily be bought.

>Right now, granting internet access to visitors equals a loss for many companies.

This sounds just plain ridiculous to me, and maybe to you as well. Well, perhaps it's a valid argument for the target audience who will want to buy this system.

>Wi-Fi is a way to communicate with clients. Our project partner %shittyname% comments: "There are various ways of communicating with the client. For example, a user who connected to the guest Wi-Fi saw a banner, video, etc.; this is already communication. But we go further, creating complex integrated systems with a client. Wi-Fi can serve as a tool for recruiting into the loyalty program."

Nothing unusual so far, the classic. The system's name does not matter; there are tens, possibly hundreds of them, all functioning the same way.

>According to the law on public Wi-Fi networks, the user must leave contact information and confirm their phone number upon connecting. Since the system is unified, on the first connection the user's MAC address and phone number are saved in a centralized database. Hence the next time the same user joins Wi-Fi in another cafe of the same chain, they won't have to go through authorization again.

Oh, clever guys: they develop the system with Russian law in mind. In other countries they'd have to beg for information such as a phone number; here it's taken for granted, and, more importantly, you are legally obliged to disclose it. By the way, buying a SIM card under the current regime in Russia is already quite difficult without producing your passport first.
>%shittyname%'s idea is the construction of what is called "Super Geo Communication" today in the world of internet marketing. Meaning the Wi-Fi analytics system works like a trigger: it catches the user's MAC address and phone number and sends them to the client's system, which (if it has permission) initiates communication with the user by sending them an SMS at a convenient time.

I seem to have forgotten when exactly SMS spam became illegal. What I do recall is how, before that bill was passed, I'd get tens of SMS messages per hour, all with the same ad, and how glaringly obvious the drain on the phone's balance was; back then that money could still be spent legally.

>The further we go, the more interesting it becomes. Maxima Telecom, which provides Wi-Fi access in the subway, owns a database of more than 19,000,000 MAC addresses associated with phone numbers. With this database it's possible to expand the scope and function as a trigger.

Remember our mobile access points in public transport and at stops? That's right: Maxima Telecom sells the data left and right, like almost any company these days. I couldn't even name one offhand that doesn't. By the way, the Wi-Fi expansion tender was tailored specifically for Maxima Telecom; only they satisfied the requirements (this is common practice with tenders: a requirement that only one company meets gets written in).

>Catches MAC addresses, which are then transferred to the Maxima Telecom system, where recognition is performed, matching the MAC address to the phone number that belongs to it. An SMS message containing text predefined by the client is sent on behalf of Wi-Fi.ru to a person who is passing by the store at that specific moment. The likelihood of "hooking" a passer-by increases substantially. This process is called "audience expansion", and it's a new method that Maxima Telecom is now launching together with %shittyname%.
Hooking someone who's at home from the router in a nearby bus, taxi or car-sharing vehicle, since even a mobile phone's packets can be caught in monitor mode at a greater distance than you'd need to establish a bidirectional internet link over Wi-Fi. It even becomes possible to target based on who's living with whom, for instance.

>It's common knowledge that all internet sites spy on users: they stick cookies on you, and %shittyname% catches your MAC address. So %shittyname% discovered how to combine cookies with MACs: %shittyname% sends them to the big internet platforms, and recognition is then performed on their side. Here are the possibilities it opens up:
>– One can form a clearer picture of the target audience's interests, and not only that.
>– It becomes possible to assess the effectiveness of investments in advertising (contextual ads, banners, etc.), for instance conversion from internet ads. In the past this was a pretty difficult task for a traditional offline business. Nowadays %shittyname% Wi-Fi analytics can help: by aggregating MAC addresses offline, for example, one can learn how many of the people who saw the ad online visited an offline location, and much more.
>– This data is also potentially useful for retargeting: it's possible to aggregate the audience who visited a specific store into a single segment and present this to the client. After this the client can, via precise targeting or "Super Geo", direct online communication towards these users, attract them, stimulate return visits and thereby develop loyalty. This is a new product which many clients are starting to find useful.
>One more product on the border between network equipment, software and Bluetooth technology: a Bluetooth adapter with custom firmware is inserted into a device, and it becomes possible to work with iBeacon or Eddystone, which gives decently precise indoor navigation.

Bluetooth! BLE! iPhone! Smart watches, cars, fitness trackers! By the way, the latter are slowly moving away from BLE to ANT+, which will soon be tampered with too, I think. Ha-ha.

https://github.com/hexway/apple_bleee (It's possible to extract even your phone number! On a side note, the first three digits are the operator's code; in Russia under the current regime it's 8 plus only two digits to brute-force, and considering that mobile operators' codes are not kept secret and are unique for each city, with geolocation a successful brute-force will take only a few tries of sending "silent SMS".) And by the way, the MAC address of Bluetooth and BLE matches that of Wi-Fi. I'd like to note from my own experience that it's pretty hard to track paired Bluetooth (not BLE!) devices, and they probably haven't learned to do that yet. Some modern Bluetooth headsets interact with smartphones via BLE as well, and since these sets have two separate earphones, two separate transceivers, by analyzing the signal level from the different earphones we can detect where the user's gaze is directed with 180-degree accuracy. Here the fact that people seldom walk backward but often walk forward comes into play, and we have the right direction. In McDonald's they started to install a system where employees deliver food right to the table: the client takes a numbered card containing 2 separate BLE beacons (just like 2 separate earphones), specifically 2 (looks like they use nRF51/52 chips); in my opinion they'd install only one if given the opportunity.

>Personnel tracking is retail's pivotal need.

In what way will the need be fulfilled, I wonder. Will they really put a bracelet on one's leg? I wouldn't be surprised.

>The server part represents a combination of data storage clusters, servers with preprocessing services, and individual tools which secure the targeted functionality of every part of the solution. This involves the usage of both virtual and physical servers in several independent data centers.

Yeeeah, right. "Independent data centers". And also, of course, "independent" communication channels to and from them.

>In 95% of %shittyname% projects in retail, shopping centers and HoReCa sites (and this includes about 2500 devices in Moscow, St. Petersburg, million-plus cities and other smaller ones) TP-Link equipment is in use. "The TP-Link equipment we use has characteristics allowing uninterrupted and stable work in all modes. Right now we work with TP-Link models EAP115 and EAP110 of the Auranet line. The outdoor solutions CPE210 v.1 and EAP110-Outdoor are currently in testing."

Won't you share the MAC ranges of these devices?

>A pic of the TP-Link 9 dBi external Wi-Fi access point, Pharos line, CPE210

The scope you can see for yourself; the coverage is going to extend far and deep, and considering the high number of intermediate radio links, all of this will become an SS7 of its own, with a single common vulnerability.

>The system has at its base a whole set of interesting algorithms, starting from "smart" object calibration and ending with data-mining algorithms. Even seemingly trivial tasks like forming and processing technical logs are not so simple. A lot of the developers' energy and hardware resources are spent on fighting noise and radio interference. Around 60-70% of the signal is useless and won't take part in "useful" calculations.

Can't call myself a fuckin' specialist, so I can't imagine what is considered "useless" in a signal. Can you, perhaps?

>As %shittyname% put it: "Our work in Wi-Fi analytics at times resembles a taxidermist's (a person who makes sculptures out of an animal's body parts) work: we are given a rabbit's carcass torn to shreds by a grenade, and using whatever pieces are left, we try to make it 'beautiful'."
http://nag.ru/articles/article/31835/desyataya-chast-polzovateley-gotova-platit-chtobyi-ne-videt-reklamu.html

This article is a bit older, but it fills the gaps. It looks like at the time of writing the monitoring system was not yet in use and everything functioned merely in access point mode, but maybe not; there was also another article between the first one and this one, where monitor mode wasn't mentioned directly, but judging from what I read there I concluded that some things can't be implemented by any means other than monitor mode, so it's there. But I've lost that article, so you'll have to make do with my bullshit, and actually this is the reason the thread was created in the first place: because now we have proof of the monitor mode existing.

>In order to do that, you need to download or update the "MT Cabinet" app, which will allow you to access the Wi-Fi "Kak Doma" (Translator's note: "Like At Home") service in the Moscow subway, buses, trolleybuses, trams, Central Suburban Passenger Company electric trains, Moscow Central Circle trains and Aeroexpress trains.

Lol, even the countryside is affected. Let's take a look at the size and permissions of an app that is only supposed to authorize you on the network... Oh fuck, almost 12 megabytes; download it yourself and look at the permissions it asks for. I'm sure you'll find something more interesting than permissions if you start digging deeper. By the way, earlier the city Wi-Fi had a breach that allowed tracking a person's movements if you knew their phone number and they were careless enough to use that Wi-Fi network.

>The new conditions, which became known at the beginning of June, have been in effect since the 27th of May 2017. Earlier you had to pay less for getting no ads for a month in the subway: 129 rubles (for three months, 330 rubles; half a year, 576; a year without ads, 888 rubles). The fee for "blocking" ads on Moscow surface transport was separate.
Pay for getting into the subway, pay for the Wi-Fi, pay for getting onto surface transport, pay for the Wi-Fi in it. I can't understand why people pay for this Wi-Fi; it's much better to simply pay the mobile provider. Lately some of my acquaintances say that at subway stations where you could previously get 3G and even LTE there's nothing now. A coincidence? Ha.

>The Wi-Fi network operator faced a problem where passengers connecting to the "Maxima Telecom" wireless network started to search for ways to continue using the free internet access while somehow mitigating the advertising manipulation of their brains. As a way of shielding themselves, subscribers tried to use ad-blocking apps.

And so we fucking banned them. Lately I hear more and more complaints from wired and wireless internet users where, for example, Rostelecom or Beeline inject ads even into a paid account, sometimes even over HTTPS, which leaves a lot of food for thought.

>As mentioned earlier, Maxima Telecom has the opportunity to accumulate and aggregate information about the free Wi-Fi network's users. After analyzing the data of a million-strong audience (and in the MT_FREE network there are 12 million registered devices), the network operator is ready to use it in partnership with any company interested in targeted ad placement.

Your data will be sold left and right; you did tick "I agree" yourself, after all. Oh yeah, and now that we've installed systems working in monitor mode we can fuck the check-mark, it's not needed anymore: you broadcast all the packets we're interested in yourself.
>A pic showing a phone's price, model, etc.

A browser's User-Agent, DHCP vendor id, welcome. Also interesting how they'd get the operator: if it's taken from the phone number, errors are possible when a client changes operator while keeping the number; or maybe they already have all the data. I'm not very competent here, but I don't rule out the possibility that the operator is disclosed by the app mentioned above, or maybe by the DHCP vendor id. Unfortunately I haven't dug deep there yet, and I really should.

>https://nag.ru/upload/images/20170615-0006.jpeg
>100% organic traffic.

A humorous note ITT. Not human traffic. Organic.

>This is the way it works in 10 Russian airports, including Novosibirsk, Irkutsk, Kazan and others. Information appeared in the media regarding the operator's intention to expand its business both in Russia and abroad.

Even IMSI catchers in the airports aren't enough for them now. Remember how in the beginning I was talking about locating an access point with a unique name? There are things like the WiGLE database and others, but why are they needed if there's a national one, which updates almost in real time and collects data with almost any smartphone: http://telegra.ph/O-tom-kak-VKontakte-sobiraet-informaciyu-o-nas-chast-2-07-31. Of course there's more in there aside from Wi-Fi, but right now I'm concerned with that primarily, since your access point gets written into the database with all the consequences and without your approval. Though I wouldn't be surprised if it also scans the network from the inside on connection, like Nmap does, which is the case with certain smartphones made by Huawei or Xiaomi, I think; can't remember which, but I feel it's both. And it's also advisable not to keep Wi-Fi access points open here: https://nag.ru/news/newsline/104537/roskomnadzor-trebuet-s-provaydera-lichnyie-dannyie-polzovatelya-chya-tochka-dostupa-wi-fi-okazalas-otkryitoy.html.
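The DHCP side of the leak mentioned here and earlier (the klamp.works link), as an added example that is not part of the original post or of any product it describes: a parser for the BOOTP/DHCP payload of a DISCOVER, pulling out the fields a captive-portal gateway or a rogue DHCP server (the Yota-modem case) gets for free, and a crude classifier on top of them. The packets are constructed by hand and the device names are made up. The "android-dhcp-<version>" and "MSFT" vendor-class strings are what Android and Windows actually send in option 60; the rule that an iOS device sends no option 60 and only a hostname is an assumption of this example, and the classifier's rules are illustrative, not a real fingerprint database.

```python
"""Pull the device-identifying fields out of a DHCP DISCOVER, as a captive-portal
gateway or a rogue DHCP server sees them.

Added example, not code from the original post or from any product it describes.
Packets are constructed by hand; the device names are made up. The "android-dhcp-<ver>"
and "MSFT ..." vendor-class strings are the ones Android and Windows actually send;
the iOS rule (no option 60, hostname only) is an assumption of this example.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_VENDOR_CLASS = 12, 53, 55, 60


def build_dhcp_discover(chaddr: bytes, options) -> bytes:
    """Assemble a BOOTP/DHCP payload (the UDP body) with the given (code, value) options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                 # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,      # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC + body + b"\xff"


def parse_dhcp(pkt: bytes) -> dict:
    """Extract the fields a fingerprinting collector keeps; raise on non-DHCP input."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    hlen = pkt[2]
    chaddr = pkt[28:28 + hlen]                # client hardware address = the phone's MAC
    options, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:                         # pad option, single byte
            i += 1
            continue
        if code == 255:                       # end option
            break
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "mac": ":".join(f"{b:02x}" for b in chaddr),
        "message_type": options.get(OPT_MSG_TYPE, b"\0")[0],
        "hostname": options.get(OPT_HOSTNAME, b"").decode("utf-8", "replace"),
        "vendor_class": options.get(OPT_VENDOR_CLASS, b"").decode("utf-8", "replace"),
        # the order of option 55 is itself an OS fingerprint (what signature DBs key on)
        "param_request_list": list(options.get(OPT_PARAM_LIST, b"")),
    }


def classify(info: dict) -> str:
    """Crude OS guess from vendor class / hostname. Illustrative rules, not a signature DB."""
    vc = info["vendor_class"]
    if vc.startswith("android-dhcp-"):
        return "Android " + vc[len("android-dhcp-"):]
    if vc.startswith("MSFT"):
        return "Windows"
    if not vc and info["hostname"].lower().startswith("iphone"):
        return "iOS (assumed: no option 60, hostname only)"
    return "unknown"


# Constructed sample captures.
SAMPLE_ANDROID = build_dhcp_discover(bytes.fromhex("001122334455"), [
    (OPT_MSG_TYPE, b"\x01"),                  # DHCPDISCOVER
    (OPT_HOSTNAME, b"Galaxy-S9"),
    (OPT_VENDOR_CLASS, b"android-dhcp-10"),
    (OPT_PARAM_LIST, bytes([1, 3, 6, 15, 26, 28, 51, 58, 59, 43])),
])
SAMPLE_IPHONE = build_dhcp_discover(bytes.fromhex("66778899aabb"), [
    (OPT_MSG_TYPE, b"\x01"),
    (OPT_HOSTNAME, b"iPhone"),
    (OPT_PARAM_LIST, bytes([1, 121, 3, 6, 15, 119, 252])),
])

if __name__ == "__main__":
    for pkt in (SAMPLE_ANDROID, SAMPLE_IPHONE):
        info = parse_dhcp(pkt)
        print(info["mac"], info["hostname"] or "-", repr(info["vendor_class"]),
              "->", classify(info))
```

The point of keeping the parameter request list alongside the vendor class is that a device with an empty option 60 still hands over an ordered list of the options it wants, and that order differs between operating systems; the vendor class and hostname are just the parts a human can read without a lookup table.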
In addition to what's been said above: https://meduza.io/feature/2019/07/09/meriya-moskvy-sozdala-sistemu-slezhki-za-peredvizheniyami-zhiteley-v-ney-ispolzuyut-taksi-videokamery-i-karty-troyka. The Russian regime has admitted the existence of a surveillance system that spies on people through taxis, video cameras and transport cards, combining these methods with mobile operators' data: https://hightech.plus/2019/03/05/vlasti-otslezhivayut-peremesheniya-moskvichei-uzhe-neskolko-let. And by the way, the servicing of transport cards is performed by a company owned by Alisher Usmanov: https://www.rbc.ru/technology_and_media/26/10/2018/5bd1e8589a7947c4e9701675. More than that, he pays the subway for the opportunity to service the transport cards; it's as if you were paying for the opportunity to work. He also owns the biggest mobile operator in Russia.

There's much more of interest to say on the topic of tracking in Russia (for instance, about Wi-Fi routers from operators like Rostelecom, with their GPON routers that combine internet access with the usual city phone line), but I tried to write primarily about tracking through the wireless channels emitted by smartphones and other everyday devices, excluding things like face recognition, which have already been analyzed in depth.

And you say LinkNYC.