Sunday, April 3, 2016

Social Engineering

This task somewhat annoyed my personal ethics, as the task I was required to perform was to obtain the phone passwords of 4 people by means of "shoulder surfing".

I considered the easiest way to accomplish this was to target a make and model where actual taps on the keypad would be used, and not finger swipes. This meant that I needed to target Apple iPhone users, and the larger iPhones would make the screen easier to see due to their size.

I targeted several areas for one hour each.

The first area I targeted was the student lounge at the junction between the E and G buildings on the 2nd floor. I casually strolled around and looked for people who would pick up their phones and type in a passcode, and then I would move away. I also did not look directly at them, but rather looked down and forward with my head, and cast my eyes to the side to look at the face of the phone as they reached for it.

I also went to one of the student lounges on the 2nd floor of the B building and performed the same method, and then the library.

All of these were public spaces, with no expectation of privacy by the users, and the phone face, and entry on the keypad

My yield of passcodes was far in excess of the required 4, as I was able to harvest 29 passcodes, and in 17 cases I watched the same phone more than once to confirm the passcode, during the three hours I spent slowly performing this task.

I did not feel that it was morally or legally permissible to record these passcodes, as they "permit access to private data", so I would commit them to memory merely to acquire an accurate tally, and to try to confirm when I watched them log in 2-3 times or more in some cases. I did not videotape or photograph their passcodes, nor did I commit these to paper, for legal and moral reasons.

With this information, gained through shoulder surfing, I could feasibly obtain their phones, log in, copy the content or inflict a malicious software app, and then return the phone to them in the manner in which it was taken.

I also observed that students log in to the BHCC networks, and that through shoulder surfing I could obtain usernames and passwords.
