Schneier on Security
A blog covering security and security technology.
July 31, 2012
Hacking Tool Disguised as a Power Strip
This is impressive:
The device has Bluetooth and Wi-Fi adapters, a cellular connection, dual Ethernet ports, and hacking and remote access tools that let security professionals test the network and call home to be remotely controlled via the cellular network. The device comes with easy-to-use scripts that cause it to boot up and then phone home for instructions.
A "text-to-bash" feature allows sending commands to the device using SMS messages. Power Pwn is preloaded with Debian 6, Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools and. It really can function as a 120/240v AC outlet strip.
It was funded with DARPA money.
Posted on July 31, 2012 at 6:30 AM
The ethernet socket on the side is a bit of a giveaway.
Even my mother would be suspicious of a power strip connected to the network like this.
A better disguise would be a powerline network adapter.
Regarding the ethernet ports, I assume that this has a built-in ethernet switch so that you could plug this into the ethernet wall jack, then plug your computer into this device.
Ethernet sockets, while not common, have been on surge protectors for a while, and are not necessarily suspicious. http://www.belkin.com/IWCatProductPage.process?... They (ostensibly) serve to protect a network connection from a surge of electricity.
This is similar to how surge protectors can have plugs for phone lines and coax (TV) lines.
Why not simply disguise it as a cable modem, router, switch, etc? Oh, I guess that only works if you're China.
"The ethernet socket on the side is a bit of a giveaway."
Have you looked at a surge protector in the past 5 years? Go to google images and search for "surge protector". Anything that's not a simple power strip has RJ11 and coax connectors. More expensive ones have RJ45.
I've had power strips with RJ11s for phone line surge suppressors. If you used 3 pair connectors you could actually have a real phone line surge suppressor in the strip, using the center pair and have ethernet on the outer two pairs.
@Arfnarf: many companies sell surge-protecting power strips with extra protecting ports for phone and Ethernet lines, so it is not so suspicious. But do I see a USB port on that photo?
@Tom: why not a cable modem/router: medium to large offices don't use cable modems or cheap $50 routers. Besides, IT staff would likely refuse to connect a device they have not previously approved, acquired, tested and configured. Power strip/surge protector looks innocent, right?
Bruce and all: really impressive. Check out their other, smaller stuff that could be disguised as an electric air freshener etc.
Personally, I'd add a few features to this gizmo:
1. Power-line communications interface - for out-of-band non-RF (ok, non-obvious-RF like BT or 3G) comms.
2. Precise current measurement instrumentation on the AC sockets - for power sidechannel attacks (possibly conflicts with 1.)
3. A microphone (or an array of them) - for listening in.
4. Maybe a video camera (possibly behind IR filter) - but not of much use, requires a good placement of the device.
5. A phone line "surge protection" - for tapping/making phone calls.
6. I'd leave the console USB port under the hood - it will look less suspicious this way.
More ideas, anyone?
Impressive and scary! Once they start making models that look like particular brands (APC clones), you might see some real nefarious use!
These guys had a booth at both Blackhat and Defcon. Talked to them at length. They do have cheaper options (couple hundred $) and other ways of camouflage using stickers and form factors.
Same for that USB port: A quick "Quality approved 5", barcode or "safety warning" sticker takes care of it.
Function that was not mentioned:
The network card can work in "transparent mode", as it clones the MAC and IP of whatever is plugged into it. That makes it impossible to find using MAC filtering.
@Peter A. "do I see USB port on that photo?"
Increasingly USB ports are appearing on these sorts of things to facilitate charging of phones and iThings. No suspicion from me.
The Pwnie Express products are actually quite popular with professional pentesters who have been adding them to their traditional arsenal of tools. I know several people using them on a regular basis.
One thing to bear in mind with regards to visible USB and ethernet ports is that this is just a prototype. Something like this could easily be stuffed into a belkin enclosure, for example.
I happened to meet one of the guys involved with this, and he commented that not only was the form factor highly mutable, but that it also served as a useful gauge for the social-engineering part of penetration testing. Just go in with a coverall and something that looks like an ID badge, say you're from corporate IT if anyone asks, and away you go. Fewer points if you only get away with installing it as a power strip in an unused office, more if someone offers to help you connect it to the wired network.
@peter a: power analysis crossed my mind, too, but I highly doubt if that would work through an SMPS, with large buffer capacitors on both the input and output, a usually somewhat unstable control loop, another buck converter near the CPU, with both control loop time constants far greater than a CPU cycle, and possibly a boost converter with yet another control loop for the power factor correction.
The only current analysis attacks I've seen so far work by accurately measuring the DC current into the CPU with an insanely high bandwidth.
You couldn't do the fancy stuff about which CPU blocks are getting hot, but I bet that even moderate power info combined with packet inspection and traffic analysis could be awfully useful over the longer term. Knowing what requests trigger what scales of computational response could be quite interesting in some cases.
I think it'd be possible to do the hardware part with less than 150$:
35$ a protected power strip
25$ of openwrt router wiki.openwrt.org/toh/tp-link/tl-wr703n
40$ UMTS usb modem
5$ usb hub
15$ usb pendrive
10$ cables, connectors...
Otherwise a bit more using a raspberry PI, but much more powerful.
It needs only a custom openwrt.
At a social engineering level:
"Hacking Tool Disguised as a Power Strip"
Sounds like a typical VAGINA.
Beware of EVIL MAIDS!
Eventually, if not already in some sectors, hardware like this, I kid you not, will become mandatory under the umbrella of national security.
Typical consumers may not know of it when it happens, just like most computer users don't know about the TLA back doors in various commercial routers and other networking equipment they purchase.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.