The iPhone wireless LAN ownage in a box
In May, Erratasec founder and researcher David Maynor sent out these pictures to a small security list beaming with joy as if to show off his new baby. He asked us to guess what it’s for and a number of us made some educated guesses. He then tipped us off that the battery on the bottom of the box would run for 5 days and that it was intended to be shipped to a nonexistent person. Well that was all the clues I needed to solve the riddle of the iPhone in a shipping box.
Basically, the iPhone is a mini Apple computer running a stripped down specialized version of Mac OS X which is based on UNIX. This allows David to install a set of passive or active wireless reconnaissance or penetration tools on the unlocked iPhone and run it for 5 days on an extended battery. When the box is shipped to a nonexistent person at a company, organization, or government institution, the box will sit in the shipping and receiving area without an owner to claim it until it gets returned to the original shipper which might be some anonymous PO box. Because the iPhone is well within range of the wireless network, it can be remotely controlled via the iPhone AT&T wireless 3G data service.
Traditionally, the wireless hacker must physically sit near a site in a car or building with a high powered directional antenna aimed at the target site. Having the iPhone in a box inside the building means this would be completely unnecessary which saves on travel and reduces the risk of being caught on site. Discovering the device in passive mode is practically impossible because wireless intrusion detection systems are incapable of analyzing wireless mobile data services. This is the ultimate remote wireless hacking tool which could be used for ethical penetration testing or for criminal purposes and this is the subject of David Maynor’s presentation at DEFCON 16 tomorrow in Las Vegas.
It’s going to be interesting what the state of development is and I’m eager to get an update on whether FreeRADIUS-WPE, the ultimate enterprise wireless penetration tool (MUST READ for security professionals), has been implemented yet. I’m hoping this will raise awareness that many enterprise wireless LANs have not been properly secured and Microsoft needs to fix their wireless client so that it is less suceptible to these attacks.