The iPhone wireless LAN ownage in a box

In May, Erratasec founder and researcher David Maynor sent out these pictures to a small security list, beaming with joy as if to show off his new baby.  He asked us to guess what it’s for and a number of us made some educated guesses.  He then tipped us off that the battery on the bottom of the box would run for 5 days and that it was intended to be shipped to a nonexistent person.  Well, those were all the clues I needed to solve the riddle of the iPhone in a shipping box.

Basically, the iPhone is a mini Apple computer running a stripped-down, specialized version of Mac OS X, which is based on UNIX.  This allows David to install a set of passive or active wireless reconnaissance or penetration tools on the unlocked iPhone and run it for 5 days on an extended battery.  When the box is shipped to a nonexistent person at a company, organization, or government institution, it will sit in the shipping and receiving area without an owner to claim it until it gets returned to the original shipper, which might be some anonymous PO box.  Because the iPhone is well within range of the wireless network, it can be remotely controlled via the iPhone’s AT&T wireless 3G data service.

Traditionally, the wireless hacker must physically sit near a site in a car or building with a high-powered directional antenna aimed at the target site.  Having the iPhone in a box inside the building makes this completely unnecessary, which saves on travel and reduces the risk of being caught on site.  Discovering the device in passive mode is practically impossible because wireless intrusion detection systems are incapable of analyzing wireless mobile data services.  This is the ultimate remote wireless hacking tool, which could be used for ethical penetration testing or for criminal purposes, and it is the subject of David Maynor’s presentation at DEFCON 16 tomorrow in Las Vegas.

It will be interesting to see what the state of development is, and I’m eager to get an update on whether FreeRADIUS-WPE, the ultimate enterprise wireless penetration tool (a MUST READ for security professionals), has been implemented yet.  I’m hoping this will raise awareness that many enterprise wireless LANs have not been properly secured and that Microsoft needs to fix its wireless client so that it is less susceptible to these attacks.

Developing …

14 thoughts on “The iPhone wireless LAN ownage in a box”

  1. Well, to interrogate the device in the box on site, the wireless provider AT&T is proxy DHCP, so since you don’t know what IP is issued (the AT&T signal may drop in transit and reconnect, issuing a new dynamic IP), I would assume they’ve either used DDNS or have a shell script that will set up a reverse ssh tunnel (ssh -R) to an intermediary server on a designated port, say 10000. If the reverse tunnel is established, you make the connection via ssh to the intermediary acting as a proxy. I would imagine that to avoid detection they are setting the wireless card into passive (vs promiscuous) mode and running character-based kismet over ‘screen’ so that they can log on with ssh and ‘attach’ or ‘detach’ at will to the session. And log to a file for 5 days.

    Very clever!

  2. The device phones home, so you don’t need to worry about what IP address it’s on. As you pointed out, they can also use DDNS, which updates the DNS record dynamically so they can always go to a predictable URL.

  3. Oooookay. Was Maynor’s original plan to dress up a Blackberry in a trenchcoat and fake mustache, send it to reception, and in a vague accent say "I eem here to fix-a the toileet?"

    Granted, Maynor hasn’t given his presentation yet. However, this plan assumes that every company/institution is just going to look at this box and go "Huh. I’ll just put it here for the time being" and forget about it. I would imagine many companies are going to open it ASAP when they try to deliver the box to the fake person.

    Geez, George, what is your deal with Apple? Did Jobs kick your puppy and Woz shine a laser in its eyes when you were a kid?

  4. Mattand,

    Get a clue. In case you didn’t recognize it, this is a COOL usage of the iPhone.

    Your typical shipping department will leave a box in the shipping room for some time if they’re not sure who it’s going to.

    George Ou

  5. @George:

    Define "cool," please. Deliberate vandalism or adolescent prank? I mean, considering the effort is aimed at a target that scores cheap site hits.

  6. Oh lord, here come the Mac fanboy fanatics who can’t even recognize a compliment to an Apple product when they see one.

    Anyone with a brain can see that the iPhone is a revolutionary device and I’ve said as much. This just makes the iPhone that much cooler, in the sense of useful.

  7. After reading your article and discussing it with a couple of people I know down at the pub, we had to try it. I posted it to where I work and let it loose on the publicly available wireless network that we use for delegates, so no need to worry about any annoying legalities or security issues. The box ended up sitting in Finance of all places, for a few days before being returned to sender.

    For fun we also included bluetooth scanning and controlled that remotely, catching (amongst others) the CIO and the CEO not following the bluetooth security policy that they insisted that all staff obey or be disciplined.

    It worked exactly as advertised, up until the battery died a couple of days later (the bluetooth really sucked down the power fast). This is an interesting approach to an old problem. A seriously cool idea.

  8. This solution is deadly simple and evil from a security perspective while deadly cool from a hacker’s perspective. Now let’s hope it raises some awareness for wireless security.

  9. It’s a great idea, IF you have the money to lose! Potentially someone might open it and steal your iPhone! That would be my main concern. Otherwise I like it.
