Attacks/Breaches

8/5/2009
03:02 PM

Weaponizing Apple's iPod Touch

Security expert converts the popular music, movie, and Web-browsing device into a penetration testing and hacking tool

It fits behind a coffee machine, inside a desk drawer, or in your pocket, and it doesn't arouse suspicion if you walk into a bank or office tapping away on it -- and that's why a security expert has turned an iPod Touch into a full-blown hacking tool.

Thomas Wilhelm, associate professor of information system security at Colorado Technical University, showed attendees at last week's Defcon 17 conference in Las Vegas how Apple's seemingly benign iPod Touch can be converted into a portable and stealthy penetration testing or attack tool. He outfitted the iPhone's cousin with the popular Metasploit software for exploiting vulnerabilities, as well as password-cracking and Web application hacking tools he was able to download onto the device with little effort.

"Because of its size and ability to connect back to a more robust attack platform, the iPod Touch can go anywhere and get us [penetration testers] into areas where we couldn't before," Wilhelm says. "If I walked into a bank with a laptop, people would be suspicious. If I were to walk in with something like an iPhone, people would accept it. I could hack for hours in a bank or coffee shop, and no one would [suspect]," he says.

But like any security tool, this handy and stealthy iPod Touch hacking tool cuts both ways. "I know [the iPod Touch] has been abused, and I know it will be," he says. "But network administrators need to know what the potential threats are."

It's not the first handheld hacking tool. Immunity sells the Silica handheld, a PDA look-alike that's really a mini, hardware-based version of Immunity's Canvas pen-testing tool. And Errata Security last year showed how it sometimes ships iPhones running security tools to its clients' sites to remotely conduct elements of a penetration test, such as tcpdump and Nmap. The idea of overnighting an iPhone-based pen-testing tool came mostly out of necessity for Robert Graham, CEO of Errata, and David Maynor, CTO, as a way to conduct packet sniffing efficiently without traveling out of state.

So why the iPod Touch instead of the iPhone? Wilhelm says it's cheaper up-front and doesn't come with the phone's monthly subscription fees. And it lets the penetration tester or hacker control which network the device connects to, which is not really possible with the iPhone. "The iPhone is attractive because it includes a camera...and can be used to record voice," he says. "But for me, the iPod Touch makes more sense from a cost perspective and network-control perspective."

The iPod Touch can also perform ARP spoofing and force nodes to use it as a gateway. "The coolest thing with the iPod Touch is that it can tell every computer in the network that it's the gateway, and that when you talk to Google, you have to go through it," Wilhelm says. "Then it captures all of the packets that go across the network."
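The defender's counterpart to the gateway-impersonation trick Wilhelm describes is to watch the ARP traffic itself. The following monitor is an added example written for this article, not code from Wilhelm's talk or from any of the tools named here; it does what arpwatch-style tools do, remembering which MAC each IP has answered from and raising an alert when the gateway's IP suddenly answers from a different MAC, or when a single MAC answers for both the gateway and another host. The addresses and the sequence of ARP replies are constructed sample data.

```python
"""Detecting gateway impersonation (ARP spoofing) from observed ARP replies.

Added example, not code from the article. It does what tools such as arpwatch
do: remember which MAC each IP has answered from, and alert when the gateway
IP flips to a new MAC or when one MAC answers for the gateway and another
host at the same time. All addresses below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ArpReply:
    """Sender fields of one ARP reply ('IP X is at MAC Y')."""
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    gateway_ip: str
    bindings: Dict[str, str] = field(default_factory=dict)   # ip -> last MAC seen
    alerts: List[str] = field(default_factory=list)
    _reported_shared: Set[str] = field(default_factory=set)  # MACs already flagged

    def observe(self, reply: ArpReply) -> None:
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac            # first sighting: learn it
        elif known != mac:
            # The binding flipped. For the gateway this is exactly the
            # "I am your router now" claim described in the article.
            severity = "CRITICAL" if ip == self.gateway_ip else "WARN"
            self.alerts.append(f"{severity}: {ip} moved from {known} to {mac}")
            self.bindings[ip] = mac            # follow it so a flip back is also reported

        # Second signal: one MAC now answers for the gateway and for another host.
        ips_for_mac = sorted(i for i, m in self.bindings.items() if m == mac)
        if (self.gateway_ip in ips_for_mac and len(ips_for_mac) > 1
                and mac not in self._reported_shared):
            self._reported_shared.add(mac)
            others = ", ".join(i for i in ips_for_mac if i != self.gateway_ip)
            self.alerts.append(
                f"CRITICAL: {mac} answers for gateway {self.gateway_ip} and for {others}")


def run_demo() -> ArpMonitor:
    """Replay a constructed ARP sequence: normal traffic, then a spoofed gateway."""
    monitor = ArpMonitor(gateway_ip="10.0.0.1")
    replies = [
        ArpReply("10.0.0.1", "aa:bb:cc:00:00:01"),   # real router
        ArpReply("10.0.0.20", "aa:bb:cc:00:00:20"),  # a workstation
        ArpReply("10.0.0.77", "de:ad:be:ef:00:77"),  # rogue device's own address
        ArpReply("10.0.0.1", "DE:AD:BE:EF:00:77"),   # rogue device claims the gateway
        ArpReply("10.0.0.20", "aa:bb:cc:00:00:20"),  # unchanged, should be silent
    ]
    for r in replies:
        monitor.observe(r)
    return monitor


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```

In practice the replies would come from a capture on the segment being protected; the same signal is what switch-level Dynamic ARP Inspection acts on, and a static ARP entry for the gateway on sensitive hosts removes the exposure entirely.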

Wilhelm says the Unix-based iPod Touch didn't require much configuration to become a hacking tool, either. Once he jailbroke it, he was able to install pen-test apps from Cydia with little trouble. "There was very little I had to do to configure it," he says.

The tool can do most of what a laptop-based pen-test tool can do, he says, although with only about one-tenth of the computing power. The other drawback is that when you plant the iPod Touch on-site, you have to find some way to power it. So Wilhelm designed his own camouflaged power setup with parts he purchased at Home Depot. It's basically an electrical box with a blank faceplate affixed to a wall, which hides the iPod while it is plugged into the wall outlet.

Another trade-off is that it works only over a wireless connection. You have to get onto a WiFi network either legitimately or via MAC spoofing: "Once you're on there, you do information-gathering and find out what servers are on the network, do port scans, banner grabbing, and identify potential vulnerabilities, and try to exploit them with Metasploit," Wilhelm says.

And with the device hidden on-site, you can set up a backdoor and remotely connect to the iPod Touch to perform additional attacks. "Anything you can do in a real pen-test, you can do on this thing," Wilhelm says. "Other people have demonstrated some of this functionality before. I wanted to present to the world how robust the iPod Touch is as an attack platform, and some of the social engineering vectors that can be used to actually conduct a pen test."

Wilhelm says that as mainstream portable electronic devices get smaller and more powerful, they could become even more useful -- as well as potentially dangerous if abused.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
