8/5/2009
03:02 PM
Weaponizing Apple's iPod Touch

Security expert converts popular music/movie player and browsing device into a penetration testing, hacking tool

It fits behind a coffee machine, inside a desk drawer, or in your pocket, and it doesn't arouse suspicion if you walk into a bank or office tapping away on it -- and that's why a security expert has turned an iPod Touch into a full-blown hacking tool.

Thomas Wilhelm, associate professor of information system security at Colorado Technical University, showed attendees at last week's Defcon17 conference in Las Vegas how Apple's seemingly benign iPod Touch can be converted into a portable and stealthy penetration testing or attack tool. He outfitted the iPhone cousin with the popular Metasploit software for exploiting vulnerabilities, as well as password-cracking and Web app hacking applications he was able to easily download onto the device.

"Because of its size and ability to connect back to a more robust attack platform, the iPod Touch can go anywhere and get us [penetration testers] into areas where we couldn't before," Wilhelm says. "If I walked into a bank with a laptop, people would be suspicious. If I were to walk in with something like an iPhone, people would accept it. I could hack for hours in a bank or coffee shop, and no one would [suspect]," he says.

But like any security tool, this handy and stealthy iPod Touch hacking tool cuts both ways. "I know [the iPod Touch] has been abused, and I know it will be," he says. "But network administrators need to know what the potential threats are."

It's not the first handheld hacking tool. Immunity sells the Silica handheld, a PDA look-alike that's really a mini, hardware-based version of Immunity's Canvas pen-testing tool. And Errata Security last year showed how it sometimes ships iPhones running security tools to its clients' sites to remotely conduct elements of a penetration test, such as tcpdump and Nmap. The idea of overnighting an iPhone-based pen-testing tool came mostly out of necessity for Robert Graham, CEO of Errata, and David Maynor, CTO, as a way to efficiently conduct packet sniffing without traveling out of state.

So why the iPod Touch instead of the iPhone? Wilhelm says it's cheaper up-front and doesn't come with the phone's monthly subscription fees. And it lets the penetration tester or hacker control which network the device connects to, which is not really possible with the iPhone. "The iPhone is attractive because it includes a camera...and can be used to record voice," he says. "But for me, the iPod Touch makes more sense from a cost perspective and network-control perspective."

The iPod Touch can also perform ARP spoofing and force nodes to use it as a gateway. "The coolest thing with the iPod Touch is that it can tell every computer in the network that it's the gateway, and that when you talk to Google, you have to go through it," Wilhelm says. "Then it captures all of the packets that go across the network."
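From the defender's side, the gateway-takeover pattern just described leaves a simple trace: the gateway's IP address is suddenly announced from a second MAC. The script below is an added illustration, not code from the article or from Wilhelm's toolkit; it walks a constructed list of ARP replies and reports every IP (the gateway first) that more than one MAC has claimed. The gateway address and the MACs are placeholders.

```python
"""Flag a rogue gateway announcement in ARP traffic (added example).

Input records are constructed, not captured from a real network:
each tuple is (timestamp, sender_ip, sender_mac). The gateway IP and
all MACs below are placeholders chosen for the demonstration."""
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed: the legitimate router's address

# Constructed sample: the real gateway answers, then a second MAC
# starts claiming the gateway IP (the duplicated-gateway pattern).
SAMPLE_ARP_REPLIES = [
    (1.0, "192.168.1.1",  "00:11:22:33:44:55"),
    (2.0, "192.168.1.20", "aa:bb:cc:dd:ee:01"),
    (3.0, "192.168.1.1",  "00:11:22:33:44:55"),
    (4.0, "192.168.1.1",  "de:ad:be:ef:00:01"),   # conflicting claim
    (5.0, "192.168.1.1",  "de:ad:be:ef:00:01"),
]

def ip_to_macs(replies):
    """Map each announced IP to the set of MACs that claimed it."""
    seen = defaultdict(set)
    for _ts, ip, mac in replies:
        seen[ip].add(mac.lower())
    return seen

def find_conflicts(replies, watch_ip=GATEWAY_IP):
    """Return (ip, sorted_macs) for every IP claimed by more than one MAC.
    Conflicts on watch_ip are listed first: a duplicated gateway means
    hosts may be routing all their traffic through the impostor."""
    table = ip_to_macs(replies)
    conflicts = [(ip, sorted(macs)) for ip, macs in table.items() if len(macs) > 1]
    conflicts.sort(key=lambda c: (c[0] != watch_ip, c[0]))
    return conflicts

def first_conflict_time(replies, ip):
    """Timestamp of the first reply contradicting the MAC first seen for ip, else None."""
    original = None
    for ts, rip, mac in replies:
        if rip != ip:
            continue
        if original is None:
            original = mac.lower()
        elif mac.lower() != original:
            return ts
    return None

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_ARP_REPLIES):
        when = first_conflict_time(SAMPLE_ARP_REPLIES, ip)
        print(f"ALERT: {ip} claimed by {macs}, conflict first seen at t={when}")
```

On a real network the same logic can be fed from a switch's ARP inspection logs or a passive ARP monitor; a gateway that flips between MACs is the alert worth paging on.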

Wilhelm says the Unix-compatible iPod Touch didn't require much configuration to become a hacking tool, either. Once he jailbroke it, he was able to easily install pen-test apps from Cydia. "There was very little I had to do to configure it," he says.

The tool can do most of what a laptop-based pen-test tool can do, he says, although with only about one-tenth of the computing power. The other drawback is that when you plant the iPod Touch on-site, you have to find some way to provide it with a power source. So Wilhelm designed his own camouflaged power setup with parts he purchased at Home Depot. It's basically an electrical box with an empty faceplate affixed to a wall to hide the iPod, which is plugged into the wall outlet.

Another trade-off is that it only works over a wireless connection. You have to join a WiFi network either legitimately or via MAC spoofing: "Once you're on there, you do information-gathering and find out what servers are on the network, do port scans, banner grabbing, and identify potential vulnerabilities, and try to exploit them with Metasploit," Wilhelm says.

And with the device hidden on-site, you can set up a backdoor and remotely connect to the iPod Touch to perform additional attacks. "Anything you can do in a real pen-test, you can do on this thing," Wilhelm says. "Other people have demonstrated some of this functionality before. I wanted to present to the world how robust the iPod Touch is as an attack platform, and some of the social engineering vectors that can be used to actually conduct a pen test."

Wilhelm says that as mainstream portable electronic devices get smaller and more powerful, they could become even more useful -- as well as potentially dangerous if abused.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...