8/5/2009
03:02 PM

Weaponizing Apple's iPod Touch

Security expert converts popular music/movie player and browsing device into a penetration testing, hacking tool

It fits behind a coffee machine, inside a desk drawer, or in your pocket, and it doesn't arouse suspicion if you walk into a bank or office tapping away on it -- and that's why a security expert has turned an iPod Touch into a full-blown hacking tool.

Thomas Wilhelm, associate professor of information system security at Colorado Technical University, showed attendees at last week's Defcon 17 conference in Las Vegas how Apple's seemingly benign iPod Touch can be converted into a portable and stealthy penetration testing or attack tool. He outfitted the iPhone cousin with the popular Metasploit software for exploiting vulnerabilities, as well as password-cracking and Web app hacking applications he was able to easily download onto the device.

"Because of its size and ability to connect back to a more robust attack platform, the iPod Touch can go anywhere and get us [penetration testers] into areas where we couldn't before," Wilhelm says. "If I walked into a bank with a laptop, people would be suspicious. If I were to walk in with something like an iPhone, people would accept it. I could hack for hours in a bank or coffee shop, and no one would [suspect]," he says.

But like any security tool, this handy and stealthy iPod Touch hacking tool cuts both ways. "I know [the iPod Touch] has been abused, and I know it will be," he says. "But network administrators need to know what the potential threats are."

It's not the first handheld hacking tool. Immunity sells the Silica handheld, a PDA look-alike that's really a mini, hardware-based version of Immunity's Canvas pen-testing tool. And Errata Security last year showed how it sometimes ships iPhones running security tools, such as tcpdump and Nmap, to its clients' sites to remotely conduct elements of a penetration test. The idea of overnighting an iPhone-based pen-testing tool came mostly out of necessity for Robert Graham, CEO of Errata, and David Maynor, CTO, as a way to efficiently conduct packet sniffing without traveling out of state.

So why the iPod Touch instead of the iPhone? Wilhelm says it's cheaper up-front and doesn't come with the phone's monthly subscription fees. And it lets the penetration tester or hacker control which network the device connects to, which is not really possible with the iPhone. "The iPhone is attractive because it includes a camera...and can be used to record voice," he says. "But for me, the iPod Touch makes more sense from a cost perspective and network-control perspective."

The iPod Touch can also perform ARP spoofing and force nodes to use it as a gateway. "The coolest thing with the iPod Touch is that it can tell every computer in the network that it's the gateway, and that when you talk to Google, you have to go through it," Wilhelm says. "Then it captures all of the packets that go across the network."
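
For network administrators, the gateway impersonation described above leaves a visible trace in ARP traffic. The following is an added example, not code from the article or from Wilhelm's talk: it flags an IP address whose MAC binding changes and a single MAC that answers for several IPs. The log format, addresses, and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: ARP replies as "epoch_seconds sender_ip sender_mac".
# The format and every address here are invented for this example.
SAMPLE = """\
100 192.168.1.1 00:11:22:33:44:55
101 192.168.1.20 a4:5e:60:aa:bb:01
130 192.168.1.1 00:11:22:33:44:55
160 192.168.1.1 7c:c3:a1:de:ad:01
161 192.168.1.1 7c:c3:a1:de:ad:01
162 192.168.1.20 7c:c3:a1:de:ad:01
190 192.168.1.1 00:11:22:33:44:55
191 192.168.1.1 7c:c3:a1:de:ad:01
"""

def parse(text):
    """Yield (timestamp, ip, mac) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, ip, mac = parts
        yield int(ts), ip, mac.lower()

def detect(observations, pinned=None):
    """Return alerts as (ts, kind, ip, mac).

    pinned maps ip -> known-good MAC (for example the real gateway).
    Without a pin, the first MAC seen for an IP becomes the baseline,
    which is wrong if the spoofer is already active when capture starts.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    first_seen = {}                 # ip -> baseline MAC when not pinned
    ips_by_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    alerts, reported = [], set()
    for ts, ip, mac in observations:
        expected = pinned.get(ip) or first_seen.setdefault(ip, mac)
        if mac != expected and ("binding", ip, mac) not in reported:
            reported.add(("binding", ip, mac))
            alerts.append((ts, "binding-changed", ip, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1 and ("multi", mac) not in reported:
            reported.add(("multi", mac))
            alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts
```

Pinning the gateway's MAC matters: with no pin, a capture that begins after the spoofing has started treats the spoofer's MAC as the baseline and raises the alert against the legitimate gateway instead.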

Wilhelm says the Unix-compatible iPod Touch didn't require much configuration to become a hacking tool, either. Once he "jail broke" it, he was able to easily install pen-test apps from Cydia. "There was very little I had to do to configure it," he says.

The tool can do most of what a laptop-based pen-test tool can do, he says, although at about only one-tenth of the computing power. The other drawback is when you plant the iPod Touch on-site, you have to find some way to provide it a power source. So Wilhelm designed his own camouflaged power setup with parts he purchased at Home Depot. It's basically an electric box with an empty faceplate affixed to a wall to hide the iPod, which is plugged into the wall outlet.

Another trade-off is it only works with a wireless connection. You have to jump onto a WiFi connection either legitimately or via MAC spoofing: "Once you're on there, you do information-gathering and find out what servers are on the network, do port scans, banner grabbing, and identify potential vulnerabilities, and try to exploit them with Metasploit," Wilhelm says.

And with the device hidden on-site, you can set up a backdoor and remotely connect to the iPod Touch to perform additional attacks. "Anything you can do in a real pen-test, you can do on this thing," Wilhelm says. "Other people have demonstrated some of this functionality before. I wanted to present to the world how robust the iPod Touch is as an attack platform, and some of the social engineering vectors that can be used to actually conduct a pen test."

Wilhelm says that as mainstream portable electronic devices get smaller and more powerful, they could become even more useful -- as well as potentially dangerous if abused.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
