LAS VEGAS -- DefCon 16 -- This time, the iPhone is doing the hacking: a pair of researchers will reveal here tomorrow at DefCon 16 how they ship iPhones running security tools to their client sites to remotely conduct some elements of a penetration test.
It's just one fun hacking method that Errata Security's Robert Graham and David Maynor will demonstrate in their "Bringing Sexy Back: Breaking in With Style" session here. The researchers also have created a novel method of spear phishing that they also use for their clients.
"We're just saying you have to be a little creative with the tools you have and you can do some fun stuff," says Graham, CEO of Errata Security.
The idea for shipping an iPhone equipped with WiFi auditing tools like tcpdump and Nmap came mostly out of necessity for Graham and Maynor: "One of our customers that was out of state wanted us to do a wireless audit for them as part of a pen test, but we would have been sniffing packets and then twiddling our thumbs for the basic audit," Graham says, plus the client had multiple out-of-state sites. "This was a simple solution that didn't [require] us going onsite."
So the researchers enable the tools on the iPhone, add a separate battery pack, and ship it out via overnight delivery. Once there, the iPhone collects security data on the WiFi network, such as whether encryption is deployed and, if so, what type, as well as detecting rogue access points or laptops vulnerable to WiFi-borne hacks. "There's an SSH connection to the iPhone so they can run the tests via a command line," Graham says.
Graham says the data and packets it captures are then run through the firm's Ferret WiFi hacking tool. "We have a Ferret build for the iPhone, but it's not working yet," Graham says. They're also looking at running the powerful Metasploit hacking tool on the iPhone as well, he says.
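The triage the article describes, classifying what a wireless audit device sees by encryption type and flagging access points that are not in the client's inventory, as an added illustration that is not Errata Security's code. The scan records, the authorised-BSSID list and the tab-separated record format are all constructed for the example; a real audit would feed the parser with whatever the scanner on the device actually outputs.

```python
"""Wireless audit triage: classify access-point records by encryption type
and flag BSSIDs missing from the site's authorised-AP inventory.

Added example, not the researchers' tooling. The record format (one AP per
line: SSID, BSSID, encryption, channel, tab-separated) is an assumption.
"""

from dataclasses import dataclass


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    encryption: str  # "OPEN", "WEP", "WPA", "WPA2"
    channel: int


# Constructed sample scan output; none of these networks are real.
SAMPLE_SCAN = """\
CorpNet\t00:11:22:33:44:01\tWPA2\t6
CorpNet\t00:11:22:33:44:02\tWPA2\t11
CorpNet\taa:bb:cc:dd:ee:01\tOPEN\t1
Guest\t00:11:22:33:44:03\tWEP\t6
Printer-AP\tde:ad:be:ef:00:01\tWPA\t3
"""

# Constructed inventory of BSSIDs the client sanctions on site.
AUTHORISED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# SSIDs the client considers corporate; an unknown BSSID advertising one of
# these is the classic "evil twin" pattern and gets the higher severity.
CORPORATE_SSIDS = {"CorpNet"}

# Encryption settings that give no usable confidentiality on the air.
WEAK_ENCRYPTION = {"OPEN", "WEP"}


def parse_scan(text: str) -> list[AccessPoint]:
    """Parse the tab-separated records, normalising case so lookups match."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, enc, chan = line.split("\t")
        aps.append(AccessPoint(ssid, bssid.lower(), enc.upper(), int(chan)))
    return aps


def weak_encryption(aps: list[AccessPoint]) -> list[AccessPoint]:
    """Networks deployed with no encryption or with WEP."""
    return [ap for ap in aps if ap.encryption in WEAK_ENCRYPTION]


def rogue_aps(aps, authorised=AUTHORISED_BSSIDS, corporate=CORPORATE_SSIDS):
    """Every BSSID outside the inventory, with severity raised when it
    impersonates a corporate SSID. Returns (bssid, ssid, severity) tuples."""
    findings = []
    for ap in aps:
        if ap.bssid in authorised:
            continue
        severity = "high" if ap.ssid in corporate else "medium"
        findings.append((ap.bssid, ap.ssid, severity))
    return findings


def audit_report(text: str = SAMPLE_SCAN) -> dict:
    """Summary a remote tester would pull back over the SSH session."""
    aps = parse_scan(text)
    return {
        "total": len(aps),
        "weak": [(ap.ssid, ap.bssid, ap.encryption) for ap in weak_encryption(aps)],
        "rogue": rogue_aps(aps),
    }


if __name__ == "__main__":
    for key, value in audit_report().items():
        print(key, value)
```

The two checks are deliberately separate: a weak-encryption finding is about the client's own configuration, while a rogue finding is about equipment the client did not deploy, and the follow-up (reconfigure versus physically locate) differs accordingly.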
WiFi fuzzing is another option for this, Graham says, and the researchers may try it with the Nokia N810 smart phone.
Graham and Maynor have also added a few twists to gauging a firm's vulnerability to a targeted, or spear-phishing, attack. They set up a phony 401K management firm site for a client that looks a lot like a legitimate company. The researchers then gather user email addresses from their client, and send out a bogus message purportedly from the human resources department saying that the company is changing 401K providers.
"It says the user needs to log on and opt in," Graham says. "So we can get usernames and passwords." But unlike most phishing attacks that attack the desktop directly, this one goes after the browser using an ActiveX tool that it gets signed, so it appears legitimate and will run on the victim's machine. They also managed to establish legitimacy for the site and were able to purchase an SSL certificate from VeriSign, he says. "So the user will download and run the ActiveX code and now we own their computer," he says. "They get a nice, trusted SSL connection."
"Most [phishing] hackers aren't doing this because they have low margins... they would not pay $1,000," he says. "But for us, we create one Website with $1,000 and do all of the phishing attacks for our clients' penetration tests," he says.