

The Pwn Plug is a little white box that can hack your network - bmunro
http://arstechnica.com/business/news/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network.ars

======
dhx
An air freshener with network connectivity? Better disguises immediately come
to mind.

The power brick approach is an improvement but still makes the following
assumptions:

* location of network ports is at floor level hidden under desks

* power and network cable colours match

* an employee won't disconnect a seemingly useless box when they need to charge their phone

* port security is not in use

A replacement "trojan horse" computer or printer that has been modified
externally is a stealthier approach. Such devices have a reason for being
connected to a power source and the network and do not raise suspicion
(especially if the replacements are soiled and have worn asset stickers
attached). Local IT staff will ensure the devices have network connectivity
and will likely assume (in the case of a computer) that suspicious network
traffic is the result of a virus.

Failing that full blown approach, even a "signal booster" could be a better
disguise. An average person will think of their analogue TV and radio signal
boosters. Further disguise can be added by soiling the devices, attaching
asset stickers and stickers for a matching fake brand name and fake website
where suspicious users can have their fears alleviated. The website has the
added benefit of alerting the attacker that their device has been potentially
compromised.

~~~
inchcombec
You're assuming that the local IT staff regularly monitor network traffic and
are generally competent. Sadly, that isn't always the case. The attacker may
also only need a few hours to get the data he is after, a fairly small window.
As well, they'd have to be monitoring internal traffic, not just outgoing, as
with one of these plugged in an attacker would be on the internal network.
Most likely this type of attack would have to be detected by noticing that
someone was accessing files (or trying to, anyway) that they had no business
accessing, rather than by network traffic per se.

I like the idea of a signal booster. That is actually a great idea for
disguising these things. I've seen these things before and figured it would be
best to just run the Ethernet behind a printer or something and hope that
people don't notice it was still continuing on past the device, but your idea
is even better. Everyone complains on some level about their Internet, just
install the 'signal booster' to give them a stronger connection. ;-)
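The point above, that this kind of intrusion tends to be caught by noticing misuse rather than by watching traffic, suggests one cheap signal defenders can still collect: a device the internal DHCP server has never handed a lease to before. The following is an added example, not code from the thread or from the Pwn Plug project; it parses dnsmasq-style `DHCPACK` log lines (the sample lines, the asset inventory and the "corporate OUI" set are all constructed for the example) and flags MACs that are not in the inventory, that carry a non-corporate vendor prefix, that send no hostname, or whose hostname no longer matches the inventory record.

```python
import re
from dataclasses import dataclass

# dnsmasq logs a lease as:
#   <timestamp> <host> dnsmasq-dhcp[<pid>]: DHCPACK(<iface>) <ip> <mac> [<hostname>]
# The hostname is optional; many embedded devices never send one.
DHCPACK_RE = re.compile(
    r"DHCPACK\((?P<iface>[^)]+)\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)

# Constructed asset inventory (MAC -> expected hostname) and the OUI prefixes
# of vendors this fictional company actually buys hardware from.
INVENTORY = {
    "00:1a:2b:10:00:01": "ws-finance-07",
    "00:1a:2b:10:00:02": "ws-finance-08",
}
CORPORATE_OUIS = {"00:1a:2b"}

# Constructed log excerpt: two inventoried workstations, a DISCOVER we ignore,
# an unknown device with no hostname (logged twice), and an inventoried MAC
# that later reappears with a different hostname.
SAMPLE_LOG = [
    "Mar 5 09:12:01 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.15 00:1a:2b:10:00:01 ws-finance-07",
    "Mar 5 09:12:44 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.16 00:1a:2b:10:00:02 ws-finance-08",
    "Mar 5 09:13:02 dhcp1 dnsmasq-dhcp[812]: DHCPDISCOVER(eth0) 00:1a:2b:10:00:02",
    "Mar 5 09:30:17 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.77 de:ad:be:ef:00:01",
    "Mar 5 09:30:17 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.77 de:ad:be:ef:00:01",
    "Mar 5 10:02:55 dhcp1 dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.16 00:1a:2b:10:00:02 mybox",
]


@dataclass
class Alert:
    mac: str
    ip: str
    reason: str


def parse_dhcpack(line):
    """Return the lease fields of a DHCPACK line, or None for any other line."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return {
        "iface": m.group("iface"),
        "ip": m.group("ip"),
        "mac": m.group("mac").lower(),
        "host": m.group("host"),
    }


def classify(rec, inventory, corporate_ouis):
    """Return a reason string if the lease is suspicious, else None."""
    mac, host = rec["mac"], rec["host"]
    if mac in inventory:
        if host == inventory[mac]:
            return None
        # Same MAC, different hostname: either a reimaged box or a cloned MAC.
        return f"known MAC but hostname {host!r} != inventory {inventory[mac]!r}"
    # The OUI is only a hint: a MAC is trivially settable, so a corporate-looking
    # prefix lowers priority but never clears the device.
    tag = "corporate OUI" if mac[:8] in corporate_ouis else "non-corporate OUI"
    if host is None:
        return f"unknown MAC, {tag}, no hostname sent"
    return f"unknown MAC, {tag}, hostname {host!r}"


def audit_dhcp_log(lines, inventory, corporate_ouis):
    """Scan log lines and return one Alert per distinct (MAC, reason) pair."""
    alerts, emitted = [], set()
    for line in lines:
        rec = parse_dhcpack(line)
        if rec is None:
            continue
        reason = classify(rec, inventory, corporate_ouis)
        if reason is None or (rec["mac"], reason) in emitted:
            continue
        emitted.add((rec["mac"], reason))
        alerts.append(Alert(rec["mac"], rec["ip"], reason))
    return alerts


if __name__ == "__main__":
    for a in audit_dhcp_log(SAMPLE_LOG, INVENTORY, CORPORATE_OUIS):
        print(f"{a.ip:<15} {a.mac}  {a.reason}")
```

Run against the sample it reports the unlabelled `de:ad:be:ef:00:01` device once and the hostname change on `00:1a:2b:10:00:02`; the workstation that matches its inventory record and the `DHCPDISCOVER` line produce nothing. A device with a static address never appears in DHCP logs at all, which is why this complements, rather than replaces, switch port security and ARP monitoring.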

------
someone13
I built a similar device myself, following instructions given at [1]. Very
handy little device, for multiple non-malicious reasons. I can carry a
wireless router, power supply and cable around in my jacket pocket, and you
can do fun stuff like telling the wireless router to transparently send all
traffic through something like OpenVPN (or Tor, if you're paranoid). Makes
security in potentially hostile environments very straightforward.

[1]: <http://www.minipwner.com/>

------
Juha
It's interesting that the article never mentions that to use that he had to
find a power plug with a free ethernet plug next to it. That might not be
trivial in all environments. It gets a lot more suspicious if he has to search
for that for a long time in the bank. Also, someone might question why the
ethernet cable is there at some point. Just saying the article makes it sound
easier than it actually is for a non-technical person.

~~~
willvarfar
I think the cluster of bricks around power outlets in bank offices is rarely
examined nor questioned by anyone with any kind of background. And if the chap
sent out to change the printer toner questions it, someone will just tell him
someone from IT put it there a few weeks ago...

There have been cases of cleaners putting dongle keyloggers on bank PCs too
<http://www.theregister.co.uk/2005/04/13/sumitomu_bank/>

Miniaturization will only get better, of course.

------
willvarfar
I hope they are working on the miniature version that is inside a power-strip
or even small enough to be an actual plug.

~~~
bostonvaulter2
You could add an "ethernet surge protector"; I remember some of my old power
strips had those, although maybe that was for phone.

------
nwmcsween
I've done pen testing in the past and I've made similar 'plugs' like this.
It's quite simple to make one of these, all you need is a router that can run
openwrt and a case of some sort (pelican cases work nicely), tear it apart,
flash it, paint the case and that's about it - total cost was about ~$100 + 2
hours of time and as an added bonus openwrt comes with a webui. Maybe this
offers more...

~~~
nikcub
Same. I built one in the late 90s as a pen test project. It only had network
support, no wifi, but you could plug it in anywhere and it would arpflood and
then passive listen for everything, before running through some rules on what
to keep and then sending it back to a dump box (and saving it to disk).

I was part way through setting it up to spoof as an active directory backup
(or primary auth server) before we had the plug pulled.

Did two real pentests with it. Went back to the client with a list of 90% of
their passwords and hundreds of web account authentication details (shopping
sites, email, amazon, slashdot, etc.).

I'd love to build one again today. Battery powered and _a lot_ smaller than
what is seen in that Ars article. They would be so cheap that it wouldn't be
worth retrieving - just letting them run for a week and being able to reverse
shell into it to control it.

Hacking an android phone would be good for this. Remove the screen and get 10+
days of battery life of just the OS running (remove bluetooth, etc.). Package
it as something that looks innocent or place it under carpet or in a void
space in a wall.

------
DanBC
See also (<http://news.ycombinator.com/item?id=3659317>)

------
zobzu
lol-price for installing software and strapping a webui if you ask me. The
original plug is $99. A wifi stick is $20 (their plug is $520).

~~~
nwmcsween
Well the 'elite' version is ~$750... that's getting pretty ridiculous when I
could and have built something similar with openwrt and a pelican case for ~$80 +
the 45 or so minutes to tear the router apart and flash openwrt onto it. As
an added bonus it comes with a webui.

~~~
dfc
What are you using for 3G in your $80 box?

~~~
nwmcsween
I never had to use 3G, just connect to an unbroadcast SSID of the router.
If I was really determined to have 3G I would tether a pay-and-go phone to a
usb port, but I don't see the usefulness of 3G when I have wifi..

~~~
dfc
You said similar for $80. Does your busted pelican box look as innocuous as
this thing does in an average corporate environment?

Have you done a lot of large scale corporate pen tests? I used to do a lot of
pentest/wireless audits for IBM. Sure I could sit in the parking lot of Dr.
Bob's Dermatology practice and maintain a decent signal strength to his
wireless network. But what are you going to do in downtown Manhattan when the
client is on the 25th-35th floors of a building in the financial district?
Does your pay as you go phone fit into your classy corporate looking pelican
box? How does that pelican box look now that there is a second cord running
out of it to charge the pay as you go phone?

Now do you see the usefulness of built in 3G?

PS: I just noticed that you have posted your description twice now. Is it $80
or $100?

~~~
forza
You would use a $15 USB 3G modem, just like I assume the pwn plug does.

