Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011

Uploaded on

Weaponizing the Nokia N900 and some other stuff.

Weaponizing the Nokia N900 and some other stuff.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Weaponizing the Nokia N900(and some other stuff…)
    Shawn Merdinger
    TakeDownCon, Dallas, TX, USA
    19 May, 2011
  • 2. Obligatory Speaker Slide
    Network security analyst at University of Florida, Academic Health Center
    Former Cisco Systems (STAT), Tippingpoint, and some other places…
    6 years as independent security researcher
    Reported vulnerabilities in electronic door access control systems, VoIP phones, SCADA HMI, etc.
    Presented at bunch of great hacker cons
    Limited availability for product security evaluations
    Typically a under-NDA eval in exchange for EFF donation
    Contact me if interested
  • 3. Objectives
    Weaponizing consumer grade gear
    Nokia N900
    Fonera 2100
    Review of several tools and attack vectors
    Focus on technical capability -- not motivation, ethics
    Espionage and legitimate pen-testing
    Raise awareness
    You won’t look at this gear the same way again
  • 4. Re-Boxing the Apple iPod
    Will not focus on iPod for a number of reasons
    Apple too controlling of hardware/software
    Rather work on more open gear
    If you’re determined…
    Thomas Wilhelm’s DEFCON 17 preso
  • 5. Sorry to all of the Apple FanBoys
  • 6. Fonera 2100
    La Fonera 2100 wifi access-point
    Spanish company
    Community-oriented: share wifi, get wifi on the road at 3 million worldwide hotspots
  • 7. Weaponizing the Fon 2100
    Easiest to use Jasager
    Simple re-flash firmware
    OpenWrt based image
    Get you several things
    Nice, clean Web interface
    Framework, tools, scripts to set-up for attack
    Pairs very well with BackTrack, SET
    Bottom line?
    Easiest way to weaponize a wifi AP
    With BT, a solid learning platform
  • 8. Weaponizing the Fon 2100
    Jasager scripts
    Basic port scanning, probes
    Customize and roll-your-own scripts
    Powerful with BackTrack
    SideJacking with Ferret/Hamster
    SET (Social Engineering Toolkit)
    Metasploit ……’nuf said
  • 9. Weaponizing the Fon 2100
    USB power hack
    Run Fon off laptop USB port
    See Simple Nomad’s "Hacking the Friendly Skies“ talk
    Add Fon to a Sheeva / PwnPlug USB port
    5v Solar? Toss on target’s roof?
  • 10. Surprise future device: Raspberry Pi
    $25 embedded PC on USB stick
    Target market: kids in developing countries
    700 mhz chip, 128 RAM, HDMI, WiFi
    Browser, OpenOffice, Python, etc.
  • 11. SmartPhones
    "The public doesn't realize the power they're holding in their hands…They have eyes and ears in their hand that can be exploited. It's intruding into their lives if it's not handled properly.“
    FBI Special Agent in Charge Alan Peters
    “In understanding the technical capabilities of our phones, and by having full access to code and hardware, we can mitigate our risks and better protect our personal data and privacy.”
    Shawn Merdinger
  • 12. Nokia N900
    Smartphone / Tablet
    Basic specs
    OMAP 3430 ARM Cortex A8 @ 600mhz
    128 MB RAM, 1 GB virtual memory, 32 gb total memory, MicroSD
    802.11 Wifi, Bluetooth, 5MP camera back, 2MP camera front, GPS
    Linux-based OS
    Maemo 5
    MeeGo 1.2 (special developer edition for N900)
  • 13. N900 Apps
    Many stable, vetted and free apps available
    GUI app manager or CLI via Debian APT
    Extra Debian APT repositories
    Thousands more packages
    Solid community docs
  • 14. N900 Attack Tools
    Many of the ‘classic’ security tools
    Fyoder’s Top 100 list
    Maemo .deb packaged tools
    A few examples
    Nmap, Kismet, Ettercap, ssltrip , Aircrack-NG
    Pwnitter (Firesheep for N900)
    Trucrypt, OpenVPN, TOR
  • 15. N900 Challanges
    Some tools require an advanced kernel
    Especially wireless attacks like injection, de-authentication
    Tools may require a certain level of tweaking
    Linking libraries, conflicts, OpenSSL versions, etc.
    Tough to install ALL the cool attack tools
    N900 is for you if you want…
    a Linux box in your pocket
    to “get your geek on”
    specific pen-testing objectives
    a “Poor Man’s Immunity SILICA”
  • 16. N900 Data Ex-filtration Capability
    On board storage is 32 GB
    MicroSD card up to 16 GB
    Network paths
    Tunnel over SSL
    Tunnel over DNS requests
  • 17. N900 Wireless Attacks
    Rouge AP
    With SET hotness!
    Packet injection
    Ettercap + sslstrip
    Tcpdump, ngrep, dsniff
    Can sniff actual GSM interface
    Potential for GSM attacks?
    See KarstenNohl’s26C3 GSM Sniffing Talk
    Todo: crack my own A5/1 crypto key
  • 18. N900 Wireless Attacks
    Wireless de-authentication attack
    Via Simon @ KnowNokia.ca
    “Sometimes I’m hanging with friends of mine who are big on Android and iPhone, and they make feeble attempts to mock my N900.
    “That thing is a brick”. “Nice resistive touch screen. Made in the 90’s?”. “Does it have apps?”. “Hey, let’s all play iScrabbleand stare at our phones while we’re sitting in front of each other!”
  • 19. ohnoez!
    “I’ve learned to quietly brush off their comments, calmly finish replying to my text message and enter a few key commandsand place the N900 in my pocket.”
  • 20. Unlocking N900 Wifi Frequencies
    “If you live like a criminal and run your 802.11 networks on the upper channels of 12, 13 or 14 in North America…” – Simon @ knowknokia
    Got Stealth?
  • 21. Other Wireless: Bluetooth and Zigbee
    In-progress projects to watch
    USB dongle to N900
    New attack capabilities
    Ubertooth Project
    Michael Ossmann
    Expanding Bluetooth attack surface exploration
    Joshua Wright, InGuardians
    Zigbee attack toolkit
    Possible future statement?
    “Dude, I just Pwned your house’s smartmeter with with my phone”
  • 22. N900 VoIP
    VoIP capabilities
    Skype by default, integrated with contacts
    Google Voice app
    SIP clients
    Asterisk – is that a telco in your pocket?
    See VOIPSA security tool list
    Opens many attack and stealth possibilities
    SIP attacks, spitter, etc.
    CID spoofing
    Asterisk to Asterisk
    IPsec tunnels with IAX crypto
  • 23. N900 (a little more) Anonymous
    Smart Phone Privacy and Steps Towards Anonymizing the Nokia N900
    Via Kyle Young @ http://zitstif.no-ip.org
    Disabling tracking
    Location tracking (GPA and triangulation)
    Auto connecting to Internet
    Enabling Privacy
    Not encrypted FS
    Crypto keys
  • 24. BabyPhone
    Simple yet effective spy tool
    From babyroom to boardroom ;)
    Measures audio level threshold & starts phone call
  • 25. LiveCast Mobile
    Stream live audio/video from N900to web
    Go to webpage, listen and watch
    Flexible archive options
    None, N900-only, Web-only, N900+Web
    Use front or back camera
  • 26. SMSCON
    Control N900 via SMS messages
    SMSCON Editor companion app
    Read Python scripts to see behind-the-scenes 
    Example stock functions
    GPS Location and email to address
    Lock screen, reboot, “wipe” device data
    Start reverse-ssh session 
    Connect back to N900 root shell via external ssh server
    Get your lost or stolen N900 back!
    See ZoZ’z“Pwned by the owner” DEFCON 18 talk
  • 27. SMSCON & SMSCON Editor
  • 28. N900 Avoid Forensics
    Can easily wipe and re-flash N900
    Well-documented, step-by-step
    Two levels: rootfs and eMMC
    Truly concerned could feasibly
    Back-up personal data to micro-sd
    *encrypt - leave in phone, hide, give to trusted person
    Re-flash both rootfs and eMMC
    Retains core call/sms functionality
    Once safe, decrypt micro-sd card and restore data
    Run a custom apt-get script to install packages not in back-up
  • 29. N900 Anti-Forensics Potential?
    Rumors of warrantless forensics on cellphones
    CellBrite UFED (Universal Forensic Extraction Device)
    Some models are $800 on eBay 
    Interesting research and POC idea…
    Just ideas. Better check with lawyers if you do this (DMCA)
    Fingerprint CellBrite USB connect
    “Hide your wife, hide your kids” mode
    Script encrypt/wipe real data
    Spoof a fake phone filesystem?
  • 30. N900 Attack Forensics Potential?
    Technically possible to turn the tables?
    Attack the forensics collector itself?
    Low-level USB driver attacks
    Malicious data 4u
    And upstream PC
    Parser, viewer, etc.
  • 31. Running another OS on N900
    Easy Debian OS
    Like Vmware & Full Debian desktop, useful for tools e.g. full Nessus install, Gimp, etc. 
    Backtrack 5 (ARM distro) via chroot
    Other cool hacks to check out
    Dual Booting with Maemo and Android
    rU l33t? Roll-your-own OS! See BackupMenu tool
  • 32. Booting a PC with the N900
    Use USB + bootable image on MicroSD card
    Useful for on-the-spot support
    Potentially quite evil espionage
    Corporate office, Internet cafes, Kiosks
    Tested with BackBox Linux, Backtrack 5
    Props to Kyle Young
  • 33. Buying a Pre-weaponized N900
    Lazy, in a hurry or want technical support…
    Best bets as of today
    PwnieExpress.com N900 PwnPhone
    NeoPwn project seems kinda AWOL
  • 34. Thank you!
    Thank you for your time 
    Check InfoSecIsland for more N900 posts
    Huge ‘thank you’ to folks who made this preso possible: Kyle Young, Simon@knownokia.ca, folks on Maemo forums