Weaponizing the Nokia N900 (and some other stuff…). Shawn Merdinger. TakeDownCon, Dallas, TX, USA, 19 May 2011
Obligatory Speaker Slide: Network security analyst at University of Florida, Academic Health Center. Former Cisco Systems (STAT), TippingPoint, and some other places… 6 years as independent security researcher. Reported vulnerabilities in electronic door access control systems, VoIP phones, SCADA HMI, etc. Presented at a bunch of great hacker cons. Limited availability for product security evaluations: typically an under-NDA eval in exchange for EFF donation. Contact me if interested.
Objectives: Weaponizing consumer-grade gear (Nokia N900, Fonera 2100, surprises). Review of several tools and attack vectors. Goals: focus on technical capability -- not motivation, ethics; espionage and legitimate pen-testing. Raise awareness: you won’t look at this gear the same way again. Demo.
Re-Boxing the Apple iPod: Will not focus on iPod for a number of reasons: Apple too controlling of hardware/software; rather work on more open gear. If you’re determined… Thomas Wilhelm’s DEFCON 17 preso: http://www.metacafe.com/watch/5815191/defcon_17_hacking_with_the_ipod_touch_2011/ Hakin9: http://hakin9.org/category/tutorials/
Sorry to all of the Apple FanBoys
Fonera 2100: La Fonera 2100 wifi access point. Fon: Spanish company. Community-oriented: share wifi, get wifi on the road at 3 million worldwide hotspots.
Weaponizing the Fon 2100: Easiest to use Jasager. Simple re-flash of firmware; OpenWrt-based image. Gets you several things: nice, clean Web interface; framework, tools, scripts to set up for attack; pairs very well with BackTrack, SET. Bottom line? Easiest way to weaponize a wifi AP. With BT, a solid learning platform.
Weaponizing the Fon 2100: Karma. Jasager scripts: basic port scanning, probes; customize and roll-your-own scripts. Powerful with BackTrack: SSLstrip; SideJacking with Ferret/Hamster; SET (Social Engineering Toolkit); Metasploit… ’nuf said.
Weaponizing the Fon 2100: USB power hack. Run Fon off laptop USB port; see Simple Nomad’s “Hacking the Friendly Skies” talk. Add Fon to a Sheeva / PwnPlug USB port. 5v Solar? Toss on target’s roof?
Surprise future device: Raspberry Pi. $25 embedded PC on USB stick. Target market: kids in developing countries. 700 MHz chip, 128 RAM, HDMI, WiFi. Browser, OpenOffice, Python, etc. http://www.raspberrypi.org
SmartPhones: “The public doesn't realize the power they're holding in their hands…They have eyes and ears in their hand that can be exploited. It's intruding into their lives if it's not handled properly.” FBI Special Agent in Charge Alan Peters. “In understanding the technical capabilities of our phones, and by having full access to code and hardware, we can mitigate our risks and better protect our personal data and privacy.” Shawn Merdinger
Nokia N900: Smartphone / Tablet. Basic specs: OMAP 3430 ARM Cortex A8 @ 600 MHz; 128 MB RAM, 1 GB virtual memory, 32 GB total memory, MicroSD; 802.11 Wifi, Bluetooth, 5MP camera back, 2MP camera front, GPS. Linux-based OS: Maemo 5; MeeGo 1.2 (special developer edition for N900).
N900 Apps: Many stable, vetted and free apps available. GUI app manager or CLI via Debian APT. Extra Debian APT repositories: thousands more packages. Solid community docs: www.maemo.org
N900 Attack Tools: Many of the ‘classic’ security tools: Fyodor’s Top 100 list; Maemo .deb packaged tools. A few examples: Nmap, Kismet, Ettercap, sslstrip, Aircrack-NG; Pwnitter (Firesheep for N900); TrueCrypt, OpenVPN, TOR; MobileHotspot; Wireshark.
N900 Challenges: Some tools require an advanced kernel, especially wireless attacks like injection, de-authentication. Tools may require a certain level of tweaking: linking libraries, conflicts, OpenSSL versions, etc. Tough to install ALL the cool attack tools. N900 is for you if you want… a Linux box in your pocket to “get your geek on”; specific pen-testing objectives; a “Poor Man’s Immunity SILICA”.
N900 Data Ex-filtration Capability: On-board storage is 32 GB; MicroSD card up to 16 GB. Network paths: Evernote; DropBox; TOR; Stunnel (tunnel over SSL); Iodine (tunnel over DNS requests).
N900 Wireless Attacks: Rogue AP (http://zitstif.no-ip.org/?p=459), with SET hotness! Packet injection (http://zitstif.no-ip.org/?p=473). MitM: Ettercap + sslstrip. Sniffing: Kismet; Tcpdump, ngrep, dsniff. Can sniff actual GSM interface. Potential for GSM attacks? See Karsten Nohl’s 26C3 GSM Sniffing Talk. Todo: crack my own A5/1 crypto key.
N900 Wireless Attacks: Wireless de-authentication attack, via Simon @ KnowNokia.ca: “Sometimes I’m hanging with friends of mine who are big on Android and iPhone, and they make feeble attempts to mock my N900. “That thing is a brick”. “Nice resistive touch screen. Made in the 90’s?”. “Does it have apps?”. “Hey, let’s all play iScrabble and stare at our phones while we’re sitting in front of each other!”
ohnoez! “I’ve learned to quietly brush off their comments, calmly finish replying to my text message and enter a few key commands and place the N900 in my pocket.”
Unlocking N900 Wifi Frequencies: “If you live like a criminal and run your 802.11 networks on the upper channels of 12, 13 or 14 in North America…” – Simon @ knownokia. Before / After. Got Stealth?
Other Wireless: Bluetooth and Zigbee. In-progress projects to watch: USB dongle to N900; new attack capabilities. Ubertooth Project (Michael Ossmann): expanding Bluetooth attack surface exploration. KillerBee (Joshua Wright, InGuardians): Zigbee attack toolkit. Possible future statement? “Dude, I just Pwned your house’s smartmeter with my phone”
N900 VoIP: VoIP capabilities: Skype by default, integrated with contacts; Google Voice app; SIP clients; Asterisk – is that a telco in your pocket? See VOIPSA security tool list. Opens many attack and stealth possibilities: SIP attacks, spitter, etc.; CID spoofing; Asterisk to Asterisk IPsec tunnels with IAX crypto.
N900 (a little more) Anonymous: Smart Phone Privacy and Steps Towards Anonymizing the Nokia N900, via Kyle Young @ http://zitstif.no-ip.org Disabling tracking: location tracking (GPS and triangulation); auto connecting to Internet. Enabling privacy: TOR; ProxyChains; TrueCrypt. Limits: not encrypted FS; crypto keys.
BabyPhone: Simple yet effective spy tool. From babyroom to boardroom ;) Measures audio level threshold & starts phone call.
LiveCast Mobile: Stream live audio/video from N900 to web. Go to webpage, listen and watch. Flexible archive options: None, N900-only, Web-only, N900+Web. Use front or back camera.
SMSCON: Control N900 via SMS messages. SMSCON Editor companion app. Read Python scripts to see behind-the-scenes. Example stock functions: GPS location and email to address; lock screen, reboot, “wipe” device data; start reverse-ssh session (connect back to N900 root shell via external ssh server). Get your lost or stolen N900 back! See Zoz’s “Pwned by the owner” DEFCON 18 talk.
SMSCON & SMSCON Editor
N900 Avoid Forensics: Can easily wipe and re-flash N900: well-documented, step-by-step; two levels: rootfs and eMMC. Truly concerned could feasibly: back up personal data to micro-SD (*encrypt - leave in phone, hide, give to trusted person); re-flash both rootfs and eMMC (retains core call/SMS functionality); once safe, decrypt micro-SD card and restore data; run a custom apt-get script to install packages not in back-up.
N900 Anti-Forensics Potential? Rumors of warrantless forensics on cellphones. Cellebrite UFED (Universal Forensic Extraction Device): some models are $800 on eBay. Interesting research and POC idea… Just ideas. Better check with lawyers if you do this (DMCA). Fingerprint Cellebrite USB connect. “Hide your wife, hide your kids” mode: script encrypt/wipe real data; spoof a fake phone filesystem?
N900 Attack Forensics Potential? Technically possible to turn the tables? Attack the forensics collector itself? Low-level USB driver attacks. Malicious data 4u. And upstream PC: parser, viewer, etc.
Running another OS on N900: Easy Debian OS: like VMware & full Debian desktop, useful for tools, e.g. full Nessus install, Gimp, etc. BackTrack 5 (ARM distro) via chroot. Other cool hacks to check out: dual booting with Maemo and Android. rU l33t? Roll-your-own OS! See BackupMenu tool.
Booting a PC with the N900: Use USB + bootable image on MicroSD card. Useful for on-the-spot support. Potentially quite evil espionage: corporate office, Internet cafes, kiosks. Tested with BackBox Linux, BackTrack 5. Props to Kyle Young.
Buying a Pre-weaponized N900: Lazy, in a hurry or want technical support… Best bets as of today: PwnieExpress.com N900 PwnPhone. NeoPwn project seems kinda AWOL.
Thank you! Thank you for your time. Check InfoSecIsland for more N900 posts. Huge ‘thank you’ to folks who made this preso possible: Kyle Young, Simon@knownokia.ca, folks on Maemo forums.
