
Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011


Weaponizing the Nokia N900 and some other stuff.


  1. Weaponizing the Nokia N900 (and some other stuff…)
     Shawn Merdinger
     TakeDownCon, Dallas, TX, USA
     19 May, 2011
  2. Obligatory Speaker Slide
     - Network security analyst at University of Florida, Academic Health Center
     - Former Cisco Systems (STAT), TippingPoint, and some other places…
     - 6 years as independent security researcher
     - Reported vulnerabilities in electronic door access control systems, VoIP phones, SCADA HMI, etc.
     - Presented at a bunch of great hacker cons
     - Limited availability for product security evaluations
       - Typically an under-NDA eval in exchange for EFF donation
       - Contact me if interested
  3. Objectives
     - Weaponizing consumer grade gear
       - Nokia N900
       - Fonera 2100
       - Surprises
     - Review of several tools and attack vectors
     - Goals
       - Focus on technical capability -- not motivation, ethics
       - Espionage and legitimate pen-testing
       - Raise awareness
       - You won’t look at this gear the same way again
     - Demo
  4. Re-Boxing the Apple iPod
     - Will not focus on iPod for a number of reasons
       - Apple too controlling of hardware/software
       - Rather work on more open gear
     - If you’re determined…
       - Thomas Wilhelm’s DEFCON 17 preso
       - Hakin9
  5. Sorry to all of the Apple FanBoys
  6. Fonera 2100
     - La Fonera 2100 wifi access-point
     - Fon
       - Spanish company
       - Community-oriented: share wifi, get wifi on the road at 3 million worldwide hotspots
  7. Weaponizing the Fon 2100
     - Easiest to use Jasager
       - Simple re-flash firmware
       - OpenWrt based image
     - Gets you several things
       - Nice, clean Web interface
       - Framework, tools, scripts to set up for attack
       - Pairs very well with BackTrack, SET
     - Bottom line?
       - Easiest way to weaponize a wifi AP
       - With BT, a solid learning platform
  8. Weaponizing the Fon 2100
     - Karma
     - Jasager scripts
       - Basic port scanning, probes
       - Customize and roll-your-own scripts
     - Powerful with BackTrack
       - SSLstrip
       - SideJacking with Ferret/Hamster
       - SET (Social Engineering Toolkit)
       - Metasploit… ’nuf said
  9. Weaponizing the Fon 2100
     - USB power hack
       - Run Fon off laptop USB port
       - See Simple Nomad’s “Hacking the Friendly Skies” talk
     - Add Fon to a Sheeva / PwnPlug USB port
     - 5v Solar? Toss on target’s roof?
  10. Surprise future device: Raspberry Pi
      - $25 embedded PC on USB stick
      - Target market: kids in developing countries
      - 700 MHz chip, 128 MB RAM, HDMI, WiFi
      - Browser, OpenOffice, Python, etc.
  11. SmartPhones
      “The public doesn't realize the power they're holding in their hands… They have eyes and ears in their hand that can be exploited. It's intruding into their lives if it's not handled properly.”
      FBI Special Agent in Charge Alan Peters
      “In understanding the technical capabilities of our phones, and by having full access to code and hardware, we can mitigate our risks and better protect our personal data and privacy.”
      Shawn Merdinger
  12. Nokia N900
      - Smartphone / Tablet
      - Basic specs
        - OMAP 3430 ARM Cortex A8 @ 600 MHz
        - 128 MB RAM, 1 GB virtual memory, 32 GB total memory, MicroSD
        - 802.11 Wifi, Bluetooth, 5MP camera back, 2MP camera front, GPS
      - Linux-based OS
        - Maemo 5
        - MeeGo 1.2 (special developer edition for N900)
  13. N900 Apps
      - Many stable, vetted and free apps available
      - GUI app manager or CLI via Debian APT
      - Extra Debian APT repositories
        - Thousands more packages
      - Solid community docs
  14. N900 Attack Tools
      - Many of the ‘classic’ security tools
        - Fyodor’s Top 100 list
        - Maemo .deb packaged tools
      - A few examples
        - Nmap, Kismet, Ettercap, sslstrip, Aircrack-ng
        - Pwnitter (Firesheep for N900)
        - TrueCrypt, OpenVPN, Tor
        - MobileHotspot
        - Wireshark
  15. N900 Challenges
      - Some tools require an advanced kernel
        - Especially wireless attacks like injection, de-authentication
      - Tools may require a certain level of tweaking
        - Linking libraries, conflicts, OpenSSL versions, etc.
      - Tough to install ALL the cool attack tools
      - N900 is for you if you want…
        - a Linux box in your pocket
        - to “get your geek on”
        - specific pen-testing objectives
        - a “Poor Man’s Immunity SILICA”
  16. N900 Data Exfiltration Capability
      - On-board storage is 32 GB
      - MicroSD card up to 16 GB
      - Network paths
        - Evernote
        - DropBox
        - Tor
        - Stunnel (tunnel over SSL)
        - Iodine (tunnel over DNS requests)
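The last two network paths on this slide matter to a defender because they hide in traffic that is almost always allowed out: Stunnel looks like any other TLS session, and iodine rides on DNS queries that a resolver forwards on the client's behalf. DNS tunnels do leave a recognisable shape in resolver logs, though. The following is an added example, not code from the talk or from iodine: a small heuristic detector that scores each registered domain in a query log on average subdomain length, label entropy, the share of unusual record types, and how rarely names repeat. The log lines, client addresses and the domain t.example.net are constructed placeholders.

```python
"""Heuristic DNS-tunnel detector (added example; not from the talk).
Scores each registered domain seen in a query log on the signals iodine-style
tunnels leave: very long subdomain labels, high-entropy labels, a high share
of unusual record types, and names that never repeat (no caching benefit)."""
import math
from collections import defaultdict

# Constructed sample log, one line per query: "<unix_ts> <client_ip> <qtype> <qname>".
# 10.0.0.5 browses normally; 10.0.0.9 tunnels through the placeholder domain
# t.example.net. None of these values come from the talk.
SAMPLE_LOG = """\
1305800001 10.0.0.5 A www.example.com
1305800002 10.0.0.5 AAAA mail.example.com
1305800003 10.0.0.9 NULL 0uaabbhzyqxkm3lrw9tqv2p4a1bcde7n8m5f.t.example.net
1305800003 10.0.0.9 NULL 0uab9fdq2zlpw8c4rvxtn1yk6e3m7hs5j0gq.t.example.net
1305800004 10.0.0.9 TXT 0uacq8w2zkd5nxr1vt7fl3pb9ym6hs4jg0ae.t.example.net
1305800004 10.0.0.9 NULL 0uadmz7x1fq3kp9wl2rt5nb8vy4cg6hs0jae.t.example.net
1305800005 10.0.0.5 A cdn.example.com
1305800005 10.0.0.9 CNAME 0uae5k2x9qw1zr7tn4fl8pb3ym6vc0hsdgja.t.example.net
"""

# Record types iodine can use to carry downstream data; rarely requested by ordinary clients.
TUNNEL_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' stand-in for the registered domain (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text: str):
    """Yield (ts, client, qtype, qname) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        yield int(ts), client, qtype.upper(), qname.lower().rstrip(".")


def score_domains(text: str, min_queries: int = 3) -> dict:
    """Return {domain: signals} for domains where at least 3 of the 4 signals fire."""
    rows_by_domain = defaultdict(list)
    for _ts, client, qtype, qname in parse_log(text):
        rows_by_domain[registered_domain(qname)].append((client, qtype, qname))

    findings = {}
    for domain, rows in rows_by_domain.items():
        if len(rows) < min_queries:
            continue
        subs = [q[: -len(domain) - 1] for _c, _t, q in rows if q.endswith("." + domain)]
        if not subs:
            continue
        signals = {
            "avg_sub_len": sum(len(s) for s in subs) / len(subs),
            "avg_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs),
            "odd_qtype_ratio": sum(1 for _c, t, _q in rows if t in TUNNEL_QTYPES) / len(rows),
            "unique_ratio": len(set(subs)) / len(subs),
            "clients": sorted({c for c, _t, _q in rows}),
        }
        # Each signal alone is noisy (CDNs use long names, TXT lookups are legitimate),
        # so only report a domain when most of them agree.
        fired = sum([
            signals["avg_sub_len"] > 30,
            signals["avg_entropy"] > 3.5,
            signals["odd_qtype_ratio"] > 0.5,
            signals["unique_ratio"] > 0.9,
        ])
        if fired >= 3:
            findings[domain] = signals
    return findings


if __name__ == "__main__":
    for domain, sig in score_domains(SAMPLE_LOG).items():
        print(domain, sig)
```

The thresholds are starting points for tuning against a site's own resolver logs; the "clients" field is there so an alert names the host to look at rather than just the domain.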
  17. N900 Wireless Attacks
      - Rogue AP
        - With SET hotness!
      - Packet injection
      - MITM
        - Ettercap + sslstrip
      - Sniffing
        - Kismet
        - Tcpdump, ngrep, dsniff
      - Can sniff actual GSM interface
        - Potential for GSM attacks?
        - See Karsten Nohl’s 26C3 GSM Sniffing talk
        - Todo: crack my own A5/1 crypto key
  18. N900 Wireless Attacks
      - Wireless de-authentication attack
      - Via Simon @
      “Sometimes I’m hanging with friends of mine who are big on Android and iPhone, and they make feeble attempts to mock my N900. “That thing is a brick”. “Nice resistive touch screen. Made in the 90’s?”. “Does it have apps?”. “Hey, let’s all play iScrabble and stare at our phones while we’re sitting in front of each other!”
  19. ohnoez!
      “I’ve learned to quietly brush off their comments, calmly finish replying to my text message and enter a few key commands and place the N900 in my pocket.”
  20. Unlocking N900 Wifi Frequencies
      “If you live like a criminal and run your 802.11 networks on the upper channels of 12, 13 or 14 in North America…” – Simon @ knowknokia
      - Before
      - After
      - Got Stealth?
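The Karma and rogue-AP techniques of slides 8 and 17 and the channel-12-to-14 trick on this slide each leave a signature in the management frames a wireless monitor such as Kismet records. The following added example is not from the talk or from any of the tools it names; it applies three checks to a constructed set of beacon and probe-response observations: one BSSID answering probes for many unrelated SSIDs (Karma behaviour), a BSSID not on our list announcing an SSID we own (evil twin), and any AP on a channel outside the set permitted in the regulatory domain. The BSSIDs, SSIDs and the authorized-AP table are made-up placeholders.

```python
"""Rogue-AP heuristics over 802.11 management-frame observations
(added example; not code from the talk, Kismet or Jasager)."""
from collections import defaultdict

# Constructed observations as a monitor might log them: (frame kind, BSSID, SSID, channel).
# All addresses and network names are invented.
OBSERVATIONS = [
    ("beacon",     "00:11:22:33:44:01", "CorpNet",   6),
    ("beacon",     "00:11:22:33:44:02", "CorpNet",   11),
    ("beacon",     "de:ad:be:ef:00:01", "CorpNet",   1),   # unmanaged BSSID using our SSID
    ("probe_resp", "de:ad:be:ef:00:02", "Starbucks", 6),   # one radio answering every probe
    ("probe_resp", "de:ad:be:ef:00:02", "attwifi",   6),
    ("probe_resp", "de:ad:be:ef:00:02", "HomeNet",   6),
    ("probe_resp", "de:ad:be:ef:00:02", "CorpNet",   6),
    ("beacon",     "de:ad:be:ef:00:03", "FreeWifi",  13),  # channel 13, not permitted under FCC
    ("beacon",     "de:ad:be:ef:00:04", "Neighbor",  1),
]

# Hypothetical inventory: which BSSIDs are allowed to serve each SSID we own.
AUTHORIZED = {"CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}
# 2.4 GHz channels an AP may use in the FCC (North America) domain.
FCC_CHANNELS = set(range(1, 12))
# ETSI domains allow 1-13; pass this instead when monitoring there.
ETSI_CHANNELS = set(range(1, 14))
KARMA_SSID_THRESHOLD = 3


def analyze(observations, authorized=AUTHORIZED, allowed_channels=FCC_CHANNELS,
            karma_threshold=KARMA_SSID_THRESHOLD):
    """Return a sorted list of (rule, bssid, detail) findings."""
    findings = set()
    probed_ssids = defaultdict(set)
    for kind, bssid, ssid, chan in observations:
        if kind == "probe_resp":
            probed_ssids[bssid].add(ssid)
        # Evil twin: an SSID we own, announced by a BSSID we do not manage.
        if ssid in authorized and bssid not in authorized[ssid]:
            findings.add(("evil_twin", bssid, ssid))
        # An AP on a channel the local regulatory domain does not allow stands out.
        if chan not in allowed_channels:
            findings.add(("illegal_channel", bssid, chan))
    # Karma: a single BSSID claiming to be whatever network clients probe for.
    for bssid, ssids in probed_ssids.items():
        if len(ssids) >= karma_threshold:
            findings.add(("karma_like", bssid, tuple(sorted(ssids))))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for rule, bssid, detail in analyze(OBSERVATIONS):
        print(f"{rule:16} {bssid}  {detail}")
```

Note that the Karma radio is reported twice, once for answering too many probes and once for answering a probe for our own SSID; both are worth keeping, since the second tells you which of your users it was after. The channel check takes the allowed set as a parameter because channels 12 and 13 are legal for a European deployment and would otherwise produce false positives there.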
  21. Other Wireless: Bluetooth and Zigbee
      - In-progress projects to watch
        - USB dongle to N900
        - New attack capabilities
      - Ubertooth Project
        - Michael Ossmann
        - Expanding Bluetooth attack surface exploration
      - KillerBee
        - Joshua Wright, InGuardians
        - Zigbee attack toolkit
      - Possible future statement?
        - “Dude, I just pwned your house’s smart meter with my phone”
  22. N900 VoIP
      - VoIP capabilities
        - Skype by default, integrated with contacts
        - Google Voice app
        - SIP clients
        - Asterisk – is that a telco in your pocket?
        - See VOIPSA security tool list
      - Opens many attack and stealth possibilities
        - SIP attacks, spitter, etc.
        - CID spoofing
        - Asterisk to Asterisk
          - IPsec tunnels with IAX crypto
  23. N900 (a little more) Anonymous
      - Smart Phone Privacy and Steps Towards Anonymizing the Nokia N900
        - Via Kyle Young @
      - Disabling tracking
        - Location tracking (GPS and triangulation)
        - Auto-connecting to Internet
      - Enabling privacy
        - Tor
        - ProxyChains
        - TrueCrypt
      - Limits
        - FS not encrypted
        - Crypto keys
  24. BabyPhone
      - Simple yet effective spy tool
      - From babyroom to boardroom ;)
      - Measures audio level threshold & starts phone call
  25. LiveCast Mobile
      - Stream live audio/video from N900 to web
      - Go to webpage, listen and watch
      - Flexible archive options
        - None, N900-only, Web-only, N900+Web
      - Use front or back camera
  26. SMSCON
      - Control N900 via SMS messages
      - SMSCON Editor companion app
      - Read Python scripts to see behind-the-scenes
      - Example stock functions
        - GPS location and email to address
        - Lock screen, reboot, “wipe” device data
        - Start reverse-ssh session
          - Connect back to N900 root shell via external ssh server
      - Get your lost or stolen N900 back!
        - See Zoz’s “Pwned by the owner” DEFCON 18 talk
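A tool that lets a text message lock, wipe or open a root shell on the phone has to be sure the text came from the owner, because SMS sender numbers are not authenticated. The added example below is not SMSCON's code and assumes a hypothetical key shared between owner and device at setup; it shows the check such a tool should make before acting: a monotonically increasing counter plus an HMAC over counter and command, verified with a constant-time compare, so that a forged command or a replay of an old one is dropped.

```python
"""Authenticated SMS command channel (added example; not SMSCON's code).
Message format: "<counter>:<command>:<tag>", where tag is the first 64 bits of
HMAC-SHA256(key, "<counter>:<command>") in hex, short enough to fit an SMS."""
import hashlib
import hmac

# Hypothetical key provisioned at setup; a real deployment would generate it randomly.
SHARED_KEY = b"hypothetical-owner-key"
# Only these commands may ever be dispatched; anything else is ignored even if authentic.
ALLOWED_COMMANDS = {"locate", "lock", "reboot", "wipe", "reverse-ssh"}
TAG_HEX_LEN = 16


def _tag(counter: int, command: str, key: bytes) -> str:
    return hmac.new(key, f"{counter}:{command}".encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def make_command(command: str, counter: int, key: bytes = SHARED_KEY) -> str:
    """Owner side: build the SMS text for one command under a fresh counter value."""
    return f"{counter}:{command}:{_tag(counter, command, key)}"


class CommandVerifier:
    """Device side: accepts a command only if its MAC checks out and its counter is new."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_counter = 0  # would be persisted across reboots in practice

    def verify(self, sms_text: str):
        """Return (command, "ok") if the text is authentic and fresh, else (None, reason)."""
        try:
            counter_s, command, tag = sms_text.strip().split(":")
            counter = int(counter_s)
        except ValueError:
            return None, "malformed"
        if command not in ALLOWED_COMMANDS:
            return None, "unknown command"
        # Check the MAC before anything that depends on message content.
        if not hmac.compare_digest(_tag(counter, command, self.key), tag):
            return None, "bad mac"
        # Strictly increasing counter: an intercepted old message cannot be resent.
        if counter <= self.last_counter:
            return None, "replay"
        self.last_counter = counter
        return command, "ok"


if __name__ == "__main__":
    v = CommandVerifier()
    msg = make_command("locate", 1)
    print(msg, "->", v.verify(msg))
    print(msg, "->", v.verify(msg))  # second delivery is rejected as a replay
```

The counter doubles as the device's memory of what it has already done, so it must survive a reboot; the "wipe" command in particular is one you want a forged message to be unable to trigger.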
  27. SMSCON & SMSCON Editor
  28. N900 Avoid Forensics
      - Can easily wipe and re-flash N900
        - Well-documented, step-by-step
        - Two levels: rootfs and eMMC
      - Truly concerned could feasibly
        - Back up personal data to micro-SD
          - *encrypt - leave in phone, hide, give to trusted person
        - Re-flash both rootfs and eMMC
          - Retains core call/SMS functionality
        - Once safe, decrypt micro-SD card and restore data
        - Run a custom apt-get script to install packages not in back-up
  29. N900 Anti-Forensics Potential?
      - Rumors of warrantless forensics on cellphones
      - Cellebrite UFED (Universal Forensic Extraction Device)
        - Some models are $800 on eBay
      - Interesting research and POC idea…
        - Just ideas. Better check with lawyers if you do this (DMCA)
        - Fingerprint Cellebrite USB connect
        - “Hide your wife, hide your kids” mode
          - Script encrypt/wipe real data
          - Spoof a fake phone filesystem?
  30. N900 Attack Forensics Potential?
      - Technically possible to turn the tables?
      - Attack the forensics collector itself?
        - Low-level USB driver attacks
        - Malicious data 4u
      - And upstream PC
        - Parser, viewer, etc.
  31. Running another OS on N900
      - Easy Debian OS
        - Like VMware & full Debian desktop, useful for tools e.g. full Nessus install, Gimp, etc.
      - Backtrack 5 (ARM distro) via chroot
      - Other cool hacks to check out
        - Dual Booting with Maemo and Android
        - rU l33t? Roll-your-own OS! See BackupMenu tool
  32. Booting a PC with the N900
      - Use USB + bootable image on MicroSD card
      - Useful for on-the-spot support
      - Potentially quite evil espionage
        - Corporate office, Internet cafes, Kiosks
      - Tested with BackBox Linux, Backtrack 5
      - Props to Kyle Young
  33. Buying a Pre-weaponized N900
      - Lazy, in a hurry or want technical support…
      - Best bets as of today
        - N900 PwnPhone
        - NeoPwn project seems kinda AWOL
  34. Thank you!
      - Thank you for your time
      - Check InfoSecIsland for more N900 posts
      - Huge ‘thank you’ to folks who made this preso possible: Kyle Young, folks on Maemo forums