Weaponizing the Nokia N900 (and some other stuff…)
Shawn Merdinger
TakeDownCon, Dallas, TX, USA
19 May, 2011

Obligatory Speaker Slide
- Network security analyst at University of Florida, Academic Health Center
- Former Cisco Systems (STAT), TippingPoint, and some other places…
- 6 years as independent security researcher
- Reported vulnerabilities in electronic door access control systems, VoIP phones, SCADA HMI, etc.
- Presented at a bunch of great hacker cons
- Limited availability for product security evaluations
  - Typically an under-NDA eval in exchange for EFF donation
  - Contact me if interested

Objectives
- Weaponizing consumer-grade gear
  - Nokia N900
  - Fonera 2100
  - Surprises
- Review of several tools and attack vectors
Goals
- Focus on technical capability -- not motivation, ethics
- Espionage and legitimate pen-testing
- Raise awareness
  - You won’t look at this gear the same way again
- Demo

Re-Boxing the Apple iPod
- Will not focus on iPod for a number of reasons
  - Apple too controlling of hardware/software
  - Rather work on more open gear
- If you’re determined…
  - Thomas Wilhelm’s DEFCON 17 preso: http://www.metacafe.com/watch/5815191/defcon_17_hacking_with_the_ipod_touch_2011/
  - Hakin9: http://hakin9.org/category/tutorials/

Sorry to all of the Apple FanBoys

Fonera 2100
- La Fonera 2100 wifi access point
- Fon: Spanish company
- Community-oriented: share wifi, get wifi on the road at 3 million worldwide hotspots

Weaponizing the Fon 2100
- Easiest to use Jasager
  - Simple re-flash firmware
  - OpenWrt-based image
- Gets you several things
  - Nice, clean Web interface
  - Framework, tools, scripts to set up for attack
  - Pairs very well with BackTrack, SET
- Bottom line?
  - Easiest way to weaponize a wifi AP
  - With BT, a solid learning platform

Weaponizing the Fon 2100
- Karma
- Jasager scripts
  - Basic port scanning, probes
  - Customize and roll-your-own scripts
- Powerful with BackTrack
  - SSLstrip
  - SideJacking with Ferret/Hamster
  - SET (Social Engineering Toolkit)
  - Metasploit … ’nuf said

Weaponizing the Fon 2100
- USB power hack
  - Run Fon off laptop USB port
  - See Simple Nomad’s "Hacking the Friendly Skies" talk
- Add Fon to a Sheeva / PwnPlug USB port
- 5v solar? Toss on target’s roof?

Surprise future device: Raspberry Pi
- $25 embedded PC on USB stick
- Target market: kids in developing countries
- 700 MHz chip, 128 MB RAM, HDMI, WiFi
- Browser, OpenOffice, Python, etc.
- http://www.raspberrypi.org

SmartPhones
"The public doesn't realize the power they're holding in their hands… They have eyes and ears in their hand that can be exploited. It's intruding into their lives if it's not handled properly."
-- FBI Special Agent in Charge Alan Peters

“In understanding the technical capabilities of our phones, and by having full access to code and hardware, we can mitigate our risks and better protect our personal data and privacy.”
-- Shawn Merdinger

Nokia N900
- Smartphone / Tablet
- Basic specs
  - OMAP 3430 ARM Cortex A8 @ 600 MHz
  - 128 MB RAM, 1 GB virtual memory, 32 GB total memory, MicroSD
  - 802.11 Wifi, Bluetooth, 5MP camera back, 2MP camera front, GPS
- Linux-based OS
  - Maemo 5
  - MeeGo 1.2 (special developer edition for N900)

N900 Apps
- Many stable, vetted and free apps available
- GUI app manager or CLI via Debian APT
- Extra Debian APT repositories
  - Thousands more packages
- Solid community docs: www.maemo.org

N900 Attack Tools
- Many of the ‘classic’ security tools
  - Fyodor’s Top 100 list
  - Maemo .deb packaged tools
- A few examples
  - Nmap, Kismet, Ettercap, sslstrip, Aircrack-ng
  - Pwnitter (Firesheep for N900)
  - TrueCrypt, OpenVPN, TOR
  - MobileHotspot
  - Wireshark

N900 Challenges
- Some tools require an advanced kernel
  - Especially wireless attacks like injection, de-authentication
- Tools may require a certain level of tweaking
  - Linking libraries, conflicts, OpenSSL versions, etc.
- Tough to install ALL the cool attack tools
- N900 is for you if you want…
  - a Linux box in your pocket
  - to “get your geek on”
  - specific pen-testing objectives
  - a “Poor Man’s Immunity SILICA”

N900 Data Ex-filtration Capability
- On-board storage is 32 GB
- MicroSD card up to 16 GB
- Network paths
  - Evernote
  - DropBox
  - TOR
  - Stunnel: tunnel over SSL
  - Iodine: tunnel over DNS requests

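The DNS-request tunnel named above (Iodine) is the path a network defender can still see, because every chunk of data becomes a query for a long, high-entropy label under one parent domain. The following detector is an added example written for this page, not code from the talk or from the Iodine project; it runs over a constructed query log and scores each parent domain on query volume, leading-label length, label entropy and the share of bulky record types.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample query log as (client_ip, qname, qtype); not real traffic.
# A few ordinary lookups for one zone, plus 40 tunnel-style queries whose leading
# label carries 40 hex characters of payload, the way a DNS-encapsulated tunnel does.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "cdn.example.com", "A"),
] + [
    ("10.0.0.7", hashlib.sha256(bytes([i])).hexdigest()[:40] + ".t.tunnel-example.net", "NULL")
    for i in range(40)
]

# Record types whose answers can carry bulky downstream data.
TUNNEL_QTYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}

def shannon_entropy(text):
    """Bits per character: hostnames sit near 2-3, hex/base32 payload near 4-5."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parent_domain(qname, levels=2):
    """Crude registrable-domain cut: last two labels (no public suffix list here)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-levels:])

def score_domains(queries, min_queries=20, min_label_len=30, min_entropy=3.2):
    """Aggregate per parent domain and flag those that look like a tunnel endpoint:
    many queries, long high-entropy leading labels, mostly tunnel-friendly qtypes."""
    agg = defaultdict(lambda: {"n": 0, "label_len": 0, "entropy": 0.0, "bulky": 0})
    for _client, qname, qtype in queries:
        leading = qname.rstrip(".").lower().split(".")[0]
        a = agg[parent_domain(qname)]
        a["n"] += 1
        a["label_len"] += len(leading)
        a["entropy"] += shannon_entropy(leading)
        a["bulky"] += qtype.upper() in TUNNEL_QTYPES
    report = {}
    for parent, a in agg.items():
        avg_len, avg_ent = a["label_len"] / a["n"], a["entropy"] / a["n"]
        suspicious = (a["n"] >= min_queries and avg_len >= min_label_len
                      and avg_ent >= min_entropy and a["bulky"] / a["n"] >= 0.5)
        report[parent] = {"queries": a["n"], "avg_label_len": round(avg_len, 1),
                          "avg_entropy": round(avg_ent, 2), "suspicious": suspicious}
    return report

if __name__ == "__main__":
    for parent, r in score_domains(SAMPLE_QUERIES).items():
        print(parent, r)
```

Thresholds are starting points; on real resolver logs tune them per zone, since CDNs and some anti-spam services legitimately emit long encoded labels.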
N900 Wireless Attacks
- Rogue AP: http://zitstif.no-ip.org/?p=459
  - With SET hotness!
- Packet injection: http://zitstif.no-ip.org/?p=473
- MitM
  - Ettercap + sslstrip
- Sniffing
  - Kismet
  - Tcpdump, ngrep, dsniff
  - Can sniff actual GSM interface
- Potential for GSM attacks?
  - See Karsten Nohl’s 26C3 GSM Sniffing Talk
  - Todo: crack my own A5/1 crypto key

N900 Wireless Attacks
- Wireless de-authentication attack
- Via Simon @ KnowNokia.ca
“Sometimes I’m hanging with friends of mine who are big on Android and iPhone, and they make feeble attempts to mock my N900. ‘That thing is a brick’. ‘Nice resistive touch screen. Made in the 90’s?’. ‘Does it have apps?’. ‘Hey, let’s all play iScrabble and stare at our phones while we’re sitting in front of each other!’

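Both the Karma-equipped Fon 2100 from the earlier slides and the de-authentication attack on this one leave a distinctive mark in 802.11 management frames: a Karma AP answers probe requests for every SSID it hears, and a deauth attack is a burst of deauthentication frames for one BSSID in a short window. This wireless-IDS style triage is an added example written for this page (not code from the talk, Jasager or Kismet); the frame log, MAC addresses and SSIDs are constructed.

```python
from collections import defaultdict

# Constructed frame log: (timestamp_s, subtype, source_mac, bssid, ssid). Not a real capture.
SAMPLE_FRAMES = (
    # legitimate AP answers probes only for its own network
    [(0.5 + i, "probe_resp", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:01", "CorpWifi") for i in range(5)]
    # Karma-style AP: one BSSID answering probe requests for many unrelated SSIDs
    + [(1.0 + i * 0.2, "probe_resp", "bb:bb:bb:00:00:02", "bb:bb:bb:00:00:02", ssid)
       for i, ssid in enumerate(["HomeNet", "CoffeeShop", "Airport_Free", "linksys", "default", "GuestWifi"])]
    # deauth burst: 30 deauth frames in under two seconds claiming to come from CorpWifi's BSSID
    + [(10.0 + i * 0.06, "deauth", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:01", "") for i in range(30)]
    # normal background: a single deauth when a client leaves
    + [(40.0, "deauth", "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:01", "")]
)

def karma_suspects(frames, min_ssids=4):
    """BSSIDs that send probe responses for at least min_ssids distinct SSIDs."""
    ssids = defaultdict(set)
    for _ts, subtype, _src, bssid, ssid in frames:
        if subtype == "probe_resp" and ssid:
            ssids[bssid].add(ssid)
    return {b: sorted(s) for b, s in ssids.items() if len(s) >= min_ssids}

def deauth_bursts(frames, window_s=2.0, threshold=10):
    """BSSIDs with at least `threshold` deauth frames inside a sliding window of window_s
    seconds; returns the peak count seen per BSSID."""
    per_bssid = defaultdict(list)
    for ts, subtype, _src, bssid, _ssid in frames:
        if subtype == "deauth":
            per_bssid[bssid].append(ts)
    hits = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[bssid] = max(hits.get(bssid, 0), count)
    return hits

if __name__ == "__main__":
    print("karma suspects:", karma_suspects(SAMPLE_FRAMES))
    print("deauth bursts:", deauth_bursts(SAMPLE_FRAMES))
```

A single deauth from a real AP is normal, which is why the detector keys on rate rather than presence; 802.11w (protected management frames) is the mitigation on networks that support it.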
ohnoez!
“I’ve learned to quietly brush off their comments, calmly finish replying to my text message and enter a few key commands and place the N900 in my pocket.”

Unlocking N900 Wifi Frequencies
“If you live like a criminal and run your 802.11 networks on the upper channels of 12, 13 or 14 in North America…” – Simon @ knownokia
- Before
- After
- Got Stealth?

Other Wireless: Bluetooth and Zigbee
- In-progress projects to watch
  - USB dongle to N900
  - New attack capabilities
- Ubertooth Project: Michael Ossmann
  - Expanding Bluetooth attack surface exploration
- KillerBee: Joshua Wright, InGuardians
  - Zigbee attack toolkit
- Possible future statement? “Dude, I just pwned your house’s smart meter with my phone”

N900 VoIP
- VoIP capabilities
  - Skype by default, integrated with contacts
  - Google Voice app
  - SIP clients
  - Asterisk – is that a telco in your pocket?
- See VOIPSA security tool list
- Opens many attack and stealth possibilities
  - SIP attacks, spitter, etc.
  - CID spoofing
  - Asterisk to Asterisk: IPsec tunnels with IAX crypto

N900 (a little more) Anonymous
- Smart Phone Privacy and Steps Towards Anonymizing the Nokia N900
  - Via Kyle Young @ http://zitstif.no-ip.org
- Disabling tracking
  - Location tracking (GPS and triangulation)
  - Auto-connecting to Internet
- Enabling privacy
  - TOR
  - ProxyChains
  - TrueCrypt
- Limits
  - Not an encrypted FS
  - Crypto keys

BabyPhone
- Simple yet effective spy tool
- From babyroom to boardroom ;)
- Measures audio level threshold & starts phone call

LiveCast Mobile
- Stream live audio/video from N900 to web
- Go to webpage, listen and watch
- Flexible archive options
  - None, N900-only, Web-only, N900+Web
- Use front or back camera

SMSCON
- Control N900 via SMS messages
- SMSCON Editor companion app
- Read the Python scripts to see behind the scenes
- Example stock functions
  - GPS location and email to address
  - Lock screen, reboot, “wipe” device data
  - Start reverse-ssh session: connect back to N900 root shell via external ssh server
- Get your lost or stolen N900 back!
  - See ZoZ’s “Pwned by the owner” DEFCON 18 talk

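A command channel that can wipe the device or open a root shell over SMS is only as safe as the check that decides which texts are the owner's, since SMS sender numbers are spoofable and a captured message can be resent. The verifier below is an added, hypothetical design written for this page, not SMSCON's own code or wire format: each command text carries a timestamp, a nonce and an HMAC over all three fields, and the handler enforces an allow-list, a freshness window, one-time nonces and a constant-time tag comparison before anything runs.

```python
import hashlib
import hmac
import time

# Hypothetical wire format (not SMSCON's): "N900 <unix_ts> <nonce> <command> <hex_hmac>"
ALLOWED_COMMANDS = {"locate", "lock", "reboot", "wipe", "reverse-ssh"}
MAX_SKEW_S = 300          # reject texts older or newer than five minutes

class SmsCommandVerifier:
    def __init__(self, shared_secret: bytes, now=time.time):
        self._secret = shared_secret
        self._seen_nonces = set()   # would be persisted on disk in a real deployment
        self._now = now             # injectable clock so behaviour is testable

    @staticmethod
    def _mac(secret, ts, nonce, command):
        # Tag binds timestamp, nonce and command together; truncated to 128 bits.
        msg = f"{ts}|{nonce}|{command}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]

    def build(self, command, nonce, ts=None):
        """Owner side: produce a signed SMS body (in practice done on another device)."""
        ts = int(self._now()) if ts is None else ts
        return f"N900 {ts} {nonce} {command} {self._mac(self._secret, ts, nonce, command)}"

    def verify(self, sms_text):
        """Phone side: return (ok, reason, command); only record the nonce once the MAC is valid."""
        parts = sms_text.strip().split()
        if len(parts) != 5 or parts[0] != "N900":
            return False, "bad-format", None
        _, ts_s, nonce, command, tag = parts
        if command not in ALLOWED_COMMANDS:
            return False, "unknown-command", None
        try:
            ts = int(ts_s)
        except ValueError:
            return False, "bad-timestamp", None
        if abs(int(self._now()) - ts) > MAX_SKEW_S:
            return False, "stale", None
        if nonce in self._seen_nonces:
            return False, "replay", None
        expected = self._mac(self._secret, ts, nonce, command)
        if not hmac.compare_digest(expected, tag):
            return False, "bad-mac", None
        self._seen_nonces.add(nonce)
        return True, "ok", command

if __name__ == "__main__":
    v = SmsCommandVerifier(b"constructed-demo-secret")
    text = v.build("locate", "nonce-0001")
    print(text, "->", v.verify(text))
    print("resend ->", v.verify(text))          # second delivery is refused as a replay
```

The dispatcher that actually performs "wipe" or "reverse-ssh" is deliberately not part of the example; it would only be reached when verify() returns ok.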
SMSCON & SMSCON Editor
N900 Avoid Forensics
- Can easily wipe and re-flash N900
  - Well-documented, step-by-step
  - Two levels: rootfs and eMMC
- Truly concerned could feasibly
  - Back up personal data to micro-SD (*encrypt): leave in phone, hide, give to trusted person
  - Re-flash both rootfs and eMMC
  - Retains core call/SMS functionality
  - Once safe, decrypt micro-SD card and restore data
  - Run a custom apt-get script to install packages not in back-up

N900 Anti-Forensics Potential?
- Rumors of warrantless forensics on cellphones
  - Cellebrite UFED (Universal Forensic Extraction Device)
  - Some models are $800 on eBay
- Interesting research and POC idea…
  - Just ideas. Better check with lawyers if you do this (DMCA)
  - Fingerprint Cellebrite USB connect
  - “Hide your wife, hide your kids” mode
    - Script encrypt/wipe real data
    - Spoof a fake phone filesystem?

N900 Attack Forensics Potential?
- Technically possible to turn the tables?
- Attack the forensics collector itself?
  - Low-level USB driver attacks
  - Malicious data 4u
- And upstream PC
  - Parser, viewer, etc.

Running another OS on N900
- Easy Debian OS
  - Like VMware & full Debian desktop, useful for tools, e.g. full Nessus install, Gimp, etc.
- BackTrack 5 (ARM distro) via chroot
- Other cool hacks to check out
  - Dual booting with Maemo and Android
  - r U l33t? Roll-your-own OS! See BackupMenu tool

Booting a PC with the N900
- Use USB + bootable image on MicroSD card
- Useful for on-the-spot support
- Potentially quite evil espionage
  - Corporate office, Internet cafes, kiosks
- Tested with BackBox Linux, BackTrack 5
- Props to Kyle Young

Buying a Pre-weaponized N900
- Lazy, in a hurry or want technical support…
- Best bets as of today
  - PwnieExpress.com N900 PwnPhone
  - NeoPwn project seems kinda AWOL

Thank you!
- Thank you for your time
- Check InfoSecIsland for more N900 posts
- Huge ‘thank you’ to folks who made this preso possible: Kyle Young, Simon@knownokia.ca, folks on Maemo forums
