Weaponizing the Nokia N900 (and some other stuff…)
Shawn Merdinger
TakeDownCon, Dallas, TX, USA
19 May, 2011

Obligatory Speaker Slide
- Network security analyst at University of Florida, Academic Health Center
- Former Cisco Systems (STAT), TippingPoint, and some other places…
- 6 years as independent security researcher
  - Reported vulnerabilities in electronic door access control systems, VoIP phones, SCADA HMI, etc.
  - Presented at a bunch of great hacker cons
- Limited availability for product security evaluations
  - Typically an under-NDA eval in exchange for EFF donation
  - Contact me if interested

Objectives
- Weaponizing consumer grade gear
  - Nokia N900
  - Fonera 2100
  - Surprises
- Review of several tools and attack vectors
- Goals
  - Focus on technical capability -- not motivation, ethics
  - Espionage and legitimate pen-testing
  - Raise awareness
  - You won’t look at this gear the same way again
- Demo

Re-Boxing the Apple iPod
- Will not focus on iPod for a number of reasons
  - Apple too controlling of hardware/software
  - Rather work on more open gear
- If you’re determined…
  - Thomas Wilhelm’s DEFCON 17 preso: http://www.metacafe.com/watch/5815191/defcon_17_hacking_with_the_ipod_touch_2011/
  - Hakin9: http://hakin9.org/category/tutorials/

Sorry to all of the Apple FanBoys

Fonera 2100
- La Fonera 2100 wifi access-point
- Fon
  - Spanish company
  - Community-oriented: share wifi, get wifi on the road at 3 million worldwide hotspots

Weaponizing the Fon 2100
- Easiest to use Jasager
  - Simple re-flash firmware
  - OpenWrt based image
- Gets you several things
  - Nice, clean Web interface
  - Framework, tools, scripts to set up for attack
  - Pairs very well with BackTrack, SET
- Bottom line?
  - Easiest way to weaponize a wifi AP
  - With BT, a solid learning platform

Weaponizing the Fon 2100
- Karma
- Jasager scripts
  - Basic port scanning, probes
  - Customize and roll-your-own scripts
- Powerful with BackTrack
  - SSLstrip
  - SideJacking with Ferret/Hamster
  - SET (Social Engineering Toolkit)
  - Metasploit ……’nuf said
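
Detection side of the Karma/Jasager setup above, as an added example that is not part of the original slides: a Karma-style AP answers probe requests for whatever SSID a client asks for, so a monitoring sensor can flag a BSSID that answers a canary SSID or many SSIDs it never beaconed. The record layout, canary name, threshold and sample frames are assumptions constructed for this example.

```python
from collections import defaultdict

# Assumed values for this example, not taken from the slides.
CANARY_SSID = "canary-7f3a91c2"   # sensor probes for it; no real AP uses it
MAX_SSIDS_PER_BSSID = 3           # multi-SSID enterprise APs may need a higher limit

# Constructed sample (not a real capture): time,type,bssid,ssid
SAMPLE_FRAMES = """\
# time,type,bssid,ssid
1.0,beacon,00:11:22:33:44:55,CorpWiFi
1.1,beacon,00:11:22:33:44:55,CorpGuest
2.0,probe-resp,00:11:22:33:44:55,CorpWiFi
2.5,probe-resp,00:11:22:33:44:55,CorpGuest
3.0,probe-resp,02:de:ad:be:ef:01,HomeNet
3.1,probe-resp,02:de:ad:be:ef:01,CoffeeShop
3.2,probe-resp,02:de:ad:be:ef:01,AirportFree
3.3,probe-resp,02:de:ad:be:ef:01,hotel_lobby
3.4,probe-resp,02:de:ad:be:ef:01,canary-7f3a91c2
4.0,beacon,00:aa:bb:cc:dd:ee,Library
4.1,probe-resp,00:aa:bb:cc:dd:ee,Library
"""


def parse_frames(text):
    """Parse 'time,type,bssid,ssid' lines; the SSID may itself contain commas."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ftype, bssid, ssid = line.split(",", 3)
        frames.append((float(ts), ftype, bssid.lower(), ssid))
    return frames


def find_karma_suspects(frames, canary=CANARY_SSID, max_ssids=MAX_SSIDS_PER_BSSID):
    """Return {bssid: [reasons]} for APs that answer probes like a Karma responder."""
    beaconed = defaultdict(set)   # SSIDs each BSSID advertises on its own
    answered = defaultdict(set)   # SSIDs each BSSID claimed in probe responses
    for _ts, ftype, bssid, ssid in frames:
        if ftype == "beacon":
            beaconed[bssid].add(ssid)
        elif ftype == "probe-resp":
            answered[bssid].add(ssid)

    findings = {}
    for bssid, ssids in answered.items():
        reasons = []
        # Rule 1: nobody legitimately serves the canary network.
        if canary in ssids:
            reasons.append("answered canary SSID")
        # Rule 2: answering for many networks the AP never advertised.
        unbeaconed = ssids - beaconed[bssid]
        if len(unbeaconed) > max_ssids:
            reasons.append(f"{len(unbeaconed)} SSIDs answered but never beaconed")
        if reasons:
            findings[bssid] = reasons
    return findings


if __name__ == "__main__":
    for bssid, reasons in find_karma_suspects(parse_frames(SAMPLE_FRAMES)).items():
        print(bssid, "->", "; ".join(reasons))
```
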

Weaponizing the Fon 2100
- USB power hack
  - Run Fon off laptop USB port
  - See Simple Nomad’s "Hacking the Friendly Skies" talk
  - Add Fon to a Sheeva / PwnPlug USB port
- 5v Solar? Toss on target’s roof?

Surprise future device: Raspberry Pi
- $25 embedded PC on USB stick
- Target market: kids in developing countries
- 700 MHz chip, 128 RAM, HDMI, WiFi
- Browser, OpenOffice, Python, etc.
- http://www.raspberrypi.org

SmartPhones

"The public doesn't realize the power they're holding in their hands… They have eyes and ears in their hand that can be exploited. It's intruding into their lives if it's not handled properly."
FBI Special Agent in Charge Alan Peters

“In understanding the technical capabilities of our phones, and by having full access to code and hardware, we can mitigate our risks and better protect our personal data and privacy.”
Shawn Merdinger

Nokia N900 Smartphone / Tablet
- Basic specs
  - OMAP 3430 ARM Cortex A8 @ 600 MHz
  - 128 MB RAM, 1 GB virtual memory, 32 GB total memory, MicroSD
  - 802.11 Wifi, Bluetooth, 5MP camera back, 2MP camera front, GPS
- Linux-based OS
  - Maemo 5
  - MeeGo 1.2 (special developer edition for N900)

N900 Apps
- Many stable, vetted and free apps available
- GUI app manager or CLI via Debian APT
- Extra Debian APT repositories
  - Thousands more packages
- Solid community docs
  - www.maemo.org

N900 Attack Tools
- Many of the ‘classic’ security tools
  - Fyodor’s Top 100 list
  - Maemo .deb packaged tools
- A few examples
  - Nmap, Kismet, Ettercap, sslstrip, Aircrack-NG
  - Pwnitter (Firesheep for N900)
  - TrueCrypt, OpenVPN, TOR
  - MobileHotspot
  - Wireshark

N900 Challenges
- Some tools require an advanced kernel
  - Especially wireless attacks like injection, de-authentication
- Tools may require a certain level of tweaking
  - Linking libraries, conflicts, OpenSSL versions, etc.
- Tough to install ALL the cool attack tools
- N900 is for you if you want…
  - a Linux box in your pocket to “get your geek on”
  - specific pen-testing objectives
  - a “Poor Man’s Immunity SILICA”

N900 Data Ex-filtration Capability
- On board storage is 32 GB
- MicroSD card up to 16 GB
- Network paths
  - Evernote
  - DropBox
  - TOR
  - Stunnel: tunnel over SSL
  - Iodine: tunnel over DNS requests
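
What the "tunnel over DNS requests" path looks like from the resolver side, as an added example that is not part of the original slides: data carried in query names produces many long, high-entropy, never-repeated subdomains under one parent domain. The log layout, thresholds, the last-two-labels parent rule and the sample queries are assumptions constructed for this example.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds for this example; tune against your own resolver logs.
MIN_UNIQUE = 5       # distinct subdomains per client and parent domain
MIN_MEAN_LEN = 30    # mean characters of subdomain text
MIN_ENTROPY = 3.5    # bits per character across the subdomain text

# Constructed sample (not a real log): time client qtype qname
SAMPLE_QUERIES = """\
# time client qtype qname
100.0 10.0.0.7 A www.corp.example
100.4 10.0.0.7 A mail.corp.example
100.9 10.0.0.7 A intranet.corp.example
101.0 10.0.0.7 A img1.cdn-static.example
101.1 10.0.0.7 A img2.cdn-static.example
101.2 10.0.0.7 A img3.cdn-static.example
101.3 10.0.0.7 A img4.cdn-static.example
101.4 10.0.0.7 A img5.cdn-static.example
101.5 10.0.0.7 A img6.cdn-static.example
102.0 10.0.0.7 TXT 2f9c1e7ab04d4c3e9b1a6d5f8e0c7a3b._domainkey.mailer.example
200.0 10.0.0.23 NULL q7x2mfa9kd0zplw3ubn8ey5rvc1hts6gjo4i.dnstun.example
200.1 10.0.0.23 NULL h3vz9c0tqk5xw1ngay8e4jrm2ub7dlo6fisp.dnstun.example
200.2 10.0.0.23 NULL 0lf8wyt4dn2qzb6shx9ka1ocg7ive5rmu3pj.dnstun.example
200.3 10.0.0.23 NULL ym4r1ej8c6ozt0kx5bu2dhw9sn3gqa7lvfip.dnstun.example
200.4 10.0.0.23 NULL b9go3xk7uz1fdp5mwc8nl2ytq0eh6sra4jvi.dnstun.example
200.5 10.0.0.23 NULL t5ic0pw8ej3zra6nlg1vyk9muh4xbd7sqf2o.dnstun.example
"""


def parent_and_sub(qname):
    """Split a name into (parent domain, subdomain text without dots).

    Assumption: the parent is the last two labels; production code would use
    the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def shannon_entropy(text):
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def summarize(log_text):
    """Per (client, parent domain): unique subdomains, mean length, entropy, qtypes."""
    subs = defaultdict(set)
    qtypes = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, client, qtype, qname = line.split()
        parent, sub = parent_and_sub(qname)
        if sub:
            subs[(client, parent)].add(sub)
            qtypes[(client, parent)].add(qtype)
    stats = {}
    for key, names in subs.items():
        joined = "".join(names)
        stats[key] = {
            "unique": len(names),
            "mean_len": len(joined) / len(names),
            "entropy": shannon_entropy(joined),
            "qtypes": sorted(qtypes[key]),   # context for the analyst, not scored
        }
    return stats


def find_tunnel_suspects(log_text):
    """Flag pairs that exceed all three thresholds; any one alone is too noisy."""
    return sorted(
        key for key, s in summarize(log_text).items()
        if s["unique"] >= MIN_UNIQUE
        and s["mean_len"] >= MIN_MEAN_LEN
        and s["entropy"] >= MIN_ENTROPY
    )


if __name__ == "__main__":
    for client, parent in find_tunnel_suspects(SAMPLE_QUERIES):
        print(f"possible DNS tunnel: {client} -> {parent}")
```

Requiring all three signals keeps the CDN-style names (many but short) and the single long `_domainkey` lookup in the sample from being flagged.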

N900 Wireless Attacks
- Rogue AP
  - http://zitstif.no-ip.org/?p=459
  - With SET hotness!
- Packet injection
  - http://zitstif.no-ip.org/?p=473
- MitM
  - Ettercap + sslstrip
- Sniffing
  - Kismet
  - Tcpdump, ngrep, dsniff
  - Can sniff actual GSM interface
- Potential for GSM attacks?
  - See Karsten Nohl’s 26C3 GSM Sniffing Talk
  - Todo: crack my own A5/1 crypto key

N900 Wireless Attacks
- Wireless de-authentication attack
- Via Simon @ KnowNokia.ca

“Sometimes I’m hanging with friends of mine who are big on Android and iPhone, and they make feeble attempts to mock my N900. “That thing is a brick”. “Nice resistive touch screen. Made in the 90’s?”. “Does it have apps?”. “Hey, let’s all play iScrabble and stare at our phones while we’re sitting in front of each other!”

ohnoez!

“I’ve learned to quietly brush off their comments, calmly finish replying to my text message and enter a few key commands and place the N900 in my pocket.”

Unlocking N900 Wifi Frequencies

“If you live like a criminal and run your 802.11 networks on the upper channels of 12, 13 or 14 in North America…” – Simon @ KnowNokia

Before / After
Got Stealth?

Other Wireless: Bluetooth and Zigbee
- In-progress projects to watch
  - USB dongle to N900
  - New attack capabilities
- Ubertooth Project
  - Michael Ossmann
  - Expanding Bluetooth attack surface exploration
- KillerBee
  - Joshua Wright, InGuardians
  - Zigbee attack toolkit
- Possible future statement?
  - “Dude, I just Pwned your house’s smartmeter with my phone”

N900 VoIP
- VoIP capabilities
  - Skype by default, integrated with contacts
  - Google Voice app
  - SIP clients
  - Asterisk – is that a telco in your pocket?
  - See VOIPSA security tool list
- Opens many attack and stealth possibilities
  - SIP attacks, spitter, etc.
  - CID spoofing
  - Asterisk to Asterisk IPsec tunnels with IAX crypto

N900 (a little more) Anonymous
- Smart Phone Privacy and Steps Towards Anonymizing the Nokia N900
  - Via Kyle Young @ http://zitstif.no-ip.org
- Disabling tracking
  - Location tracking (GPS and triangulation)
  - Auto connecting to Internet
- Enabling Privacy
  - TOR
  - ProxyChains
  - TrueCrypt
- Limits
  - Not encrypted FS
  - Crypto keys

BabyPhone
- Simple yet effective spy tool
- From babyroom to boardroom ;)
- Measures audio level threshold & starts phone call

LiveCast Mobile
- Stream live audio/video from N900 to web
  - Go to webpage, listen and watch
- Flexible archive options
  - None, N900-only, Web-only, N900+Web
- Use front or back camera

SMSCON
- Control N900 via SMS messages
- SMSCON Editor companion app
- Read Python scripts to see behind-the-scenes
- Example stock functions
  - GPS Location and email to address
  - Lock screen, reboot, “wipe” device data
  - Start reverse-ssh session
    - Connect back to N900 root shell via external ssh server
- Get your lost or stolen N900 back!
  - See Zoz’s “Pwned by the owner” DEFCON 18 talk

SMSCON & SMSCON Editor

N900 Avoid Forensics
- Can easily wipe and re-flash N900
  - Well-documented, step-by-step
  - Two levels: rootfs and eMMC
- Truly concerned could feasibly
  - Back-up personal data to micro-sd
    - *encrypt - leave in phone, hide, give to trusted person
  - Re-flash both rootfs and eMMC
    - Retains core call/sms functionality
  - Once safe, decrypt micro-sd card and restore data
  - Run a custom apt-get script to install packages not in back-up

N900 Anti-Forensics Potential?
- Rumors of warrantless forensics on cellphones
  - Cellebrite UFED (Universal Forensic Extraction Device)
  - Some models are $800 on eBay
- Interesting research and POC idea…
  - Just ideas. Better check with lawyers if you do this (DMCA)
  - Fingerprint Cellebrite USB connect
  - “Hide your wife, hide your kids” mode
    - Script encrypt/wipe real data
    - Spoof a fake phone filesystem?

N900 Attack Forensics Potential?
- Technically possible to turn the tables?
- Attack the forensics collector itself?
  - Low-level USB driver attacks
  - Malicious data 4u
- And upstream PC
  - Parser, viewer, etc.

Running another OS on N900
- Easy Debian OS
  - Like Vmware & Full Debian desktop, useful for tools
  - e.g. full Nessus install, Gimp, etc.
- BackTrack 5 (ARM distro) via chroot
- Other cool hacks to check out
  - Dual Booting with Maemo and Android
  - rU l33t? Roll-your-own OS!
  - See BackupMenu tool

Booting a PC with the N900
- Use USB + bootable image on MicroSD card
- Useful for on-the-spot support
- Potentially quite evil espionage
  - Corporate office, Internet cafes, Kiosks
- Tested with BackBox Linux, BackTrack 5
- Props to Kyle Young

Buying a Pre-weaponized N900
- Lazy, in a hurry or want technical support…
- Best bets as of today
  - PwnieExpress.com N900 PwnPhone
  - NeoPwn project seems kinda AWOL

Thank you!
- Thank you for your time
- Check InfoSecIsland for more N900 posts
- Huge ‘thank you’ to folks who made this preso possible: Kyle Young, Simon@knownokia.ca, folks on Maemo forums

 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Weaponizing the Nokia N900 -- TakeDownCon, Dallas, 2011

  • 1. Weaponizing the Nokia N900 (and some other stuff…) Shawn Merdinger TakeDownCon, Dallas, TX, USA 19 May, 2011
  • 2. Obligatory Speaker Slide Network security analyst at University of Florida, Academic Health Center Former Cisco Systems (STAT), Tippingpoint, and some other places… 6 years as independent security researcher Reported vulnerabilities in electronic door access control systems, VoIP phones, SCADA HMI, etc. Presented at a bunch of great hacker cons Limited availability for product security evaluations Typically an under-NDA eval in exchange for EFF donation Contact me if interested
  • 3. Objectives Weaponizing consumer grade gear Nokia N900 Fonera 2100 Surprises Review of several tools and attack vectors Goals Focus on technical capability -- not motivation, ethics Espionage and legitimate pen-testing Raise awareness You won’t look at this gear the same way again Demo
  • 4. Re-Boxing the Apple iPod Will not focus on iPod for a number of reasons Apple too controlling of hardware/software Rather work on more open gear If you’re determined… Thomas Wilhelm’s DEFCON 17 preso http://www.metacafe.com/watch/5815191/defcon_17_hacking_with_the_ipod_touch_2011/ Hakin9  http://hakin9.org/category/tutorials/
  • 5. Sorry to all of the Apple FanBoys
  • 6. Fonera 2100 La Fonera 2100 wifi access-point Fon Spanish company Community-oriented: share wifi, get wifi on the road at 3 million worldwide hotspots
  • 7. Weaponizing the Fon 2100 Easiest to use Jasager Simple re-flash firmware OpenWrt based image Get you several things Nice, clean Web interface Framework, tools, scripts to set-up for attack Pairs very well with BackTrack, SET Bottom line? Easiest way to weaponize a wifi AP With BT, a solid learning platform
  • 8. Weaponizing the Fon 2100 Karma Jasager scripts Basic port scanning, probes Customize and roll-your-own scripts Powerful with BackTrack SSLstrip SideJacking with Ferret/Hamster SET (Social Engineering Toolkit) Metasploit ……’nuf said
  • 9. Weaponizing the Fon 2100 USB power hack Run Fon off laptop USB port See Simple Nomad’s “Hacking the Friendly Skies” talk Add Fon to a Sheeva / PwnPlug USB port 5V Solar? Toss on target’s roof?
  • 10. Surprise future device: Raspberry Pi $25 embedded PC on USB stick Target market: kids in developing countries 700 MHz chip, 128 RAM, HDMI, WiFi Browser, OpenOffice, Python, etc. http://www.raspberrypi.org
  • 11. SmartPhones “The public doesn't realize the power they're holding in their hands…They have eyes and ears in their hand that can be exploited. It's intruding into their lives if it's not handled properly.” FBI Special Agent in Charge Alan Peters “In understanding the technical capabilities of our phones, and by having full access to code and hardware, we can mitigate our risks and better protect our personal data and privacy.” Shawn Merdinger
  • 12. Nokia N900 Smartphone / Tablet Basic specs OMAP 3430 ARM Cortex A8 @ 600 MHz 128 MB RAM, 1 GB virtual memory, 32 GB total memory, MicroSD 802.11 Wifi, Bluetooth, 5MP camera back, 2MP camera front, GPS Linux-based OS Maemo 5 MeeGo 1.2 (special developer edition for N900)
  • 13. N900 Apps Many stable, vetted and free apps available GUI app manager or CLI via Debian APT Extra Debian APT repositories Thousands more packages Solid community docs www.maemo.org
  • 14. N900 Attack Tools Many of the ‘classic’ security tools Fyodor’s Top 100 list Maemo .deb packaged tools A few examples Nmap, Kismet, Ettercap, sslstrip, Aircrack-NG Pwnitter (Firesheep for N900) TrueCrypt, OpenVPN, TOR MobileHotspot Wireshark
  • 15. N900 Challenges Some tools require an advanced kernel Especially wireless attacks like injection, de-authentication Tools may require a certain level of tweaking Linking libraries, conflicts, OpenSSL versions, etc. Tough to install ALL the cool attack tools N900 is for you if you want… a Linux box in your pocket to “get your geek on” specific pen-testing objectives a “Poor Man’s Immunity SILICA”
  • 16. N900 Data Ex-filtration Capability On board storage is 32 GB MicroSD card up to 16 GB Network paths Evernote DropBox TOR Stunnel Tunnel over SSL Iodine Tunnel over DNS requests
  • 17. N900 Wireless Attacks Rogue AP http://zitstif.no-ip.org/?p=459 With SET hotness! Packet injection http://zitstif.no-ip.org/?p=473 MITM Ettercap + sslstrip Sniffing Kismet Tcpdump, ngrep, dsniff Can sniff actual GSM interface Potential for GSM attacks? See Karsten Nohl’s 26C3 GSM Sniffing Talk Todo: crack my own A5/1 crypto key
  • 18. N900 Wireless Attacks Wireless de-authentication attack Via Simon @ KnowNokia.ca “Sometimes I’m hanging with friends of mine who are big on Android and iPhone, and they make feeble attempts to mock my N900. “That thing is a brick”. “Nice resistive touch screen. Made in the 90’s?”. “Does it have apps?”. “Hey, let’s all play iScrabble and stare at our phones while we’re sitting in front of each other!”
  • 19. ohnoez! “I’ve learned to quietly brush off their comments, calmly finish replying to my text message and enter a few key commands and place the N900 in my pocket.”
  • 20. Unlocking N900 Wifi Frequencies “If you live like a criminal and run your 802.11 networks on the upper channels of 12, 13 or 14 in North America…” – Simon @ knownokia Before After Got Stealth?
  • 21. Other Wireless: Bluetooth and Zigbee In-progress projects to watch USB dongle to N900 New attack capabilities Ubertooth Project Michael Ossmann Expanding Bluetooth attack surface exploration KillerBee Joshua Wright, InGuardians Zigbee attack toolkit Possible future statement? “Dude, I just Pwned your house’s smartmeter with my phone”
  • 22. N900 VoIP VoIP capabilities Skype by default, integrated with contacts Google Voice app SIP clients Asterisk – is that a telco in your pocket? See VOIPSA security tool list Opens many attack and stealth possibilities SIP attacks, spitter, etc. CID spoofing Asterisk to Asterisk IPsec tunnels with IAX crypto
  • 23. N900 (a little more) Anonymous Smart Phone Privacy and Steps Towards Anonymizing the Nokia N900 Via Kyle Young @ http://zitstif.no-ip.org Disabling tracking Location tracking (GPS and triangulation) Auto connecting to Internet Enabling Privacy TOR ProxyChains TrueCrypt Limits Not encrypted FS Crypto keys
  • 24. BabyPhone Simple yet effective spy tool From babyroom to boardroom ;) Measures audio level threshold & starts phone call
  • 25. LiveCast Mobile Stream live audio/video from N900 to web Go to webpage, listen and watch Flexible archive options None, N900-only, Web-only, N900+Web Use front or back camera
  • 26. SMSCON Control N900 via SMS messages SMSCON Editor companion app Read Python scripts to see behind-the-scenes Example stock functions GPS Location and email to address Lock screen, reboot, “wipe” device data Start reverse-ssh session Connect back to N900 root shell via external ssh server Get your lost or stolen N900 back! See Zoz’s “Pwned by the owner” DEFCON 18 talk
  • 27. SMSCON & SMSCON Editor
  • 28. N900 Avoid Forensics Can easily wipe and re-flash N900 Well-documented, step-by-step Two levels: rootfs and eMMC Truly concerned could feasibly Back-up personal data to micro-sd *encrypt - leave in phone, hide, give to trusted person Re-flash both rootfs and eMMC Retains core call/sms functionality Once safe, decrypt micro-sd card and restore data Run a custom apt-get script to install packages not in back-up
  • 29. N900 Anti-Forensics Potential? Rumors of warrantless forensics on cellphones Cellebrite UFED (Universal Forensic Extraction Device) Some models are $800 on eBay Interesting research and POC idea… Just ideas. Better check with lawyers if you do this (DMCA) Fingerprint Cellebrite USB connect “Hide your wife, hide your kids” mode Script encrypt/wipe real data Spoof a fake phone filesystem?
  • 30. N900 Attack Forensics Potential? Technically possible to turn the tables? Attack the forensics collector itself? Low-level USB driver attacks Malicious data 4u And upstream PC Parser, viewer, etc.
  • 31. Running another OS on N900 Easy Debian OS Like VMware & Full Debian desktop, useful for tools e.g. full Nessus install, Gimp, etc. Backtrack 5 (ARM distro) via chroot Other cool hacks to check out Dual Booting with Maemo and Android rU l33t? Roll-your-own OS! See BackupMenu tool
  • 32. Booting a PC with the N900 Use USB + bootable image on MicroSD card Useful for on-the-spot support Potentially quite evil espionage Corporate office, Internet cafes, Kiosks Tested with BackBox Linux, Backtrack 5 Props to Kyle Young
  • 33. Buying a Pre-weaponized N900 Lazy, in a hurry or want technical support… Best bets as of today PwnieExpress.com N900 PwnPhone NeoPwn project seems kinda AWOL
  • 34. Thank you! Thank you for your time  Check InfoSecIsland for more N900 posts Huge ‘thank you’ to folks who made this preso possible: Kyle Young, Simon@knownokia.ca, folks on Maemo forums