Saturday, March 3, 2012

The Little White Box That Can Hack Your Network

By Robert McMillan
March 2, 2012

Easy to overlook, the PwnPlug offers a tiny back door to the corporate network. Photo: Ariel Zambelich/Wired

Wired.com:


When Jayson E. Street broke into the branch office of a national bank in May of last year, the branch manager could not have been more helpful. Dressed like a technician, Street walked in and said he was there to measure “power fluctuations on the power circuit.” To do this, he’d need to plug a small white device that looked like a power adapter onto the wall.

The power fluctuation story was total bullshit, of course. Street had been hired by the bank to test out security at 10 of its West Coast branch offices. He was conducting what’s called a penetration test. This is where security experts pretend to be bad guys in order to spot problems.

In this test, bank employees were only too willing to help out. They let Street go anywhere he wanted — near the teller windows, in the vault — and plug in his little white device, called a PwnPlug. Pwn is hacker-speak for “beat” or “take control of.”

“At one branch, the bank manager got out of the way so I could put it behind her desk,” Street says. The bank, which Street isn’t allowed to name, called the test off after he’d broken into the first four branches. “After the fourth one they said, ‘Stop now please. We give up.’”

Built by a startup company called Pwnie Express, the PwnPlug is pretty much the last thing you ever want to find on your network — unless you’ve hired somebody to put it there. It’s a tiny computer that comes preloaded with an arsenal of hacking tools. It can be quickly plugged into any computer network and then used to access it remotely from afar. And it comes with “stealthy decal stickers” — including a little green flowerbud with the word “fresh” underneath it, that makes the device look like an air freshener — so that people won’t get suspicious.

The basic model costs $480, but if you’re willing to pay an extra $250 for the Elite version, you can connect it over the mobile wireless network. “The whole point is plug and pwn,” says Dave Porcello, Pwnie Express’s CEO. “Walk into a facility, plug it in, wait for the text message. Before you even get to the parking lot you should know it’s working.”

Porcello decided to start making the PwnPlug after coming across the SheevaPlug, a miniature low-power Linux computer built by Globalscale Technologies that looks just like a power adapter. “I saw it and I was like, ‘Oh my god this is the hacker’s dropbox,’” Porcello says. Dropboxes have been around for a few decades, but until now they’ve been customized computers that hackers or pen testers like Street build and sneak, unobserved onto corporate networks.

Now Pwnie Express has taken the idea commercial and built a product that anyone can easily configure and use. It turns out that they’re also a great way for corporations to test out security at their regional offices. Porcellos says that the Bank of America is mailing the PwnPlug to its regional offices and having bank mangers plug them into the network. Then security experts at corporate HQ can check the network for vulnerabilities.

Another internet service provider — Porcello wasn’t allowed to name them — is using the devices to remotely connect to regional offices via a GSM mobile wireless network and troubleshoot networking problems.

The device can save companies big money, Porcello says. “You’ve got companies like T.J.Maxx that have thousands of retail stores and every single one of them has got a computer network,” he says. “Right now they’re actually flying people out to the stores to spot check and do penetration basis, but now with something like this you don’t have to travel.”

Porcello was just a bored security manager at an insurance company when he started building the PwnPlugs back in 2010. But pretty soon he was selling enough to quit his day job. “We started getting orders from Fortune 50 companies and the DoD and I was like, ‘OK I’ll do this now instead.’”

No comments:

Post a Comment