Death from the mailroom – iPhone hacks your company from the inside

Posted by Humphrey Cheung

Las Vegas (NV) – The Apple iPhone is great for phone calls and viewing YouTube videos, but it can also be turned into one heck of a wireless hacking tool capable of wreaking havoc on almost any company or government organization from the inside. In a talk at the Defcon security convention, Robert Graham and David Maynor of Errata Security explained how they could defeat firewalls, intrusion detection systems and even armed security guards by Fedexing a modified iPhone to a fictitious employee. The phone calls home every hour and can then be instructed to sniff network traffic, discover nearby wireless devices and even download information.

Robert Graham, co-founder and CTO of Errata Security

Graham and Maynor first came up with the idea of the hacking iPhone when a client wanted them to perform a wireless penetration test at a faraway facility. Graham told TG Daily that such a test would have required costly travel and losing nearly a day sitting in airports and on a plane. The simpler way seemed to be to send them an iPhone with special scanning tools installed.

Installing the software wasn’t the biggest problem as you can pretty much do anything to the phone after you jailbreak it.  Graham and Maynor had to figure out how to power the phone for several days as it crisscrossed the United States.  They also had to figure out how to control the phone from anywhere in the United States because the phone’s IP address would constantly change as it traversed cell towers and wireless access points on its journey.

An APC extended battery pack fixed the power issue by providing approximately five days of power in a deck-of-cards form factor. Graham and Maynor solved the control issue by having the phone call home every hour with an SSH connection. Once connected, the pair could instruct the phone to launch wireless sniffing tools like Graham’s Ferret, which enumerates nearby computers and all the hotspots they’ve connected to recently.
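From the defender's side, an hourly SSH call-home like the one described above leaves a regular pattern in outbound flow logs. The following is an added example, not code from Errata Security or the original article; the flow-record format, the sample addresses and the assumption that SSH runs on its default port 22 are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # Unknown internal device reaching one external host about once an hour.
    (t, "10.0.5.77", "203.0.113.10", 22)
    for t in (0, 3604, 7199, 10803, 14400, 18002)
] + [
    # Administrator workstation: interactive SSH at irregular times.
    (t, "10.0.1.20", "198.51.100.5", 22)
    for t in (120, 500, 9000, 9100, 16000)
] + [
    # Hourly HTTPS poll: periodic, but not SSH (assumed port 22 only).
    (t, "10.0.2.31", "192.0.2.44", 443)
    for t in (0, 3600, 7200, 10800, 14400)
]


def find_periodic_ssh(flows, period=3600, tolerance=120, min_connections=4):
    """Return (src, dst, count, median_gap) for outbound SSH flows that recur
    at roughly `period` seconds, the pattern an hourly call-home leaves."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 22:
            by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in sorted(by_pair.items()):
        if len(stamps) < min_connections:
            continue  # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Every gap must sit near the period; interactive sessions have
        # irregular gaps and fail this check.
        if all(abs(g - period) <= tolerance for g in gaps):
            hits.append((src, dst, len(stamps), median(gaps)))
    return hits


if __name__ == "__main__":
    for src, dst, count, gap in find_periodic_ssh(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:22  {count} connections, ~{gap:.0f}s apart")
```

A source address that is flagged here and does not appear in the asset inventory is the case worth chasing down physically. The strict all-gaps check will miss a device that skips a check-in, so a production rule would tolerate gaps that are multiples of the period.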

The phone and the APC battery fit inside the original iPhone box, which worked out great for Maynor as he walked to the local UPS store to ship the unit. “I just told people that someone won an eBay auction for an iPhone,” he joked.

In initial runs, the iPhone’s scanning showed some interesting results. Graham told the audience that the phone would just sit in a receiving facility, usually a mailroom, for a long time. Fedex and UPS generally deliver numerous boxes in a shipment, and a secretary or internal mailman (in larger companies) then sorts everything to its final destination. But if the package is addressed to someone who doesn’t work at the company, then employees will have no real urge to move it. Calls need to be made to verify that the employee doesn’t exist and then someone will finally call the shipping company to pick up the package – this all takes time, time that the phone can use to scan the internal network.

Once the phone was inside a business, Graham said most of the wireless networks were wide open. This should probably come as no surprise, as companies usually trust employees and assume anyone who has made it past the front door must be friendly.

While the notion of an iPhone attack may seem a bit too Hollywood-ish to some, Graham and Maynor say the idea is much better than a hacker sitting outside of a company sniffing for wireless traffic. They say police and even average citizens are quite suspicious of people sitting in their cars with glowing computer screens. Furthermore, sending a company an iPhone means you can be completely anonymous with a jailbroken iPhone and a third-party SIM card.

Companies typically spend thousands, even millions, of dollars on physical and network security, but Maynor said their iPhone can foil all of that by “getting past all the firewalls and crap that they’re buying.” He added that many organizations have armed guards that will stop any intruders, yet they let in the Fedex guy at 10 AM every morning.

Graham was scheduled to demonstrate the sniffing software and promises to release it as open source in the near future. Unfortunately, Graham and Maynor weren’t able to demonstrate the software because they accidentally left the prototype in a Las Vegas cab. “Some cabbie now has the power to take down the CIA,” Graham joked.