Networking

Hacking a wireless network with an iPod Touch

TechRepublic blogger Paul Mah posed some questions to Thomas Wilhelm, who demonstrated using Apple's iPod Touch as a full-blown hacking tool against wireless networks at the Defcon17 conference earlier this month.

The dangers of network threats emanating from behind the firewall is hardly a new topic to TechRepublic members. With the increasing popularity of wireless networks, however, I believe that this threat vector is one that certainly deserves more attention.

With this in mind, I posed some questions to Thomas Wilhelm, who demonstrated hacking a wireless network using the Apple iPod Touch at the Defcon17 conference earlier this month. My questions and Wilhelm's answers appear below along with my additional comments.

Feel free to post your comments and thoughts in the discussion area below.

Q: The mainstream news reports of your demonstration do not elaborate on the steps to break into a wireless network using the iPod Touch. What are they, and what applications did you use to achieve it?

Wilhelm: Unfortunately, the iPod Touch wireless chip cannot be put into promiscuous mode yet, so attacks against WEP and WPA are not possible with the Touch, unless you simply try to brute force the password during the initial connection request. However, if the Touch can connect to a network that requires the user to sign up for connectivity to the Internet, such as those found in coffee shops, airports, or hotels, the Touch can spoof its Media Access Control (MAC) address to be the same as a valid user on the network or worse -- the network gateway.

If the Touch is used to spoof the network gateway, all network traffic can be collected with a program called pirni and analyzed later for sensitive data, such as usernames and passwords, using a program such as Wireshark. For real-time collection, the iPod Touch can be installed with the dsniff application, which allows the attacker to respond to findings more quickly.
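Impersonating the gateway on a LAN, as Wilhelm describes, leaves a trace that a passive monitor can pick up: the gateway's IP address suddenly starts being answered by a different MAC, and that MAC typically answers for more than one address. The following detector is an added example written for this article, not code from Wilhelm, TechRepublic or the pirni project; the ARP replies it processes are a constructed sample, and the gateway address `192.168.1.1` and the MAC addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample traffic (not from the article): ARP replies recorded by a
# passive monitor on the LAN as (timestamp, sender_ip, sender_mac) tuples.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1",  "00:11:22:33:44:55"),  # legitimate gateway
    (2, "192.168.1.20", "aa:bb:cc:dd:ee:01"),  # ordinary client
    (3, "192.168.1.21", "aa:bb:cc:dd:ee:02"),  # ordinary client
    (4, "192.168.1.1",  "AA:BB:CC:DD:EE:99"),  # gateway IP now claimed by a new MAC
    (5, "192.168.1.20", "aa:bb:cc:dd:ee:99"),  # the same MAC also claims a client's IP
]


def normalize_mac(mac):
    """Canonical lowercase form so case differences never hide a change."""
    return mac.strip().lower()


def detect_arp_spoofing(replies, gateway_ip, trusted_gateway_mac=None):
    """Return a list of (timestamp, severity, message) findings.

    Two signals are used:
      * an IP that was previously bound to one MAC is now answered by another
        (HIGH when the IP is the gateway, MEDIUM for any other host);
      * one MAC answering for more than one IP, which is what a host that has
        cloned the gateway looks like from the rest of the segment.
    If the real gateway MAC is known in advance, pass it as trusted_gateway_mac
    so the very first spoofed reply is caught instead of being learned.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    findings = []
    if trusted_gateway_mac:
        ip_to_mac[gateway_ip] = normalize_mac(trusted_gateway_mac)
    for ts, ip, mac in replies:
        mac = normalize_mac(mac)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            findings.append((ts, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            findings.append((ts, "MEDIUM", f"{mac} answers for {sorted(mac_to_ips[mac])}"))
    return findings


if __name__ == "__main__":
    for ts, sev, msg in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(f"t={ts} [{sev}] {msg}")
```

On the sample above the detector raises a HIGH finding at t=4 when the gateway address changes hands, then two MEDIUM findings at t=5. The second signal needs a whitelist in practice: a router that legitimately holds several addresses on one interface will trip it, so seed `ip_to_mac` with the known bindings from the switch or DHCP server rather than relying on first-seen learning alone.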

Mah: The danger of an iPod Touch against a properly secured enterprise wireless network is still limited. However, the danger from the use of wireless access points from outside the company, which might be used by executives to connect to the corporate network, is real. As such, an encrypted VPN connection should be considered as the bare minimum, and executives must be made aware of this.

Q: Why use the iPod Touch?

Wilhelm: From a technical point, the iPod Touch is an inexpensive device that can be deployed covertly, such as in a drawer, behind a coffeemaker, or under a table. In addition, it uses a Unix-compatible operating system, meaning I can compile and install network and system penetration tools directly on the device. Hard drive size was also another consideration; for its size and capability, the iPod Touch provides a very solid platform for conducting both local and remote attacks.

From a social engineering perspective, the iPod Touch looks just like the iPhone; if I walk into a building and start conducting an attack, people [will] simply assume I am texting, listening to music, or something just as innocent. Public opinions surrounding a laptop may not always be as positive, depending on the location.

Mah: One thing is for sure: the increasing capabilities of smartphones and hand-held gadgets are changing the parameters of what constitutes a threat and what devices to watch out for. Network administrators need to be aware of and keep up to date with the latest attack vectors on the network.

Q: Would you consider it even possible to adequately secure a wireless network?

Wilhelm: We have all heard the mantra that given enough time, resources, and motivation, any system or network can be broken into. So from that perspective, it is not possible to secure a network to prevent an intrusion. From a practical perspective, the more advanced security protocols can provide adequate defenses against attack, as long as they are properly deployed ... however, most people deploying security devices never get past the configuration GUI, leaving their defenses susceptible to attack.

Mah: While there are measures and security protocols that are considered "adequate" against various wireless attacks, the weakness here is that administrators often do not go past the basic options available on the GUI. When it comes to wireless networks, though, administrators need to be intimately aware of the weaknesses and considerations of the various configuration options in order to put up a robust defense.

Thomas Wilhelm is an associate professor at Colorado Technical University, teaching at both the graduate and undergraduate levels. Wilhelm is also employed at a Fortune 20 company, performing penetration testing and risk assessments, and has spent over 15 years in the Information Systems field.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

8 comments
Neon Samurai

- Use WPA minimum and WPA2 preferably; if WEP is your only option, replace the hardware or live without wireless networking. At less than five minutes to break, it's no better than OPN.
- Set a non-descriptive broadcast SSID. There is no benefit to a non-broadcast (cloaked) SSID. Wireless scanners will display hidden SSIDs, and it'll only serve to invite other SSIDs to overpopulate your channel.
- Set a 9 or greater character passphrase with capitals/alpha/number/symbols.
- Consider MAC filtering. It's not a security advantage, but it does reduce the network noise your router tries to process.
- For a business, there are higher standards like a secondary authentication through a RADIUS server and certificate rather than passphrase first-layer authentication. WEP or lower is absolutely out.
- For the testing hardware, Nokia's N810 is a very nice bit of kit which can do promiscuous monitoring mode. The next Maemo release hopefully also does packet injection.
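The hardening points in the comment above can be turned into a small configuration audit that an administrator runs against an exported access-point profile before a site goes live. This is an added example written for this page, not code from the commenter, TechRepublic or any vendor; the two sample profiles are constructed, and the field names (`encryption`, `passphrase`, `broadcast_ssid`) are assumptions about how such an export would be shaped.

```python
import re

# Constructed sample access-point profiles (not from the page): one that
# ignores the advice above and one that follows it.
WEAK_AP = {
    "encryption": "WEP",
    "passphrase": "abc123",
    "ssid": "Linksys",
    "broadcast_ssid": False,   # "cloaked" SSID
}
STRONG_AP = {
    "encryption": "WPA2",
    "passphrase": "Tr4il-m1x!Q",
    "ssid": "net-7",
    "broadcast_ssid": True,
}

# Modes the comment treats as equivalent to no protection at all.
INSECURE_MODES = ("", "OPEN", "OPN", "WEP")


def passphrase_classes(passphrase):
    """Count how many of the four character classes the passphrase uses."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, passphrase)) for p in patterns)


def audit_wireless(cfg):
    """Return (severity, message) findings for one access-point profile.

    FAIL marks a setting the comment rules out entirely, WARN a setting that
    works but falls short of the preferred option, INFO a setting that costs
    nothing but also buys nothing.
    """
    findings = []
    enc = cfg.get("encryption", "").upper()
    if enc in INSECURE_MODES:
        findings.append(("FAIL", f"{enc or 'no'} encryption: replace the hardware or go without wireless"))
    elif enc == "WPA":
        findings.append(("WARN", "WPA is the minimum; WPA2 is preferred"))
    elif enc != "WPA2":
        findings.append(("WARN", f"unrecognised encryption setting {enc!r}; verify manually"))

    pw = cfg.get("passphrase", "")
    if len(pw) < 9:
        findings.append(("FAIL", f"passphrase is {len(pw)} characters; minimum is 9"))
    if passphrase_classes(pw) < 4:
        findings.append(("WARN", "passphrase should mix capitals, lowercase, digits and symbols"))

    if not cfg.get("broadcast_ssid", True):
        findings.append(("INFO", "hidden SSID gives no security benefit; scanners still display it"))
    return findings


def passes(cfg):
    """True when the profile has no FAIL-level finding."""
    return not any(sev == "FAIL" for sev, _ in audit_wireless(cfg))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("strong", STRONG_AP)):
        print(f"{name}: {'PASS' if passes(cfg) else 'FAIL'}")
        for sev, msg in audit_wireless(cfg):
            print(f"  [{sev}] {msg}")
```

MAC filtering and RADIUS-backed authentication are deliberately not scored: the comment is explicit that filtering is a noise-reduction measure rather than a control, and whether 802.1X/RADIUS is required depends on whether the network is a home or a business, which a profile alone does not tell you.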

BoxersRule

Yawn... Pretty easy to thwart attacks even without a VPN connection. If a network gets hacked with the Touch, well, they deserve it and the person who set up the wireless network really should go back to flippin' burgers.

The 'G-Man.'

My Windows Mobile 3 phone (as it was then) could have done this years ago and was about the same size with the same capacity. This is not news.

Neon Samurai

It could do wifi monitor mode and packet injection while running kismet, aircrack suite, tcpdump, dsniff suite. Granted, basic detection isn't news. My Palm T5 with the SDIO nic did great broadcast and hidden AP detection though it lacked the monitoring and testing tools to go beyond a basic war-walk.

paulmah

Howdy, I would say that many things are possible with the right hardware/software and skill. I decided to do this article more due to the fact that wireless networks are a lot more common now, and while many security-conscious (and military) installations check for camera phones or PDAs, I don't think the iPod Touch is on any list yet. Still, now I'm tempted to break out my Windows Mobile and do something with it... :)

Neon Samurai

The Debian fork on the N810 was a big selling feature for me, with the hardware features being the first that could be considered an upgrade from the Palm T5. (There is also a proprietary auditing device available out there. The company takes an N810 and puts their own industrial app on it, but I haven't the $10 grand or so to get one just for hobby work.) It would be interesting to see if all the functions can be duplicated on a Windows Mobile device, including what additional functions are available. An interesting side note: news today is that the iPhone does not actually delete email. The user hits delete. The user empties the waste basket. The email is still stored on the device and easily available for reading. http://www.maximumpc.com/article/news/mpc_psa_your_iphone_isnt_actually_deleting_emails_you_tell_it

Neon Samurai

I suspect less so for weak WEP, as it wasn't fully broken until recently. Good to hear that apps were available though. I had a lot of fun with the Palm apps available at that time and a whole world of fun now with a *nix back-ended PDA. Metasploit is fun, though it wouldn't have the processor power for a Nessus pre-scan to import into msf.