Weaponizing Apple's iPod Touch

Security expert converts popular music/movie player and browsing device into a penetration testing, hacking tool

It fits behind a coffee machine, inside a desk drawer, or in your pocket, and it doesn't arouse suspicion if you walk into a bank or office tapping away on it -- and that's why a security expert has turned an iPod Touch into a full-blown hacking tool.

Thomas Wilhelm, associate professor of information system security at Colorado Technical University, showed attendees at last week's Defcon17 conference in Las Vegas how Apple's seemingly benign iPod Touch can be converted into a portable and stealthy penetration testing or attack tool. He outfitted the iPhone cousin with the popular Metasploit software for exploiting vulnerabilities, as well as password-cracking and Web app hacking applications he was able to easily download onto the device.

"Because of its size and ability to connect back to a more robust attack platform, the iPod Touch can go anywhere and get us [penetration testers] into areas where we couldn't before," Wilhelm says. "If I walked into a bank with a laptop, people would be suspicious. If I were to walk in with something like an iPhone, people would accept it. I could hack for hours in a bank or coffee shop, and no one would [suspect]," he says.

But like any security tool, this handy and stealthy iPod Touch hacking tool cuts both ways. "I know [the iPod Touch] has been abused, and I know it will be," he says. "But network administrators need to know what the potential threats are."

It's not the first handheld hacking tool. Immunity sells the Silica handheld, a PDA look-alike that's really a mini, hardware-based version of Immunity's Canvaas pen-testing tool. And Errata Security last year showed how it sometimes ships iPhones running security tools to its clients' sites to remotely conduct elements of a penetration test, such as TCP dump and Nmap. The idea of overnighting an iPhone-based pen-testing tool came mostly out of necessity for Robert Graham, CEO of Errata, and David Maynor, CTO, as a way to efficiently conduct packet sniffing without traveling out of state.

So why the iPod Touch instead of the iPhone? Wilhelm says it's cheaper up-front and doesn't come with the phone's monthly subscription fees. And it lets the penetration tester or hacker control which network the device connects to, which is not really possible with the iPhone. "The iPhone is attractive because it includes a camera...and can be used to record voice," he says. "But for me, the iPod Touch makes more sense from a cost perspective and network-control perspective."

The iPhone Touch can also perform ARP spoofing and force nodes to use it as a gateway. "The coolest thing with the iPod Touch is that it can tell every computer in the network that it's the gateway, and that when you talk to Google, you have to go through it," Wilhelm says. "Then it captures all of the packets that go across the network."

Wilhelm says the Unix-compatible iPod Touch didn't require much configuration to become a hacking tool, either. Once he "jail broke" it, he was able to easily install pen-test apps from Cydia. "There was very little I had to do to configure it," he says.

The tool can do most of what a laptop-based pen-test tool can do, he says, although at about only one-tenth of the computing power. The other drawback is when you plant the iPod Touch on-site, you have to find some way to provide it a power source. So Wilhelm designed his own camouflaged power setup with parts he purchased at Home Depot. It's basically an electric box with an empty faceplate affixed to a wall to hide the iPod, which is plugged into the wall outlet.

Another trade-off is it only works with a wireless connection. You have to jump onto a WiFi connection either legitimately or via MAC spoofing: "Once you're on there, you do information-gathering and find out what servers are on the network, do port scans, banner grabbing, and identify potential vulnerabilities, and try to exploit them with Metasploit," Wilhelm says.

And with the device hidden on-site, you can set up a backdoor and remotely connect to the iPod Touch to perform additional attacks. "Anything you can do in a real pen-test, you can do on this thing," Wilhelm says. "Other people have demonstrated some of this functionality before. I wanted to present to the world how robust the iPod Touch is as an attack platform, and some of the social engineering vectors that can be used to actually conduct a pen test."

Wilhelm says that as mainstream portable electronic devices get smaller and more powerful, they could become even more useful -- as well as potentially dangerous if abused.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio