The Pony Grows Up: Pwn Plug R3 Review
November 11, 2014
By Tom Nardi
Over two years ago, we reviewed the first generation Pwn Plug: a little ARM box that looked enough like a power adapter for a printer that it could reasonably be hidden in a wiring closet or office, all the while snooping on the local network and reporting back to a remote operator. It was, in a word, revolutionary.
Not that the idea itself was actually new. People in the security industry had been talking about this kind of thing for years, and of course, anyone who’s ever seen a spy movie can probably envision a device that operates in a similar manner. But it had never been practical to put into the field with the bulky x86 systems that ruled computing. Once Linux on ARM became mainstream though, it didn’t take the outside the box thinkers of Pwnie Express long to create a security appliance right out of a James Bond movie.
But technology changes rapidly. An ARM computer that plugged into the wall, ran Linux, and cost “only” a few hundred dollars was an incredible feat in 2012; indeed, it was enough to build a whole new industry on. Now we have Raspberry Pis running off of 9V batteries for $35 at Radio Shack.
Can a Pwn Plug in 2014 make the same kind of waves the original did in 2012? Or have the industry, and technology, passed the concept by?
The Pwn Plug Line
For the uninitiated, the Pwn Plug line is advertised as the premier turn-key penetration testing device on the market. With the ability to establish a reverse shell both in and out of band (i.e. through the host network, or over cellular), the Pwn Plugs are an extremely easy way to get a back door into whatever network they happen to be connected to. With their small size and unobtrusive physical appearance, the Pwn Plugs are ideal for covert deployments and performing remote penetration tests without having to physically travel to the target.
Once the Pwn Plug has dialed home, the operator has access not only to the dizzying array of open source security tools which the Pwn Plug includes, but can use the included development environment to compile, or even develop, new software right from within the target network.
None of these individual features are particularly revolutionary taken on their own, but combining them all into one ready to go appliance is. The Pwn Plug isn’t so much about breaking totally new ground as combining methods and technologies into a cohesive product that saves the user the trouble of putting it all together themselves.
The hardware is off the shelf, and the software is (mainly) open source. What you pay for isn’t the product itself, but the combined knowledge and support of the Pwnie Express team.
Ironically enough, for this latest version the Pwn Plug has switched back to the x86 platform that had hindered this sort of product for so long in the past. Instead of a comparatively anemic ARM device, the R3 is based on the Intel Next Unit of Computing (NUC). Sporting a 64 bit dual core 1.1 GHz CPU and 2 GB of RAM, the R3 could double as a small form factor desktop in a pinch.
While the performance boost is certainly welcome, arguably the biggest improvement of the R3 is the fact that it now features built-in wireless (WiFi and Bluetooth) hardware. The original Pwn Plug relied on external adapters for wireless support, which was… ungainly, to say the least. The R2 had built-in WiFi, but still required an external Bluetooth adapter. With the R3, both are now supported out of the box without having to plug anything in. Though some may take issue with the fact that the integrated wireless solution on the R3 precludes the use of external antennas, the reality is that most use cases will work fine with the built-in radios.
On the flip side, while the R3 finally integrates wireless, it loses the second Ethernet port that the R2 added. This is something of a step backwards as it means you’ll now need to use an external Ethernet adapter to perform certain tasks, just like on the original Pwn Plug. Realistically, most users are probably more interested in wireless these days, so losing the dual Ethernet in favor of built-in wireless is unlikely to ruffle many feathers, but it was nice to have the option.
Hardware wise, there is no question that the R3 is easily the most powerful of the Pwn Plugs, and the internal wireless (lack of dual Ethernet notwithstanding) finally fixes one of the most glaring problems of its predecessors. Unfortunately there is one thing the R3 lacks which the earlier Plugs had in spades: the element of surprise.
Pulling the Plug
Without a doubt, one of the most revolutionary things about the original Pwn Plug was that it didn’t look anything like a traditional computer; it was a white box that plugged into the wall. It even came with stickers that made it look like a power adapter or an automatic air freshener. That was sort of the whole point: you could plug it into the wall and there was very little chance that anyone but the most astute would have thought something was out of the ordinary.
The R2 was not quite as stealthy as the original Plug, but thanks to its general shape and large external antenna, it could plausibly take on the appearance of an innocent wireless access point. It might have gotten more attention than the original Plug, but at least it wasn’t completely out of place.
But sadly the R3 doesn’t have either form of camouflage; it has the dubious honor of simultaneously looking in and out of place. On one hand, it doesn’t have the non-traditional shape of the original Plug, and on the other, it doesn’t look nearly as utilitarian as it should if it’s going with the R2’s plausible deniability defense.
With its sleek lines, front mounted USB port, and blinking LED activity light, the R3 looks more like a Roku than a penetration testing device. The thing’s even got HDMI (dual HDMI, at that).
Which makes the R3 sort of an odd addition to the Pwn Plug line. Is it still trying to be a covert device? Has Pwnie Express abandoned that line of logic in favor of simply delivering a turn-key penetration testing device? The documentation refers to the hardware as “portable” and “shippable”, but no longer calls the device a “drop-box” as in earlier Pwn Plug revisions.
Of course, it makes sense. The idea of attempting to hide an expensive piece of hardware in your target network was always a bit hokey. Certainly clever, but not terribly practical over the long term. But the idea of a small and portable IT penetration device with reverse shell capability isn’t only useful in the context of hiding it; you can just as easily ship it to a target and have them plug it into their network.
Remember, the use case for the Pwnie products is legitimate penetration testing, not breaking into networks illegally. Rather than having to send out an investigator every time a company or organization conducts a penetration test, they can simply ship a Pwn Plug to the target and have them hook it up to the network. The penetration test can then be done remotely, faster and cheaper than it could have been done otherwise.
Losing the pretext of the Pwn Plug being a covert hacking device is a bit of a letdown on the surface, but realistically, it’s just a sign of Pwnie Express taking its products in a more mature and corporate-friendly direction. There are certain circles where a little box that looks like an air freshener just isn’t going to be taken seriously as a legitimate tool, and for those places, the R3 becomes a necessity.
On the software side, Pwnie Express has taken the world’s most popular security testing Linux distribution, Kali, and customized it to create Pwnix. Because it’s running on a Kali base, Pwnix includes essentially every worthwhile open source security tool in existence, and is constantly being revised with new tools and updates. Even if there’s a tool you want that isn’t included, thanks to Pwnix including a full fledged Linux environment and the R3 running on standard Intel x86 hardware, you can almost certainly install it without jumping through too many hoops.
Pwnix also includes a very slick web based user interface for configuring and updating the R3, as well as launching services and setting up reverse SSH shells.
The web UI is a very nice touch that really makes the Pwn Plug feel like a professional and cohesive product. It beats having to dive into the command line every time you want to clear some logs or change an IP address.
In general the software environment is quite good, but there are a few obvious areas of improvement.
For example, for all the polish that has been put into the web UI, it seems like it could be utilized a bit better. The web UI only lets you start a paltry 3 services, and you can’t even do something as simple as a WiFi site survey with it. Even consumer grade routers let you scan for other APs from within their UIs these days.
Of course, given the immense number of services and functions that the user could potentially want to access on their R3, it would be unreasonable to assume there could be a UI front-end for each one of them. Still, there are a few key services and functions that Pwn Plug operators would almost certainly use which could get a proper UI treatment.
As it stands, the web UI is something you would only visit on occasion. This seems an awful waste of potential, and hopefully something Pwnie will address with future software updates.
All in all, the Pwn Plug remains a remarkably complete turn-key penetration testing solution. The new hardware is not only more powerful than the previous versions of the hardware (as should be expected), but has an air of professionalism that its predecessors lacked. While it might not be the same type of “cowboy” style product the original Pwn Plug was, it certainly fills a niche and continues to push the Pwn Plug forward.
That said, it still isn’t perfect. While this version of the Pwn Plug still requires fewer external devices than the original to operate to its full potential, having to plug in external GSM or Ethernet adapters is rather awkward. As with the previous Pwn Plugs, the off the shelf hardware that Pwnie Express chooses to use is adequate, but not always ideal. Given their success, it would be nice to see Pwnie Express invest in more custom-made devices rather than relying on hardware that’s already commercially available. They’ve done it in the past with the Power Pwn, but seem reluctant to try again.
But in the end, outside of the little nagging issues, there’s really not much to dislike about the R3. Previous Pwnie products have had something of an unfinished feel, or, to put it a different way, previous Pwnie devices gave the impression they were still being actively developed and experimented with, even after you purchased them. But with the R3, the hardware and software have really come together into a product that feels complete.
With the R3 you get the distinct impression that not only has the product itself reached a new level of maturity, but so has the company behind it.
The Pwn Plug R3 is available now, directly from Pwnie Express for $995, with optional extended warranty service and web-based training.