Let’s Encrypt: Fast Track to Safer Internet?

The Electronic Frontier Foundation (EFF) has recently taken the wraps off of a bold new project, “Let’s Encrypt”, which aims to help administrators move their web servers over to HTTPS as quickly and as easily as possible. What today takes even an accomplished administrator the better part of an hour to configure could soon be reduced to a single automated command, to say nothing of the fact that the EFF intends to provide the encryption certificates for free.

But the technology is only half the battle; even when the logistical hurdles for deploying HTTPS have been removed, the industry and public need to understand the importance of blanket Internet encryption. HTTPS can’t simply be reserved for email and login forms, as even seemingly innocuous data transmitted in clear text can be disastrous from a security and privacy standpoint.

Clear Text Risk

HTTP was designed for a much simpler, and safer, Internet; everything the user’s browser sends and receives when viewing an HTTP website is sent in the clear. It’s trivial to capture, analyze, and even manipulate this data to all sorts of nefarious ends. While a user may think he is safe because his email or banking website is using SSL encryption, there is just as large a risk from the myriad of sites, services, and apps that are still communicating to the outside world in the clear.

Pwnie Express demonstrated this fact to staggering effect over the summer with the role it played in NPR’s “Project Eavesdrop”, where technology correspondent Steve Henn willingly allowed a Pwn Plug to be installed on his own network for the express purpose of monitoring his unencrypted communication with the outside world. With his emails and phone calls kept off limits, the goal of the experiment was to simulate just what kind of information could be collected with the type of passive monitoring the NSA performs.

The experiment clearly showed just how much information can be gleaned by simply watching a victim’s online activity. While it would certainly be faster to find out what a person is doing by directly reading their emails, it can often be just as effective to examine the lower-hanging fruit that isn’t generally secured. By capturing and correlating search terms, file transfers, URLs, and all the other ephemera that make up a person’s day-to-day Internet usage, an attacker can piece together a very accurate image of what their target is up to, online and off.

The possibilities of active data manipulation are even more troubling. A sufficiently powerful device can modify the source code of the web pages that victims connect to in real time. The content of web pages can be changed on the fly, allowing for censorship and spreading misinformation that would be essentially undetectable for the average user. Malicious code and scripts could also be invisibly inserted, leveraging browser vulnerabilities and turning what the user assumed to be a reliable website into an attack vector.

HTTPS Hurdles

With so many clear problems with using HTTP on the modern Internet, why are the majority of sites still running without encryption? As with many other problems in IT, it boils down to complexity and cost.

Properly deploying SSL on a web server currently involves an intimidating number of steps and arcane commands, many of which likely won’t be fully understood by the operator. This is a recipe for mistakes, and is just as likely to lead to misconfigured sites and frustration as it is to success.

If the complexity of the setup doesn’t put administrators off, the cost surely will. Purchasing an SSL certificate from a known Certificate Authority (CA) can cost upwards of $100 for just a single site, putting it outside the means of many individuals or small IT departments.

It’s easy to see then how administrators of sites which aren’t traditionally encrypted (i.e. any site that doesn’t have user accounts) could see setting up SSL as a waste of time and money. Rather than suffer through the current process of encrypting their web server, many administrators will simply decide it isn’t worth their time unless they are forced to.

Let’s Encrypt

The EFF’s “Let’s Encrypt” aims to fix both of these problems simultaneously.

A client-side tool, letsencrypt.py, automates the entire setup; the user simply needs to run the command and select the site they wish to encrypt from the menu. The tool can also be run without the user interface, for more advanced or bulk operations.

While the automated tool is nice, the big news here is that the EFF will be helping to issue these certificates to anyone who wants one, for free. These certificates will be provided by a new non-profit organization called the Internet Security Research Group, which the EFF has formed with the likes of Mozilla, Cisco, Akamai, and IdenTrust.

However, the project isn’t without its detractors. Some claim that leaving the complex process of properly configuring SSL up to an automated wizard is just as damaging as having users copy and paste commands from an online tutorial; in both cases, the user doesn’t really understand the process. With the source code for their software currently available on GitHub, and 6 to 8 months before launch, there is ample time for the industry to weigh in on the EFF’s software and method.

If it turns out as the EFF promises, “Let’s Encrypt” could be the first step towards moving to the more secure Internet that the litany of recent security and privacy revelations has shown we desperately need.

SINET 16 (Awards and Innovation)

We at Pwnie are beyond proud and excited to announce that we have been selected as one of this year’s SINET 16 Innovators. SINET, according to its site, selects these companies as the “best-of-class security companies that are addressing industry and government’s most pressing needs and requirements.”

SINET stands for “Security Innovation Network,” an incredible organization that promotes innovation, business development, and awareness of smaller companies. Their interest in smaller companies is fairly unique, but one that is more necessary in the security space than in many others. Though innovation is necessary in any industry, information security is reliant upon innovation to face new and increasingly sophisticated threats.

One of the most exciting things about InfoSec is that there is a constant push forward. In the words of SINET Chairman and Founder, “For those of us in the cybersecurity space this is an exciting but critical time.” It is certainly an intense time for cybersecurity: the U.S. Postal Office was breached, the State Department was targeted, and data breaches are becoming so common and so huge that Information is Beautiful was able to create this incredible infographic that clearly demonstrates that the breaches have gotten bigger… and more frequent.

Here at Pwnie the increasing urgency in the cybersecurity space has inspired us to move forward. Innovation has been one of the Pwnie Values since the beginning, and we are truly grateful to know that it has paid off.

Tor users’ IP addresses can be identified by exploiting routers

engadget

Tor users’ IP addresses can be identified by exploiting routers

November 18, 2014

By Mariella Moon

The fact that feds have seized Silk Road 2.0 and a bunch of other shady websites hiding behind Tor’s technology proves that the browser doesn’t provide the perfect cloak of anonymity. Now, a series of studies conducted between 2008 and 2014 gives us a clearer idea of just how vulnerable the browser is. The researchers involved claim to have de-anonymized the IP addresses of all Tor users in a lab setting — and over 81 percent of actual users in the wild. According to one of the papers published by Sambuddho Chakravarty, former researcher at Columbia University’s Network Security Lab, he and his colleagues managed to get through Tor’s defenses by exploiting the default traffic analysis software built into routers. In Cisco routers, for instance, it’s a program called Netflow.

(Original Article)

Pwnie Express Selected as a SINET 16 Innovator

Remote Asset Discovery and Assessment Provider Lauded for Its Cutting-Edge Cybersecurity Defense Technology

BOSTON, Nov. 18, 2014 /PRNewswire/ – Pwnie Express, providing anywhere on-demand wired and wireless network security assessment, today announced that the Security Innovation Network (SINET) has named it a SINET 16 Innovator.

Pwnie Express was selected from a pool of 180 applicants worldwide by the SINET Showcase Steering Committee, which is made up of 60 security experts from government, academia and the private sector, for its ability to combat cybersecurity threats and vulnerabilities.

The SINET Showcase will feature Pwnie Express’s Pwn Pulse solution, which provides consolidated asset discovery, vulnerability scanning, and pentesting in a single unified offering. This delivers actionable risk information showing organizations where they are most vulnerable, allowing them to focus on high probability threats and threat vectors. The event will be held December 3-4 in Washington DC.

“We are honored by SINET’s recognition of our innovative solution whose integrated intelligence delivers continuous in-depth analysis to accurately identify attack paths, allowing organizations to level the playing field against the hackers,” said Paul Paget, Pwnie Express CEO. “Pwnie Express is the only solution to assess wired and wireless network security anywhere, on-demand. Leveraging the expertise of Pwnie Labs and using open source tools our SaaS solution allows organizations to easily protect themselves against attackers who are increasingly accessing confidential data and information through remote locations.”

The SINET Showcase provides a platform for the business of Cybersecurity to take place as emerging technology companies present their solutions and connect with a select audience of nearly 400 venture capitalists, investment bankers as well as industry and government buyers.

About SINET
SINET is a community builder and strategic advisor whose mission is to advance innovation and enable global collaboration between the public and private sectors to defeat Cybersecurity threats. Its public-private partnership events are supported by the U.S. Department of Homeland Security, Science & Technology Directorate.

SINET also offers advisory services and a membership program that have helped build thousands of relationships and delivered value across a broad spectrum of the security community to include buyers, builders, researchers and investors. For more information, visit www.security-innovation.org. Connect with us on Twitter at @SINETconnection. Follow the conversation about SINET 16 at #SINET16 and this year’s SINET Showcase at #SINETDC.

About Pwnie Express

Pwnie Express provides an end-to-end security assessment solution that delivers real-time wired and wireless asset discovery, continuous vulnerability scanning, pentesting, risk trending and alerting. It provides sensors for individual locations and an enterprise-class Pwn Pulse solution using its sensors combined with central management for scalable continuous intelligence across remote locations.

Thousands of organizations worldwide rely on its products to conduct drop-box pentesting and provide unprecedented insight into distributed network infrastructures. Pwn Pulse allows organizations to see all the things using open source tools and platforms. The products are backed by the expertise of Pwnie Express Labs. It is headquartered in Boston, Massachusetts.

Contact: Sara Kantor
Email
Phone: 617-267-1777

(Original Article)

A Computer Science Professor Found a Way To Identify Most ‘Anonymous’ Tor Users

International Business Times

A Computer Science Professor Found A Way To Identify Most ‘Anonymous’ Tor Users

November 18, 2014

By Dylan Love

Tor was supposed to be an anonymous means of browsing the Internet, but a study by computer science professor Sambuddho Chakravarty reveals that 81 percent of those using Tor can be de-anonymized by exploiting a technology in Cisco routers called Netflow. The ploy reveals a user’s originating IP address, which is analogous to identifying someone’s home address even if he or she uses a P.O. box.

By facilitating anonymity online, Tor enables people around the world to communicate securely and get around firewalls that might block certain sites in their countries. It’s also the technology that facilitated the notorious Silk Road (and subsequent iterations), seeing people trade bitcoins for assorted black market paraphernalia through the mail. The nonprofit project enables freedom of the press around the world and, for at least a time, presented a means to mail-order drugs.

The Tor browser works by way of decentralization. Your Web traffic doesn’t come directly to you, but instead arrives by way of a number of relays. Each relay makes it increasingly difficult to identify the traffic’s ultimate destination, shielding you from being associated with it. The trade-off is one of speed for purported anonymity, but this Netflow exploit is only the latest among a few incidents that seem to be punching holes in the browser’s popular conception as a bulletproof security fiend.

(Original Article)

Pwn Plug R2 vs. R3 – Head to Head

The recently released Pwn Plug R3 is a departure from its predecessors in a number of ways, but perhaps none as pronounced as the move away from the low-power ARM architecture. Rather than stick to ARM, which is primarily used in smartphones and tablets, Pwnie Express has embraced the latest Intel Next Unit of Computing (NUC) architecture to bring desktop-like performance to the Pwn Plug line for the first time.

But what does that mean, in practical terms? Just how much faster is the new R3 compared to its most recent predecessor, the R2?

File I/O Performance

All of the Pwn Plugs use flash storage of some type: in the case of the R2 it’s a micro SD card, and on the R3 an Intel 525 Series SSD. The R3 obviously will have the advantage here, given that micro SD cards are designed to be nothing more than cheap mass storage, but by how much?

To get a very rough idea of sequential performance we can simply write a large file to the drive with the common Unix tool “dd”, which will report its write speed upon completion. The following command will write a 512 MB file filled with zeros, and report how fast it performed the operation:

time dd if=/dev/zero of=test bs=8k count=62500

The results of even this simple test are staggering:

[Figure: head-to-head dd write speed results, R2 vs. R3]

The R2’s SD card can only manage a write speed of just over 12 megabytes per second, while the Intel SSD clocks in at an incredible 519 megabytes per second. There’s simply no contest: the R3’s storage technology is a generational leap above the R2.

Computational Performance

The R2 is powered by a Marvell Armada-370 processor clocked at 1.2 GHz, while the R3 has an Intel Celeron at 1.1 GHz. The casual observer may look at these numbers and think both processors would be around the same in terms of performance, since they are operating at the same clock speed. But with vastly different CPU architectures like this, clock speed is completely meaningless when it comes to performance.

To get a better idea of how these processors actually stack up, we can use a simple tool called “sysbench”, which is available in both the R2 and R3’s online package repositories. This tool will calculate prime numbers up to a user-defined value, putting continuous computational stress on the processor. The command to calculate 5000 prime numbers looks like this:

sysbench --test=cpu --cpu-max-prime=5000 run

The results, once again, are completely one-sided:

[Figure: sysbench 5000-prime results, R2 vs. R3]

The R3 is able to calculate 5000 prime numbers over 10 times faster than the R2, showing the stark contrast between the computational capabilities of the ARM chip versus its similarly-clocked Intel counterpart.

Practical Benchmark

It’s surely clear that the R3 is a vastly more powerful machine than the R2, but some may make the case that the day-to-day usage of both devices is comparable enough that the raw power of each respective Plug is irrelevant.

To address that, let’s take a look at a valid real-world example. The infamous password cracker “John the Ripper” represents a practical demonstration of both raw computational power and rapid file operations. It just so happens that John the Ripper even includes a built-in benchmarking facility for various encryption types, which can be accessed like so:

john --test

The benchmark shows how many hashes per second John could perform against given encryption schemes on a particular piece of hardware. A higher number is better, as that means you can try more passwords in less time.

[Figure: John the Ripper benchmark results (FreeBSD), R2 vs. R3]

[Figure: John the Ripper benchmark results (OpenBSD), R2 vs. R3]
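An added example (not code from the Pwnie Express post) that turns the output of the three benchmarks above into comparable numbers and computes the R3-over-R2 speedup. It assumes the output formats the tools printed at the time (GNU dd’s summary line, sysbench 0.4’s “total time” summary, John 1.7’s “Benchmarking: … Raw/Many salts” lines); the sample outputs are constructed, with only the dd figures matching those reported above.

```python
"""Normalise dd, sysbench and john --test output and compute R3-over-R2 speedups.
Added example; the output formats are an assumption about the tool versions of
the time, and every sample string below is constructed, not captured."""
import re

# The three commands from the post. conv=fdatasync is added here on purpose:
# without it dd reports how fast the page cache accepted the data, not how fast
# the flash device actually absorbed it, which flatters slow SD cards.
DD_CMD = "dd if=/dev/zero of=test bs=8k count=62500 conv=fdatasync"
SYSBENCH_CMD = "sysbench --test=cpu --cpu-max-prime=5000 run"
JOHN_CMD = "john --test"

_UNIT = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}


def parse_dd_mb_per_s(stderr_text):
    """GNU dd ends with '... copied, 41.4 s, 12.4 MB/s'; normalise to decimal MB/s."""
    m = re.search(r"([\d.]+)\s*([kMG]?)B/s", stderr_text)
    if m is None:
        raise ValueError("no dd throughput figure found")
    return float(m.group(1)) * (_UNIT[m.group(2).upper()] / 1e6)


def parse_sysbench_seconds(stdout_text):
    """sysbench 0.4 prints '    total time:    41.3210s' in its execution summary."""
    m = re.search(r"total time:\s*([\d.]+)s", stdout_text)
    if m is None:
        raise ValueError("no sysbench total time found")
    return float(m.group(1))


def parse_john_rates(stdout_text):
    """Map each 'Benchmarking: <format> [...]... DONE' block to its real c/s rate.
    Salted formats report 'Many salts:' and 'Only one salt:', unsalted ones 'Raw:'.
    The multi-salt figure wins when present, since that is the usual cracking case."""
    rates = {}
    current = None
    for line in stdout_text.splitlines():
        head = re.match(r"Benchmarking:\s+(.+?)\s+\[", line)
        if head:
            current = head.group(1)
            continue
        rate = re.match(r"(Raw|Many salts|Only one salt):\s*([\d.]+)([KMG]?)\s*c/s real", line)
        if rate and current and (rate.group(1) != "Only one salt" or current not in rates):
            rates[current] = int(float(rate.group(2)) * _UNIT[rate.group(3)])
    return rates


def speedup(r2_value, r3_value, higher_is_better=True):
    """How many times faster the R3 is; sysbench reports time, where lower is better."""
    return r3_value / r2_value if higher_is_better else r2_value / r3_value


def results(dd_text, sysbench_text, john_text):
    return {"dd_mb_s": parse_dd_mb_per_s(dd_text),
            "sysbench_s": parse_sysbench_seconds(sysbench_text),
            "john": parse_john_rates(john_text)}


def compare(r2, r3):
    """Speedup per metric, rounded to one decimal, for the formats both boxes ran."""
    out = {"dd write MB/s": speedup(r2["dd_mb_s"], r3["dd_mb_s"]),
           "sysbench 5000 primes": speedup(r2["sysbench_s"], r3["sysbench_s"], False)}
    for fmt in r2["john"].keys() & r3["john"].keys():
        out["john " + fmt] = speedup(r2["john"][fmt], r3["john"][fmt])
    return {k: round(v, 1) for k, v in out.items()}


# Constructed sample output. Only the dd throughputs match the post's figures.
R2_DD = "512000000 bytes (512 MB) copied, 41.4 s, 12.4 MB/s\n"
R3_DD = "512000000 bytes (512 MB) copied, 0.986 s, 519 MB/s\n"
R2_SYSBENCH = "Test execution summary:\n    total time:                          41.3210s\n"
R3_SYSBENCH = "Test execution summary:\n    total time:                          3.9050s\n"
R2_JOHN = ("Benchmarking: FreeBSD MD5 [32/32]... DONE\n"
           "Raw:\t1234 c/s real, 1240 c/s virtual\n\n"
           "Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE\n"
           "Raw:\t88 c/s real, 88 c/s virtual\n")
R3_JOHN = ("Benchmarking: Traditional DES [128/128 BS SSE2-16]... DONE\n"
           "Many salts:\t2934K c/s real, 2934K c/s virtual\n"
           "Only one salt:\t2571K c/s real, 2571K c/s virtual\n\n"
           "Benchmarking: FreeBSD MD5 [128/128 SSE2 intrinsics 12x]... DONE\n"
           "Raw:\t9216 c/s real, 9216 c/s virtual\n\n"
           "Benchmarking: OpenBSD Blowfish (x32) [32/64 X2]... DONE\n"
           "Raw:\t603 c/s real, 603 c/s virtual\n")

if __name__ == "__main__":
    table = compare(results(R2_DD, R2_SYSBENCH, R2_JOHN),
                    results(R3_DD, R3_SYSBENCH, R3_JOHN))
    for metric, factor in sorted(table.items()):
        print(f"{metric:28s} R3 is {factor:5.1f}x faster")
```

On a real pair of boxes, feed the functions the captured stderr of DD_CMD and the stdout of SYSBENCH_CMD and JOHN_CMD instead of the constructed strings.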

Verdict

In truth, there’s hardly even a competition here. The R2 is completely outclassed by its successor. Both the simplistic benchmarks and the practical John test prove the same fact: the Pwn Plug R3 is a quantum leap forward in raw power, which directly equates to better performance in the field.

Job description: Infosec Ranger at Pwnie Express

Help Net Security

Job description: Infosec Ranger at Pwnie Express

November 14, 2014

By Mirko Zorz

When I learned that well-known hacker and conference speaker Jayson Street decided to join the Pwnie Express team, I knew this was the perfect time for an interview.


You’ve been highly independent, traveling the world on assignments for several years. What made you settle down to work for Pwnie Express?

The main thing that drew me to working with Pwnie Express was the team and their commitment to being part of the broader community. From the very beginning Pwnie Express’s founder Dave and his crew were always part of the community. They don’t just sponsor community conferences – they also give out their PWN devices for free. No matter how much they grow I know they will never forget their roots!

On a side note, a funny behind the scenes story on my introduction to the team: I was first approached by Dave at DerbyCon this year. He introduced me to Paul the CEO of Pwnie Express and we had a great conversation. Though later that night I met Paul again but this time I was in a bright yellow Minion onesie. Upon seeing him I sheepishly said to him, “So rethinking the idea of having me working with your team?” His response was to laugh and say, “Oh no, this confirms it – you’re a perfect fit.”

(Original Article)

Compliance 101

Here at Pwnie we have recently become very interested in compliance, and there is a lot to be interested in – compliance is important, often complicated, and vital to enterprises across the world.

Our friends over at IT Governance wrote a recent blog on the highlights of PCI DSS 3.0, and as they rightly point out, one of the most important parts of the new guidelines is its stress on security as a shared responsibility. No one person or part of the organization is fully responsible for security – while a CISO may have purview over the matter, he has no control over what each and every employee does and it is each employee’s choice to comply (or not) with the mandates. This is one of the reasons that Pwnie Express helps with compliance mandates – with full visibility into all of your wired and wireless assets, determining whether or not your employees are being compliant becomes a much easier job.

However, many of the experts we have spoken to have pointed out that there are even simpler things that can help you begin to both be compliant and secure.

  • Properly segment your network
  • Know what’s out there
  • Educate your employees

To hear more, register for our free webinar on Thursday, November 13th at 1pm EST

The Pony Grows Up: Pwn Plug R3 Review

The PowerBase

The Pony Grows Up: Pwn Plug R3 Review

November 11, 2014

By Tom Nardi

Over two years ago, we did a review for the first-generation Pwn Plug: a little ARM box that looked enough like a power adapter for a printer that it could reasonably be hidden in a wiring closet or office, all the while snooping on the local network and reporting back to a remote operator. It was, in a word, revolutionary.

Not that the idea itself was actually new. People in the security industry had been talking about this kind of thing for years, and of course, anyone who’s ever seen a spy movie can probably envision a device that operates in a similar manner. But it had never been practical to put into the field with the bulky x86 systems that ruled computing. Once Linux on ARM became mainstream though, it didn’t take the outside the box thinkers of Pwnie Express long to create a security appliance right out of a James Bond movie.

But technology changes rapidly. An ARM computer you plugged into the wall and ran Linux on that cost “only” a few hundred dollars was an incredible feat in 2012, indeed, it was enough to build a whole new industry on. Now we have Raspberry Pi’s running off of 9V batteries for $35 at Radio Shack.

Can a Pwn Plug in 2014 make the same kind of waves the original did in 2012? Or has the industry, and technology, passed the concept by?

The Pwn Plug Line

For the uninitiated, the Pwn Plug line is advertised as the premiere turn-key penetration testing device on the market. With the ability to establish a reverse shell both in and out of band (i.e. through the host network, or over cellular), the Pwn Plugs are an extremely easy way to get a back door into whatever network they happen to be connected to. With their small size and unobtrusive physical appearance, the Pwn Plugs are ideal for covert deployments and performing remote penetration tests without having to physically travel to the target.

Once the Pwn Plug has dialed home, the operator has access not only to the dizzying array of open source security tools which the Pwn Plug includes, but can use the included development environment to compile, or even develop, new software right from within the target network.

None of these individual features are particularly revolutionary taken on their own, but combining them all into one ready to go appliance is. The Pwn Plug isn’t so much about breaking totally new ground as combining methods and technologies into a cohesive product that saves the user the trouble of putting it all together themselves.

The hardware is off the shelf, and the software is (mainly) open source. What you pay for isn’t the product itself, but the combined knowledge and support of the Pwnie Express team.

Hardware

Ironically enough, for this latest version the Pwn Plug has switched back to the x86 platform that had hindered this sort of product for so long in the past. Instead of a comparatively anemic ARM device, the R3 is based on the Intel Next Unit of Computing (NUC). Sporting a 64-bit dual-core 1.1 GHz CPU and 2 GB of RAM, the R3 could double as a small form factor desktop in a pinch.

While the performance boost is certainly welcome, arguably the biggest improvement of the R3 is the fact that it now features built-in wireless (WiFi and Bluetooth) hardware. The original Pwn Plug relied on external adapters for wireless support, which was…ungainly, to say the least. The R2 had built-in WiFi, but still required an external Bluetooth adapter. With the R3, both are now supported out of the box without having to plug anything in. Though some may take issue with the fact that the integrated wireless solution on the R3 precludes the use of external antennas, the reality is, most use cases will work fine with the built-in radios.

On the flip side, while the R3 finally integrates wireless, it loses the second Ethernet port that the R2 added. This is something of a step backwards as it means you’ll now need to use an external Ethernet adapter to perform certain tasks, just like on the original Pwn Plug. Realistically, most users are probably more interested in wireless anymore, so losing the dual Ethernet in favor of built-in wireless is unlikely to ruffle many feathers, but it was nice to have the option.

[Image: rear of the Pwn Plug R3]

Hardware wise, there is no question that the R3 is easily the most powerful of the Pwn Plugs, and the internal wireless (lack of dual Ethernet notwithstanding) finally fixes one of the most glaring problems of its predecessors. Unfortunately there is one thing the R3 lacks which the earlier Plugs had in spades: the element of surprise.

Pulling the Plug

Without a doubt, one of the most revolutionary things about the original Pwn Plug was that it didn’t look anything like a traditional computer; it was a white box that plugged into the wall. It even came with stickers that made it look like a power adapter or an automatic air freshener. It was sort of the whole point, you could plug it into the wall and there was very little chance that anyone but the most astute would have thought something was out of the ordinary.

The R2 was not quite as stealthy as the original Plug, but thanks to its general shape and large external antenna, it could plausibly take on the appearance of an innocent wireless access point. It might have gotten more attention than the original Plug, but at least it wasn’t completely out of place.

But sadly the R3 doesn’t have either form of camouflage; it has the dubious honor of simultaneously looking in and out of place. On one hand, it doesn’t have the non-traditional shape of the original Plug, and on the other, it doesn’t look nearly as utilitarian as it should if it’s going with the R2’s plausible deniability defense.

With its sleek lines, front mounted USB port, and blinking LED activity light, the R3 looks more like a Roku than a penetration testing device. The thing’s even got HDMI (dual HDMI, at that).

[Image: Roku]

Which makes the R3 sort of an odd addition to the Pwn Plug line. Is it still trying to be a covert device? Have Pwnie Express abandoned that line of logic in favor of simply delivering a turn-key penetration testing device? The documentation refers to the hardware as “portable” and “shippable”, but no longer calls the device a “drop-box” as in earlier Pwn Plug revisions.

Of course, it makes sense. The idea of attempting to hide an expensive piece of hardware in your target network was always a bit hokey. Certainly clever, but not terribly practical over the long term. But the idea of a small and portable IT penetration device with reverse shell capability isn’t only useful in the context of hiding it; you can just as easily ship it to a target and have them plug it into their network.

Remember, the use case for the Pwnie products is legitimate penetration testing, not breaking into networks illegally. Rather than having to send out an investigator every time a company or organization conducts a penetration test, they can simply ship a Pwn Plug to the target and have them hook it up to the network. The penetration test can then be done remotely, faster and cheaper than it could have been done otherwise.

Losing the pretext of the Pwn Plug being a covert hacking device is a bit of a let down on the surface, but realistically, it’s just a sign of Pwnie Express taking its products down a more mature and corporate-friendly direction. There are certain circles where a little box that looks like an air freshener just isn’t going to be taken seriously as a legitimate tool, and for those places, the R3 becomes a necessity.

Pwnix

On the software side, Pwnie Express has taken the world’s most popular security testing Linux distribution, Kali, and customized it to create Pwnix. Because it’s running on a Kali base, Pwnix includes essentially every worthwhile open source security tool in existence, and is constantly being revised with new tools and updates. Even if there’s a tool you want that isn’t included, thanks to Pwnix including a full-fledged Linux environment and the R3 running on standard Intel x86 hardware, you can almost certainly install it without jumping through too many hoops.

Pwnix also includes a very slick web based user interface for configuring and updating the R3, as well as launching services and setting up reverse SSH shells.

[Image: Pwnix web UI]

The web UI is a very nice touch that really makes the Pwn Plug feel like a professional and cohesive product. It beats having to dive into the command line every time you want to clear some logs or change an IP address.

Missed Opportunities

In general the software environment is quite good, but there are a few obvious areas of improvement.

For example, for all the polish that has been put into the web UI, it seems like it could be utilized a bit better. The web UI only lets you start a paltry 3 services, and you can’t even do something as simple as a WiFi site survey with it. Even consumer grade routers let you scan for other APs from within their UIs anymore.

[Image: Pwnix web UI services page]

Of course, given the immense amount of services and functions that the user could potentially want to access on their R3, it would be unreasonable to assume there could be a UI front-end for each one of them. Still, there are a few key services and functions that Pwn Plug operators would almost certainly use which could get a proper UI treatment.

As it stands, the web UI is something you would only visit on occasion. This seems an awful waste of potential, and hopefully something Pwnie will address with future software updates.

Conclusion

All in all, the Pwn Plug remains a remarkably complete turn-key penetration testing solution. The new hardware is not only more powerful than the previous versions of the hardware (as should be expected), but has an air of professionalism that its predecessors lacked. While it might not be the same type of “cowboy” style product the original Pwn Plug was, it certainly fills a niche and continues to push the Pwn Plug forward.

That said, it still isn’t perfect. While this version of the Pwn Plug still requires fewer external devices than the original to operate to its full potential, having to plug in external GSM or Ethernet adapters is rather awkward. As with the previous Pwn Plugs, the off the shelf hardware that Pwnie Express chooses to use is adequate, but not always ideal. Given their success, it would be nice to see Pwnie Express invest in more custom-made devices rather than relying on hardware that’s already commercially available. They’ve done it in the past with the Power Pwn, but seem reluctant to try again.

But in the end, outside of the little nagging issues, there’s really not much to dislike about the R3. Previous Pwnie products have had something of an unfinished feel, or perhaps to put it a different way; previous Pwnie devices gave the impression they were still being actively developed and experimented with, even after you purchased them. But with the R3, the hardware and software have really come together into a product that feels complete.

With the R3 you get the distinct impression that not only has the product itself reached a new level of maturity, but so has the company behind it.

The Pwn Plug R3 is available now, directly from Pwnie Express for $995, with optional extended warranty service and web-based training.

(Original Article)

Mobile SDR with Pwnie Mobile Devices

In the context of pentesting, “wireless” is generally taken to mean WiFi, and possibly Bluetooth. That’s not because those are the only two wireless technologies deployed in the wild, but because these are the primary types of wireless communications that testers can get access to. The economies of scale push the cost of high-end WiFi and Bluetooth radios down to the point that even amateur pentesters can afford them, but traditionally, the same has not been true for other forms of wireless.

But a chance discovery a few years ago revealed that cheap USB TV tuners based on the Realtek RTL2832U chipset could be tuned into frequencies well outside of their advertised capability. With just a bit of driver modification, the hacking community got their hands on a highly capable software defined radio (SDR) that could be purchased for as low as $10 from some vendors.

With SDR, instead of having expensive radio equipment to receive and decode each specific wireless technology, one radio can be tuned into an arbitrary frequency, and software can do the decoding. This opens up a huge swath of the radio spectrum; everything from pager transmissions to satellite transmissions can be received with inexpensive hardware and open source software.

Even better, with powerful mobile devices like the Pwn Pad and Pwn Phone, it’s now possible to take SDR on the go. Penetration testing no longer has to be limited to WiFi and Bluetooth, but can include things such as two-way radio communications and pager messages.

Supported Hardware

TV tuners based on the RTL2832U chipset are fairly common, and a number of online retailers stock them specifically for SDR use. Searching eBay or Amazon for “RTL-SDR” will bring up plenty of hardware choices.

The RTL-SDR project website maintains a basic compatibility list of devices known to work, though it’s by no means exhaustive. A somewhat more detailed compatibility list, maintained by the community, is available on Reddit.

Software

Currently, the best SDR software available for Android is “SDR Touch”, developed by Martin Marinov. SDR Touch will work out of the box on both the Pwn Phone and Pwn Pad; all you need is the included USB On-The-Go (OTG) cable and a supported RTL device.

After your hardware is connected, open up SDR Touch and tap the On/Off button at the top right of the screen. That will show the following message, asking you to confirm that you want to let SDR Touch communicate with the hardware. Selecting the checkbox will prevent you from seeing this dialog every time you start the app.

[Image SDR1: SDR Touch USB device permission dialog]

Operation

SDR Touch is a full featured software defined radio, allowing you to tune the radio to whatever frequency you wish, visualize received signals with a “waterfall” spectrum analyzer, and even decode a number of protocols automatically.

Dragging the spectrum analyzer in the center allows you to adjust the frequency you’re currently listening to, and pinching will let you zoom in to make fine adjustments. Signals which are stronger than the background noise (which is to say, something that’s likely to be an interesting transmission) will show up as large spikes in the upper region of the display and colored tracks on the bottom of the display.
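The “stronger than the background noise” rule SDR Touch applies visually can be done numerically. The following is an added example, not code from SDR Touch or Pwnie Express: it builds a constructed baseband IQ capture (white noise plus two tones, centred on the 462.583 MHz frequency used later in this article at an assumed 256 kHz sample rate), computes a power spectrum with a plain DFT, and reports the absolute frequencies of bins that rise a set number of dB above the median noise floor, which is the same check a defender would run to survey a site for unexpected transmitters.

```python
import cmath
import math
import random
import statistics

# Constructed capture parameters (assumptions for this example, not from the article
# beyond the 462.583 MHz centre frequency): 256 kHz sample rate, 256-point DFT,
# so each spectrum bin is SAMPLE_RATE / N = 1 kHz wide.
CENTER_HZ = 462_583_000
SAMPLE_RATE = 256_000
N = 256


def make_iq(tones_hz, noise_amp=0.05, seed=1):
    """Build N complex IQ samples: Gaussian noise plus one unit-amplitude tone per offset (Hz)."""
    rng = random.Random(seed)
    samples = []
    for n in range(N):
        s = complex(rng.gauss(0, noise_amp), rng.gauss(0, noise_amp))
        for f in tones_hz:
            s += cmath.exp(2j * math.pi * f * n / SAMPLE_RATE)
        samples.append(s)
    return samples


def power_spectrum_db(samples):
    """Naive DFT (no numpy needed) -> per-bin power in dB, ordered from -fs/2 to +fs/2."""
    n = len(samples)
    bins = []
    for k in range(n):
        acc = sum(samples[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        bins.append(10 * math.log10(abs(acc) ** 2 / n ** 2 + 1e-12))
    # DFT order is 0..fs/2 then -fs/2..0; rotate so the centre frequency sits in the middle,
    # matching the waterfall layout in the app.
    return bins[n // 2:] + bins[: n // 2]


def strong_signals(samples, threshold_db=20.0):
    """Absolute frequencies (Hz) of bins at least threshold_db above the noise floor."""
    spec = power_spectrum_db(samples)
    floor = statistics.median(spec)  # median ignores a handful of strong peaks
    n = len(spec)
    hits = []
    for i, p in enumerate(spec):
        if p - floor >= threshold_db:
            offset_hz = (i - n // 2) * SAMPLE_RATE / n
            hits.append(CENTER_HZ + offset_hz)
    return hits
```

With tones placed at +30 kHz and -20 kHz from centre, `strong_signals` returns 462.613 MHz and 462.563 MHz and nothing else; a noise-only capture returns an empty list.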

In the following image, the radio is tuned to 462.583 MHz, listening in on a transmission from a standard handheld walkie talkie.

[Image SDR2: SDR Touch tuned to 462.583 MHz, showing a walkie-talkie transmission on the waterfall]

While SDR Touch is running you’ll be hearing live audio as it’s received from the radio hardware. When tuned to a transmission such as this, you’ll be able to hear whatever the users are saying as if you had your own walkie talkie. You can even press the “Record” button on the bottom right of the screen to save the audio.

Scratching the Surface

With the appropriate hardware and working knowledge of SDR Touch under your belt, a whole new world is opened up. Searching around the spectrum with an eye out for strong signals can uncover some very surprising things.

For example, in many areas pager networks are still operating in the 900 MHz band. Pager broadcasts by their nature tend to be very strong, and are easy to identify both by the bright, wide track they leave on the waterfall and by their distinctive sound (not unlike an old analog modem). Connecting the Pwn Pad or Pwn Phone’s headphone jack to a computer’s audio input allows more advanced software to process digital signals such as these, which can recover the plaintext content of pager messages.

One simply can’t overstate just how much new territory is opened up by mastering SDR techniques. As we become increasingly reliant on wireless technology, having the tools and knowledge to discover and interpret wireless signals will become indispensable for the pentester.