Many businesses will insist that guests leave smartphones and bags at the gate. However, the black platform shoes have compartments suitable for carrying penetration testing and sniffing kits.
Developed with the help of a 3D printer, the "Wu Ying Shoes," meaning "shadowless" from folk hero Wong Fei Hung's shadowless kick, act as a means to "distract the target with my upper body and they don't see the real danger on my feet," according to the Chinese hacker.
Each shoe has a drawer which can be slid out without the shoes being taken off. These compartments can contain various payloads, such as malicious flash drives and a penetration testing drop box.
The hacker commented:
"Installing OpenWRT on the TL-MR10U is just like upgrading the firmware on any router. It's two links and a button -- nothing to it. There's a lot of different software you can run once you have OpenWRT flashed.In the other shoe, the hacker included a USB keystroke recorder, retractable ethernet cable, and a basic lock pick.
This router may-or-may-not be running a custom version of Wispi for the TP-Link TL-MR10U because if it was it would probably be illegal in China so maybe it's not. But if it was I could run Jasager/Karma which lets you can fake being a friendly/known Wi-Fi access point and set up a fake login page to capture passwords, among other cool tricks. Wispi also has a few other handy utilities."
Before this project is dismissed as a potential attention-seeking episode, she does have a point to make. Social engineering is a sure-fire way to gain entry into a secure building -- whether through uniforms, an official manner or by acting the casual, unshaven IT hound.
I remember one scenario in which a business owner challenged a security professional to steal credentials on a server. After discovering entry across the Web was difficult, the security professional simply acted as the resident IT man, walked into the office belonging to his challenger, and sauntered out with it.
While this tactic is often successful, this doesn't mean you can easily smuggle your kit in with you, and discovery may arouse suspicions.
Therefore, despite the way the project has been displayed, the use of clothing as a means to attack companies is an interesting and novel way to approach the challenge. Networks which trade zero-day vulnerabilities between groups, stolen data sales across the Dark Web and high-profile attacks are becoming commonplace -- and as some businesses begin to take security more seriously from the ground up, we should expect physical access tactics to also evolve in sophistication.
For the enterprise, this means that investment and training should not focus exclusively on Internet-based threats, but gatekeepers who control access to buildings must also be trained in how to detect suspicious activities, social engineering and perhaps even clothing which doesn't fit the mould.
The shoe designs can be downloaded under an open-source license here.
No comments:
Post a Comment