Sunday, July 6, 2014

Hidden Palm Pilot Wardialing Platform: Part One

While combing through "ye olde box of ancient tech artifacts" I found a Sony Clié Palm Pilot (PEG-N610C circa 2001/2002?). I powered it up to find it still worked like a charm. What to do with this wonderful little piece of tech?

How about a war dialing platform stuffed into a gutted APC battery backup that can be hidden in just about any office anywhere for around $20 USD? Sure. OK!

In part one of this Back to the Hack we will discuss the basic idea for this cheap hidden war dialing platform, its uses, and the goals for the build. In part two we will look at the deployment of this wonderfully ancient little device and what it can be used to discover.



Why a wardialer?
Who uses dial-up anymore? Why do we even need a war dialer? Good question, glad you asked. The rumors of telephone modem connections being dead are greatly exaggerated. Many credit card processing systems still use POTS lines for communication. Alarm systems, multi-function printers (fax, scan, and on-board storage for scanned documents), out-of-band management ports on network devices, DVRs, and a whole host of other platforms have telephone modem connections. Once an attacker has "dialed in", the device's other network interfaces can become a pivot onto the internal network. Often these connections are completely forgotten about. They exist because they always have. Sometimes they were turned on and connected by default when a vendor came onsite to do the original equipment install.

What's the best part about these systems for attackers? They are rarely if ever patched. You show me a small or medium sized business that patched their leased multi-function printer within six months of a patch release (if ever) and I will show you a saber tooth tiger in a kilt making mango smoothies. It just doesn't happen unless something is broken.

Why a Palm Pilot?

Let's look at some of the pros and cons:

Pros
  1. Cheap - You can pick up a Palm III or V for next to nothing. $10 USD or less on eBay
  2. Disposable - See 1.
  3. Self-Contained - Processing, battery, interface all ready to go. 
  4. Available modems for next to nothing that are also battery powered. Again, see eBay.
Could you do this with a Raspberry Pi? Absolutely. However, the Pi modem module, Pi, SD card, etc., etc. will cost way more than the Palm Pilot. If all you need is a war dialer, an old Palm Pilot may be the perfect solution.

Cons
  1. Old software - Palm OS software is old and getting harder to find.
  2. Power - Many have a low battery capacity, so long-term use will need an external power source.
The Build

The Palm
As previously stated, I found a perfectly good Sony Clié Palm Pilot - PEG-N610C in an old box. The Palm was running Palm OS v4. Adding software is very easy on this model, as a key differentiator for Sony branded Palm Pilots was a Memory Stick slot. I didn't even need to load software onto my PC to get new software onto the device. Load software to the Memory Stick, shove it in the Palm Pilot, done loading software. More on the software later.

The Modem
What about adding a modem? By a sheer stroke of luck I checked eBay and someone had a brand new, never been opened modem for my Clié. My cost was $15 USD. When I received the modem in the mail it felt like opening a time capsule preserved in shrink wrap, taking me twelve years into the past. <ConanOBrienVibratoVoice>IN THE YEAAAAAR TWO-THOUSAND. IN THE YEAR TWO-THOUSSSSSSSAND!</ConanOBrienVibratoVoice>

I connected the modem to the Clié and it was recognized without issue.

If you are using a Palm III or V, modems can be found on eBay for just a few dollars.

Now we need to look at software.


War Dialing
Joe "Kingpin" Grand still has a link to the old L0pht Heavy Industries war dialing software for Palm online at Grand Idea Studio. The software, TBA, was developed for just this purpose and has all the basic features you would expect from a war dialer: dialer configuration, scheduled start, dial masking, and output files. If you were looking closely you may have noticed the software was already loaded in the first picture of this post. I downloaded the software to a Memory Stick and loaded it onto my Palm Pilot without issue. On another Palm device you may need to load it via HotSync.

Hiding in Plain Sight
I have an APC BE350R battery backup with a battery that is ready to die. This battery backup will be perfect for hiding the Palm Pilot. There are three things that make this device perfect for the task at hand:

1. After the battery and board are removed the inside can be stuffed with malicious (Read: Legitimate Penetration Testing) tools. 
2. They are ubiquitous in offices. Placed under a desk or behind a cabinet, nobody would notice the device, especially when it is gutted, turned into a power strip, and has all the nearby computer gear plugged into it.
3. It has a telephone pass-through to protect DSL modems. Wiring our war dialer inline with the existing phone system will be all too easy.

When the battery dies these units are usually trashed or recycled, so getting a "dead" one should be a trivial task. Search eBay for "APC 350 no battery". Listings for under $5.00 USD are common.

The Goals
This project has a clear set of goals:
  1. Palm Pilot will be wired into the APC device to continually draw power.
  2. Modem will be wired into the DSL protection ports to create a seamless pass through.
  3. Modem will be protected from DSL and other digital lines via a filter.
  4. War dialing routine will be on a schedule (after business hours).
  5. Results will be captured to a text file on the Palm Pilot.
  6. Palm will be configured to email the war dialing results out via a free dial-up service. 
  7. Battery backup should be made to look familiar (Worn, fake asset tags, possibly dusty)
  8. Tamper resistant screw - Placing a tamper resistant screw in the battery bay will discourage curious people.
  9. Device should be cheap - Something that makes this platform appealing is the ability to write it off if "discovered". 
  10. BONUS - Automatic Download of a new dialer configuration based on the previously uploaded results. 
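To make goals 4 and 5 (and TBA's dial masking) concrete, here is an added example of the core of a war dialer in Python. This is not TBA's code and not part of the original post: the dial-mask format (`X` as a wildcard digit), the after-hours window, the tab-separated log format and the simulated modem responses are all assumptions made for the example, and the modem itself is a constructed stand-in so the block runs offline. Against a real modem, `dial_fn` would write `ATD<number>` to the serial port and return the result line the modem sends back.

```python
"""War dialer core: dial-mask expansion, after-hours scheduling window and
classification of Hayes-style modem result codes.  Added example; the modem
is simulated (constructed responses) so it runs without hardware."""
import itertools
import random

# Result codes a Hayes-compatible modem returns after ATD, mapped to the
# category a war dialer logs.  Assumption: any "CONNECT ..." line is a carrier.
RESULT_CLASSES = {
    "CONNECT": "carrier",
    "BUSY": "busy",
    "NO CARRIER": "no carrier",
    "NO ANSWER": "no answer",
    "NO DIALTONE": "no dialtone",
    "VOICE": "voice",
}


def expand_mask(mask, seed=None):
    """Expand a dial mask such as '555-01XX' into concrete numbers.
    Each 'X' is a wildcard digit; non-digits such as '-' are dropped.  The
    list is shuffled so the sweep does not walk the block in order."""
    digits = "".join(c for c in mask if c.isdigit() or c == "X")
    positions = [i for i, c in enumerate(digits) if c == "X"]
    numbers = []
    for combo in itertools.product("0123456789", repeat=len(positions)):
        chars = list(digits)
        for pos, d in zip(positions, combo):
            chars[pos] = d
        numbers.append("".join(chars))
    random.Random(seed).shuffle(numbers)
    return numbers


def in_window(now, start=(22, 0), end=(6, 0)):
    """True if 'now', an (hour, minute) tuple, falls inside the dialing
    window start..end.  The default window (22:00 to 06:00) wraps midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def classify(response):
    """Map the modem's final result line to a war dialer category."""
    line = response.strip().upper()
    for code, cls in RESULT_CLASSES.items():
        if line.startswith(code):
            return cls
    return "unknown"


def dial_sweep(numbers, dial_fn, log_path=None):
    """Dial each number via dial_fn(number) -> modem result line and record
    'number<TAB>class<TAB>raw' lines, optionally appended to a text file."""
    lines = []
    for n in numbers:
        resp = dial_fn(n)
        lines.append(f"{n}\t{classify(resp)}\t{resp.strip()}")
    if log_path:
        with open(log_path, "a") as f:
            f.write("\n".join(lines) + "\n")
    return lines


# Constructed simulated modem: two numbers in the block answer with a carrier,
# one is a voice line, everything else rings out.
SIMULATED_RESPONSES = {
    "5550112": "CONNECT 9600",
    "5550137": "CONNECT 2400/ARQ",
    "5550100": "VOICE",
}


def fake_modem(number):
    return SIMULATED_RESPONSES.get(number, "NO ANSWER")


def find_carriers(mask, seed=1):
    """Sweep a mask against the simulated modem; return carrier numbers sorted."""
    results = dial_sweep(expand_mask(mask, seed=seed), fake_modem)
    return sorted(l.split("\t")[0] for l in results if l.split("\t")[1] == "carrier")


if __name__ == "__main__":
    if in_window((23, 30)):
        for line in dial_sweep(expand_mask("555-01XX", seed=1), fake_modem):
            if not line.endswith("NO ANSWER"):
                print(line)
```

The classification step is where a real run gets interesting: a `CONNECT` result is only the start, since the banner the far end sends after the carrier negotiates is what tells you whether you have hit a printer, a DVR, or an out-of-band console port, and that is what part two's "what it can be used to discover" is about.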
Part Two will focus on the build, prep, deployment, and testing findings of the hidden in plain sight war dialing platform.
