Recently the technical team had a discussion about subversive attack vectors that could be utilised by social engineering attacks to provide a long term remote connection to a network whilst remaining undetected.
After a spark of inspiration and half an evening later the following device was made as a proof of concept.
We took an ordinary desk VoIP phone and opened it up (voiding warranties is so heart warming).
Plain desk phone
As you can see there is a lot of spare room inside a modern phone, hiding a device in one of these is going to be easy.
Open phone
In order for this device to work undetected we needed a way to connect the device to the target’s network and also a way to power the device, thankfully both solutions are already present. Power was provided by hacking a micro USB cable end off and soldering directly to the power board of the phone which coincidently was running 5 volts, exactly what we needed to run the Raspberry Pi.
Ideally we would have taken the time to cross solder the RJ45 connector, however as this was a proof of concept, an additional RJ45 socket was soldered into place.
Added RJ45
RJ45 port in place
Power attached
Powered up the device now acts as both a VOIP phone and powers up the Raspberry Pi, the POC device uses two network cables but in the real world the Pi would be attached to the same singular network point.
Powerd Ph0wn
Finally we moved the speaker and attached a USB webcam to provide simple voice/video as well as a wireless adapter.
USB webcam
Put back together it is impossible to see that inside is a perfect remotely accessible device plugged directly onto the target’s network.
Completed Ph0wn POC