Malicious attackers and penetration testers alike are drawn to the ease and convenience of small, disguisable attacker-controlled devices that can be physically implanted in a target organization. When such a device is discovered, the organization may wish to perform a forensic analysis of it to determine what systems it has compromised, what information has been gathered, and anything that can help identify the attacker. Attacker-implanted penetration testing software and hardware may also be the target of counter-attack. Malicious attackers may compromise penetration testers' devices in order to surreptitiously gather information across multiple targets and pentests. The very tools we rely on to test security may provide an attractive attack surface for third parties.
In this talk, procedures for forensic examination and zero-day vulnerabilities that lead to remote compromise of the Pwn Plug will be discussed and demonstrated as a case study. Possible attack scenarios will be discussed.