– DARPA-Funded Hacker’s Tiny $50 Spy Computer Hides In Offices, Drops From Drones (Forbes, Jan. 27, 2012):
Even more embarrassing than a student discovering your GPS tracking device on his car, as the FBI found out last year, is having to ask him to give the expensive piece of equipment back.
So security researcher Brendan O’Connor is trying a different approach to spy hardware: building a sensor-equipped surveillance-capable computer that’s so cheap it can be sacrificed after one use, with off-the-shelf parts that anyone can buy and assemble for less than fifty dollars.
At the Shmoocon security conference Friday in Washington D.C., O’Connor plans to present the F-BOMB, or Falling or Ballistically-launched Object that Makes Backdoors. Built from just the hardware in a commercially-available PogoPlug mini-computer, a few tiny antennae, eight gigabytes of flash memory and some 3D-printed plastic casing, the F-BOMB serves as 3.5 by 4 by 1 inch spy computer. And O’Connor has designed the cheap gadgets to dropped from a drone, plugged inconspicuously into a wall socket, thrown over a barrier, or otherwise put into irretrievable positions to quietly collect data and send it back to the owner over any available Wifi network. With PogoPlugs currently on sale at Amazon for $25, O’Connor built his prototypes with gear that added up to just $46 each.
“If some target is surrounded by bad men with guns, you don’t want to have to retrieve this, but you also don’t want to have to pay four or five hundred dollars for every use,” says O’Connor. “The idea is that it’s as close to free as possible. So you can throw a bunch of these sensors at a target and get away with losing a couple nodes in the process.”
Homemade as it may look, the F-BOMB is more than a hacker hobby. O’Connor says his one-man security consultancy Malice Afterthought received a Defense Advanced Research Projects Agency contract earlier this month to develop the devices as part of the Cyber Fast Track program, which awards small sums to inventors.
Despite its name, O’Connor says the F-BOMB is designed to be a platform for all sorts of applications on its Linux operating system. Outfit it with temperature or humidity sensors, for instance, and it can be used for meteorological research or other innocent data-collecting. But install some Wifi-cracking software or add a $15 GPS module, and it can snoop on data networks or track a target’s location, O’Connor adds. As is often the case with these kinds of hacker projects, he says the devices are only intended for penetration testing–finding security flaws in clients’ networks in order to fix them–and wouldn’t comment on what DARPA might do with the technology.
That hasn’t stopped the 26-year old researcher from coming up with a few clever ways to deliver or hide the tiny spy computers. One version attaches to the Parrot Drone, an iPhone-controllable quadcopter, sucking power off the drone’s rechargeable battery and allowing the user to hover over a target, land it on a roof, or drop the F-BOMB from a hook attachment on the drone.
Another version fits inside a carbon monoxide detector, and can be plugged into a wall socket to hide in plain sight inside a target’s building. (As shown above) In use-cases where it’s not plugged in, the most basic version of the F-BOMB comes with a module of AA batteries that allow for a few hours of use, though O’Connor says he’s working on versions with more longevity.
“It can fit whatever use case you want,” he says. “Put it in a box of stale Triscuits in the office kitchen, and no one will touch it. Or hide it in a carbon monoxide detector and you can leave it there for months.”
O’Connor, who formerly worked for the DARPA-funded contractor SET and as a graduate student in John Hopkins’ sensor research lab, says he was inspired by a pair of talks at last summer’s hacker conference Defcon. One focused on systems for firing camera projectiles, while the other showed off the WASP, or Wireless Aerial Surveillance Platform, an adapted Air Force flying drone equipped with gear for cracking Wifi networks and snooping on cell phones.
While O’Connor says he admired both those projects, his own system is far cheaper. And just as important, he says, using off-the-shelf components means the computers can be left behind without its innards revealing who built it, as more custom-designed or expensive parts might.
“If you lose it, it’s not a big deal,” says O’Connor. “And if they take it apart, they don’t learn anything about you.”