This Christmas, your company's getting an iPhone in a box

George Ou (yes, that George Ou!) has an interesting preview of David Maynor's (yes, that David Maynor!) presentation tomorrow at DEFCON 16.

The horny one doesn't know if David's ingenious idea was inspired by the dick in a box, but to riff on a theme:

1) Get a box
2) Put a hacked iPhone attached to an external battery and running reconnaissance or penetration (ahem) tools in the box
3) Mail the box to your girl some company
4) Penetrate (the Macalope said "ahem" already!) said company

And that's how you do it!

While many companies have their shipping and receiving done at separate locations because of more traditional kaboom-related threats, this is still pretty Mission: Impossible.

The usual jokers will probably take this as another sign of why iPhones shouldn't be allowed in the enterprise.

[GaryPatterson]

That's a joke, right?

I mean, a company gets an iPhone in a box that's physically hacked up and just puts it into use? No company I've ever worked for would allow that. Even the most stupid IT drone right out of mail-order-diploma-school would stop and think about that one.

It's some kind of crappy joke, right?

[ripragged]

Gracious, Mr. Lope. The level of seriousness of your article was immediately plain to me. Apparently the entry requirements of C|Net are somewhat less stringent than the requirements of your old blog.

Just to be clear, I think you should explain that the comparison is of a physically hacked iPhone to the male appendage of a desperate pervert. It seems like a reasonable comparison to me. In context to corporate IT, it seems entirely apropos.

Sit up straight. Eat your green beans.

[Sandro Abate]

What kind of imbecile would plug in any device, iPhone or no, that shows up unannounced and unexpected into the corporate network? That's right, George Ou.

[dmaynor]

The talk was actually inspired by the SNL skit.

Let me clear up a misconception. The box is never supposed to be opened, that why it is sent to a nonexistent person. The attack works fine since the box is suppose to stay in the companies shipping and receiving facaility that allows us to connect over the ATT network then use the wifi interface to collect data or launch attacks. In fact someone opening the box would pretty much ruin the attack since an iphone connected to a battery would look suspicious.

[chigaze]

This is actually an interesting attack and could probably be done with more devices than just an iPhone. The iPhone just makes it a juicier story.

The most frightening part is that a place would hold an unidentified package for 5 days. Homeland Security might have something to say about that.

[MATTAND]

@dmaynor:

Here's a less snarky version of what I tried to post at George Ou's site: It's seems that the major mechanism for this hack is counting on every mail department to utterly ignore the box.

Granted, most mail departments aren't exactly think tanks. However, given the 9/11-enhanced paranoia in today's world, doesn't it seem slightly implausible that most people are just going to ignore a delivery to a phantom employee?

Also, is it only the iPhone that can do this? As chigaze pointed out, the iPhone makes for more sensational headlines (and causes people like George Ou to have a four Kleenex box day.) If other phones can do this, are you going to list them as well?

[ripragged]

What if the iPhone was also contaminated with salmonella? Wait. Here's one. You could blow up a whole building with an iPhone and some carefully placed plastique. An iPhone could be programmed to make anonymous obscene phone calls to a transient hotel in Decatur, Ill.

Man. iPhones are scary.