Power Pwn’s price tag is as dangerous as its black-hat uses

This rather normal-looking power strip hides a secret inside. It’s called the Power Pwn, and it conceals hardware which facilitates remote penetration testing of a network. It really is the ultimate in drop hardware as you can quickly swap it with existing power strip. Who’s going to question it?

It’s got almost all the bells and whistles. There are dual Ethernet ports, Bluetooth with 1000′ range, and WiFi with a high-gain antenna. The SoC inside comes with Debian 6 and all the exploit tools you might want pre-loaded. There’s even a 3G adapter, but it’s external and not pictured above. The thing is, for a pre-order price tag of $1,295 we think that 3G should have been internalized and come with a lifetime unlimited data plan! That could be a bit overboard… our heads are still spinning from the sticker shock.

This isn’t the first time we’ve seen hardware from this company. Their Pwn Plug was used in this project. We just didn’t catch the $595 price tag for that device until now.

[via Reddit via Zdnet]

Comments

  1. rfengr00 says:

    What’s the big deal about the price? It costs that of a medium range laptop.

    • charles says:

      The issue is that its guts are a SheevaPlug with bunches of peripherals and tons of free software.

      Essentially the less intuitive people on the internets think 1,300 is a bit much for less than a few hundred bucks in hardware.

      The real reason for the price is it is by Pwnie Express to be sold to the government. Essentially somebody that charges more for niche tools, selling to an entity that does not pay with its own money.

      Great profit margin in pentesting stuff.

  2. Bob D says:

    It is a pen test tool, and not a piece of mass-manufactured hobby kit. The price seems reasonable.

    Though I expect someone to post a Raspi hacked into a UPS case within a week that does 90% of what this does.

    • Corrosion says:

      Actually it is VERY over priced using a ton of open source freeware tools… The entire company has been stealing from the community since they opened shop.

      • Tim says:

        Part of the point of OSS is that it can be used by anyone in any way they like (usually so long as they distribute the source code and a copy of the license with it).

        To say that they’re stealing from a community which is giving stuff away is ridiculous…

      • MS3FGX says:

        You are aware that using open source tools in a commercial product is not stealing…right?

    • M4CGYV3R says:

      I agree. People will shell out almost $2000 for an Optimus OLED keyboard without blinking, but to hack virtually any network in a near-undetectable way, $1200 is too much?

  3. jcran says:

    Hey, thanks for publishing! I’m the CTO at Pwnie Express and wanted to give a little background on what you’re getting for the $$.

    We’re not simply selling pentesting hardware. I’d encourage you to check out sites like AceHackware / Hak5 / etc or build your own if you’re interested in that!

    PX is building a supported platform for easy, in-depth penetration testing. We ship both OSS and commercial tools on the plug to give you an initial toolkit (which we’re expanding and building upon thanks to sales #’s).

    We also automate much of the process of taking your initial (physical) access and turn it into remote compromise. We’ll be automating more and more as we build upon our 1.1 feature set.

    Note that we provide a community image that allows you to buy a stock sheevaplug or nokia N900 and load it on. We definitely want to encourage this!

    And we’re finding lots of folks (.gov included) will just pay for it for the support and ease-of-use/deployment.

    Definitely appreciate the feedback, and hit us up on twitter or at info _at_ pwnieexpres _dot_ com if you want more details!

    Hope it helps explain!

    jcran

    • aliveoneee says:

      anyone else feel their marketing should happen on their site?

      • johnj says:

        I rather like seeing posts from company reps who have the balls to get on HaD and explain stuff to commenters.

      • csaz says:

        I didn’t see anything wrong with what he posted. He directly answered issues brought up in the article and comments. Now, if he had just jumped into the comments and said all this when the article was about building your own or something else entirely, then you would have a legitimate complaint about marketing. When your product is being castigated for its cost and its toolkit, he has every right to answer them.

  4. rallen says:

    The cost? Pft.. That’s nothing compared to the fee you could charge to actually do a pen test, or if you’re wearing a black hat, how much you could get for your collected data.

  5. fartface says:

    And with the right power strip UPS and a sheeva pro plug you can make the EXACT thing for $399.00

    Whoever is selling them is on drugs for their pricing, or they hope people that do Computer Security are actually faker n00bs that can’t build this stuff.

    • kubik says:

      The price of any product on a free market is determined by the amount of money someone is willing to pay for it. If the thing is produced for less, you make profit. If the thing is produced for more, you’ll go bankrupt. Welcome to capitalism :)

  6. Rick says:
  7. matt says:

    For $1300 you think they could have used a case that didn’t look like it was from the 1980s.

    • matt says:

      And when was the last time you saw a power strip with 2 USB ports?

      • Xyroze says:

        I’ve seen modern power strips of all shapes and sizes. Many of which nowadays are equipped with two USB ports due to the fact 90% of mobile electronics use them to charge. Lots of phones now just come with a USB wall wart and expect you to use your data cable as your charging cable as well.

      • Toddbert says:

        When was the last time you looked under a desk at a power-strip? My point is that those kinds of things are essentially invisible to most people. And you could always face the USB ports at the wall.

  8. gout says:
  9. Corrosion says:

    @MS3FGX And you realize that depends on the license right?

    I release things open source, but you try to sell it and your ass is mine!

    Read the licenses and think before you speak

    • charles says:

      It comes with the standard Debian repository packages. That means it contains the source code. It is in full compliance.

      They ARE trying to sell it so I guess you now own a license for their collective asses. Does it come with derivative work rights? I would not touch that shit.

    • MS3FGX says:

      So which tools included with this device have licenses that prevent them from being sold in a commercial product?

      Surely you would not make the claim they are stealing from the community unless you had proof that they were distributing software which had a license specifically forbidding it.

  10. imajeenyus says:

    Hackaday, I love you, but when will you learn how to use the apostrophe correctly? The title should, of course, be “…as its black-hat uses.”

  11. Paul says:

    You are not paying for the 500 dollars of hardware or the free open source hardware. You are paying for the engineering to put it together and the investment in making a product.

  12. tzar says:

    This article makes me realise that if you add a custom software module to the thing I’m designing at the moment, you would have a lightweight $70 version of this.. Might be some happy black hats on kickstarter later this year :)

  13. Shady says:

    Why would anybody trust these people enough to do business with them? I’d have to assume their devices have the potential to contain “features” they don’t advertise and may not be in the buyers’ interests.

  14. bigbob says:

    Those whining about the price are clearly not professional engineers, or if they are they are so used to extensive cost reduction of designs that they can’t see the forest for the trees.

    The price tag does not reflect the price of the hardware, but that of the time and engineering that went into it. The market for this product does not want to commit its own engineering time/resources to something similar. This is a low volume niche product, and as such can demand the price they are asking.

    If you think you can make “the same thing” for less go for it. This is not just a raspberry pi and a power strip folks… Keep track of the hours you have working on it and see how much it costs taking that into account…

    • aliveoneee says:

      This is, of course, the capitalist’s perspective exclusively. Some of us still feel that it is unethical to charge someone more than the value of a thing simply because they will pay it.

      • aliveoneee says:

        and yes, that includes valuing your time at $150/hr because you’re an engineer while you value the time of your greengrocer or housekeeper at $8/hr

      • Rob says:

        The value comes from the cost of the time of the developers… they *are* charging for the value of the thing. Skill wasn’t acquired for free, so why should it be given away for free?

        As to the pay rate of an engineer, or a doctor, or a mechanic, or a physicist, etc… versus a lower-paying job like a housekeeper or green grocer or some other lower-paying job, pay is largely a function of perceived worth. Any of those higher-wage jobs could do housekeeping or retail work if pressed to do so, but housekeepers or clerks couldn’t necessarily do the higher-paid work at the same pace and level of precision required… if they could, then they should be doing something more deserving of their latent skill set.

        I really don’t understand the entitlement inherent in your comment.

    • fartface says:

      “but that of the time and engineering that went into it. ”

      I can engineer it in 60 seconds, 5 minutes if I did not already know of the sheeva plug. So a $1000 markup of the hardware is warranted for 5 minutes of internet searching and 1 hour of tinkering on a bench?

      yes 1 hour, if you have a full tool kit on your bench you can take any of the APC UPS power strips or other brands and make this Exact device. Hell give me another 30 minutes and it will have a Wifi chipset that will actually go into promiscuous mode and just sit there and listen instead of the Atheros chipset that is on the sheevaplug in this that will NOT sit and sniff undetected.

      Add another 10 minutes and I can make that Ethernet passthrough act as a passthrough but silently sniff all the traffic that passes through it. No detection at all possible by equipment on the lan. Then the 3G modem inside sends all the data home out of band to further get around any detection on the network.

      Theirs I am certain does not do any of that. Or just take a stock sheeva plug and slap an HP sticker on it, and add a simple payload to act like a JetDirect. Slap it on a printer in the office and configure it to the same IP address the printer was at. It could go years undetected.

      Yeah, none of us have any experience.

      • Butterfly23 says:

        And yet, I don’t see a link to the site where you are selling your version.

        Is it perhaps possible that you realize there are other costs involved in running a business that might necessitate charging more than your marginal cost of materials?

      • Rob says:

        Then step up! Start a business making and supporting this sort of device. Sounds like you’re a couple versions beyond the progress of the company in the article, so why not leverage that into some value for yourself. If it’s that easy for you, for heaven’s sake, go do it. It’s clear that government and non-government entities alike would be interested in this sort of product, and there aren’t that many players in the market… If I had the skill-set you claim to have, I’d be typing less and prototyping more!

      • bigbob says:

        So, in that time you can design everything into a safe enclosure, get all the required certifications of the product? Would this be something that would “just work out of the box” like this? You would be inundated with support requests because you didn’t take time to ensure that everything works without a hitch, not merely the features that you are interested in.

        You are truly showing your ignorance as to what it takes to commercialize a product.

  15. KG4MXV says:

    Now I know what to look for and snag it.

  16. jon says:

    This is a product for sale nationally to the general public. It’s almost certain that they had to get a UL listing and perhaps even dick around with FCC compliance. This takes months and tens of $k.

    Sure, you can grab a Raspi and a pile of wires and whip one up cheap, but don’t kid yourself it’s even close to the same thing. It’s the difference between using a feather and using a chicken.

  17. Neglecto says:

    y’all are some cheap ass bitches

  18. I agree that they are obviously advertising, and I know for a fact that Debian 6 is under a Creative Commons license, but that license doesn’t cover commercial use (sadly). The problem with the device being advertised here is that this site is for people who would rather do things themselves, especially when it comes to niche things like this.

  19. It is purely my opinion, but too many ads are sneaking into HAD. Leave this stuff for Engadget. I enjoy the DIY and hacker aspect of this site, not the “look who is selling a commercial product” aspect. (Sure, I sell a few things, but they are all DIY-based pieces.)

    • Toddbert says:

      I didn’t see it as advertising at all. I see it as showing a novel and cool product that could be re-created by the talented people who frequent this site. I see it as a challenge. There have been many products showcased here that have been copied from scratch, usually cheaper and with innovative new features. Look at all the 3D printers that users have built here.

  20. EB says:

    This looks like a good price for a low volume device. It is rugged and if it includes a year of updates I think it is a good value. Aren’t government networks the most insecure?
