Power Pwn’s Price Tag Is As Dangerous As Its Black-hat Uses

This rather normal-looking power strip hides a secret inside. It’s called the Power Pwn, and it conceals hardware which facilitates remote penetration testing of a network. It really is the ultimate in drop hardware, as you can quickly swap it with an existing power strip. Who’s going to question it?

It’s got almost all the bells and whistles. There are dual Ethernet ports, Bluetooth with 1000′ range, and WiFi with a high gain antenna. The SoC inside comes with Debian 6 and all the exploit tools you might want pre-loaded. There’s even a 3G adapter, but it’s external and not pictured above. The thing is, for a pre-order price tag of $1,295 we think that 3G should have been internalized and come with a lifetime unlimited data plan! That could be a bit overboard… our heads are still spinning from the sticker shock.

This isn’t the first time we’ve seen hardware from this company. Their Pwn Plug was used in this project. We just didn’t catch the $595 price tag for that device until now.

[via Reddit via Zdnet]

45 thoughts on “Power Pwn’s Price Tag Is As Dangerous As Its Black-hat Uses”

    1. The issue is that its guts are a SheevaPlug with bunches of peripherals and tons of free software.

      Essentially the less intuitive people on the internets think 1,300 is a bit much for less than a few hundred bucks in hardware.

      The real reason for the price is it is by Pwnie Express to be sold to the government. Essentially somebody that charges more for niche tools, selling to an entity that does not pay with its own money.

      Great profit margin in pentesting stuff.

  1. It is a pen test tool, and not a piece of mass-manufactured hobby kit. The price seems reasonable.

    Though I expect someone to post a Raspi hacked into a UPS case within a week that does 90% of what this does.

      1. Part of the point of OSS is that it can be used by anyone in any way they like (usually so long as they distribute the source code and a copy of the license with it).

        To say that they’re stealing from a community which is giving stuff away is ridiculous…

    1. I agree. People will shell out almost $2000 for an Optimus OLED keyboard without blinking, but to hack virtually any network in a near-undetectable way, $1200 is too much?

  2. Hey, thanks for publishing! I’m the CTO at Pwnie Express and wanted to give a little background on what you’re getting for the $$.

    We’re not simply selling pentesting hardware. I’d encourage you to check out sites like AceHackware / Hak5 / etc or build your own if you’re interested in that!

    PX is building a supported platform for easy, in-depth penetration testing. We ship both OSS and commercial tools on the plug to give you an initial toolkit (which we’re expanding and building upon thanks to sales #’s).

    We also automate much of the process of taking your initial (physical) access and turn it into remote compromise. We’ll be automating more and more as we build upon our 1.1 feature set.

    Note that we provide a community image that allows you to buy a stock sheevaplug or nokia N900 and load it on. We definitely want to encourage this!

    And we’re finding lots of folks (.gov included) will just pay for it for the support and ease-of-use/deployment.

    Definitely appreciate the feedback, and hit us up on twitter or at info _at_ pwnieexpres _dot_ com if you want more details!

    Hope it helps explain!

    jcran

      1. I didn’t see anything wrong with what he posted. He directly answered issues brought up in the article and comments. Now, if he had just jumped into the comments and said all this when the article was about building your own or something else entirely, then you would have a legitimate complaint about marketing. When your product is being castigated for its cost and its toolkit, he has every right to answer them.

  3. The cost? Pft.. That’s nothing compared to the fee you could charge to actually do a pen test, or if you’re wearing a black hat, how much you could get for your collected data.

  4. And with the right power strip UPS and a sheeva pro plug you can make the EXACT thing for $399.00

    Whoever is selling them is on drugs for their pricing, or they hope people that do Computer Security are actually faker n00bs that can’t build this stuff.

    1. The price of any product on a free market is determined by the amount of money someone is willing to pay for it. If the thing is produced for less, you make profit. If the thing is produced for more, you’ll go bankrupt. Welcome to capitalism :)

      1. I’ve seen modern power strips of all shapes and sizes. Many of which nowadays are equipped with two USB ports due to the fact 90% of mobile electronics use them to charge. Lots of phones now just come with a USB wall wart and expect you to use your data cable as your charging cable as well.

      2. When was the last time you looked under a desk at a power-strip? My point is that those kinds of things are essentially invisible to most people. And you could always face the USB ports at the wall.

  5. @MS3FGX And you realize that depends on the license right?

    I release things open source, but you try to sell it and your ass is mine!

    Read the licenses and think before you speak

    1. It comes with the standard Debian repository packages. That means it contains the source code. It is in full compliance.

      They ARE trying to sell it so I guess you now own a license for their collective asses. Does it come with derivative work rights? I would not touch that shit.

    2. So which tools included with this device have licenses that prevent them from being sold in a commercial product?

      Surely you would not make the claim they are stealing from the community unless you had proof that they were distributing software which had a license specifically forbidding it.

  6. You are not paying for the 500 dollars of hardware or the free open source hardware. You are paying for the engineering to put it together and the investment in making a product.

  7. This article makes me realise that if you add a custom software module to the thing I’m designing at the moment, you would have a lightweight $70 version of this.. Might be some happy black hats on kickstarter later this year :)

  8. Why would anybody trust these people enough to do business with them? I’d have to assume their devices have the potential to contain “features” they don’t advertise and may not be in the buyers’ interests.

  9. Those whining about the price are clearly not professional engineers, or if they are they are so used to extensive cost reduction of designs that they can’t see the forest for the trees.

    The price tag does not reflect the price of the hardware, but that of the time and engineering that went into it. The market for this product does not want to commit its own engineering time/resources to something similar. This is a low volume niche product, and as such can demand the price they are asking.

    If you think you can make “the same thing” for less go for it. This is not just a raspberry pi and a power strip folks… Keep track of the hours you have working on it and see how much it costs taking that into account…

      1. The value comes from the cost of the time of the developers… they *are* charging for the value of the thing. Skill wasn’t acquired for free, so why should it be given away for free?

        As to the pay rate of an engineer, or a doctor, or a mechanic, or a physicist, etc… versus a lower-paying job like a housekeeper or green grocer or some other lower-paying job, pay is largely a function of perceived worth. Any of those higher-wage jobs could do housekeeping or retail work if pressed to do so, but housekeepers or clerks couldn’t necessarily do the higher-paid work at the same pace and level of precision required… if they could, then they should be doing something more deserving of their latent skill set.

        I really don’t understand the entitlement inherent in your comment.

    1. “but that of the time and engineering that went into it. ”

      I can engineer it in 60 seconds, 5 minutes if I did not already know of the sheeva plug. So a $1000 markup of the hardware is warranted for 5 minutes of internet searching and 1 hour of tinkering on a bench?

      Yes, 1 hour. If you have a full tool kit on your bench you can take any of the APC UPS power strips or other brands and make this exact device. Hell, give me another 30 minutes and it will have a WiFi chipset that will actually go into promiscuous mode and just sit there and listen, instead of the Atheros chipset that is on the SheevaPlug in this, which will NOT sit and sniff undetected.

      Add another 10 minutes and I can make that Ethernet passthrough act as a passthrough but silently sniff all the traffic that passes through it. No detection at all possible by equipment on the lan. Then the 3G modem inside sends all the data home out of band to further get around any detection on the network.

      Theirs, I am certain, does not do any of that. Or just take a stock SheevaPlug and slap an HP sticker on it, and add a simple payload to act like a JetDirect. Slap it on a printer in the office and configure it to the same IP address the printer was at. It could go years undetected.

      Yeah, none of us have any experience.

      1. And yet, I don’t see a link to the site where you are selling your version.

        Is it perhaps possible that you realize there are other costs involved in running a business that might necessitate charging more than your marginal cost of materials?

      2. Then step up! Start a business making and supporting this sort of device. Sounds like you’re a couple versions beyond the progress of the company in the article, so why not leverage that into some value for yourself. If it’s that easy for you, for heaven’s sake, go do it. It’s clear that government and non-government entities alike would be interested in this sort of product, and there aren’t that many players in the market… If I had the skill-set you claim to have, I’d be typing less and prototyping more!

      3. So, in that time you can design everything into a safe enclosure, get all the required certifications of the product? Would this be something that would “just work out of the box” like this? You would be inundated with support requests because you didn’t take time to ensure that everything works without a hitch, not merely the features that you are interested in.

        You are truly showing your ignorance as to what it takes to commercialize a product.

  10. This is a product for sale nationally to the general public. It’s almost certain that they had to get a UL listing and perhaps even dick around with FCC compliance. This takes months and 10’s of $k.

    Sure, you can grab a Raspi and a pile of wires and whip one up cheap, but don’t kid yourself it’s even close to the same thing. It’s the difference between using a feather and using a chicken.

  11. I agree that they are obviously advertising, and I know for a fact that Debian 6 is under a Creative Commons license, but that license doesn’t cover commercial use (sadly). The problem with the device being advertised here is that this site is for people who would rather do things themselves, especially when it comes to niche things like this.

  12. It is purely my opinion, but too many ads are sneaking into HAD. Leave this stuff for Engadget. I enjoy the DIY and hacker aspect of this site, not the “look who is selling a commercial product.” (Sure, I sell a few things, but they are all DIY-based pieces.)

    1. I didn’t see it as advertising at all. I see it as showing a novel and cool product that could be re-created by the talented people who frequent this site. I see it as a challenge. There have been many products showcased here that have been copied from scratch, usually cheaper and with innovative new features. Look at all the 3D printers that users have built here.

  13. This looks like a good price for a low volume device. It is rugged and if it includes a year of updates I think it is a good value. Aren’t government networks the most insecure?
