Full Report
After publishing my blog post about running P4wnP1 on an LTE modem, where I explained how to install Linux and P4wnP1 on an actual LTE modem for sneaky USB attacks, and then trying and failing to do an internal presentation to show it off to folks, I realised that I had not completely documented the process. In fact, I had left it rather incomplete as it turned out! As I was intending to give a public demonstration of P4wnP1-LTE, I had some work to do.
Analysis Summary
# Tool/Technique: P4wnP1-LTE
## Overview
P4wnP1-LTE is a modification or extended use of the P4wnP1 framework installed onto an actual LTE modem device. Its purpose is to enable "sneaky USB attacks" by turning the typically benign LTE modem into a hardware attack platform capable of controlling the connected host computer via USB HID emulation.
## Technical Details
- Type: Attack Tool/Framework Extension
- Platform: Linux (running on adapted LTE modem hardware), targeting Windows hosts for USB injection.
- Capabilities: Installing and running the P4wnP1 framework on an LTE modem; providing USB Human Interface Device (HID) keystroke injection; establishing remote access via WireGuard VPN over LTE; utilizing Raw HID channels for command and control.
- First Seen: The initial concept was documented prior to October 27, 2023, with updates detailed in the provided article.
## MITRE ATT&CK Mapping
This tool directly facilitates the Physical Access techniques in the Initial Access tactic, and utilizes Execution and Command and Control tactics.
- **TA0001 - Initial Access**
  - T1190 - Exploit Public-Facing Application (Indirectly, if the modem/interface is considered an external resource, though more appropriate for HID)
  - T1566.003 - Phishing: USB Interest/Incentive (The perceived utility of the USB device attracts connection, leading to payload execution)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (If scripts or payloads are staged via the injected keystrokes)
- **TA0011 - Command and Control**
  - T1090 - Proxy (Using WireGuard VPN over LTE to remote into the compromised system or the modem itself)
  - T1071.001 - Application Layer Protocol: Web Protocols (Potential use for C2 if the P4wnP1 web interface is used, though WireGuard is explicitly used here)
## Functionality
### Core Capabilities
- **LTE Modem Integration:** Successfully running a Linux environment, including SSH and WireGuard, on hardware typically used only for cellular connectivity.
- **Network Resiliency:** Debugging and fixing connectivity issues (LTE temperature throttling and SSH sessions dying) by manually controlling CPU cores (`chcpu -d 1,2,3`) and adjusting the Maximum Transmission Unit (MTU) on the LTE interface (resolved by setting MTU to 1024).
- **Remote Access:** Establishing a secure connection via **WireGuard VPN** to an internet-accessible host for SSH access to the modem.
- **USB Keystroke/Data Injection:** Using the P4wnP1 framework's core function to execute scripts/commands on the physically connected host via USB emulation.
### Advanced Features
- **Raw HID Covert Channel:** Implementation of a **CovertChannel** proxy (using Go and `socat`) to facilitate command execution over the Raw HID channel. This involves:
  1. Running a Go server component.
  2. Running `socat TCP-L:4444,fork,reuseaddr -` on the analyst machine to listen for a shell.
  3. Launching a specific JS script (`covertchannel.js`) via P4wnP1's HIDScript interface, which connects back to the listening Go server.
- **Interface Management Integration:** Utilizing `systemd` service files to manage NetworkManager's view of other interfaces (`wlan0`), ensuring P4wnP1 has control or that NetworkManager ignores interfaces during operation.
## Indicators of Compromise
*None specifically detailed as IOCs for the utilized payloads, only diagnostic/debugging indicators for the environment setup.*
- File Hashes: N/A
- File Names: `p4wnp1_service`, `covertchannel.js`
- Registry Keys: N/A
- Network Indicators:
  - WireGuard VPN traffic over the LTE interface.
  - SSH sessions tunneling over the WireGuard VPN.
  - TCP Port 4444 used by the `socat` listener for the CovertChannel.
- Behavioral Indicators: Thermal throttling observed on the modem hardware; SSH sessions disconnecting specifically when large amounts of terminal output are transferred over LTE.
## Associated Threat Actors
- This tool/technique appears to be developed and used by security researchers/red teamers (Self-identified author is Rogan Dawes from SensePost). No known criminal threat actors are associated in this context.
## Detection Methods
- **Signature-based detection:** Not detailed, but standard P4wnP1 payload signature detection would apply if the injected payload is known.
- **Behavioral detection:** Monitoring for extreme temperature fluctuations or unusual CPU core throttling commands (`chcpu`) on embedded network hardware; detection of unusual MTU settings (e.g., an interface MTU set to 1024, or to 1420 as is typical for LTE tunnels).
- **YARA rules if available:** Not detailed.
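As an added example (not from the original post or the P4wnP1 project), the detection logic below runs the behavioral and network indicators listed above over constructed log lines; the hostnames, the log layout and the `wwan0` interface name are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines (not from the original post): sudo/kernel journal
# entries from the modem plus flow records from a firewall in front of the
# host it was plugged into. Assumed layout: "<timestamp> <host> <message>".
SAMPLE_LOG = """\
2023-10-27T09:12:01 modem sudo: root : COMMAND=/usr/bin/chcpu -d 1,2,3
2023-10-27T09:12:05 modem sudo: root : COMMAND=/sbin/ip link set dev wwan0 mtu 1024
2023-10-27T09:12:09 modem kernel: wireguard: wg0: handshake initiation sent to peer 203.0.113.10
2023-10-27T09:12:30 fw flow: proto=tcp src=10.0.0.5:50122 dst=203.0.113.10:4444 state=new
2023-10-27T09:13:00 fw flow: proto=tcp src=10.0.0.5:50123 dst=10.0.0.9:443 state=new
2023-10-27T09:13:10 modem sudo: root : COMMAND=/usr/bin/apt update
"""

# Hosts expected to do nothing but cellular connectivity (assumed names); WireGuard
# activity on one of them is the "unexpected WireGuard connection" the mitigations name.
CELLULAR_ONLY_HOSTS = {"modem"}

# Pattern rules, each tied to an indicator listed on this page.
RULES = [
    ("chcpu_core_disable", re.compile(r"COMMAND=\S*chcpu -d \S+")),
    ("lte_mtu_change", re.compile(r"ip link set dev (?:wwan|lte)\d+ mtu \d+")),
    ("covert_channel_tcp_4444", re.compile(r"proto=tcp .*dst=\S+:4444\b")),
]
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    rule: str
    detail: str

def scan(log_text: str) -> list[Finding]:
    findings = []  # one Finding per indicator hit, in log order
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected layout
        ts, host, msg = m.groups()
        for name, pat in RULES:
            hit = pat.search(msg)
            if hit:
                findings.append(Finding(ts, host, name, hit.group(0)))
        # WireGuard is only anomalous on hardware that should be cellular-only
        if host in CELLULAR_ONLY_HOSTS and "wireguard" in msg.lower():
            findings.append(Finding(ts, host, "wireguard_on_cellular_device", msg))
    return findings
```

Run `scan(SAMPLE_LOG)` to see the four hits; the HTTPS flow and the `apt update` line are left alone.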
## Mitigation Strategies
- **Physical Security:** Limiting physical access to devices that could be compromised by USB interaction. Unattended systems should have USB ports disabled or protected.
- **Network Hardening:** Monitoring for unexpected WireGuard connections originating from network hardware that should only perform cellular communication.
- **System Hardening (Host):** Implementing strong policies against unknown USB devices presenting as HID devices, although operating systems are generally designed to trust HID input.
## Related Tools/Techniques
- **P4wnP1:** The base framework utilized for HID injection.
- **WireGuard:** Used for setting up the secure C2 tunnel over the potentially unreliable LTE connection.
- **CovertChannel:** Companion tooling used to establish command-and-control over the Raw HID channel.
- **Rubber Duck Debugging:** Mentioned as a successful self-debugging technique used by the author.
---