Teddy-Net the Wifi Teddy Trojan


Whatever it is, I fear Greeks even when they bring gifts.
(Spoken by Laocoon in Virgil's 'Aeneid' as, Quidquid id est, timeo Danaos et dona ferentes.)


'However cute it is, I fear Geeks even when they bring gifts' - RenderMan, 2005


I will start by giving credit where credit is due. Part of the original idea for Teddy-Net was gleefully taken from the Teddy Borg project created by some very bored MIT students. Thiers was a network switch built into a Bear, I just ran the idea further. I am not trying to steal thier work or anything, I just extended it to wireless networks


Teddy-Net began life as a joke.

I saw the Teddy Borg project a while ago and, like most everyone, thought it was pretty cool. It stuck in the back of my mind where most of my insane ideas come from. Also in the same pile was memories of Hub-Zilla, the Firewire hub - Godzilla wannabe

A while later, my best friend and partner-in-crime, 0ktipus announced he and his wife were having a daughter. Over the next few months the usual jokes about how I'd be teaching his daughter all the evil tricks I know and using her to do my evil bidding went around. One in particularly stuck in my mind: 'I can just see Render giving our daughter a teddy bear with antennas and having her carry it into an office'.

Be careful what you say around me, I'm crazy enough to do it!

Boxing day, 2004 provided a >$20 Belkin 54G Wireless AP/Router that I had no idea what to do with. Over the holidays, the joke about a 'teddy bear with antennas' kept being brought up. With Shmoocon 2005 around the corner and most of the materials already at hand, I figured it would be a good addition to my Shmoocon presentation, not to mention a way of stopping the jokes.

It was also a fun way of showing that you have to be vigilant with your network security and be aware of what gets plugged into your network. That cute bear in the little girls arms could have a devious purpose. A physical trojan horse in every sense concealing a rogue wireless access point.

I picked up a suitably sized teddy bear at a thrift store for $3, making sure there was a seam down the middle of his back. My mother was kind enough to install a zipper down the back seam so I could open and close him as needed (I was traveling by Air to shmoocon, I figured having electronics secreted in a teddy bear was a sure fire way to the rubber glove treatment by customs, so removal of the electronics was nessecary).

The AP was removed and stripped down to bare essentials. The antennas attached to the main board with tiny hirose connectors. They are very delicate, but the fact the antennas were on wires allowed me to locate them wherever I wanted in the bear.

I sliced the power cable for the ap about 7 inches from the end and used a stock rat-shack headphone jack type connector to pass the power into the bear Matrix-style through a jack mounted in the back of his neck.

The AP was wrapped in a static bag with holes in the appropriate places for cables, and with a bit of shoving, inserted it into the bear

Antennas were slid into the stuffing in his head at either side of his face, roughly below each ear, and connected to the board.

Shmoocon did not give me enough time to mount proper connections for network in the bear. Upon my return I took a page from Teddy Borg and used a standard walljack to make a pigtail to route network to the bears exterior, once again, Matrix style through the back of the neck, beside the power jack.

Teddy-Net made his debut at Shmoocon in Washigton DC. My talk was on the last day and he was secret, so we decided to see if anyone would figure out this 'trojan horse'. Grey_frequency, my traveling companion for the trip, carried Teddy-Net around with her everywhere (an odd thing indeed at a hacker conference), even dressing him up a bit.

Whenever we could, we would quietly plug him in and he would be broadcasting 'TEDDY-NET' as an SSID. In the whole weekend, no-one figured out his true purpose was to be a trojan horse for a rogue AP.

Teddy-Net was the toast of the con after his debut and people knew what he was. It was a blast to see everyone wanting a peek under his zipper.

I was often asked about having him Battery powered, and it's definatly a possibility. The power requirements for the Belkin AP are quite high, so I'd probobly use a normal AP with less power requirements (like a Linksys WAP54G). I've battery powered a WRT54G off 4 'AA' batteries, so I know it's possible, but outside the scope for a proof-of-concept. Besides, I like the matrix-style power jack.

The other thing I was asked about was heat. With the AP surrounded by stuffing, Teddy-Net does get warm, but he's no fire hazard. It just makes the bear that much more cuddly

I could have run lines for the switch ports on the router into his paws, but I was more curious about his Wi-fi concealing abilites

The lesson learned here is to be aware of what is plugged into your network and regularly audit your network. In a conference of 400 hackers, broadcasting an SSID of 'Teddy-Net', no-one suspected his true purpose. Goes to show how simple and effective a trojan horse can be.

Update:
Finally was able to get some pics of the Bear with the little lady who he was intended for:


Return to Main