Interview With Pwnie Express

Pwnie Express was founded in 2010 by Dave Porcello, who developed the original Pwn Plug to fulfill his own penetration testing needs while working as the IT Security Director at Vermont Mutual Insurance Group. Since its founding, Pwnie Express has become the world leader in remote security assessment, and the first company to empower organizations of all sizes with a full visibility and threat detection platform that discovers and alerts unknown or high-risk devices and their potential threats wherever they exist on the network.
Through its enterprise-class Pwn Pulse platform and its long-trusted Pwn Plug, Pwn Phone and Pwn Pad devices, Pwnie Express provides continuous visibility throughout the wired/wireless/RF spectrum, across all physical locations including remote sites and branch offices, detecting “known-bad”, unauthorized, vulnerable, and suspicious devices. Pwn Pulse enables central management from a single cloud dashboard for scalable, continuous intelligence across the enterprise, as well as remote and branch locations.
Backed by the powerful security research of Pwnie Labs and regular feedback from customers and community partners, Pwnie Express helps its customers reduce the attack surface created by the explosion of devices introduced by Bring Your Own Device (BYOD and the expansion of threat vectors brought on by the Internet of Things (IoT). It is headquartered in Boston, Massachusetts.

PenTest Mag: Can you speak to your experiences starting/developing a small company in a market as competitive as IT security?

Pwnie Express:
Pwnie Express CEO Paul Paget joined founder (and current CTO) Dave Porcello because they shared a vision for how remote penetration testing tools could be used in a much more substantial way. Dave created the first Pwn Plug, which has since become the industry standard for remote penetration testing around the world. The success of the Pwn Plug led to the bigger idea of distributed pentesting, which caused Dave to seek venture funding and a CEO to help build the business. With more than 30 years experience bringing information security products to market, Paget had built the first company to establish penetration testing as a product, and had experience with highly secure hosted security systems. For the past 15 years, he has specialized in leading early stage companies and bringing new, innovative security products to market.
In all cases, Paul sees the primary challenge – and opportunity – as this: find a way to connect the technology to the right people who will help you with the initial phases of the product’s lifecycle. Together you shape the product into something that can be successful in the marketplace. You HAVE to be able to connect your idea to the market and find a seam where you can enter. In Pwnie Express’ case, the team leveraged the original Pwn Plug to create automated pentesting on a distributed basis. As the market shifted toward BYOD, the marketplace presented a larger problem for Pwnie to solve: the lack of visibility into devices within an organization.

PenTest Mag: Your products make heavy use of open source projects, would it be safe to say that you wouldn’t have been able to bring them to market if you had to develop all of this software in house, or pay licensing fees to include them?

Pwnie Express:
No, we would not have been able to bring this rich of an offering to market without the use of open source technology. By leveraging the open source technology in the Pwn Pulse system we were able to make a collection of powerful products scalable, and at a price point that makes the solution readily available for customers. Ultimately, we have contributed to the further development of open source tools and shared them back with the community.

PenTest Mag: Could you tell us more about the Pwnie Express training, the skills and tools?

Pwnie Express:
Pwnie Express offers live training for users of the mobile line of products, i.e. Pwn Pad and Pwn Phone and for users of the fixed sensor line of products, i.e. Pwn Plug R3 and Pwn Pro. The training session for the mobile and fixed line of products provides new or infrequent users of the Pwn Pad and Pwn Phone, or Pwn Plug R3 and Pwn Pro respectively, with an introduction to the hardware, the Kali based Operating System, and product usage, configuration, updating, installation of additional software, remote access, and advanced functionality (such as NAC Bypass with the Pwn Plug R3). The training session for the "fixed" line of products provides new or infrequent users with an introduction to the hardware, the Pwnix operating system, and product usage. Including the subjects of the Pwnie UI, configuration, deployment, updating the device, installation of additional software, enabling remote access, enabling Stealth Mode and NAC Bypass (R3 only), hints & tips, troubleshooting, etc.
Both training classes are interactive, delivered online via WebEx and attendees are encouraged to ask questions of the instructor. Training sessions usually last three hours. Afterwards attendees are provided with a recording of the session for later reference.

PenTest Mag: In terms of the OSI (Open Source Interconnection) 7 layer model, at which layers do your products and solutions operate at?

Pwnie Express:
Out of the box, Pwn Pulse primarily operates at Layers 2 and 3 due to our focus on device discovery. If the advanced features -- such as a custom script to leverage Nmap’s Heartbleed checker-- are utilized, Pwn Pulse is able to operate at layers 2 through 7.

PenTest Mag: For branch offices are distributed servers an option? Or does each sensor communicate back to the Central Pwn Pulse system?

Pwnie Express:
Each sensor is essentially a server that communicates back to the central Pwn Pulse system. The beauty of the system is that it can be shipped to remote locations, plugged in by any employee, and it will start collecting date without any special configuration.

PenTest Mag: Is the communication between remote sensors and the central Pwn Pulse system encrypted? What protocols are used?

Pwnie Express:
The communication between the sensors and Pwn Pulse is encrypted. Specifically, we utilize an encrypted TLS tunnel to transmit Sensor data back to Pwn Pulse.

PenTest Mag: How is the Pwnie Express experience and intelligence translated down into the customer organization for those who do not specialize in Information Security; Risk Assessment and Security Planning?

Pwnie Express:
Our solution does not require IT to put agents on employee-owned devices, the threat detection and added visibility preserves privacy and ownership so that IT does not have to interfere with the employee’s personal devices. At the same time the Pwn Pulse provides the enterprise with the ability to identify devices that do not belong in the workplace. The ability to track and know which devices are employee-owned enables them to say “these devices belong.” Pwn Pulse also provides a “safety net” for IT where they can track and monitor all employee-owned devices on an ongoing basis. For example, an employee could bring in a device that helps them do their job more effectively, i.e a printer that connects to wifi. Employees may not realize that this printer in its default state provides a gateway into the network for an attacker. The Pwn Pulse would alert IT that the device has been added to the network and is a potential threat.

PenTest Mag: How is the pricing model structured?

Pwnie Express:
Pwnie Express offers a subscription service based on the number of sensors required. Pricing starts at ~$180 per month per sensor and includes access to the Pwn Pulse system.
Al la carte device prices are available at www.pwnieexpress,com or by contacting sales via phone at (855) 793-1337 or email [email protected].

PenTest Mag: Is there support for the hardware appliances, in terms of warranty; RMA; Support Care; etc?

Pwnie Express:
Pwnie Express provides free technical support via email/telephone/web for the first thirty days. After which users are encouraged to obtain Pwnie Care, which continues the availability of receiving support via email/telephone/web for a period of one year. All users of Pwnie Express products regardless of having a subscription to Pwnie Care are able to access on an online support forum and knowledgebase.
Pwnie Express provides a limited warranty for all commercial products, providing coverage against manufacturer defects, etc. For products not tied to Pwn Pulse, each device comes with a 30 warranty. You also have the option to add on Pwnie Care, which covers everything from hardware replacement to live support. With Pwn Pulse, hardware replacement, support, and training are included automatically.

>> QUESTIONS FROM PENTEST READERS <<

Please explain your company's latest developments in cellular threat detection sensors/capabilities. What are the potential legal challenges of these technologies?

Pwnie Express:
Recently it has come to our attention that the technology used to create fake cell towers has been more and more accessible to criminals. Due to that Pwnie Labs began researching how to combat this growing threat. By using off the shelf fcc certified 4g components in (mostly) the intended way, we were able to gain some useful metrics to detect these fake cell towers. While monitoring cell phone frequencies is against the law for anyone except law enforcement, by using fcc certified 4g hardware we have made great strides towards detecting and alerting when these "rogue cell towers" become active.

Do any of your sensors / software provide RFID reader detection?

Pwnie Express: Not specifically, however, there are many ways to detect threats like this. Most RFID readers have a range of 4 centimeters or less, while it may be interesting to attempt to detect them, it would be very difficult. That said, most illicitly installed RFID hardware is more akin to a credit card skimmer. A device which can read RFID cards are a long range (~10 ft) can be hidden near a legitimate reader and captures cards as the legitimate reader reads them. The vast majority of devices like this have either a wifi or bluetooth backhaul to offload the skimmed data, and we are able to detect such devices using these backhauls.

How does the bluetooth adapter in the Pwn Pad compare with Ubertooth?

Pwnie Express: Currently the across a range of our products we use a high power bluetooth dongle to actively scan and find discoverable bluetooth devices. Discoverable bluetooth devices are the most vulnerable because they can be so easily spotted, so this type of standard bluetooth scan can be a very valuable metric for getting some baseline visibility and security policies established. While the ubertooth is able to see more devices since it can passively sniff the air, the device is officially classed as "test equipment" and is not certified by the fcc. Due to the lack of certification of the ubertooth, we do not sell it at this time, however, we do include support for it across a range of products and it's as simple as plug and play to use the ubertooth instead of the standard bluetooth dongle we sell.

Are you working to add new platforms besides Nexus for phones and tablets?

Pwnie Express: Of course, these types of questions keep us up at night. Our Mobile Sensor Engineering team spends hours reviewing multiple android systems looking at which platforms best support our feature set. Most recently we did release the PwnPad3 based off a non-nexus tablet, Fortunately we were able to find hardware which better met our needs and released the PwnPad 3 with benchmarks that were more than twice as high as the PwnPad 2014 edition. We hope to continue to expand our device support, although it is very important to note that these are fairly heavy modifications to make things work as expected. Not only do we need to modify the base android load, we also have to modify the kernel to support the feature set we want (external wifi, bluetooth, etc) and install a full linux chroot with loads of pen-testing software. Picking the next platform is always a challenge, however, we are constantly improving the build system and looking for ways to improve our flexibility to use new hardware.

What are the differences between the community edition and the full version of the Pwnie products?

Pwnie Express: In a word, support. The community edition of the Pwnie Express products and the image we flash onto the devices we sell are actually identical at this time. The main difference is that community edition users don't get phone and email support. Obviously we are happy to take bug reports both via email and github, but priority always falls to paying customers who are conducting business with our products and how we can best support them. Additionally, only the paid users are permitted to activate their devices on our Pwn Pulse cloud service. The Pwn Pulse cloud service allows centralized management, reporting, updating, and even custom scheduled tasks to be pushed down to one, many, or all of a customer's devices. We are proud of our heritage in building a product from the open source tools people know and love, so we give back as much as we can, going as far as submitting patches and opening bug reports for packages we use so that the whole community benefits from our work and not just our customers.

Are you looking into Kali 2 as a base for your devices in the near future?

Pwnie Express: Yes, nothing to announce yet, but we expect to keep pace with Kali and announce Kali 2 when full tested and QA’d.

How do you manage software updates? (Does the Pwnie Express Updater manage debian packages, scripts, etc?)

Pwnie Express: The Pwnie Express Updater android app is a wrapper around the standard Pwnie Express updater, which in turn uses the standard debian packages etc. to keep up to date. Our repositories are a clone of the upstream repositories which are synced after successful automated regression tests to ensure that our customers always have a functional product and give us a warning on any incompatible change which may have happened upstream. In addition to the standard package upgrades, we also keep all of the software and scripts written by Pwnie Express up to date and ship it out in addition to the debian packages from upstream. Finally, on android, the PX Updater app wraps all of that in some automated checks to see if the user is on the current version of software and offer a download if not. This new app gives us the ability to not only keep our linux chroot up to date, it also allows us to upgrade android, the kernel, or everything at once when it is needed. We are super excited about the feature set of this new app, and look forward to using this widely in the future to keep users more up to date and roll out new and exciting features easily.

What would be the best way to get a demo of your products?

Pwnie Express: To get a sense of our fixed sensors, check out our YouTube page.
If you would like to get a demo of Pwn Pulse, contact us for a no obligation live demo here: https://www.pwnieexpress.com/pulse-demo/

November 6, 2018