Stealthy network penetration
Following up on the success of its Pwn Plug, a plug-computer-based network penetration tool, Pwnie Express has recently announced a power-strip-based successor: Power Pwn. Both products (and another that lives inside an N900 smartphone) are examples of the increasing capabilities of small, innocuous-looking packages—ones that can gather an enormous amount of sensitive data. But, Power Pwn is interesting for another reason: its development was partially funded by the US government.
For those not up on "leetspeak" (an alternative "language" used by the cracking/hacking and other subcultures), "pwn" may need some explanation. It is essentially a misspelling of "own" and in the cracking community is used to mean compromising or controlling a computer system of some kind. So, "pwning" a system is often the goal of attackers. The term is used widely in security circles as well, such as the Pwnie Awards that are given out at the Black Hat security conference.
So, while Pwnie Express's products are described as penetration testing (pentesting) tools, their names and capabilities make it obvious that they are quite suitable for more offensive tasks as well. Power Pwn is designed to look like (and act like) an eight-outlet power strip or surge protector, with "convenient" Ethernet ports, as well as a USB connector. Even when plugged into the network, it could easily be overlooked behind a desk or in a crowded server room.
But the device has no need to be connected to the network to be useful. It contains high-gain antennas for both Bluetooth and 802.11b/g/n, along with an external 3G/GSM network adaptor. Beyond that, it has a 1.2 GHz ARM processor with 512M of RAM and a 16G flash disk. It runs Debian 6 ("Squeeze") and comes with an impressive array of security and penetration tools.
It's clear that Pwnie Express has done more than just load a bunch of tools on top of the hardware and Debian, though. The device will call home via SSH either over the wired connection or 3G/GSM. There is also the ability to send shell commands to the device via SMS text messages. It can tunnel through firewalls and intrusion prevention systems (IPS). And so on. It could clearly be of use to those of any hat shade—white, gray, or black.
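The capabilities listed above (a device that calls home over SSH, accepts commands out of band, and sits unnoticed on the wire) suggest what a defender should be looking for: a host that is not in the asset inventory and that opens outbound connections on a fixed schedule. The following is an added example, not code from the article or from Pwnie Express, that runs those two checks over a small set of constructed connection-log lines. The log format (`<epoch> <src_mac> <src_ip> <dst_ip> <dst_port>`), the inventory, and the MAC and IP addresses are all assumptions made for the example.

```python
"""Rogue-device beacon detection over constructed connection-log lines.

Added example (not from the LWN article or from Pwnie Express): a defender-side
check for the behaviour the article describes, a device on the LAN that "calls
home" over SSH. It assumes a hypothetical log format of
    <epoch> <src_mac> <src_ip> <dst_ip> <dst_port>
(e.g. an export from a firewall or switch) and an asset inventory keyed by
MAC address. Both the log lines and the inventory below are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed asset inventory: MAC -> owner. Anything not listed is "unknown".
KNOWN_ASSETS = {
    "00:11:22:33:44:01": "workstation-a",
    "00:11:22:33:44:02": "workstation-b",
    "00:11:22:33:44:03": "printer-3f",
}

# Constructed log lines. 00:11:22:33:44:99 is a hypothetical unlisted device
# making regularly spaced outbound SSH connections; the rest is normal traffic.
SAMPLE_LOG = """\
1000 00:11:22:33:44:01 10.0.0.11 93.184.216.34 443
1005 00:11:22:33:44:99 10.0.0.57 203.0.113.10 22
1010 00:11:22:33:44:02 10.0.0.12 93.184.216.34 443
1305 00:11:22:33:44:99 10.0.0.57 203.0.113.10 22
1400 00:11:22:33:44:03 10.0.0.13 10.0.0.1 53
1605 00:11:22:33:44:99 10.0.0.57 203.0.113.10 22
1900 00:11:22:33:44:01 10.0.0.11 198.51.100.7 22
1905 00:11:22:33:44:99 10.0.0.57 203.0.113.10 22
"""

WATCHED_PORTS = {22}          # outbound SSH is the call-home channel described
MIN_BEACONS = 3               # need at least this many connections to judge timing
MAX_JITTER_RATIO = 0.1        # stdev/mean of inter-connection gaps; lower = more regular


def parse_log(text):
    """Parse the constructed log format into a list of dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, mac, src, dst, port = parts
        try:
            records.append({"ts": int(ts), "mac": mac.lower(), "src": src,
                            "dst": dst, "port": int(port)})
        except ValueError:
            continue
    return records


def unknown_devices(records, inventory=KNOWN_ASSETS):
    """MAC addresses seen on the wire that are not in the inventory."""
    return sorted({r["mac"] for r in records} - set(inventory))


def beacon_candidates(records, ports=WATCHED_PORTS, min_beacons=MIN_BEACONS,
                      max_jitter=MAX_JITTER_RATIO):
    """Group watched-port connections by (mac, dst, port) and flag those whose
    inter-connection gaps are nearly constant, i.e. a periodic call-home."""
    by_flow = defaultdict(list)
    for r in records:
        if r["port"] in ports:
            by_flow[(r["mac"], r["dst"], r["port"])].append(r["ts"])
    findings = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"mac": flow[0], "dst": flow[1], "port": flow[2],
                             "count": len(stamps), "interval": avg})
    return findings


def report(text=SAMPLE_LOG, inventory=KNOWN_ASSETS):
    """Combine both checks: an unknown device that also beacons is the strongest signal."""
    records = parse_log(text)
    unknown = set(unknown_devices(records, inventory))
    out = []
    for f in beacon_candidates(records):
        f["known"] = f["mac"] not in unknown
        out.append(f)
    return {"unknown_devices": sorted(unknown), "beacons": out}


if __name__ == "__main__":
    for finding in report()["beacons"]:
        print(finding)
```

The two checks are deliberately independent: a legitimate backup host may beacon over SSH on a schedule, and a brand-new laptop may be unknown without beaconing, so neither alone is conclusive. An unknown MAC that is also beaconing to a fixed external address is the combination worth walking over to the wiring closet for. In a real deployment the inventory would come from the asset database and the log from a switch, firewall, or flow collector, and the jitter threshold would be tuned against observed traffic.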
Those interested in the device will have to wait a while, though, as it is currently only available via pre-order (at a hefty $1295), with expected delivery at the end of September. Most of the same features can be found in the Pwn Plug that is available now (though not inexpensively: $795). That device looks like a cross between a wall-wart power supply and a plug-in air freshener—also easily overlooked.
Power Pwn was developed using money from the US Defense Advanced Research Projects Agency's (DARPA) new Cyber Fast Track (CFT) program:
It's tempting to speculate about the uses that the US government might have for a tool like Power Pwn. It's a bit hard to imagine that other, more secretive organizations, such as the National Security Agency (NSA), don't have similar—stealthier—devices already in hand, though. So, DARPA's thinking is likely along the lines of what Pwnie Express CEO Dave Porcello told Wired: "taking the tools that the hackers are using and putting them in the hands of the people that need to defend against the hackers."
Over time, of course, these kinds of devices are only going to get smaller and more stealthy. There are some limits, though, particularly in terms of power and wired networking connections—at least today. But it is clear that attackers are going to have better and better tools over time. In a somewhat different context (remote scanning), Bruce Schneier recently observed:
We're at a unique time in the history of surveillance: the cameras are everywhere, and we can still see them. Fifteen years ago, they weren't everywhere. Fifteen years from now, they'll be so small we won't be able to see them.
Keeping network intrusion devices from gathering sensitive data—or causing mayhem—is only going to get more difficult over time. Devices like Power Pwn and Pwn Plug are just the beginning. Widespread strong encryption, which will likely need to be deployed on wired networks as well, can help. But that just makes guarding the keys that much more important, of course. It's an arms race.
Index entries for this article
Security | Hardware
Security | Tools/Penetration testing