Engineer SexyCyborg lives in Shenzhen, China, and recently became of a fan of the really good show Mr. Robot. The series is a far more realistic depiction of hacking than the typical show, from the relatively non-theatrical methods of using tor exit node exploits to catch a child pornographer, to the reliance on social engineering methods like dropping a flash drive in an office parking lot, knowing someone might bring it inside and try to snoop on it with their work computer.
SexyCyborg took inspiration from that, realizing that many hacking tools are small and simple, and social engineering goes a long way. See that picture of her above? Would a security guard think she’s trying to break into the company’s network? Where would she hide the gear, anyway?
Oh. There. In the platform heels she designed and 3D-printed from PLA plastic, which supports her weight and weighs about the same as regular shoes. She explains:
So I got to thinking, if I had to do penetration testing on a corporate facility, how would I do it? Social engineering for one; I’m a natural honeypot. I think there’s a reasonable chance that a guy might invite me back to their office after a few drinks in the neighborhood? But a handbag would be suspicious and leaving cell phones at the gate would be standard practice in any reasonably secure facility. My typical clothing does not leave room to hide anything, but that’s all the more reason they would not be suspicious of me.
She calls them Wu Ying Shoes (meaning “shadowless”) after local folk hero Wong Fei-hung, who would distract opponents with upper body movements then take them out with his feet (a “shadowless kick”). That’s definitely a fitting name.
Each shoe contains a hidden drawer that can be removed without taking the shoes off. This is what’s inside:
One shoe holds a pen testing drop box, which is a wireless router (with a built-in battery) running OpenWRT. It can be left running while the shoe is being worn to engage in wi-fi sniffing, war-walking, and more. Or it can be plugged into an open network jack for remote access later on. She coyly jokes about what else this could be used for without admitting anything illegal:
This router may-or-may-not be running a custom version of Wispi for the TP-Link TL-MR10U because if it was it would probably be illegal in China so maybe its not. But if it was I could run Jasager/Karma which lets you can fake being a friendly/known wifi access point and setup a fake login page to capture passwords, among other cool tricks.
The other shoe holds a keylogger with built-in memory (it plugs into the back of a computer and saves every keystroke made by the user), a retractable cable for the OpenWRT router, a shim (to open padlocks), and a lock pick set.