Pwnie Express

K Kent Woodruff 3 years 5 months ago

I was recently asked if AirDefense can detect a Pwnie Express. The simple answer is yes, but there are caveats.

Pwnie Express is the first-to-market drop box platform. Basically it is a plug computer, a device that looks like a big white phone/electronics charger. It even comes with decals to better disguise it. Here are the specs:

- 4.3 x 2.7 x 1.9 inches
- 2.3 watts idle, 7 watts max CPU
- 1.2GHz ARM CPU with 512M SDRAM, 512M flash HDD
- 1x Gig Ethernet, 1x USB 2.0, 1x serial console
- SDHC/SDIO card slot for disk/IO expansion
- Accepts 110-240v voltages (adapters available)
- 3G/GSM models work with Verizon, AT&T, T-Mobile, & GSM carriers in over 160 countries

This is a pentesting tool meant to be "dropped" onsite. It is plugged into a power outlet and an Ethernet jack. It runs a pretty standard set of open source hacking tools and communicates back to the attacker via tunneled protocols over the victim's network, a cell phone connection or wireless. The wireless is intended to be an attack tool only, but could also be configured to communicate with the attacker. It also has the capability to circumvent 802.1x and NAC via some cool automation of pretty well-known techniques.

ADSP can detect the wireless attacks; however, a very common scenario would be a wired-only configuration or wired with cellular communications. In these configurations we could also detect the device via wired monitoring. However, when using the NAC/802.1x bypass mode, the device spoofs the authenticated client MAC/IP and we would not see it.

These devices will likely be deployed in remote sites where they are less likely to be detected. ADSP's wired monitoring is a great way to keep an eye on what's getting plugged into those remote networks. Additionally, most companies use some form of change control in their switched network. Wired monitoring provides automated validation of those MAC-level changes.

Check out: tip://pwnieexpress.com/pwnplug.html

Kent
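The MAC-level change validation mentioned in the post, sketched as an added example; it is not part of the original post and not ADSP code. The baseline layout, port names and MAC addresses are constructed assumptions standing in for a change-control record and a polled switch MAC table.

```python
# Added illustration: validate observed switch MAC entries against a
# change-control baseline. All data below is constructed sample input.
APPROVED = {  # switch port -> MACs approved for that port
    "Gi1/0/1": {"00:11:22:33:44:55"},
    "Gi1/0/2": {"00:11:22:33:44:66"},
    "Gi1/0/3": set(),  # patched jack with nothing approved on it
}

OBSERVED = [  # (port, MAC) rows as polled from a remote-site switch
    ("Gi1/0/1", "00:11:22:33:44:55"),
    ("Gi1/0/2", "00-11-22-33-44-66"),   # same MAC, different notation
    ("Gi1/0/3", "02:AA:BB:CC:DD:01"),   # new device on an empty jack
    ("Gi1/0/4", "0011.2233.4455"),      # approved MAC on a second port
]

def norm(mac):
    """Normalise MAC notation so dash, dot and colon forms compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def validate(approved, observed):
    """Return sorted (port, mac, finding) rows not covered by the baseline."""
    baseline = {p: {norm(m) for m in macs} for p, macs in approved.items()}
    home = {m: p for p, macs in baseline.items() for m in macs}
    findings = []
    for port, raw in observed:
        mac = norm(raw)
        if mac in baseline.get(port, set()):
            continue  # matches an approved change, nothing to report
        if mac in home:
            note = f"approved MAC seen off its approved port {home[mac]}"
        elif port not in baseline:
            note = "unknown MAC on untracked port"
        else:
            note = "unapproved MAC"
        findings.append((port, mac, note))
    return sorted(findings)

if __name__ == "__main__":
    for port, mac, note in validate(APPROVED, OBSERVED):
        print(f"{port:8} {mac}  {note}")
```

As the post notes for the NAC/802.1x bypass mode, a device that presents an approved MAC on that MAC's approved port passes this check, so it validates changes rather than proving a port is clean.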
