Extracting data with USB HID

High security workstations have some pretty peculiar ways of securing data. One of these is disabling any USB flash drives that may find their way into a system’s USB port. Security is a cat and mouse game, so of course there’s a way around these measures. [d3ad0ne] came up with a way of dumping files onto an SD card by using the USB HID protocol.

We’ve seen this sort of thing before, where a microcontroller carries an executable to extract data. Previously, the best method was to blink the Caps Lock LED on a keyboard, sending one bit at a time to a microcontroller. [d3ad0ne]’s build exploits the USB HID protocol, but instead of 1 bit per second, he’s getting about 10kBps.

To extract data from a system, [d3ad0ne] connects a Teensy microcontroller to the USB port. After opening up Notepad, [d3ad0ne] mashes the Caps Lock key to force the Teensy to type out a script that can be made into an executable. This executable is a bare-bones application that can send any file back over the USB cable to the Teensy where it’s stored on an SD card. Short of filling the USB ports in a workstation with epoxy, there’s really no way to prevent secure files from leaking out of a computer.

Comments

  1. bWare says:

    If you are going to the trouble of providing someone with a keyboard and screen, you probably aren’t really trying to prevent them using the computer?

    • andar_b says:

      No but you may be trying to prevent them from taking classified data home to distribute. Many of these high security stations will be completely isolated the internet, as well as having no simple way to transfer files onto and off of them without dismantling the computer, which would require a key and a password in the bios.

      • d3ad0ne says:

        andar_b hit the nail on the head. Lots of “trusted” people have exclusive access to classified systems. DLP usually prevents them from burning CDs or using external media. The networks these machines are on are internal with no access to the internet. The sad thing is none of these protections will keep a user from plugging in a “keyboard”.

  2. Michael says:

    And epoxy in the USB-port is no trouble to circumvent for HaD readers:-)

    • HC says:

      Any security measure that leaves the user alone with the computer can be broken, and usually broken quickly if the user knows about it in advance. I’m sure it wouldn’t be too difficult to rig up a SATA pass-through connector and board that would dump everything read or written to an external drive. I’d be willing to bet it already exists.

      • Ken says:

        It may already exist, but honestly, it would be expensive and difficult to rig to say the least.

        You are talking about intercepting 3Gb/s over only 2 differential pairs. I don’t think there is any way you are snooping that without custom Si.

        • fhunter says:

          Xilinx/Altera FPGA + proper phy chip, or, even better – two converters SATA->PATA and PATA->SATA (they are transparent), then hang your hardware on PATA bus to eavesdrop.

  3. truthspew says:

    Back when I worked for the company that shall not be named but is shopping itself around the VC’s right now in order to go private, well they decided to implement DLP.

    Except that it only affected Windows boxes. So if you had a little spare computer around you threw Ubuntu, Debian, or whatever together with sshd active.

    Then you could simply scp the documents from your Windows box to your Unix box and mount your device on the Unix box and copy files to your heart’s content.

    So I demonstrated this and they banned all Unix boxes on the desktop. But what they forgot was we had labs full of Unix boxes so you just scp’d to those and plugged your device into that and cp’d away.

  4. ejonesss says:

    “Many of these high security stations will be completely isolated the internet”

    just like mission impossible.

    remember the scene where the group lowered themselves into a room that was secured by a thermal sensor where a 1 degree change would set off the alarm and the slightest step on the floor would set off the alarm; the drip from the sweating glass of soda caused the alarm to sound.

    actually a better way to prevent any usb attack would be to take a desoldering gun to all of the computers and remove the usb and other connectors from the motherboard that allow external access.

    and required connections would be soldered directly to the board like the mouse and keyboard.

  5. Brilliant, I was thinking about ways that you can get information out of a secured pc that is monitored.

    • Greenaum says:

      Was it on here I read about software, that modulates the red line of a vga connector to emit RF? Specifically, RF in the VHF range, encoded in such a way that a nearby digital TV / decoder box could pick up the signal, which rendered as a picture on the TV screen.

      Unless you’re using full TEMPEST or suchlike, a simple bit-of-wire aerial, an amplifier and a recorder of some sort, together with the right software, can always be used to suck stuff from a computer. You could even go the old-fashioned way, modulate data out of the sound card.

      It doesn’t have to be completely stupidly easy, but if someone wants to put a bit of effort in to extract your data, there’s probably nothing you can do about it, short of supervising them, And even then it’d have to be very close supervision.

  6. Steve0 says:

    The security blocking USB is usually more about preventing viruses and malware from getting onto the system (by a careless user plugging in an unauthorized and compromised device) rather than preventing a user from taking files off the system.

  7. markaeric says:

    It’s pretty pathetic how poorly many companies with sensitive information secure workstations. Lock the towers in a cage and be done with it.

  8. midnitesnake says:

    Also achieved with the Hak5 USB Rubber Ducky!

    Mentioned previously.

  9. lloyd says:

    Using epoxy?

    Does no one think to just disable USB or physically remove the USB ports?

  10. yeah says:

    Recently I finished up a contract I had with a very large, multibillion dollar corporation. I was working on some hardware projects and… blah blah blah..

    … They had all the systems set so no USB flash drives nor USB external hard drives would work (unless you were able to get through all the red tape). Funny thing was that they didn’t seem to realize that the SD card slots on the laptops show up as “card readers” and not “USB drives.”

    It sure is interesting getting in early and downloading operating systems from the web in a couple of minutes.

  11. Dave.. says:

    If they’re going far enough to block the use of flash drives, won’t they also block user-supplied executables?

    • jonam says:

      My company blocks downloading of executables and zip files as well as installing said files via the Windows installer. Internet is also heavily filtered so that you are restricted to such a small number of sites that it gets impossible to do work (e.g installing open-source software for data analysis, access to technical articles, standards and so on). On top of this, we are only given IE 6 as the approved web browser. A great initiative for improving office productivity.

      The only way I get my work done is to spend one day a week working from home and doing all the things I can’t do in the office and then bringing in the files to work the next day.

      • vic says:

        I used to work for a similar paranoid company, however we did not have Internet access at all. Believe it or not I was in charge of building a webapp for one of their sites, and was lucky enough to have shell access to a server connected to the Internet. I spent the first few days here writing a proxy in Perl so that I could actually do work. I didn’t stay long.

  12. Willrandship says:

    One of the cardinal rules of computer security: If a hacker has access to your hardware, it’s not your computer anymore.

    This goes along with rules such as: If a hacker has a login, it’s not your computer anymore.

    • Truth says:

      If anyone runs code on your computer, be it the OS or any other software, it is not your computer; it is the person’s who created/compiled the code. Every Windows machine is owned by Microsoft and not the person who bought the hardware. (google “Computer Online Forensic Evidence Extractor” AKA COFEE ).

  13. qwerty says:

    Easier way: just FSK a sinewave on the audio out, record with any portable recorder (cellphone mic in) and decode it using any software modem programs out there. It’s potentially much faster, a few lines of code and virtually unnoticeable.

    Also, if the workstation has a secondary unused video out, well, you get the idea.

  14. NThanks says:

    An excellent hack in every sense of the word!

  15. Willrandship says:

    Most effective way I can think of to prevent USB devices would be to have it deny all devices’ existence except for the stuff you will use.

    • d3ad0ne says:

      The only thing wrong with this theory is that the HID descriptor can be programmed to exactly match existing equipment. I would say the best workaround for this is to have a DLP agent look for function calls to hid.dll for ‘set_feature’ and ‘get_feature’, since that is technically the exploit. Remember this can be done with any HID device, keyboard, mouse, joystick, wii-remote etc.
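The check d3ad0ne suggests above, sketched at the USB transfer level rather than by hooking the API calls he names. This is an added example, not code from the post or from d3ad0ne's project; the trace, device names and the 256-byte threshold are constructed assumptions.

```python
from collections import defaultdict

# HID class request codes and report types (USB HID 1.11, section 7.2)
GET_REPORT, SET_REPORT = 0x01, 0x09
REPORT_TYPES = {1: "input", 2: "output", 3: "feature"}

# Constructed sample trace, fields already parsed from a bus capture:
# (seconds, device, bmRequestType, bRequest, wValue, wLength)
TRACE = [(0.1 * i, "kbd-A", 0x21, SET_REPORT, 0x0200, 1) for i in range(5)]       # LED updates
TRACE += [(0.005 * i, "kbd-B", 0x21, SET_REPORT, 0x0300, 64) for i in range(200)]  # bulk feature writes
TRACE += [(1.0, "kbd-A", 0xA1, GET_REPORT, 0x0300, 8)]                             # one small feature read


def classify(bm_request_type, b_request, w_value):
    """Return (direction, report_type) for a HID report request, else None."""
    # 0x21 = host-to-device class request to an interface; 0xA1 = device-to-host
    if (bm_request_type, b_request) == (0x21, SET_REPORT):
        direction = "set"
    elif (bm_request_type, b_request) == (0xA1, GET_REPORT):
        direction = "get"
    else:
        return None
    # The high byte of wValue carries the report type, the low byte the report ID
    report_type = REPORT_TYPES.get(w_value >> 8)
    return (direction, report_type) if report_type else None


def feature_bytes_per_device(trace):
    """Sum the bytes moved in Feature reports, in either direction, per device."""
    totals = defaultdict(int)
    for _ts, device, bm, req, w_value, w_length in trace:
        kind = classify(bm, req, w_value)
        if kind and kind[1] == "feature":
            totals[device] += w_length
    return dict(totals)


def flag_devices(trace, max_feature_bytes=256):
    """Devices whose Feature-report volume exceeds the (assumed) threshold."""
    totals = feature_bytes_per_device(trace)
    return sorted(d for d, n in totals.items() if n > max_feature_bytes)


if __name__ == "__main__":
    print(feature_bytes_per_device(TRACE), flag_devices(TRACE))
```

Caps Lock LED changes travel as Output reports, so ordinary keyboard use does not count toward the total; only Feature-report volume does.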

  16. xorpunk says:

    thank god for GPO and modprobe which cover all operating systems..

    this is why you hire experienced people to do your security, not a graduate student or some cert idiot. Those and sandboxing to protect from remote code executions, along with connection encryption like ipsec and tls, are how you harden boxes, then only real talent who know RE and shellcode, can get in…

  17. xorpunk says:

    This works because these days hackers are graduate students and cert people. They don’t know about GPOs and modprobe… They read tutorials off google to harden boxes for their employers…

  18. BotherSaidMayans says:

    Looks like there will be a few red faces in a certain four letter agency today.

  19. jwrm22 says:

    Nice article! Think of the possibilities… About the possibility to use other protocols that aren’t locked. DVI is more usable than VGA because it’s already digital, also it’s got I2C lines… I don’t know about the security on those, at least it’s bi-directional.

    I’ve seen PCs around where they disabled the ‘right click’ on the mouse, everything else locked, no physical access (the screen was built in an aquarium), no programs installed besides Firefox, no way to change anything. But there wasn’t any secret data either…

    This uses a .vbs, would it be possible to load an application as “txt” and renaming the “txt” to .exe when the file is completed? Or are there data combinations that ascii could never produce? With some testing I can get putty to work as .txt, but after 1:1 copying it wouldn’t run. remaining as .txt is still a neat way to get exe in to a semi locked system. Digging a tunnel from inside out…

  20. sucotronic says:

    Wow, I had the same idea some time ago, but reached the speed limitation of emulating keyboard speed and not knowing what kind of host program to dump in the notepad. This guy rocks!

  21. Whatnot says:

    If you are an entrepreneur: start making keyboards and mice that securely ID themselves (and communicate securely) and sell them to the various government. You’ll soon be millionaire.

  22. Koplin says:

    http://stackoverflow.com/questions/723449/retrieving-the-serial-number-of-a-usb-keyboard-under-windows

    http://www.silabs.com/Support%20Documents/TechnicalDocs/AN249.pdf

    You will see provisions for serial numbers, device IDs and all sorts of ways to fingerprint devices. By using software one is able to monitor in real-time all USB devices attached in a network. One can look for changes, say calls to enumerate devices. Then upon additions, removal, or changes, i.e. unplug keyboard, plug in emulator that has same ID and even SN, you can easily identify what is going on. Especially when the secure network should not have any changes that are unapproved. In this case a change (new device detection/re-detection) would cause the network to sandbox the host. Yes, turning off the host and placing this in place “could” work. The issue there is security like this isn’t commonly advertised in a network so you might find out the first time you connect something. We use something like this in our office. I can tell you everyone that has an iphone, android or other “device” on the system, even just charging. Wireless keyboards vs wired, how many Microsoft or Logitech mice. Staff is not made aware of this intentionally.

    While it’s uncommon, the tools to detect and do this exist. Physical access does usually mean compromised data/machine, but that is why proper security depends on a layered approach and proper threat assessment.

    • Whatnot says:

      Panicking when a keyboard is unplugged for a sec will only create chaos and potentially huge issues on a workplace. What if that station is doing something important? You think waiting 30 minutes to find who to call and getting them in and having them reset things will do it? I think not. It can work in some specialized setups, but I’d certainly not advise it on a large scale.

      And then there’s the bypass of simply turning off the power while switching the devices. And that too is simply not something you can disallow since it would prevent the common solution for computer issues. Plus with portable equipment it would also not work. And then there is the modern standby mode, where devices are also put in low power or uncoupled so you could not monitor, and of course when you log in as another user the system can also re-initialize so it would appear devices were unplugged.
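A sketch of the attach-event review discussed in this thread, as an added example that is not code from the post or from either commenter. The baseline, hosts, ports and IDs are constructed, and the two alert tiers are an assumption meant to separate an unknown device from an approved one that was merely replugged.

```python
# Constructed baseline: (host, port) -> approved (vid, pid, serial)
APPROVED = {
    ("ws-01", "1-1"): ("046d", "c31c", "SN-A1"),
    ("ws-02", "1-1"): ("045e", "0750", "SN-B7"),
}

# Constructed event log: (timestamp, host, port, action, vid, pid, serial)
EVENTS = [
    (100, "ws-01", "1-1", "detach", "046d", "c31c", "SN-A1"),
    (104, "ws-01", "1-1", "attach", "046d", "c31c", "SN-A1"),  # same identity returns
    (200, "ws-02", "1-2", "attach", "1234", "5678", "SN-X"),   # identity not in baseline
    (300, "ws-02", "1-1", "attach", "045e", "0750", "SN-B7"),  # attach at boot, no detach seen
]


def review(events, approved):
    """Return (timestamp, host, port, reason) alerts for attach events."""
    alerts, detached = [], set()
    for ts, host, port, action, vid, pid, serial in sorted(events):
        key, identity = (host, port), (vid, pid, serial)
        if action == "detach":
            detached.add(key)
        elif approved.get(key) != identity:
            # A device the baseline does not list on this port
            alerts.append((ts, host, port, "unapproved"))
        elif key in detached:
            # Identity matches, but IDs and serials can be copied, so a
            # replug of an approved device is still recorded for review
            detached.discard(key)
            alerts.append((ts, host, port, "re-enumerated"))
    return alerts


if __name__ == "__main__":
    for alert in review(EVENTS, APPROVED):
        print(alert)
```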

  23. Nick P says:

    It’s interesting that the post notes that this has been done before, citing a hackaday post in 2012. Actually, it was done way before that in 2010. (back then) I found the following by typing bypassing DLP into Google. He’s still the 3rd search result. Good for him haha.

    http://thomascannon.net/projects/dlp-bypass/

    Enjoy!

    Nick P
    schneier.com

  24. g.a says:

    There is a rule in a company I know: when you plug something into USB (even replug a keyboard) the box automagically blocks access and the user is fired.

  25. SonicBroom says:

    My favorite way of getting round companies’ stupid USB limitations was uninstalling the driver from control panel, removing the device and then plugging it back in. Worked… every… time.

    • Sam says:

      What if you have no rights to install USB devices on the machine at all? Would the exploit from the article or your own exploit work?

      • HAK3Ri5 says:

        Hopefully there’s still PS/2 port available on the machine. That one can be used to transfer data at very low rate using some “CapsLock/ScrollLock/NumLock based light signal communication protocol”.
        You can also hack your existing USB keyboard to leak the data bits using the same comms.
        Cheers!

  26. k4t434sis says:

    Reblogged this on kat5 . postfix.

  27. HAK3Ri5 says:

    Really nice concept! Njah, but the *.exe part is not quite attractive. It requires MS VB 6.0 ComCtl registered on the system to run :(
    You should try just a bit harder to make it more portable if you really want someone to be interested in your solution…
    Good luck!
