Universal Serial Abuse

It’s probable that most Hackaday readers are aware of their own computer security even if they are not specialists. You’ll have some idea of which ports your machines expose to the world, what services they run, and you’ll know of a heap of possible attack vectors even if you may not know about every last one.

So as part of that awareness, it’s likely you’ll be wary of strange USB devices. If someone drops a Flash drive in the parking lot the chances of one of you blithely plugging it into your laptop is not high at all. USB ports are trusted by your computer and its operating system, and to have access to one is to be given the keys to the kingdom.

Our subject today is a DEF CON talk courtesy of [Dominic White] and [Rogan Dawes] entitled “Universal Serial aBUSe“, and it details a USB attack in which they create an innocuous USB stick that emulates a keyboard and mouse which is shared across a WiFi network via a VNC server. This gives an attacker (who can gain momentary physical access to a USB port to install the device) a way into the machine that completely bypasses all network and other security measures.

Their hardware features an AVR and an ESP8266, the former for USB and HID work and the latter to do the heavy lifting and provide WiFi. They started with a Cactus Micro Rev2, but graduated to their own compatible board to make the device more suitable to pose as a USB stick. Both hardware and software files can be found on their GitHub repository, with the software being a fork of esp-link. They go into significant detail of their development and debugging process, and their write-up should be an interesting read for anyone.

Below the break you can find a video description of the attack. It’s not a shock to know that USB ports have such little defense, but it is a sobering moment to realize how far attacks like this one have come into the realm of what is possible.

USB security is something we’ve covered before here at Hackaday, with an earlier talk on the subject from Shmoocon and the DEF CON talk about BadUSB exploits using device microcontrollers. Our favorite solution though is the USB killer, a device that fries the ports of people who plug in those parking lot thumb drives.

26 thoughts on “Universal Serial Abuse

    1. But then they can identify you if/when they figure it out.

      Planting them on sidewalks is too hit or miss for something like this that’s not particularly cheap.

      Best is to wait for a tradeshow that’s in a hotel to show up in town, put a sticker on each stick with one of the exhibitor’s logos, and sneakily leave a small handful on a table in the public areas of the hotel.

      1. I don’t know. It’s such a pain in the butt to access the rear ports on my tower with my desk that it really might be quicker to just pull the tower a couple inches, reach back and undo the thumbscrews and go for the header pins, than to get it far enough out to reach the rear ports without anything unplugging. Don’t forget the whole USB A superposition joke: it’s notoriously hard to do by feel.

    1. I don’t know how many people grovel under their desks on a regular basis to look for extra devices plugged in. Visibility is more of an issue for laptops (especially those with USB ports only on the sides, not behind the screen), but you may find that there is an existing docking station, or USB hub plugged in on a regular basis, that you can plug into instead.

    2. You’d need software then, since normally a PC just ignores it’s serial ports. If you can get software to run on the machine, you already own it, so you don’t need any serial port connected hardware.

      However… it’s not a bad idea if you use the USB headers on the motherboard instead. Either an unusued one, which some motherboards will have, or if you were really sneaky, you could implement a USB hub on a PCB. Plug that into the USB header, and then run the USB port that was previously plugged there from the hub.

      That’s if you want it fairly invisible. The hub will still show up to the machine’s OS but a user wouldn’t usually look.

      Simpler option is just use a USB motherboard header, and leave it’s corresponding port on the case unplugged. User just notices a broken USB port. If it were my PC, I’d eventually open the case to check why it didn’t work, but most people wouldn’t.

      USB in general is kind of a gigantic security hole. The fact that the user has no way of knowing what the hardware he plugs in actually does. Any USB anything can have keyboard and mouse access. You can even install a USB graphics driver, so you can read the screen. That might need some setup on the PC though, and again the extra graphics port might be spotted. But most users are oblivious about that sort of thing.

  1. For those of us running an open source OS, an option to designate a USB port as untrusted might be nice. Plug an uncertain device in there, and run lsusb without risk of the attached device doing anything.

  2. There was a similar hack where the USB driver chip inside basically any old usb drive could be reprogrammed to carry out keyboard commands (I forgot the name, anyone remember?). There’s also USB rubber ducky which does something very similar.

      1. This adds the WiFi interface. My understanding of the Rubber Ducky is that you essentially have to have your payload all setup and configured before hand. This allows out of band remote interaction with the compromised system.

  3. I suspect that a modified mobile phone (perhaps only software/OS only changes) may also be able to do this. If this is possible a compromised phone could then compromise any Windows box it is plugged into.

  4. What we need is more than a USB charging condom, we need a USB USB identifier probe.
    A gadget which forwards pretty much the lsusb info and cross IDs the kernel modules that will load or use. Maybe even more logic as it does a passthrough service with monitoring for suspicious activities, a sudden new hub or USB device, perhaps unusual amperage draws.
    At this point I think it would be cool in to have a Gnome tray app to pop up new HID stuff and optionally require an OK before it becomes active, because being paranoid can be fun. Almost as much fun as rubber-ducking someone with a trojan horse fake USB flash drive that has a Digispark or something programmed with the Rubber Ducky scripted keyboard hacks.

  5. I understand but… isnt cheaper to install a portable remote desktop app like teamviewer or something on a pen drive and have it with autorun? You would only need a 10 line script to send remote app ID and PASS to wherever you want maybe pastebin or a website you own..

    Even better, would be to add 5 lines to that script to copy the program to pc hard drive, and you get unlimited access time to compromised machine as long as you dont get caught..

    1. Yeah, but then you are on the target’s network. This attack uses wifi in the USB device to connect back to a different network to avoid and network intrusion detection.

      Though you are still running commands on the target machine, so the target still has the opportunity to shut the whole thing down by not allowing commands to be run… disable powershell, or even report on a new process running that isn’t normal… or a whitelist of what can be run is a possibility that could shut this particular attack down.

      It’d be much more interesting if this was tied into a NSA style tempest attack (screen scraping with an SDR) so that the target itself only needed to be able to accept HID commands and the VNC server on the USB device presented a captured screen from the SDR… all the target sees is a HID device and keystrokes/mouse movements coming from that HID device…

      1. I like the idea of screen scraping using SDR a lot. I’m also looking at ways to extract video using a device, most likely it will have to have the video feed plugged in to it, though. i.e. more targeting an active attacker deploying the device, as opposed to unsuspecting victim plugging in a flash drive.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s