[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.
The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.
[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up PowerShell and runs a one-liner command. Generally, this command will create a file based on input received from a web site controlled by the attacker. The script might download a trojan virus, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.
Protecting against this type of attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users to not plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.
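One more detection signal for the attack described above is timing: an emulated keyboard enters its one-liner far faster and more evenly than a person types. The following is an added example, not code from [Nikhil]'s project; the thresholds, function names and sample timestamps are assumptions constructed for illustration.

```python
"""Flag keystroke runs too fast and too sustained to be a person typing."""
from statistics import mean

# Assumed thresholds, to be tuned per environment (not from the article).
MAX_GAP_MS = 30.0          # every gap inside a run must be at or below this
MIN_RUN_KEYS = 12          # shorter runs (for example key rollover) are ignored
ATTACH_WINDOW_MS = 10_000  # a run this soon after a keyboard attaches rates higher


def find_fast_runs(key_times_ms, max_gap=MAX_GAP_MS, min_keys=MIN_RUN_KEYS):
    """Return (first_index, last_index, mean_gap_ms) for each qualifying run."""
    runs, start, n = [], 0, len(key_times_ms)
    for i in range(1, n + 1):
        # A run ends at the end of input or at the first gap above the threshold.
        if i < n and key_times_ms[i] - key_times_ms[i - 1] <= max_gap:
            continue
        if i - start >= min_keys:
            window = key_times_ms[start:i]
            gaps = [b - a for a, b in zip(window, window[1:])]
            runs.append((start, i - 1, round(mean(gaps), 1)))
        start = i
    return runs


def alerts(key_times_ms, attach_times_ms):
    """Pair each fast run with whether a keyboard attached shortly before it."""
    out = []
    for first, last, gap in find_fast_runs(key_times_ms):
        t0 = key_times_ms[first]
        recent = any(0 <= t0 - a <= ATTACH_WINDOW_MS for a in attach_times_ms)
        out.append({"keys": last - first + 1, "mean_gap_ms": gap,
                    "severity": "high" if recent else "medium"})
    return out


# Constructed sample: a person typing, then 40 key-downs 5 ms apart that start
# 2 s after a new keyboard enumerates at t=3000 ms, then the person again.
HUMAN = [0, 180, 340, 610, 790, 1020, 1300, 1450]
SAMPLE_KEYS = HUMAN + [5000 + 5 * k for k in range(40)] + [9000, 9210]
SAMPLE_ATTACH = [3000]

if __name__ == "__main__":
    print(alerts(SAMPLE_KEYS, SAMPLE_ATTACH))
```

Timing is one signal among several and works best alongside USB device control and web filtering.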
[Lou]’s entry for the Trinket EDC Contest is a great addition to the ubiquitous digital calipers found on workbenches and eBay resellers the world over. It translates the value displayed on the calipers to a USB HID interface for logging all those tricky measurements at the push of a button.
Most of the digital calipers you’ll find at Harbor Freight or on eBay are pretty much the same. There are two pads on the caliper’s PCB that give any microcontroller the ability to read what is being measured. It’s done with a 24-bit encoding scheme, where each bit is a nearly-BCD measurement in units of 1/1000 of an inch or 1/100 of a millimeter. After decoding the value, [Lou]’s trinket sends a few numbers to a computer over a USB HID interface.
Simply sending a measurement to a computer over USB wasn’t enough for [Lou]. He added three buttons to the project for typing multiple characters. The first button just sends Enter to the computer, the second sends a comma, and the third sends “/2 (Enter)”, exactly what you need to input the radius of something when measuring the diameter.
This was a project for the Trinket EDC Contest that ended a few hours ago. Nobody knows who the winner is, but there are some pretty cool prizes up for grabs including the new Rigol scope, a Fluke 179, and a soldering station.
Computers blindly trust USB devices connected to them. There’s no pop-up to confirm a device was plugged in, and no validation of whether the device should be trusted. This lets you do some nefarious things with a simple USB microcontroller.
We’ve recently seen two examples of this: the USBdriveby and the Teensyterpreter. Both devices are based on the Teensy development board. When connected to a computer, they act as a Human Interface Device to emulate a keyboard and mouse.
The USBdriveby targets OS X. When connected, it changes the DNS server settings to a custom IP, to allow for DNS spoofing of the victim’s machine. This is possible without a password through the OS X System Preferences, but it requires emulating both keystrokes and clicks. AppleScript is used to position the window in a known location, then the buttons can be reliably clicked by code running on the Teensy. After modifying DNS, a reverse shell is opened using netcat. This allows for remote code execution on the machine.
The Teensyterpreter gives a reverse shell on Windows machines. It runs command prompt as administrator, then enters a one-liner to fire up the reverse shell using PowerShell. The process happens in under a minute, and works on all Windows versions newer than XP.
With a $20 microcontroller board you can quickly fire up remote shells for… “support purposes”. We’d like to see the two projects merge into a single codebase that supports both operating systems. Bonus points if you can do it on our Trinket Pro. Video demos of both projects after the break.
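The missing validation step described above can be added at enumeration time by checking which interfaces a new device declares before it is allowed to act as input. The following is an added example, not code from either project: it parses Linux sysfs interface `modalias` strings, and the vendor/product IDs, the allowlist and the function names are constructed assumptions.

```python
"""Default-deny policy for USB devices that declare a HID interface."""
import re

# Leading fields of a Linux USB interface modalias string (hex, upper case).
MODALIAS_RE = re.compile(
    r"^usb:v(?P<vid>[0-9A-F]{4})p(?P<pid>[0-9A-F]{4})d[0-9A-F]{4}"
    r"dc[0-9A-F]{2}dsc[0-9A-F]{2}dp[0-9A-F]{2}"
    r"ic(?P<cls>[0-9A-F]{2})isc(?P<sub>[0-9A-F]{2})ip(?P<proto>[0-9A-F]{2})"
)
HID_CLASS = 0x03                                  # USB base class for HID
PROTO_NAMES = {0x01: "keyboard", 0x02: "mouse"}   # HID interface protocol codes

# Constructed allowlist of issued input devices as (idVendor, idProduct).
# These fields are reported by the device itself, so this narrows exposure
# rather than authenticating the hardware.
APPROVED_HID = {(0x1111, 0x0001)}


def parse_interface(modalias):
    """Return vid, pid and interface class/subclass/protocol as integers."""
    m = MODALIAS_RE.match(modalias)
    if m is None:
        raise ValueError("not a USB interface modalias: %r" % modalias)
    return {k: int(v, 16) for k, v in m.groupdict().items()}


def evaluate_device(modaliases, approved=APPROVED_HID):
    """Decide for one physical device, given all of its interface modaliases."""
    ifaces = [parse_interface(s) for s in modaliases]
    hid = [i for i in ifaces if i["cls"] == HID_CLASS]
    if not hid:
        return ("allow", "no HID interface")
    if (ifaces[0]["vid"], ifaces[0]["pid"]) in approved:
        return ("allow", "approved input device")
    # Protocol 0 means the role is only visible in the HID report descriptor.
    kinds = sorted({PROTO_NAMES.get(i["proto"], "hid") for i in hid})
    extra = " alongside non-HID interfaces" if len(hid) < len(ifaces) else ""
    return ("block", "unapproved " + "+".join(kinds) + extra)


# Constructed samples: an issued keyboard, an unknown keyboard+mouse composite,
# and a plain mass-storage stick.
ISSUED = ["usb:v1111p0001d0100dc00dsc00dp00ic03isc01ip01in00"]
UNKNOWN = ["usb:v2222p0002d0100dc00dsc00dp00ic03isc01ip01in00",
           "usb:v2222p0002d0100dc00dsc00dp00ic03isc01ip02in01"]
STORAGE = ["usb:v3333p0003d0100dc00dsc00dp00ic08isc06ip50in00"]

if __name__ == "__main__":
    for dev in (ISSUED, UNKNOWN, STORAGE):
        print(evaluate_device(dev))
```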
Moving the cursor around your computer screen is an everyday occurrence that we humans do not give much of a second thought to. But what if you didn’t have to move your hands from the keyboard anymore? Sure, there are keyboards with Track Point or even track pads not too far from the keys, which isn’t too bad. What if you could just slightly point your face in the direction you want the mouse to move? The [Sci-Spot] folks wondered the same thing and came up with a DIY Head Mouse.
The concept is pretty darn simple; a web cam is mounted to the user’s head and points at the computer screen. Mounted on top of the screen is one IR LED. Our eyes cannot see the IR light, so it is not annoying or distracting. The camera, however, is filtered to only see IR by placing a couple of layers of camera film negative over the lens. Before you go complaining about strapping a camera to your noggin, just think of building it into a hat, which we’ve seen used for adaptive technologies like this PS3 controller.
Custom software was written to move the mouse cursor; see the black window in the above dialog box? That represents the webcam’s field of view and the white spot is the IR LED. When the user’s head moves, the IR LED moves in relation to the camera’s field of view, in turn telling the computer to move the cursor a certain amount. There are a couple of options available like ‘magnification’ which changes how much the cursor moves with a given amount of head movement and ‘deadzone’ that ignores extremely small movements that can result from breathing.
There is no mention of how button clicks are recorded but we think a couple of buttons right below the space bar would be great. The control software is available for download on the Sci-Spot page for those who want to make their own.
Cheap keyboards never come with extra buttons, and for [Pengu MC] this was simply unacceptable. Rather than go out and buy a nice keyboard, a microcontroller was found in the parts drawer and put to work building this USB multimedia button human interface device that has the added bonus of looking like an old-school Walkman.
The functions that [Pengu MC] wants don’t require their own drivers. All of the buttons on this device are part of the USB standard for keyboards: reverse, forward, play/pause, and volume. This simplifies the software side quite a bit, but [Pengu MC] still wrote his own HID descriptors, tied all of the buttons to the microcontroller, and put it in a custom-printed enclosure.
If you’re looking to build your own similar device, the Arduino Leonardo, Micro, or Due have this functionality built in, since the USB controller is integrated on the chip with everything else. Some of the older Arduinos can be programmed to do the same thing as well! And, with any of these projects, you can emulate any keypress that is available, not just the multimedia buttons.
If you’re using an AVR microcontroller and you’d like to add USB to a project, there are a lot of options out there for you. Both LUFA and V-USB add some USB functionality to just about every AVR micro, but if you’d like a native serial port, your only options are to look towards the USB-compatible Atmel micros.
[Ray] looked at the options for adding a USB serial port and didn’t like what he saw; seemingly, this was an impossible task without a second, more capable microcontroller. Then he had an idea: if the goal is only to transfer data back and forth between a computer and a microcontroller, why not write an HID-class USB serial port?
[Ray] based his project on the V-USB library and created a new HID descriptor to transfer data between a micro and a computer. While it won’t work with a proper terminal such as PuTTY, [Ray] managed to whip up a serial monitor program in Processing that’s compatible with Windows, Linux and OS X.
In the video below, you can see [Ray] using an ATmega328p with a standard V-USB setup. He’s transferring analog values from a photoresistor as a proof of concept, but just about everything that would work with a normal serial port will work with [Ray]’s library.
A month ago [Andreas] started playing StarCraft 2 again. As he was not comfortable with the default hotkeys on a normal keyboard, [Andreas] decided to build his own.
He started by salvaging keys from an old keyboard he had lying around, then 3D printed the case you see in the picture above to fit them. The keyboard electrical design is a simple matrix and it appears that he etched the PCB himself. To provide the required USB connectivity, the Atmega8U2 was chosen. It comes with a pre-programmed USB bootloader that [Andreas] chose to activate when the left key is pressed at the system startup. The HID class was implemented using the LUFA-USB Framework and the final product is definitely good looking.
All the files required to duplicate his design can be found here. You can also check out another StarCraft keyboard and an ergonomic keyboard that we previously featured.