MalDuino is an Arduino-powered USB device which emulates a keyboard and has keystroke injection capabilities. It’s still in crowdfunding stage, but has already been fully backed, so we anticipate full production soon. In essence, it implements BadUSB attacks much like the widely known, having appeared on Mr. Robot, USB Rubber Ducky.
It’s like an advanced version of HID tricks to drop malicious files which we previously reported. Once plugged in, MalDuino acts as a keyboard, executing previous configured key sequences at very fast speeds. This is mostly used by IT security professionals to hack into local computers, just by plugging in the unsuspicious USB ‘Pen’.
[Seytonic], the maker of MalDuino, says its objective is it to be a cheaper, fully open source alternative with the big advantage that it can be programmed straight from the Arduino IDE. It’s based on ATmega32u4 like the Arduino Leonardo and will come in two flavors, Lite and Elite. The Lite is quite small and it will fit into almost any generic USB case. There is a single switch used to enable/disable the device for programming.
The Elite version is where it gets exciting. In addition to the MicroSD slot that will be used to store scripts, there is an onboard set of dip switches that can be used to select the script to run. Since the whole platform is open sourced and based on Arduino, the MicroSD slot and dip switches are entirely modular, nothing is hardcoded, you can use them for whatever you want. The most skilled wielders of BadUSB attacks have shown feats like setting up a fake wired network connection that allows all web traffic to be siphoned off to an outside server. This should be possible with the microcontroller used here although not native to the MalDuino’s default firmware.
For most users, typical feature hacks might include repurposing the dip switches to modify the settings for a particular script. Instead of storing just scripts on the MicroSD card you could store word lists on it for use in password cracking. It will be interesting to see what people will come up with and the scripts they create since there is a lot of space to tinker and enhanced it. That’s the greatness of open source.
Continue reading “MalDuino — Open Source BadUSB”
This morning I went to a fantastic talk called Hack All the Things. It was presented by GTVHacker. If you don’t recognize the name, this is the group that hacked the GoogleTV. They haven’t stopped hacking since that success, and this talk is all about 20+ devices that they’ve recently pwned and are making the info public (that link still had oath when I checked but should soon be public).
The attacks they presented come in three flavors: UART, eMMC, and command injection bugs. I’m going to add the break now, but I’ll give a rundown of most of the device exploits they showed off. I found all amusing, and often comical.
Continue reading “DEFCON 22: Hack All the Things”
We love all of the projects that are coming out for the 555 design contest, so we thought we would share a couple more that have caught our collective eye. Have a 555 project of your own? Be sure to share it with us, and keep an eye out for the contest submission dates. Read on for a few of our project picks.
Continue reading “More 555 Projects to Enjoy”
Whenever someone manages to expose vulnerabilities in everyday devices, we love to root for them. [Adrian] over at Irongeek has been inspired to exploit barcodes as a means to attack a POS database. Based on an idea from a Pauldotcom episode, he set out to make a rapid attack device, using an LED to spoof the signals that would be received by scanning a barcode. By exposing the POS to a set of generic database attacks, including XSS, SQL Injection, and other errors easily solved by input sanitation, he has created the first version of an automated system penetration device. In this case the hardware is simple, but the concept is impressive.
With the hardware explained and the source code provided, as well as a basic un-sanitized input cheat sheet, the would-be barcode hackers have a great place to start if they feel compelled to provide a revision two.
[Thanks Robert W.]
[_coreDump] was doing some database vulnerability testing using SQLmap to automate the process. To his dismay, the package was unable to test using the Simple Object Access Protocol. Faced with having to manually test all of the SOAP vulnerabilities he decided to work some Python magic and add support. His solution allows SQLmap 0.8 to parses XML data from the SOAP protocol by modifying three files from the package. He’s made the diff files available if you need this functionality for your own security testing.
[Kenneth Maxon] is a wizard who only does things one way, beautifully. While out of the average hacker’s production capabilities, his injection molding machine is amazing to behold. The machine has all features a commercial model would. It heats and cools the mold, produces over a ton of pressure to inject plastic with, and ejects parts automatically to name a few.
[Martin Beck] and [Erik Tews] have just released a paper covering an improved attack against WEP and a brand new attack against WPA(PDF). For the WEP half, they offer a nice overview of attacks up to this point and the optimizations they made to reduce the number of packets needed to approximately 25K. The only serious threat to WPA so far has been the coWPAtty dictionary attack. This new attack lets you decrypt the last 12 bytes of a WPA packet’s plaintext and then generate arbitrary packets to send to the client. While it doesn’t recover the WPA key, the attacker is still able to send packets directly to the machine they’re attacking and could potentially read back the response via an outbound connection to the internet.