Using HID Tricks to Drop Malicious Files

[Nikhil] has been experimenting with human interface devices (HID) in relation to security. We’ve seen in the past how HID can be exploited using inexpensive equipment. [Nikhil] has built his own simple device to drop malicious files onto target computers using HID technology.

The system runs on a Teensy 3.0. The Teensy is like a very small version of Arduino that has built-in functionality for emulating human interface devices, such as keyboards. This means that you can trick a computer into believing the Teensy is a keyboard. The computer will treat it as such, and the Teensy can enter keystrokes into the computer as though it were a human typing them. You can see how this might be a security problem.

[Nikhil’s] device uses a very simple trick to install files on a target machine. It simply opens up PowerShell and runs a one-liner command. Generally, this command will create a file based on input received from a web site controlled by the attacker. The script might download a trojan virus, or it might create a shortcut on the user’s desktop which will run a malicious script. The device can also create hot keys that will run a specific script every time the user presses that key.

Protecting against this type of attack can be difficult. Your primary option would be to strictly control USB devices, but this can be difficult to manage, especially in large organizations. Web filtering would also help in this specific case, since the attack relies on downloading files from the web. Your best bet might be to train users to not plug in any old USB device they find lying around. Regardless of the methodology, it’s important to know that this stuff is out there in the wild.
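One way to make "strictly control USB devices" concrete, as an added example that is not from [Nikhil]'s project: flag any newly attached device that presents a keyboard interface and is not on an allowlist, and raise the severity when a shell starts shortly after it attaches. The event format, the VID/PID values, the 60-second window and all function names are assumptions constructed for illustration.

```python
# USB interface triple for a boot-protocol keyboard: class 0x03 (HID),
# subclass 0x01 (boot interface), protocol 0x01 (keyboard).
KEYBOARD_IF = (0x03, 0x01, 0x01)
SHELLS = {"powershell.exe", "cmd.exe"}

# Constructed sample events (t in seconds); not taken from a real log.
SAMPLE_EVENTS = [
    {"t": 100, "type": "usb_attach", "vid": 0x1111, "pid": 0x0001,
     "interfaces": [(0x03, 0x01, 0x01)]},                    # the desk keyboard
    {"t": 5000, "type": "process_start", "image": "powershell.exe"},
    {"t": 9000, "type": "usb_attach", "vid": 0x2222, "pid": 0x0002,
     "interfaces": [(0x03, 0x01, 0x01), (0x03, 0x01, 0x02)]},  # keyboard + mouse
    {"t": 9004, "type": "process_start", "image": "cmd.exe"},
    {"t": 9009, "type": "process_start", "image": "PowerShell.exe"},
    {"t": 9500, "type": "usb_attach", "vid": 0x3333, "pid": 0x0003,
     "interfaces": [(0x08, 0x06, 0x50)]},                    # mass storage only
    {"t": 9510, "type": "process_start", "image": "powershell.exe"},
]
# Hypothetical allowlist. VID/PID come from the device's own descriptors,
# so an allowlist narrows exposure but cannot prove a device is genuine.
ALLOWLIST = {(0x1111, 0x0001)}


def is_keyboard(event):
    """True if any interface is a boot-protocol HID keyboard."""
    return KEYBOARD_IF in [tuple(i) for i in event["interfaces"]]


def find_suspect_keyboards(events, allowlist, window_s=60):
    """Return one finding per non-allowlisted keyboard attach event."""
    findings = []
    for ev in events:
        if ev["type"] != "usb_attach" or not is_keyboard(ev):
            continue
        if (ev["vid"], ev["pid"]) in allowlist:
            continue
        # Shells started inside the window that opens when the device attaches.
        shells = [p["image"].lower() for p in events
                  if p["type"] == "process_start"
                  and p["image"].lower() in SHELLS
                  and 0 <= p["t"] - ev["t"] <= window_s]
        findings.append({
            "device": "%04x:%04x" % (ev["vid"], ev["pid"]),
            "attached_at": ev["t"],
            "shells_after_attach": shells,
            "severity": "high" if shells else "review",
        })
    return findings
```

The check only matches boot-protocol keyboards; a device that declares subclass 0 would need its HID report descriptor parsed to be classified.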

Using RC Transmitters With Flight Simulators

It’s winter, and that means terrible weather and very few days where flying RC planes and helicopters is tolerable. [sjtrny] has been spending the season with RC flight simulators for some practice time. He had been using an old Xbox 360 controller, but that was really unsuitable for proper RC simulation – a much better solution would be to use his normal RC transmitter as a computer peripheral.

The usual way of using an RC transmitter with a computer is to buy a USB simulator adapter that emulates a USB game pad through a port on the transmitter. Buying one of these adapters would mean a week of waiting for shipping, so [sjtrny] did the logical thing and made his own.

Normally, a USB simulator adapter plugs in to a 3.5mm jack on the transmitter used for a ‘buddy box’, but [sjtrny] had an extra receiver sitting around. Since a receiver simply outputs signals to servos, this provides a vastly simpler interface for an Arduino to listen in on. After connecting the rudder, elevator, aileron, and throttle signals on the receiver to an Arduino, a simple bit of code and the UnoJoy library allows any Arduino and RC receiver to become a USB joystick.

[sjtrny] went through a second iteration of hardware for this project with a Teensy 3.1. This version has higher resolution on the joystick axes, and the layout of the code isn’t slightly terrible. It’s a great project for all the RC pilots out there that can’t get a break in the weather, and is also a great use for a spare receiver you might have sitting around.

BLDC Controller With The Teensy 3.1

[Will] is on the electric vehicle team at Duke, and this year they’re trying to finally beat a high school team. This year they’re going all out with a monocoque carbon fiber body, and since [Will] is on the electronics team, he’s trying his best by building a new brushless DC motor controller.

Last year, a rule change required the Duke team to build a custom controller, and this time around they’re refining their earlier controller by making it smaller and putting a more beginner-friendly microcontroller on board. Last year’s used an STM32, but this time around they’re using a Teensy 3.1. The driver itself is a TI DRV8301, a somewhat magical 3 phase 2A gate driver.

The most efficient strategy of driving a motor is to pulse the throttle a little bit and coast the rest of the time. It’s the strategy most of the other teams in the competition use, but this driver is over-engineered by a large margin. [Will] put up a video of the motor controller in action; you can check that out below.


Breathe New Life Into Payphones with Asterisk

Payphones used to be found on just about every street corner. They were a convenience, now replaced by the ubiquitous mobile phone. These machines were the stomping grounds for many early computer hackers, and as a result hold a place in hacker history. If you’ve ever wanted to re-live the good ol’ days, [hharte’s] project might be for you.

[hharte] has been working to make these old payphones useful again with some custom hardware and software. The project intends to be an interface between a payphone and an Asterisk PBX system. On the hardware side, the controller board is capable of switching various high voltage signals required for coin-line signaling. The controller uses a Teensy microcontroller to detect the hook status as well as to control the relays. The current firmware features are very basic, but functional.

[hharte] also wrote a custom AGI script for Asterisk. This script allows Asterisk to detect the 1700 Hz and 2200 Hz tones transmitted when coins are placed into the machine. The script is also in an early stage, but it will prompt for money and then place the call once 25 cents has been deposited. All of the schematics and code can be found on the project’s GitHub page.

[Thanks mies]

TRINKET EDC CONTEST DRAWING #5 RESULTS

The final random drawing for Hackaday’s Trinket Everyday Carry Contest was held tonight, and the winner is [flaming_goat] with Trinket Pocket IR Analyser/Transmitter!

In addition to having an awesome username, [flaming_goat] loves IR protocols. Trinket Pocket IR Analyser/Transmitter is a standalone device to read, analyze and transmit Infrared (IR) signals. The IR portion of the project is handled by a Vishay TSOP38238 (PDF link). The 382 series is a 3 pin module. It comes in several variants, each tuned to a specific carrier frequency. The 38238 will decode IR signals at 38 kHz.

The demodulated IR signals are fed into the Pro Trinket, where they can be analyzed. Data is either sent through the serial terminal or displayed on the on-board 1.44″ TFT LCD. Source code for the whole project is up on [flaming_goat’s] GitHub repo.

[flaming_goat] will be receiving a Teensy 3.1 and an Audio+SD adapter from The Hackaday Store. If the Pro Trinket is a gateway drug, then Teensy 3.1 is the hardcore stuff. Powered by a Freescale Kinetis ARM Cortex M4 processor in a tiny package, the Teensy 3.1 packs quite a punch. You might think all that power would mean complex tools, but Teensy 3.1 is still easy to program using the Arduino IDE. The Audio+SD adapter board gives Teensy 3.1 the ability to create some pretty decent audio, thanks to the Teensy Audio Library.

This was the last weekly drawing for the Trinket Everyday Carry Contest, but there is still time to enter and win the big prizes! The deadline is January 3 at 12am PDT. That’s just about 3 days to enter – so procrastinators, get in the game!

Plug Into USB, Get a Reverse Shell

Computers blindly trust USB devices connected to them. There’s no pop-up to confirm a device was plugged in, and no validation of whether the device should be trusted. This lets you do some nefarious things with a simple USB microcontroller.

We’ve recently seen two examples of this: the USBdriveby and the Teensyterpreter. Both devices are based on the Teensy development board. When connected to a computer, they act as a Human Interface Device to emulate a keyboard and mouse.

The USBdriveby targets OS X. When connected, it changes the DNS server settings to a custom IP, to allow for DNS spoofing of the victim’s machine. This is possible without a password through the OS X System Preferences, but it requires emulating both keystrokes and clicks. AppleScript is used to position the window in a known location, then the buttons can be reliably clicked by code running on the Teensy. After modifying DNS, a reverse shell is opened using netcat. This allows for remote code execution on the machine.

The Teensyterpreter gives a reverse shell on Windows machines. It runs command prompt as administrator, then enters a one-liner to fire up the reverse shell using PowerShell. The process happens in under a minute, and works on all Windows versions newer than XP.

With a $20 microcontroller board you can quickly fire up remote shells for… “support purposes”. We’d like to see the two projects merge into a single codebase that supports both operating systems. Bonus points if you can do it on our Trinket Pro. Video demos of both projects after the break.


USB On The Teensy 3 From The Ground Up

When implementing USB on a microcontroller, most people are going to reach for V-USB if they’re using an AVR, one of Microchip’s USB libraries if a PIC is involved, or any number of the USB libraries for various ARM processors. [Kevin] had a different idea. As a challenge to himself, he wrote a USB device driver for the Teensy 3.1 microcontroller board, getting as close to the bare metal as he could get.

Writing a USB device driver first required a literature review. There are a few peculiarities in the Freescale K20 family of microcontrollers – the one found in the Teensy 3.1 – that dictate the need for a specific memory layout, using several clocks, and handling all the USB descriptors. [Kevin] started with the clocks, every last one of which must be enabled. The clock is generated by the Multipurpose Clock Generator from a 16MHz crystal, PLL’ed to the frequencies the USB module needs, and sent out over the System Integration Module.

Following the flowcharts and sequences found in the Freescale reference guide told [Kevin] exactly what needed to be done with the startup sequence, and offered a few suggestions on what needed to be done to set up all the interrupts. [Kevin] spent an incredible amount of time documenting, programming, and smashing his head against the keyboard for this tutorial, but he does give everyone a great opportunity to learn from his struggles.

While [Kevin] has a mostly complete USB device driver, his work is far from done. That’s alright, because this project wasn’t meant to be a full-featured driver; it’s still missing real error handling, strings in the configuration, and a real VID/PID. That’s alright, it’s still a great exercise in building something from scratch, especially something that very few people have built successfully.

Oh, blatant Hackaday Store plug for the Teensy 3.1.