Extracting Data With USB HID

sd_adaptor

High security workstations have some pretty peculiar ways of securing data. One of these is disabling any USB flash drives that may find their way into a system’s USB port. Security is a cat and mouse game, so of course there’s a way around these measures. [d3ad0ne] came up with a way of dumping files onto an SD card by using the USB HID protocol.

We’ve seen this sort of thing before where a microcontroller carries an executable to extract data. Previously, the best method was to blink the Caps Lock LED on a keyboard, sending one bit at a time to a micocontroller. [d3ad0ne]’s build exploits the USB HID protocol, but instead of 1 bit per second, he’s getting about 10kBps.

To extract data from a system, [ d3ad0ne] connects a Teensy microcontroller to the USB port. After opening up Notepad, [ d3ad0ne] mashes the Caps Lock key to force the Teensy to type out a script that can be made into an executable. This executable is a bare-bones application that can send any file back over the USB cable to the Teensy where it’s stored on an SD card. Short of filling the USB ports in a workstation with epoxy, there’s really no way to prevent secure files from leaking out of a computer.

59 thoughts on “Extracting Data With USB HID

    1. No but you may be trying to prevent them from taking classified data home to distribute. Many of these high security stations will be completely isolated the internet, as well as having no simple way to transfer files onto and off of them without dismantling the computer, which would require a key and a password in the bios.

      1. andar_b hit the nail on the head. Lots of “trusted” people have exclusive access to classified systems. DLP usually prevents them from burning CD’s or using external media. The network these machine are on are internal with no access to the internet. The sad thing is none of these protections will keep a user from plugging in a “keyboard”.

      2. andar_b hit the nail on the head. Lots of “trusted” people have exclusive access to classified systems. DLP usually prevents them from burning CD’s or using external media. The network these machine are on are internal with no access to the internet. The sad thing is none of these protections will keep a user from plugging in a “keyboard”.

    1. Any security measure that leaves the user alone with the computer can be broken, and usually broken quickly if the user knows about it in advance. I’m sure it wouldn’t be too difficult to rig up a SATA pass-through connector and board that would dump everything read or written to an external drive. I’d be willing to bet it already exists.

      1. It may already exist, but honestly, it would be expensive and difficult to rig to say the least.

        You are talking about intercepting 3Gb/s over only 2 differential pairs. I don’t think there is any way you are snooping that without custom Si.

  1. Back when I worked for the company that shall not be named but is shopping itself around the VC’s right now in order to go private, well they decided to implement DLP.

    Except that it only affected Windows boxes. So if you had a little spare computer around you threw Ubuntu, Debian, or whatever together with sshd active.

    Then you could simply scp the documents from your windows box to you Unix box and mount your device on the Unix box and copy files to your hearts content.

    So I demonstrated this and they banned all Unix boxes on the desktop. But what they forgot was we had labs full of Unix boxes so you just scp’d to those and plugged your device into that and cp’d away.

  2. “Many of these high security stations will be completely isolated the internet”

    just like mission impossible.

    remember the scene where the group lowered them self into a room that was secured by a thermal sensor that 1 degree change would set off the alarm and the slightest step on the floor would set off the alarm the drip from the sweating glass of soda caused the alarm to sound.

    actually a better way to prevent any usb attack would be to take a desoldering gun to all of the computers and remove the usb and other connectors from the motherboard that allow external access.

    and required connections would be soldered directly to the board like the mouse and keyboard.

    1. “and required connections would be soldered directly to the board like the mouse and keyboard.”
      If there is USB keyboard or USB mouse in your hand, then you have working USB.

    1. Was it on here I read about software, that modulates the red line of a vga connector to emit RF? Specifically, RF in the VHF range, encoded in such a way that a nearby digital TV / decoder box could pick up the signal, which rendered as a picture on the TV screen.

      Unless you’re using full TEMPEST or suchlike, a simple bit-of-wire aerial, an amplifier and a recorder of some sort, together with the right software, can always be used to suck stuff from a computer. You could even go the old-fashioned way, modulate data out of the sound card.

      It doesn’t have to be completely stupidly easy, but if someone wants to put a bit of effort in to extract your data, there’s probably nothing you can do about it, short of supervising them, And even then it’d have to be very close supervision.

  3. The security blocking USB is usually more about preventing viruses and malware from getting onto the system (by a careless user plugging in an unauthorized and compromised device) rather than preventing a user from taking files off the system.

        1. As I suspected, the rubber ducky does allow you to transfer files from the USB to the PC, it doesn’t allow you to transfer files from the PC to the USB without mounting an actual SD card the system.

    1. This was actually my mates job. They bought over 500 pcs for a hospital network, and it was cheaper to buy stock with USB, and fill with glue, than it was to have the USB removed / custom build!

  4. Recently I finished up a contract I had with a very large, multibillion dollar corporation. I was working on some hardware projects and… blah blah blah..

    … They had all the systems set so no USB flash drives nor USB external hard drives would work (unless you were able to get through all the red tape). Funny thing was that they didn’t seem to realize that the SD card slots on the laptops show up as “card readers” and not “USB drives.”

    It sure is interesting getting in early and downloading operating systems from the web in a couple of minutes.

    1. My company blocks downloading of executables and zip files as well as installing said files via the Windows installer. Internet is also heavily filtered so that you are restricted to such a small number of sites that it gets impossible to do work (e.g installing open-source software for data analysis, access to technical articles, standards and so on). On top of this, we are only given IE 6 as the approved web browser. A great initiative for improving office productivity.

      The only way I get my work done is to spend one day a week working from home and doing all the things I can’t do in the office and then bringing in the files to work the next day.

      1. I used to work for a similar paranoid company, however we did not have Internet access at all. Believe it or not I was in charge of building a webapp for one of their sites, and was lucky enough to have shell access to a server connected to the Internet. I spent the first few days here writing a proxy in Perl so that I could actually do work. I didn’t stay long.

  5. One of the cardinal rules of computer security: If a hacker has access to your hardware, it’s not your computer anymore.

    This goes along with rules such as: If a hacker has a login, it’s not your computer anymore.

    1. If anyone runs code on your computer be it the OS or any other software it is not yours computer it is the person who created/compiled the code. Every windows machine is owned by Microsoft and not thew person who bought the hardware. (google “Computer Online Forensic Evidence Extractor” AKA COFEE ).

  6. Easier way: just FSK a sinewave on the audio out, record with any portable recorder (cellphone mic in) and decode it using any software modem programs out there. It’s potentially much faster, a few lines of code and virtually unnoticeable.

    Also, if the workstation has a secondary unused video out, well, you get the idea.

    1. The only thing wrong with this theory is that the HID descriptor can be programmed to exactly match existing equipment. I would say the best work around for this is to have a DLP agent look for function calls to hid.dll for ‘set_feature’ and ‘get_feature’. Since this is that is technically the exploit. Remember this can be done with any HID device, keyboard, mouse, joystick, wii-remote etc.

  7. thank god for GPO and modprobe which cover all operating systems..

    this is why you hire experienced people to do your security, no a graduate student or some cert idiot. Those and sandboxing to protect from remote code executions, along with connection encryption like ipsec and tls, are how you harden boxes, then only real talent who know RE and shellcode, can get in…

  8. This works because these days hackers are graduate students and cert people. They don’t know about GPOs and modprobe… They read tutorials off google to harden boxes for their employers…

  9. Nice article! Think of the possibilities… About the possibility to use other protocols that aren’t locked. DVI is more useable then VGA because its already digital, also it got I2C lines… I don’t know about the security on those, at-least its bi-directional.

    I’ve seen PC’s around where that disabled the ‘right click’ on the mouse, everything else locked, no physical access (the screen was build in an aquarium), no programs installed beside Firefox, no way to change anything. But there wasn’t any secret data either…

    This uses a .vbs, would it be possible to load an application as “txt” and renaming the “txt” to .exe when the file is completed? Or are there data combinations that ascii could never produce? With some testing I can get putty to work as .txt, but after 1:1 copying it wouldn’t run. remaining as .txt is still a neat way to get exe in to a semi locked system. Digging a tunnel from inside out…

  10. If you are an entrepreneur: start making keyboards and mice that securely ID themselves (and communicate securely) and sell them to the various government. You’ll soon be millionaire.

  11. http://stackoverflow.com/questions/723449/retrieving-the-serial-number-of-a-usb-keyboard-under-windows

    http://www.silabs.com/Support%20Documents/TechnicalDocs/AN249.pdf

    You will see provisions for serial numbers, device ID’s and all sorts of ways to fingerprint devices. By using software one is able to monitor in real-time all usb attached in a network. One can look for changes, say calls to enumerate devices. Then upon additions, removal, or changes IE unplug keyboard plug in emulator that has same ID and even SN, you can easily identify what is going on. Especially when the secure network should not have any changes that are unapproved.In this case a change (new device detection/re-detection) would cause the network to sandbox the host. Yes turning off the host and placing this in place “could” work. The issue there is security like this isn’t commonly advertised in a network so you might find-out the first time you connect something. We use something like this in our office. I can tell you everyone that has an iphone, android or other “device” on the system, even just charging. Wireless keyboards vs wired, how many Microsoft or Logitech mice. Staff is not made aware of this intentionally.

    While its uncommon the tools to detect and do this exist. Physical access does usually mean compromised data/machine, but that is why proper security depends on a layered approach and proper threat assessment.

    1. Panicking when a keyboard is unplugged for a sec will only create chaos and potentially huge issues on a workplace. What if that station is doing something important? You think waiting 30 minutes to find who to call and getting them in and having them reset things will do it? I think not. It can work in some specialized setups, but I’d certainly not advise it on a large scale.

      And then there’s the bypass of simply turning off the power while switching the devices. And that too is simply not something you can disallow since it would prevent the common solution for computer issues. Plus with portable equipment it would also not work. And then there is the modern standby mode, where devices are also put in low power or uncoupled so you could not monitor, and of course when you log in as another user the system can also re-initialize so it would appear devices were unplugged.

  12. My favorite way of getting round companies stupid USB limitations was uninstalling the driver from control panel, removing the device and then plugging it back in. worked… every… time.

      1. Hopefully there’s still PS/2 port available on the machine. That one can be used to transfer data at very low rate using some “CapsLock/ScrollLock/NumLock based light signal communication protocol”.
        You can also hack your existing USB keyboard to leak the data bits using the same comms.
        Cheers!

  13. Really nice concept! Njah, but the *.exe part is not quite attractive. It requires MS VB 6.0 ComCtl registered on the system to run :(
    You should try just a bit harder to make it more portable if you really want someone to be interested in your solution…
    Good luck!

  14. I’ve searched a lot to find a place to download the initial d3ad0ne work (exfil.zip which contains exfil.vbs and exfil.hex).

    The d3ad0ne website looks down and some Internet forums mention that d3ad0ne passed away during 2013.

    Would anyone have a copy of the file to share it in order to reuse work done so far and progress on this project?

    Thanks

Leave a Reply to fhunterCancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.