The USB Rubber Ducky burst onto the scene a few years ago and invented a new attack vector – keystroke injection. The malicious USB device presents itself as a keyboard to the target system, blurting out keystrokes at up to 1000 words per minute. The device is typically used to open a phishing site or otherwise enter commands to exfiltrate data from the victim. Now things have stepped up a notch, with ESPloitV2 – a WiFi-enabled take on the same concept.
Running on the Cactus WHID platform, the device is so named for the ESP12 WiFi microcontroller it employs, along with an Atmega 32u4 for USB HID device emulation. By virtue of its wireless connection, no longer does the aspiring hacker have to rely on pre-cooked routines. Various exploits can be stored in the ESP12’s spacious 4 megabytes of flash, and there’s even the potential to live type your attack if you’re feeling bold.
It goes to show that the trust we implicitly place in foreign USB devices is potentially our future downfall. BadUSB is another great example, and the USB Wrapper is a great way to get a charge if you’re stuck using an untrusted port.
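The article's point is that a host accepts any device claiming to be a keyboard. One defensive countermeasure is to audit what the kernel reports when a USB device enumerates and flag keyboards the machine has not seen before, or keyboards that arrive bundled with mass storage on one device. The following Python script is an added example and is not part of the article or of the ESPloitV2 project; it parses Linux kernel log lines in the standard `usb`, `hid-generic` and `usb-storage` formats, but the log excerpt, the product names and the VID:PID values `1234:abcd` and `abcd:0001` are constructed sample data, and the allowlist is a hypothetical per-host list that an administrator would maintain.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of dmesg-style kernel log lines for two hot-plug events.
# Device 1 (port 1-1.2) presents a keyboard interface AND a mass-storage interface.
# Device 2 (port 1-1.3) is an ordinary keyboard that is on the allowlist.
SAMPLE_KERNEL_LOG = """\
usb 1-1.2: new full-speed USB device number 7 using xhci_hcd
usb 1-1.2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1.2: Product: Example Composite Device
input: Example Composite Device as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.2/0003:1234:ABCD.0003/input/input19
hid-generic 0003:1234:ABCD.0003: input,hidraw2: USB HID v1.01 Keyboard [Example Composite Device] on usb-0000:00:14.0-1.2/input2
usb-storage 1-1.2:1.0: USB Mass Storage device detected
usb 1-1.3: new full-speed USB device number 8 using xhci_hcd
usb 1-1.3: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
usb 1-1.3: Product: Known Keyboard
hid-generic 0003:ABCD:0001.0004: input,hidraw3: USB HID v1.10 Keyboard [Known Keyboard] on usb-0000:00:14.0-1.3/input0
"""

# Hypothetical allowlist of (idVendor, idProduct) pairs the administrator trusts to act as a keyboard.
ALLOWLIST = {("abcd", "0001")}


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    name: str = ""
    hid_kinds: list = field(default_factory=list)  # e.g. ["Keyboard"], ["Mouse"]
    mass_storage: bool = False


@dataclass
class Finding:
    port: str
    vid: str
    pid: str
    name: str
    reasons: list


NEW_DEVICE_RE = re.compile(
    r"^usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(r"^usb (?P<port>\d+-[\d.]+): Product: (?P<name>.*)$")
# hid-generic prints the ids in upper case and names the interface type (Keyboard, Mouse, Device).
HID_RE = re.compile(
    r"^hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.[0-9A-F]+: "
    r".*USB HID v[\d.]+ (?P<kind>\w+) \["
)
STORAGE_RE = re.compile(
    r"^usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected"
)


def parse_devices(log_text):
    """Group the per-line kernel messages into one UsbDevice per port."""
    devices = {}  # port -> UsbDevice
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
            continue
        m = PRODUCT_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]].name = m["name"]
            continue
        m = HID_RE.match(line)
        if m:
            # Attach the HID interface to the enumerated device with the same VID:PID.
            for dev in devices.values():
                if (dev.vid, dev.pid) == (m["vid"].lower(), m["pid"].lower()):
                    dev.hid_kinds.append(m["kind"])
            continue
        m = STORAGE_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]].mass_storage = True
    return devices


def audit_kernel_log(log_text, allowlist):
    """Return a Finding for every keyboard that is not allowlisted or that shares a device with storage."""
    findings = []
    for dev in parse_devices(log_text).values():
        if "Keyboard" not in dev.hid_kinds:
            continue
        reasons = []
        if (dev.vid, dev.pid) not in allowlist:
            reasons.append("keyboard interface from a VID:PID not on the allowlist")
        if dev.mass_storage:
            reasons.append("keyboard interface combined with mass storage on one device")
        if reasons:
            findings.append(Finding(dev.port, dev.vid, dev.pid, dev.name, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_kernel_log(SAMPLE_KERNEL_LOG, ALLOWLIST):
        print(f"port {f.port} {f.vid}:{f.pid} '{f.name}': " + "; ".join(f.reasons))
```

On the constructed log the script reports only the composite device on port 1-1.2, for both reasons; the allowlisted keyboard on port 1-1.3 is silent. In practice the same matching would be fed from the journal or a udev hook rather than a string, and the allowlist is only a first filter: a device can claim any VID:PID, so the stronger control is to require an explicit operator decision before a newly attached keyboard is bound, which is what tools such as USBGuard provide.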
He doesn't need the Atmega32U4. He can use the ESP8266 stand alone with https://github.com/cnlohr/espusb
Very cool!
Would the espusb implementation be slower than the Atmega32U4, as it’s software vs. hardware?
Bit banged USB isn’t very reliable, so it’s better to use something that has a real USB transceiver.
But you could use a different controller that has both WiFi and USB, like the RTL8195AM.
Yeah, I’ve been looking at the RTL8195AM, if I was doing this from scratch, I’d probably use that.
Or else the nRF52840 …
I assure you espusb is reliable. Having the quality clock makes things better, too.
Yeah, that is the approach that _MG_ is using with his USB cables!
See https://twitter.com/_MG_/status/1094389042685259776
Now this series of tweets is well worth a post, from the rapid prototyping, solder mask, etc. perspective, not just the evil haxor: https://twitter.com/_MG_/status/1081710274548133888
Keep your eyes peeled!
Big props to Luca Bongiorni, who was the guy who convinced April Brother to make the Cactus WHID, after using the Cactus Micro v2 for prototyping.
Will also mention USaBUSe, which uses very similar hardware, which featured on Hackaday in 2016:
https://hackaday.com/2016/08/17/universal-serial-abuse/
If it’s not disguised as a legit device then you really aren’t putting in enough effort into being a criminal. :P
How about this: embedding the exploit within a USB charging cable?
https://www.bleepingcomputer.com/news/security/new-offensive-usb-cable-allows-remote-attacks-over-wifi/
There’s a virtually infinite number of ways to hide spy hardware in ordinary looking things.
https://www.youtube.com/watch?v=87OI-P-kRr0
Qubes OS does not blindly trust USB devices.
The readme on their GitHub says:
WARNING! This information is being provided for educational purposes only, it is illegal to use a VID/PID that you do not own.
I don’t mean to pick on these developers in particular but this is a common misconception that bugs me because of what it implies:
While it would certainly make your device non-USB-compliant (which would make use of the official USB logo unauthorized), the USB Vendor ID namespace (as well as Ethernet OUIs and PCIe Vendor IDs) is not protected by statute in any jurisdiction I’ve ever heard of. It is a sad testament to things like the DMCA that our culture as a whole tends to assume that private for-profit corporations’ and their standards committees’ decisions are automatically elevated to the status of law. (Usually they have to pay lobbyists to buy that elevation on a case by case basis.)
The guy is just careful and doesn’t want to get his butt sued. In my country for example only lawyers are allowed to give legal advice. So in the disclaimer I’d rather write that I simply don’t know and advise against it for safety. People just love to call things illegal when they truly “don’t know”.
Is this any different from the boards that they have been offering on Aliexpress for a while?
https://www.aliexpress.com/item/Beetle-Virtual-Keyboard-Badusb-Development-Board-ATMEGA32U4-WIFI-ESP8266-ESP-12E-TF-Micro-SD-Card-Storage/32839570915.html
This has a SD card slot too
One problem I have with all these boards is how do you plug it in the first time? :-) i.e. before you program it, or even after you do (it might be fooling you), you have plugged something into your PC that might take it over…
You have to put it in a programming mode, instructions here: https://github.com/puckk/CJMCU-3212
Been there, done that – but with a nRF24L01+ and an ATTiny84 :) This looks a little bit on the expensive side…
ESPxxxx WiFi modules are very cheap, and well, the ATmegas and ATtinys don’t differ much in price, so I don’t see much of a difference from your build. However, it must have been a fun project to design and solder :)
Unfortunate timing for MG, with his post blowing up twitter only a few days ago https://twitter.com/_MG_/status/1094389042685259776
Stay tuned. ;)
I actually did this a while ago with an esp8266 and a teensy.
I just programmed the esp to spit out whatever I typed into it over uart, and the teensy to type whatever it received. Worked pretty well for controlling my PC from my bed with no additional software.
How about some instructions on using this thing? I bought one, great price, came with absolutely NO instructions at all. I use LINUX here. ANY help would be appreciated…