A Malicious WiFi Backdoor In A Keyboard’s Clothing

The USB Rubber Ducky burst onto the scene a few years ago, and invented a new attack vector – keystroke injection. The malicious USB device presents itself as a keyboard to the target system, blurting out keystrokes at up to 1000 words per minute. The device is typically used to open a phishing site or otherwise enter commands to exfiltrate data from the victim. Now things have stepped up a notch, with ESPloitV2 – a WiFi-enabled take on the same concept.

Running on the Cactus WHID platform, the device is so named for the ESP12 WiFi microcontroller it employs, along with an Atmega 32u4 for USB HID device emulation. By virtue of its wireless connection, no longer does the aspiring hacker have to rely on pre-cooked routines. Various exploits can be stored in the ESP12’s spacious 4 megabytes of flash, and there’s even the potential to live type your attack if you’re feeling bold.

It goes to show that the trust we implicitly place in foreign USB devices is potentially our future downfall. BadUSB is another great example, and the USB Wrapper is a great way to get a charge if you’re stuck using an untrusted port.

 

23 thoughts on “A Malicious WiFi Backdoor In A Keyboard’s Clothing

    1. Bit banged USB isn’t very reliable, so it’s better to use something that has a real USB transceiver.
      But you could a different controller, that has both WiFi and USB, like the RTL8195AM.

  1. The readme on their GitHub says:

    WARNING! This information is being provided for educational purposes only, it is illegal to use a VID/PID that you do not own.

    I don’t mean to pick on these developers in particular but this is a common misconception that bugs me because of what it implies:
    While it would certainly make your device non-USB-compliant (which would make use of the official USB logo unauthorized) the USB Vendor ID namespace (as well as Ethernet OUIs and PCIe Vendor IDs) is not protected by statute in any jouristiction I’ve ever heard of. It is a sad testament to things like the DMCA that our culture as a whole tends to assume that private for-profit corporations and their standards committees decisions are automatically elevated to the status of law. (Usually they have to pay lobbyists to buy that elevation on a case by case basis).

    1. The guy is just careful and doesn’t want to get his butt sued. In my country for example only lawyers are allowed to give legal advice. So in the disclaimer I’d rather write that I simply don’t know and advise against it for safety. People just love to call things illegal when they truly “don’t know”.

    1. One problem I have with all these boards is how to you plug it in the first time? :-) ie before you program it, or even after you do (it mught be fooling you) you have plugged something into your pc that might take it over…

    1. ESPxxxx WiFi-modules are very cheap and well the atmegas and attinys don’t differ much in price so I don’t see much of a difference from your build. However it must have been a fun project to design and solder :)

  2. I actually did this a while ago with an esp8266 and a teensy.
    I just programmed the esp to spit out whatever I typed into it over uart, and the teensy to type whatever it received. Worked pretty well for controlling my PC from my bed with no additional software.

Leave a Reply to Marc Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.