Google recently made some videos to highlight cybersecurity. The video below is episode three, and it tells an interesting story about the first crash test dummy. However, the really interesting part is the story about a USB plasma globe built to hack into computers. One of the people who built that globe tells the story of its insides in a recent blog post that has a bit more technical detail.
The attack in question was in 2012, when people were starting to get the idea that inserting random USB drives into their computers wasn’t a great idea. However, what harm could there be in a cute little plasma globe that just draws power from the port?
Well, as we know, it could be plenty dangerous. The globe in question was off-the-shelf, but had an ATmega32U4 chip in the bottom part of the cable; the LUFA USB library provided keyboard device emulation. The idea is that the globe would bide its time and then type a dangerous payload.
Keyboards are especially insidious because the operating system usually just accepts their presence quietly. You don’t get prompted to allow the keyboard or install drivers. Unless, as they found, you are using a Mac. But don’t get too impressed by Mac security. The only reason it shows a dialog is that it is trying to figure out the layout of an unknown keyboard.
The solution was simple. As long as you are hacking, you might as well rip off an Apple USB ID so the operating system knows what kind of keyboard it is supposed to be. Problem solved. You can see the plasma globe in question around 8:30 in the video.
It is an interesting story and not the first time we’ve seen a Trojan horse approach to steal secrets. Of course, you can make a truly destructive USB device, but we don’t suggest it.
This is one of those times when I realize there are people who live in a completely different world than I do.
Why would I ever plug something like this into my computer?
I’m not talking about the security implications. I mean, under ANY circumstances.
This goes for a LOT of USB devices actually.
‘This technically works’ is not the same as ‘This is a good way to do this.’
Even if you somehow think USB is a good way to get power to something (uugh), that doesn’t mean you should plug it into a PC.
A USB powered Soldering Iron shouldn’t be a viable attack vector because you shouldn’t be powering it from a PC to begin with…
Or at least plug unknown devices into a sacrificial (powered) hub AND monitor it (its enumeration and subdevices) with https://www.uwe-sieber.de/usbtreeview_e.html or the live-updating Linux equivalent (does lsusb have a monitoring mode?).
“This is one of those times when I realize there are people who live in a completely different world than I do.”
I thought you were going to comment on why the video spent ten minutes, with crash-dummy analogy, explaining what a red team was.
Seriously, though: very good choice of analogy. It’s not a very good fit — creating test rigs and instrumentation is _not_ the same as trying to get credentials — but it’s great b/c it’s close enough to fool the normies into forgetting about “hackers” for a while. And the Corgi pendant — they focus a lot on making that team member non-threatening.
No doubt there’s probably a way to make USB devices enumerate as a keyboard on a computer without them showing up in the list of attached devices.
That in theory shouldn’t be possible, but that will be down to how the operating system handles them – even two entirely identical USB devices should be distinct to the OS and reported as such to the user as they are not also plugged into the same port.
However at least as I understand it a USB HID protocol allows for infinite device stacking in effect – a USB “joystick” can ALSO act as a USB keyboard, mouse – any HID device at all, it just needs a HID descriptor containing all the entries to describe to the OS how to understand it. At that point the device reported and its potential functionality may not be reported correctly to the user, especially not from the more general overviews – it is one USB device still, and can function entirely normally as the Mouse it appears to be, just with the added side ‘benefit’ of typing into your computer as soon as the mouse is idle long enough…
I don’t think the USB systems generally even have any means of preventing something changing what it reports as – so when first connected it might just report exactly as it claims to be on the box as a normal nothing else USB mouse, then drop the “oh by the way I’m a keyboard, now please load this malware” on the fly and most likely silently to the user…
The multi-device-descriptor allows for some sneaky tricks. e.g. your “evil mouse” has the descriptors for a mouse, a keyboard, and a second mouse. That way, you do not see a ‘phantom keyboard’ when checking what devices are attached, but instead see that your keyboard and mouse have duplicated entries. Which can very much result in a chase down the completely wrong rabbit-hole of “why the OS is enumerating these devices twice?” in the event anyone even notices the extra devices at all.
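The multi-collection trick described in the comments above can be checked for on the defending side by reading the HID report descriptor itself rather than trusting the name the device enumerates with. The following script is an added example, not code from the article or from any commenter: it walks the short items of a HID report descriptor, collects every top-level Application collection with its (usage page, usage) pair, and flags a device that declares a keyboard alongside some other function. The two descriptors are constructed here, modelled on the boot mouse and boot keyboard examples in the USB HID specification, with Report ID items added so they can share one interface; on Linux the kernel exposes each HID interface's descriptor as `/sys/bus/hid/devices/*/report_descriptor`, which the script will read when given paths.

```python
"""Constructed example: list the top-level Application collections a HID
report descriptor declares, so a 'mouse' that also carries a keyboard
collection stands out before it gets a chance to type anything."""
import sys
from pathlib import Path

TYPE_MAIN, TYPE_GLOBAL, TYPE_LOCAL = 0, 1, 2
GLOBAL_USAGE_PAGE, LOCAL_USAGE = 0x0, 0x0
MAIN_COLLECTION, MAIN_END_COLLECTION = 0xA, 0xC
COLLECTION_APPLICATION = 0x01

# (usage page, usage) -> name, from the HID Usage Tables (Generic Desktop, Consumer)
USAGE_NAMES = {
    (0x01, 0x02): "Mouse", (0x01, 0x04): "Joystick", (0x01, 0x05): "Game Pad",
    (0x01, 0x06): "Keyboard", (0x01, 0x07): "Keypad",
    (0x01, 0x80): "System Control", (0x0C, 0x01): "Consumer Control",
}
KEYBOARD_LIKE = {(0x01, 0x06), (0x01, 0x07)}

# Constructed descriptors (boot mouse / boot keyboard shapes, Report IDs 1 and 2).
MOUSE_DESC = bytes.fromhex(
    "05 01 09 02 A1 01 85 01 09 01 A1 00 05 09 19 01 29 03 15 00 25 01 95 03 75 01"
    "81 02 95 01 75 05 81 01 05 01 09 30 09 31 15 81 25 7F 75 08 95 02 81 06 C0 C0"
)
KEYBOARD_DESC = bytes.fromhex(
    "05 01 09 06 A1 01 85 02 05 07 19 E0 29 E7 15 00 25 01 75 01 95 08 81 02 95 01"
    "75 08 81 01 95 05 75 01 05 08 19 01 29 05 91 02 95 01 75 03 91 01 95 06 75 08"
    "15 00 25 65 05 07 19 00 29 65 81 00 C0"
)
# The 'evil mouse': one interface whose descriptor carries both collections.
EVIL_MOUSE_DESC = MOUSE_DESC + KEYBOARD_DESC


def parse_items(desc: bytes):
    """Yield (type, tag, data) for each item; long items (prefix 0xFE) are skipped."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                      # long item: size byte, tag byte, data
            i += 3 + desc[i + 1]
            continue
        size = prefix & 0x03
        size = 4 if size == 3 else size
        item_type, tag = (prefix >> 2) & 0x03, prefix >> 4
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little") if size else 0
        i += 1 + size
        yield item_type, tag, data


def top_level_collections(desc: bytes):
    """Return [(usage_page, usage)] for every Application collection at depth 0."""
    usage_page, pending_usages, depth, found = None, [], 0, []
    for item_type, tag, data in parse_items(desc):
        if item_type == TYPE_GLOBAL and tag == GLOBAL_USAGE_PAGE:
            usage_page = data
        elif item_type == TYPE_LOCAL and tag == LOCAL_USAGE:
            # A 4-byte Usage carries its own page in the high 16 bits.
            page, usage = (data >> 16, data & 0xFFFF) if data > 0xFFFF else (usage_page, data)
            pending_usages.append((page, usage))
        elif item_type == TYPE_MAIN:
            if tag == MAIN_COLLECTION:
                if depth == 0 and data == COLLECTION_APPLICATION and pending_usages:
                    found.append(pending_usages[0])
                depth += 1
            elif tag == MAIN_END_COLLECTION:
                depth -= 1
            pending_usages = []                 # local items reset after every Main item
    return found


def classify(desc: bytes) -> dict:
    """Name the collections and flag a keyboard hidden next to another function."""
    cols = top_level_collections(desc)
    names = [USAGE_NAMES.get(c, f"page 0x{c[0]:02X} usage 0x{c[1]:02X}") for c in cols]
    has_kbd = any(c in KEYBOARD_LIKE for c in cols)
    return {
        "collections": names,
        "declares_keyboard": has_kbd,
        "suspicious": has_kbd and any(c not in KEYBOARD_LIKE for c in cols),
    }


if __name__ == "__main__":
    # With no arguments, show the constructed descriptors; otherwise read
    # /sys/bus/hid/devices/*/report_descriptor paths given on the command line.
    samples = {p: Path(p).read_bytes() for p in sys.argv[1:]} or {
        "mouse": MOUSE_DESC, "keyboard": KEYBOARD_DESC, "evil mouse": EVIL_MOUSE_DESC}
    for label, desc in samples.items():
        print(f"{label}: {classify(desc)}")
```

Run it as `python hidcheck.py /sys/bus/hid/devices/*/report_descriptor` after plugging something into the sacrificial hub. A `suspicious` result is a prompt to look closer, not proof of anything: legitimate combo receivers also declare a keyboard and a mouse on one interface, so compare against what the device is supposed to be.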
Sure. Find out the model keyboard in use at the target site, modify one, and do a swap.
I actually defend my computer with keyboard debouncing in software (I occasionally have a problem with keys double pressing when they shouldn’t). This means that if a BadUSB payload types the same character twice in a row, the OS just ignores the second “keypress” and that can really screw up such an attempt – there is no feedback from the computer so it can’t tell that this has happened and keeps going with an attempt that is going to fail.
But the holy grail is to never plug usb-powered devices into a computer unless they have a legitimate use case for the data lines and you trust them (a good multiport usb charger held under my desk by a 3d printed bracket is used for charging all manner of my devices)
Remember, when this actually happened, 10 years ago, EVERYTHING was USB connectable and manufacturers could not wait to push out the latest USB connected trash that we didn’t need but were fascinated with the fact that it could be plugged in to our USB ports. So remember that when watching the video. We really would never do this now, but back then? A Joe or Jane Blow probably would.
And yes, crash test dummies? Nothing to do with Red Team work.
The best example of this form of social engineering (back when Windoze used to moronically obey autorun.inf instructions) was a mahogany bowl filled with USB flash sticks surreptitiously dropped off in the reception area of a building (ideally just before the lunchtime crowd leaves the building). With the corporate logo embossed on every stick along with a slightly ironic marketing phrase like “This is your golden ticket.”
Creating and inserting a keyboard device after a time delay to execute commands is a giant evolutionary advancement, but the core it is still a 2500+ year old trojan horse attack. Who could ever say no to a lovely horse ( https://www.youtube.com/watch?v=jzYzVMcgWhg ).
Or the ever-classic – and extremely effective – floppy disc, CD, or thumbdrive with a hand-written “PAYROLL [Current year]” label dropped in the building’s car park.
In the case of a floppy or CD the mechanism to read the media is part of the computer. In the USB drive the computer never sees the media. It sees a microprocessor that can interact in any way it is programmed to. It can say it’s a 4 terabyte drive. It can say there are no files. It can say it’s a disk drive and then switch to saying it’s a mouse and keyboard. It can get the current date and time from the OS as a file is written to it. It might have a real time clock. Except for the Microsoft self-running file stupidity, neither a floppy disk nor a CD can do any of that. Oh, and when the time comes, a USB stick could be built to use the USB power supply to charge some caps and feed back a 5000V pulse to destroy a lot of your computer – that’s a real thing.
USB condom.
Don’t know about you, but I would never trust anything capable of several thousand volts to go in my USB port. People plugging this in not only had no idea of cybersecurity, but also no idea of the horrors that even momentary exposure to the very periphery of a high voltage can do to 5V electronics. I see the attraction of USB as a universal 5V connector for things like this, but when a device wants power rather than (being supposed to) want data it should be put in a USB wall wart (>2A potentially), not a PC’s port (shouldn’t expect >500mA).
I’m disappointed. I thought maybe it was going to use its RF stage to transmit data. At a high enough frequency, you shouldn’t be able to notice the plasma visually modulating with every keystroke.
I have one of those little USB powered plasma spheres and at least it is a neat looking visual display. I don’t know if it has the malicious payload in the USB connector. It never occurred to me to plug it into a computer, but instead I attached it to a USB power wall wart. I’m guessing that quality control is probably kind of sketchy at the $6 price point. I believe I would not let the plasma globe’s USB cable anywhere near my computer’s ports out of concern for RF energy leaking back and scrambling my PC’s brains, never mind the possibility of malware embedded in the cable.
If you MUST plug a USB gadget which isn’t supposed to have input/output capabilities into your PC, at least use a cable with no data lines.
Same goes for charging your phone with a public USB port (Like in the train or a park bench)