
Tiny USB business card - jaybol
http://hackaday.com/2010/10/29/tiny-usb-business-card/
======
follower
If you're interested in some of the security implications of this there were a
few related talks from DEFCON18:

* [https://www.defcon.org/html/links/dc-archives/dc-18-archive....](https://www.defcon.org/html/links/dc-archives/dc-18-archive.html#Crenshaw)

* [https://www.defcon.org/html/links/dc-archives/dc-18-archive....](https://www.defcon.org/html/links/dc-archives/dc-18-archive.html#Elkins)

* [https://www.defcon.org/html/links/dc-archives/dc-18-archive....](https://www.defcon.org/html/links/dc-archives/dc-18-archive.html#Honeywell)

The upshot is that anything with a USB connector can be any device it wants to
be--you have to trust any hardware you plug into your machine.

~~~
trotsky
That something like this is a security threat is without question - in
addition to the DEFCON presentations, a variety designed to attack has been
featured on the popular USB interface site's user projects list for some time.
Odds are the technique has already owned at least a few folks.

I'm sure the creator of the card is a fine guy, and the short time it'd be
inserted along with him standing right there and your active attention means
it's practically pretty safe.

The party line in security is that once an attacker has physical access to the
computer, compromise is so trivial that mitigating any specific attack is a
waste of time. That's certainly true right now: FireWire, PCI-E and hard drive
removal are much more dangerous. But it's more of a philosophy than a logical truth -
security is really just the practice of raising the bar enough to counter the
level of threat. The fact that critical computers aren't connected to the
internet or any network at all doesn't stop OS vendors from spending countless
hours fixing exploits.

Someday a bus design like this will seem hopelessly naive and be long gone
just like telnet and analog cell phones. Virtually all attacks right now
involve holes with well defined solutions - think 802.1x, DNSSEC, http and
smart cards. But adoption is usually glacial and universal adoption would only
lead to new holes being exploited.

The potential for USB attacks goes far beyond a simple HID controller. Any
serious attacker would disguise or hide a device in a way that would make it
easy to include a few more chips and a much more sophisticated design. Include
a benign real device that matches whatever function the user expects - flash
drive, mouse, etc. Wait some time before attaching the keyboard service
suspicion - at the same time connect a serial class as well, allowing a
reliable command channel after just "typing" a two or three line script. Send
over a better native command program, maybe wait until the user idles, mount
storage or replace existing flash blocks with privesc exploits, rootkits, etc.
A modern, well administered system may be difficult to exploit directly as a
user. Crash or reboot the OS, possibly including a crash dump or hybrid sleep
first for later access to kernel data. Once the USB bus resets, provide a
variety of USB storage types for the BIOS to find - one will usually preempt
the main HDD with a Linux image that would show an OS appropriate boot
animation, perhaps with a filesystem check to explain any delay. At this point
it could grab the BIOS image and repack it with a ROM rootkit and reflash it,
or replace Ethernet, video or DVD firmware to provide pre-boot or even
pre-BIOS control. Attack the boot loader, kernel files or anything else needed
to remove code signing requirements or install new certificates, integrity
checks, install a good rootkit, etc. Disable the USB storage, pass control to
the real boot loader and, once full control is confirmed, wipe the bad bits of
NAND and microcontroller flash, blow an efuse to disable any naughty hardware
and you're done.

While that is all highly speculative and sounds complex, it's 100% possible
and would be a small amount of work compared to what goes into modern root
kits and bot code.

Such an attack is probably not something a common user would ever face though
high value targets are often subjected to at least as much effort. All bets
are off if someone designed an easy to use version, produced a significant run
of them and packaged them nicely. Rootkits have gone from rare and amateur to
polished and plug and play and widely used rather quickly.

This spring I was shown a keyboard that included a hardware keylogger with
flash, USB serial interface, a tiny microphone and a CMOS clock. The chips
were on a board identical in size and location of the one normally installed.
It was flipped upside down, screw heads stripped clean and glued in, with a
number of large industrial staples attaching it to the plastic below. When
disassembled the components were found to be covered with thick epoxy. At some
point during the initial investigation a trace to a small battery was broken
and a SIM was destroyed. The bootstrap passed some code through the smart card
and a majority of the controller and secondary flash were encrypted.

As interesting as the design was, even many dead simple gadgets require more
technical expertise to create. I was told that the design was very similar to
a popular commercially available keylogger minus the smart card and mic. You
can find them for $100 or less many spots on the web.

The most striking fact is that the victim purchased the keyboard themselves
from a well known US web store as an OEM keyboard. It was delivered to his
door by UPS, it was the style ordered, shrink wrapped, and included another
item that was legit. Suspicion arose because the keyboard quality was low and
appeared counterfeit. When connected, it displayed a device name that included
some Unicode and some garbage at the end that included some simple shell code.

The user didn't know why he'd been targeted and lacked any typical high risk
factors or usual motivations for attack. The source was never identified, no
similar kit was found in the retailer's stock. The item had sat in the user's
wish list at the retailer for several months before being ordered. The victim
reported a sophisticated attack occurring nine months prior; no evidence was
found of an existing intrusion. Law enforcement suspected it had been included
accidentally before leaving China and likely is produced on the same line as
benign versions.
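The composite device trotsky sketches above (a real flash drive plus a hidden HID keyboard and a serial class) and follower's point that anything with a USB connector can be any device it wants to be both come down to the same thing: the host trusts whatever the configuration descriptor says. The following is an added example, not code from the card's author or from anything in this thread: a small Python walker over a USB configuration descriptor that lists the interface classes a device enumerates and flags anything beyond the single class the user expected. Descriptor layout follows USB 2.0 chapter 9 and the USB-IF class codes; the two descriptor byte strings are constructed for the example (an honest flash drive and a "flash drive" that also brings a boot keyboard and a CDC serial port), not captured from any real product.

```python
"""Walk a USB configuration descriptor and report what a device really is.

The host never sees the plastic; it sees descriptors. A 'flash drive' that
also enumerates a HID boot keyboard and a CDC serial port is the composite
design described in the thread. Layout follows USB 2.0 chapter 9; class
codes are from the USB-IF class code list. Every descriptor byte string
below is constructed for this example, not taken from a real device.
"""
from __future__ import annotations
import struct

CLASS_NAMES = {
    0x02: "CDC control",
    0x03: "HID",
    0x08: "mass storage",
    0x09: "hub",
    0x0A: "CDC data",
}


def parse_config_descriptor(data: bytes) -> list[dict]:
    """Return one dict per interface descriptor found inside a configuration descriptor."""
    if len(data) < 9 or data[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", data, 2)[0]        # wTotalLength, little endian
    if total_len > len(data):
        raise ValueError("wTotalLength exceeds the bytes supplied")
    interfaces, offset = [], 0
    while offset + 2 <= total_len:
        length, dtype = data[offset], data[offset + 1]       # every descriptor starts bLength, bDescriptorType
        if length < 2:
            raise ValueError(f"malformed descriptor at offset {offset}")
        if dtype == 0x04:  # interface descriptor; HID, endpoint and CDC functional descriptors are skipped
            num, alt, n_ep, cls, sub, proto = struct.unpack_from("<6B", data, offset + 2)
            interfaces.append({"number": num, "alt": alt, "endpoints": n_ep,
                               "class": cls, "subclass": sub, "protocol": proto})
        offset += length
    return interfaces


def describe(iface: dict) -> str:
    """Human-readable name; boot-protocol HID gets its keyboard/mouse flavour spelled out."""
    if iface["class"] == 0x03 and iface["subclass"] == 0x01:
        kind = {1: "keyboard", 2: "mouse"}.get(iface["protocol"], "device")
        return f"HID boot {kind}"
    return CLASS_NAMES.get(iface["class"], f"class 0x{iface['class']:02x}")


def assess(data: bytes, expected_class: int) -> tuple[bool, list[str]]:
    """True when the device exposes any interface class other than the one the user expected."""
    ifaces = parse_config_descriptor(data)
    kinds = [describe(i) for i in ifaces]
    unexpected = {i["class"] for i in ifaces} - {expected_class}
    return bool(unexpected), kinds


# --- constructed sample descriptors (hypothetical devices, built inline) ---
def _iface(num, cls, sub, proto, n_ep=1):
    return bytes([9, 0x04, num, 0, n_ep, cls, sub, proto, 0])

def _endpoint(addr, attrs, max_pkt, interval):
    return bytes([7, 0x05, addr, attrs]) + struct.pack("<H", max_pkt) + bytes([interval])

def _hid_descriptor(report_len):
    return bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22]) + struct.pack("<H", report_len)

def build_config(*interface_blobs: bytes) -> bytes:
    body = b"".join(interface_blobs)
    header = bytes([9, 0x02]) + struct.pack("<H", 9 + len(body)) + bytes([len(interface_blobs), 1, 0, 0x80, 50])
    return header + body

STORAGE = _iface(0, 0x08, 0x06, 0x50, n_ep=2) + _endpoint(0x81, 0x02, 64, 0) + _endpoint(0x02, 0x02, 64, 0)
HONEST_FLASH_DRIVE = build_config(STORAGE)
TROJAN_FLASH_DRIVE = build_config(
    STORAGE,
    _iface(1, 0x03, 0x01, 0x01) + _hid_descriptor(63) + _endpoint(0x83, 0x03, 8, 10),   # boot keyboard
    _iface(2, 0x02, 0x02, 0x01) + _endpoint(0x84, 0x03, 8, 16),                         # CDC ACM control
    _iface(3, 0x0A, 0x00, 0x00, n_ep=2) + _endpoint(0x85, 0x02, 64, 0) + _endpoint(0x05, 0x02, 64, 0),  # CDC data
)

if __name__ == "__main__":
    for name, blob in (("honest drive", HONEST_FLASH_DRIVE), ("trojan drive", TROJAN_FLASH_DRIVE)):
        flagged, kinds = assess(blob, expected_class=0x08)
        print(f"{name}: {'SUSPICIOUS' if flagged else 'ok'} {kinds}")
```

The check is only as good as the descriptors the device chooses to present at that moment; trotsky's point about waiting and then re-enumerating as something else stands, so this is a triage aid, not a guarantee. On Linux the raw bytes for a real device can be read from the `descriptors` attribute under /sys/bus/usb/devices/, after skipping the 18-byte device descriptor that precedes the configuration descriptor in that file.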

------
pornel
This made me realize that USB keys are not only dangerous because of Windows
auto-run.

They could also emulate a USB hub with keyboard/mouse to send the input
required to run an exploit off the drive and click through all UAC warnings.

~~~
sorbus
Happily, that can't spread via malware - and would be visible to the user,
though a long delay could possibly avoid that (is there any way for a device
connected via USB to figure out when the computer is idle?). But yes, when you
plug something into your computer, you are explicitly saying that you trust
that it is what it claims to be, before even thinking about what nasty things
it may be holding in its memory. Or whether it may be wired to short out the
USB port, or the computer it's attached to.

~~~
pavel_lishin
Well, waiting 30 minutes after the last keypress could help.

------
klochner
I would take a pass on adding his information -

    
    
       Stuxnet was first detected in June by a security firm   
       based in Belarus, but may have been circulating since 
       2009.
    
       Unlike most viruses, the worm targets systems that are 
       traditionally not connected to the internet for security 
       reasons.
    
       Instead it infects Windows machines via USB keys -
       commonly used to move files around - infected with 
       malware.

~~~
SpacemanSpiff
Except in this case the "business card" emulates a USB HID keyboard. No
autorun, no file storage. Although the HID device could send some malicious
keystrokes I suppose.

~~~
klochner
You don't know what it does until you plug it in.

~~~
gvb
You don't necessarily know what it did even _after_ you plugged it in.

What You Saw Is (not necessarily) What You Got.

~~~
borski
This is actually an incredibly important point. The Trojan Horse worked for a
reason. Many seemingly beneficial pieces of code also do some very malicious
things: one of the best ways to hide is in plain sight.

------
wzdd
First off, I think this is super cool. It's a novel and interesting take on a
very boring but necessary concept, and he's taken the time to get the design
looking nice as well -- he could easily have just soldered an ATtiny to a USB
connector, and that wouldn't have had the same charm.

Secondly, it seems the security implications are very slightly more severe
than one might think. The card only activates when you press caps lock three
times. This means it must be able to receive key presses, as well as to send
them. From my understanding of his description, keyboard HID devices which
support the boot protocol profile also receive notification of key presses
([http://frank.circleofcurrent.com/cache/usbbusinesscard_detai...](http://frank.circleofcurrent.com/cache/usbbusinesscard_details.htm)
and search 'boot protocol'). So in theory this could record everything you
typed, as well as do destructive things to your computer. And of course
storage is not an issue as it's likely that the host is connected to the
Internet.

It seems borderline paranoid to think like this w.r.t. someone's business
card, though.

~~~
mikeknoop
According to a comment on the parent article, all USB keyboards receive the
standard 3 lock keys so they can toggle state (think LED lights): Caps Lock,
Num Lock, Scroll Lock

If true, this is why the author chose to use Caps Lock over a different key. I
can't claim whether that is true or not but it puts a damper on the USB
keyboard security concerns.

~~~
zbanks
You are correct.

There are a few other small triggers that the keyboard can also potentially
receive, but those 3 are the most common.

HID in general can be set up to receive more data, but there aren't any
"normal" devices with built-in drivers that utilize a lot of bi-directional
data transfer. (I've been looking to create a "driverless" "serial port" using
HID communication; tx is easy (keyboard type), but rx is hard (bitbanging
using the 3 LEDs? eh....).)
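To make concrete what wzdd, mikeknoop and zbanks are describing (the card arming itself on three Caps Lock presses, and the lock-key LED report being the one thing every keyboard receives), here is an added example, written for this page and not the card's firmware or anything from the thread: the trigger logic such a device would run over the host's LED output reports. In the HID boot keyboard protocol the host pushes a single byte (bit 0 Num Lock, bit 1 Caps Lock, bit 2 Scroll Lock, bit 3 Compose, bit 4 Kana) to every attached keyboard whenever any keyboard toggles a lock key, so a device can count Caps Lock toggles without any driver. It also shows the limit that answers sorbus's idle question: the device sees only lock-key changes, never ordinary typing, so "time since last LED change" is a weak proxy for pavel_lishin's "30 minutes after the last keypress". The report trace is constructed for the example.

```python
"""Trigger logic for a HID keyboard device that must 'hear' Caps Lock.

In the boot keyboard protocol the only data the host sends to a keyboard is
the one-byte LED output report (HID 1.11, appendix B). Every attached keyboard
gets it when any keyboard toggles a lock key, so a device can count toggles
of a chosen LED bit and arm itself, driver-free. Nothing here is the card's
own firmware; the event trace at the bottom is constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

LED_NUM_LOCK, LED_CAPS_LOCK, LED_SCROLL_LOCK = 0x01, 0x02, 0x04


@dataclass
class LockKeyTrigger:
    """Fires when the chosen LED bit toggles `count` times within `window_s` seconds."""
    led_mask: int = LED_CAPS_LOCK
    count: int = 3
    window_s: float = 2.0
    last_report: int = 0                      # LED bitmap from the previous report
    toggle_times: list = field(default_factory=list)
    last_activity_s: float | None = None      # last time ANY lock LED changed

    def on_output_report(self, report: bytes, now_s: float) -> bool:
        """Feed one host->device LED report; return True when the trigger fires."""
        led = report[0]
        changed = led ^ self.last_report       # bits that flipped since the last report
        self.last_report = led
        if changed:
            # A lock-key change is the only evidence the device ever gets that a
            # person is at the keyboard. Plain typing is never sent back to it.
            self.last_activity_s = now_s
        if not changed & self.led_mask:
            return False
        # Keep only toggles still inside the window, then add this one.
        self.toggle_times = [t for t in self.toggle_times if now_s - t <= self.window_s]
        self.toggle_times.append(now_s)
        if len(self.toggle_times) >= self.count:
            self.toggle_times.clear()
            return True
        return False

    def seconds_since_lock_activity(self, now_s: float) -> float | None:
        """Weak idle estimate: None until any LED has changed at least once."""
        return None if self.last_activity_s is None else now_s - self.last_activity_s


# Constructed host->device LED reports as (seconds since attach, bitmap byte).
SAMPLE_TRACE = [
    (0.0, bytes([0x01])),    # Num Lock already on at enumeration
    (5.0, bytes([0x03])),    # Caps Lock on
    (5.4, bytes([0x01])),    # Caps Lock off
    (5.8, bytes([0x03])),    # Caps Lock on: third toggle inside 2 s -> fire
    (9.0, bytes([0x01])),    # Caps Lock off again, starts a fresh count
    (20.0, bytes([0x05])),   # Scroll Lock on: activity, but not the trigger key
]


def run_trace(trace, **trigger_kwargs) -> tuple[list[float], LockKeyTrigger]:
    """Replay a trace; return the times the trigger fired and the final state."""
    trig = LockKeyTrigger(**trigger_kwargs)
    fired_at = [t for t, report in trace if trig.on_output_report(report, t)]
    return fired_at, trig


if __name__ == "__main__":
    fired, trig = run_trace(SAMPLE_TRACE)
    print("fired at:", fired)
    print("seconds since last lock-key change at t=25:", trig.seconds_since_lock_activity(25.0))
```

The same one-byte report is the entire host-to-device channel zbanks is wrestling with for a driverless "serial port": three usable bits, updated only when the host decides a lock state changed, which is why tx over HID is easy and rx is painful.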

~~~
follower
> I've been looking to create a "driverless" "serial port" using HID
> communication

When you say "driverless" do you want it to act as an actual serial port or
just provide bi-directional data transfer for a userland program?

I think there's a standard V-USB example that provides driver-less bi-
directional data transfer via reports.

I adapted the example to work with the Arduino and a Python script. Some
details are in the entry dated 22 October 2009 here:
<http://code.rancidbacon.com/ProjectLogArduinoUSB> The code is online as the
UsbStream example available in the download from here:
<http://code.google.com/p/vusb-for-arduino/downloads/list>

------
jacquesm
The actual page:

<http://www.frank-zhao.com/card/>

------
wtracy
Anybody know how much these things cost once you order them in bulk?

Apparently you can get those business-card CDs for under a buck each if you
order over a thousand. More sane quantities will probably run you $3/each.

------
RiderOfGiraffes
In case anyone is interested, here's essentially the same idea from months
ago:

<http://news.ycombinator.com/item?id=1435640>

There was significant discussion from an even earlier submission:
<http://news.ycombinator.com/item?id=1377651>

It was also submitted again, but with no discussion:
<http://news.ycombinator.com/item?id=1383888>

------
joezydeco
This is a slightly older card with a lot more interesting stuff on it than a
text file:

<http://t4f.org/en/projects/business-card>

