BLU Discuss list archive
[Discuss] code for hacked USB drive (BadUSB) released on Github
- Subject: [Discuss] code for hacked USB drive (BadUSB) released on Github
- From: tmetro+blu at gmail.com (Tom Metro)
- Date: Mon, 06 Oct 2014 03:06:44 -0400
Tom Metro wrote:
> Something like a USB Rubber Ducky could help implement this:
> https://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe
>
> A pass phrase can be stored on them, and it'll replay it with the press
> of a button.
> ...
> With the discovery that you can hack the firmware in some USB Flash
> drives, I wouldn't be surprised to eventually see instructions online
> for how to turn a $5 USB drive into an emulated keyboard replay device.)

Well that didn't take long to happen...

http://mashable.com/2014/10/03/bad-usb/

  BadUSB is a dangerous USB security flaw that allows attackers to turn
  a simple USB device into a keyboard, which can then be used to type
  malicious commands into the victim's computer.
  ...
  By hacking the code of the USB micro-controller of an "innocent"
  device, like a USB memory stick, you can turn it into something far
  more capable, such as a keyboard... Stick the device into a computer
  and it could execute commands or even a malicious program without the
  owner knowing. This is made worse by the fact that malware scanners
  cannot access the firmware running on USB devices, meaning they cannot
  fix the problem.
  ...
  The fact that BadUSB code is available on GitHub means that anyone
  with sufficient knowledge can hack a USB device in a similar way.

But that also means good guys can take the code and repurpose it to
create inexpensive dongles that type out high security pass phrases when
hotplugged. (In the video embedded in the article, one of the
researchers actually references the "Rubber Ducky" functionality.)

So the next thing I expect we'll see is a gizmo built on an Arduino or
Raspberry Pi that lets you plug in a USB drive and then exercises it to
see if it exhibits any malicious behavior.

If these drives look like an ordinary USB storage drive when first
attached, I wonder what they are using as a trigger to have them switch
into malicious keyboard mode? I don't think it can pose as both
simultaneously.

The switch might occur after a simple count down timer starting when it
was powered up. So the tester gizmo just needs to wait it out. Maybe
you'll "quarantine" your USB drives for 24 hours before attaching them
to your real computer. At least until the hackers increase the delay, or
figure out how to fingerprint the host they are attached to, and only go
malicious if it's the desired target (like a machine running Windows).

There's a good chance this sort of fingerprinting would be possible by
looking at how the OS interrogates the USB controller. So your tester
would need to have a custom USB driver that emulates Windows or OS X.

One way to address this vulnerability is to modify the OS to put up a
dialog any time a USB hotplug event is detected.

  "Found a new keyboard device, identifying itself as ... If you did
  not just plug in a keyboard, answer no. Use this device? Yes No"

Of course the hackers could return an identification matching some very
popular USB keyboard and hope to get lucky, or pester the user enough
times so that they think their keyboard has a loose plug.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
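The "wait it out" tester described in the message above, sketched as an added example (it is not part of the original post or of the BadUSB code): it takes periodic snapshots of the USB interface class triplets a device under test presents and flags any port where a boot-protocol keyboard interface shows up on a device first seen as mass storage. The names `Snapshot`, `audit` and `SAMPLE` and the port labels are hypothetical, one device per port per run is assumed, and the check goes slightly beyond the message by also flagging a device that presents storage and keyboard interfaces in the same snapshot.

```python
from dataclasses import dataclass

MASS_STORAGE = 0x08                      # USB-IF interface class: mass storage
HID_BOOT_KEYBOARD = (0x03, 0x01, 0x01)   # HID class, boot subclass, keyboard protocol
# A HID interface that does not declare the boot keyboard protocol would need
# its report descriptor parsed; this sketch does not cover that case.

@dataclass(frozen=True)
class Snapshot:
    t: int              # seconds since the test run started
    port: str           # hypothetical port label, one device under test per port
    interfaces: tuple   # ((class, subclass, protocol), ...) as polled from the device

def audit(snapshots, quarantine_s=24 * 3600):
    """Return {port: (status, seconds)} for every port that ever showed storage."""
    first_storage, last_seen, flagged = {}, {}, {}
    for s in sorted(snapshots, key=lambda s: s.t):
        last_seen[s.port] = s.t
        if any(cls == MASS_STORAGE for cls, _, _ in s.interfaces):
            first_storage.setdefault(s.port, s.t)
        if (HID_BOOT_KEYBOARD in s.interfaces and s.port in first_storage
                and s.port not in flagged):
            flagged[s.port] = s.t - first_storage[s.port]  # delay before keyboard showed up
    report = {}
    for port, start in first_storage.items():
        watched = last_seen[port] - start
        if port in flagged:
            report[port] = ("flagged", flagged[port])
        elif watched >= quarantine_s:
            report[port] = ("passed", watched)    # stayed storage-only for the full window
        else:
            report[port] = ("pending", watched)   # keep it in quarantine
    return report

STORAGE = (0x08, 0x06, 0x50)  # SCSI transparent command set, bulk-only transport
# Constructed observations, not captured from real hardware.
SAMPLE = [
    Snapshot(0, "1-1", (STORAGE,)), Snapshot(86400, "1-1", (STORAGE,)),
    Snapshot(0, "1-2", (STORAGE,)), Snapshot(90, "1-2", (HID_BOOT_KEYBOARD,)),
    Snapshot(5, "1-3", (STORAGE, HID_BOOT_KEYBOARD)),
    Snapshot(10, "1-4", (STORAGE,)), Snapshot(600, "1-4", (STORAGE,)),
    Snapshot(0, "1-5", (HID_BOOT_KEYBOARD,)),   # ordinary keyboard, never storage
]

if __name__ == "__main__":
    for port, (status, secs) in sorted(audit(SAMPLE).items()):
        print(f"{port}: {status} after {secs}s")
```

A "passed" verdict only means the device stayed storage-only for the observation window on this tester; as the message notes, a longer delay or host fingerprinting would not be caught by waiting alone.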