Trojans, viruses, malware are everywhere. They find new ways to enter our sacred computers some way or the other. Talking about scenarios where hacker had physical access, traditionally, lame Autorun based USBs could install unwanted programs on your PCs the moment they are plugged, but those are easy to get rid of: Switch off autoplay. What if a USB uses a cross-platform native profile to inject malicious programs into computers? — It becomes unstoppable.
One such device was demoed at this year’s Shmoocon, it’s called “Phantom Keystroker”. It’s a simple USB dongle form factor device, which when plugged to a computer uses USB HID class to identify itself as a Human interface mouse and keyboard from a legit manufacturer and start execution of instructions, which would perhaps annoy the user by flashing LEDs on keyboards, and make the mouse behave as drunkard.
Hak5 team has extrapolated the idea with USB HID device to allow executing terminal commands quickly, without drawing as much attention from the user who sits in front of it. The user just turns his head for couple of seconds and the hacker plugs in their programmable USB key stroke dongle, Boom! All sorts of command could be run.
Why this behavior is Not considered “Bad” by Current Anti-viruses
When we plug-in such USB HID device, it acts just like any other USB peripheral. It could identify itself as aLogitech HID keyboard, or a HID compliant Mouse. The moment it identifies itself, your computer assumes its you who is typing/clicking and has no idea about “these devices” being automated.
Daren and Snubs from Hak5 had been working on such a project they call as “USB Rubber Ducky” with a soft duck attached at the Dongle.
How this can be done?
It could start with a cool Arduino hack, but implementing a USB HID with the standard Arduino is a bit of a pain (atleast for me). The alternative way (read as “Better”) is to use Teensy, which lets you program in C, or the easier Arduino development environment, and already supported USB HID out of the box! With the price tag of $18, its ultra-affordable for enthusiasts and nightmare for potential victims.
When teensy is interfaced with a flash card, it could store multiple programs, which can then be dynamically loaded instead of reflashing the device everytime when you need to perform a different task. Also, one can store a large number of files/scripts that let you do more.
Watch the Video, from Hak5: (video automatically starts from 12:xx, where main talk starts)
The possiblities are endless. You can create a CRON Job or schedule events to happen in a later time. e.g. running a script at a time in the future when it downloads and install a keylogger or perhaps damage/steal local files. Or it could be an instantaneous Auto-job that copies all executables from the USB flash for running on the local computer.
What other Bad things are Possible:
- Automate Brute-force Admin passwords on Windows server (Windows 2003 server doesn’t lockout when passwords are entered from keyboard, in our case USB HID device)
- Brute-force BIOS passwords
- Fake a BSOD and do anything in the background. Before User reboots PC (i.e. couple of seconds) damage is probably done.
- Add a user to the box or the domain.( this is nasty)
- Run a program that sets up a permanent back door.
- Copy files to flash card
- Go to a website they have a cookie for, and do some sort of transaction.
Possibilities are endless, use your wild imagination.
How about Good things?
Apart from being an un-avoidable bad element, it can be a great pen-tester’s device and even an automation device. It could:
- Automate Pen-testing tasks
- Perform certain tasks much faster than you can type, and that too without typos.
- Schedule tasks
There is one disadvantage, though its not big. The first time you plugin the device, it takes few seconds (5-20s) to identify HID device and load the drivers. Though this is fully automated by all operating systems, this delay varies from OS to OS.
You can contribute
Obviously, there can be other good reasons why this project should go futher. If you’ve some brilliant ideas and happen to be a strong C, Arduino programmer, you can contribute to this project by filling a form at hak5 to register to receive a Free USB Rubber Ducky dev kit. Devkits will be delivered via via snail-mail around the world.