USB HID Attacks

So, all the hackers are running around saying "hardware is the new software." Better than that, they are proving it to be true. I saw a post this summer about the "Rubber Ducky" attack the folks over at HAK5 are working on. If you aren't familiar with the rubber ducky stuff, check out episode 709. The potential for these attacks is amazing. Let's pause and think about HID.

HID stands for Human Interface Device, this is a fancy way of saying PC input devices. For the purposes of this discussion we are specifically referring to keyboards and mice. These days when you plug in a USB mouse or keyboard, what happens? It works! No authentication, no authorization, maybe minimal auditing in some environments. So what if that device you plugged in wasn't a keyboard or mouse but was simply reporting itself as one of those. For the 1337 folks reading this I get that you understand the potential, for the non-nerds that are reading I just inserted a device that is mimicking your keyboard. Now I am hearing the naysayers already: "We have autorun turned off." "We have least-user privileges.." etc.. Let me respond to that with: it doesn't matter. This is direct memory access, your user object is not relevant. Irongeek, Adrian Crenshaw, gave a great talk this year at Defcon. Check out his website, and this page specifically. He named his attack Programmable HID USB Keystroke Dongle: PHUKD. I apologize for the language but that name sums it up quite well. Here's an excerpt from Irongeek:

So, why would a pen-tester want one?

1. Likely types faster than you can, without errors. This is important when physical access time to the target system is limited. 
2. Works even if U3 autorun is turned off. 
3. Draws less attention than sitting down in front of the terminal would. The person turns their head for a minute, the pen-tester plugs in their programmable USB key stroke dongle, and the box is popped as Dave Kennedy likes to say.
5. The HID can also be set to go off on a timer when you know a target will be logged in, or by sensor when certain conditions are met. 
6. You could embed a hub and a flash drive in your package so that you have storage and the programmable USB HID all in one nice neat package.
7. Embed your device in a USB toy or peripheral (lots of spare room in a printer or dancing USB penguin) and give it to your target as a 'gift'. Packaging that looks like a normal thumb drive is also an option.
8. After your Trojan USB device is in place, program it to "wake up", mount onboard storage, run a program that fakes an error to cover what it is doing (fake BSOD for example), do its thing, then stop (leaving the target to think "it's just one of those things").

Awesome dude! Now you are asking, "how do I defend against this?" There are some ways to stop unrecognized devices from being activated but that's only devices that weren't previously installed. Lots of these offerings are also commercial tools which only work on Windows and are also not cheap. Speaking of Windows, don't go thinking you are safe if you use some other operating system. This style of attack will work on any platform that recognizes USB HID. This means every modern operating system is a potential victim.

I expect to see some defenses start popping up soon. Until then, you better start deciding how to defend against this and keep in mind that telling your employees "Don't use USB devices on your work computer" doesn't actually prevent them from doing it. You need that policy in place, but you must have a technical control backing it up and enforcing it. You also can't just go enforcing without the policy, so make sure you have both of them ready to deploy at the same time. If you are a Windows environment and you want some control, check these out:
Checkpoint Poinstec
Lumension Device Control

1 comment:

  1. Slade - nice note. Disturbing, but nice. And a graphic that would have wowed 'em over at the Discovery Channel during "Shark Week".

    Folks just waking up to the USB vector via Stuxnet would do well to get the info in your post into their heads as soon as possible.

    Cheers, Andy (Smart Grid Security Blog)