The new attack vector – HID

After attending Black Hat 2010/DEFCON 18, the world-famous hacking convention, I predict that a large number of attacks using USB devices will be discovered over the next few years.

USB drives can be dangerous. If you store sensitive information on one and lose it, you should assume the information will be seen. Hint: encrypt the data.

It’s also a great way for penetration testers to break into a computer system. Leave a USB drive in the parking lot, loaded with some malware (e.g. using Switchblade) that executes when the drive is plugged into the computer. Presto! The malware is installed. This works because most computers are set up to automatically run the programs on a USB drive when one is plugged in. This is dangerous, and I suggest you disable this autorun feature. Even worse are U3 USB drives, which can write into your computer’s registry, or into the filesystem, without asking. How convenient, especially for the evil-doer. Then again, you can also just ship a program called “Install”, and it’s amazing how many smart people will click on it just to see what is on the USB stick.

This autorun “feature” also works on network mapped drives, which is how the Conficker virus spreads. The best solution is to completely disable autorun, which is a tip from US-CERT to prevent viruses from spreading.

Problem solved, right? Not really. I predict that there will be a lot of new attacks on computer systems from a new threat – the keyboard. Or rather, a keyboard-like device. Or more accurately, a Human Interface Device.

Adrian Crenshaw, AKA IronGeek, was given a Phantom Keystroker at ShmooCon 2010. This device looks like a USB stick, but acts as a keyboard. It randomly does annoying things like toggling CAPS LOCK, moving the mouse, and inserting garbage characters. In other words, it’s a great practical joke: it drives the victim crazy. Cool, but a hacker would like to be able to reprogram the device to do more sinister things. While looking into the possibility, Adrian learned about the Teensy, a low-cost ($18) Arduino-like device that does exactly that. Adrian started exploring the possibilities of using it to attack a computer, and I learned about this on pauldotcom. Yes, you do need physical access to the computer, but the Teensy is very small, and easy to hide.

Adrian was the first to look into this as far as I can tell. However, at Black Hat 2010/DEFCON 18, I saw several presentations all using the HID interface. Clearly the time has come. The talks were

Unlike a U3 USB drive, a HID (Human Interface Device) does not require any driver to be installed. A HID is typically a keyboard or a mouse. It could also be a joystick, a bar code scanner, a camera, a keypad, etc. For more information see the Apple docs and the HID Usage Tables (PDF). This means the device can type whatever it wants. In other words, the device acts like an evil secret keyboard, and the operating system allows it to do so. How nice.
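To see what the operating system actually has to go on when a device claims to be a keyboard, here is an added example (not code from the original post or from the Teensy project): a small parser for the USB HID report descriptor that every HID device hands over at enumeration time. The short-item encoding follows the USB HID 1.11 specification, and the two sample descriptors are the standard 63-byte boot keyboard and 50-byte boot mouse descriptors, embedded inline so the script runs offline. The operating system binds the generic HID driver on the strength of this descriptor alone, which is why a device that says "Keyboard" here gets to type.

```python
# Added example: decode a USB HID report descriptor and list the device types
# it declares through its top-level Application collections.
# Item encoding per USB HID 1.11, section 6.2.2 (short items only).

MAIN, GLOBAL, LOCAL = 0, 1, 2

# Generic Desktop usage page (0x01) usages that identify common device types
GENERIC_DESKTOP = 0x01
DESKTOP_USAGES = {0x02: "Mouse", 0x04: "Joystick", 0x05: "Gamepad",
                  0x06: "Keyboard", 0x07: "Keypad"}

# Sample descriptors (constructed for this example; they are the standard
# boot-protocol keyboard and mouse descriptors from the HID specification).
KEYBOARD_DESC = bytes.fromhex(
    "05010906a1010507 19e029e715002501 7501950881029501 75088101950575 01"
    "0508190129059102 9501750391019506 7508150025650507 1900296581 00c0"
    .replace(" ", ""))
MOUSE_DESC = bytes.fromhex(
    "05010902a1010901 a100050919012903 1500250195037501 8102950175058101"
    "0501093009311581 257f750895028106 c0c0".replace(" ", ""))


def parse_items(desc):
    """Yield (item_type, tag, data) for each short item in a report descriptor."""
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:
            raise ValueError("long items are not handled in this example")
        size = (0, 1, 2, 4)[prefix & 0x3]     # bSize: 0, 1, 2 or 4 data bytes
        item_type = (prefix >> 2) & 0x3        # bType: main / global / local
        tag = prefix >> 4                      # bTag
        if i + 1 + size > len(desc):
            raise ValueError("truncated item at offset %d" % i)
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little") if size else 0
        yield item_type, tag, data
        i += 1 + size


def declared_devices(desc):
    """Return the device types a descriptor claims via top-level Application
    collections, e.g. ['Keyboard'] or ['Mouse', 'Keyboard'] for a composite."""
    usage_page = None      # global item: persists until changed
    pending_usage = None   # local item: applies to the next main item only
    depth = 0
    found = []
    for item_type, tag, data in parse_items(desc):
        if item_type == GLOBAL and tag == 0x0:          # Usage Page
            usage_page = data
        elif item_type == LOCAL and tag == 0x0:         # Usage
            pending_usage = data
        elif item_type == MAIN and tag == 0xA:          # Collection
            # data == 0x01 is an Application collection; only top-level ones
            # on the Generic Desktop page name a device type.
            if depth == 0 and data == 0x01 and usage_page == GENERIC_DESKTOP:
                name = DESKTOP_USAGES.get(pending_usage)
                found.append(name or "Unknown(0x%02X)" % (pending_usage or 0))
            depth += 1
            pending_usage = None
        elif item_type == MAIN and tag == 0xC:          # End Collection
            depth -= 1
        elif item_type == MAIN:                         # Input/Output/Feature
            pending_usage = None
    return found


if __name__ == "__main__":
    for label, desc in (("keyboard", KEYBOARD_DESC), ("mouse", MOUSE_DESC),
                        ("composite", MOUSE_DESC + KEYBOARD_DESC)):
        print("%-9s %d bytes, %d items, declares %s" % (
            label, len(desc), len(list(parse_items(desc))), declared_devices(desc)))
```

The composite case is the interesting one for an audit: a single descriptor, or a single device with several interfaces, can legitimately declare both a mouse and a keyboard, so a novelty mouse that also declares a keyboard looks completely normal to the host. Anything that tries to spot the devices this post describes has to compare what is declared against what was expected, not just check that the descriptor is well formed.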

Here are some of the things you can do with this technology:

  • Make a device that, once every 5 minutes, moves the mouse one pixel to the left and then one pixel to the right. If someone expects their computer to lock the screen automatically, the program will prevent it from happening.
  • Run a batch or script file. And Microsoft, bless its heart, has added almost everything you need to PowerShell, which is standard on newer operating systems. Launch a PowerShell window and change the configuration of the computer. It is limited to 140 characters a second, and the user might see a window pop up. Either wait for them to be out of the room, or misdirect them (drop hot coffee in their lap).
  • Go to a remote website and download and install a program.
  • Hook up a wireless interface to it, like Monta did. Wait for the person to be distracted, press a button, and run a program.
  • Adrian hooked up a photodiode to his device. It waits until the lights turn off before it does anything. Evil likes the dark.

I predict that next year we will find out a lot about ways this technology can be used to compromise computers. There are several reasons for this:

  1. It’s cheap. The software is free, and as I said, the Teensy is $18.
  2. It’s small. Adrian put a device and a hub inside a transparent mouse. The device also had colored LEDs that would flash based on activity. A mouse with flashing LEDs – that’s a cool gift. It also attacked your computer. Many keyboards have built-in hubs. Put one of these inside a keyboard. There’s plenty of room.
  3. It can be reprogrammed to appear to be any device. Most businesses allow users to swap keyboards and mice. You need some heavy-duty paranoid software to detect unusual and unexpected HID devices, which usually means rigid military-like systems.
  4. Since it can pretend to be any device, it is an excellent way to attack device drivers. After all, drivers don’t expect devices to suddenly claim to move a million pixels to the left. But a Teensy device can create events that do this. Every keyboard and mouse driver is now a possible entry point (vector) into a computer.
  5. HID events can be sent to the computer even when the screen is locked, and the computer will respond. Richard Rushing showed someone at Microsoft some examples, and they were surprised. Expect a patch for this.
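Reason 3 says detecting unexpected HID devices takes "paranoid software". As an added example (not from the original post, and not any product the post mentions), here is the core of such a check: it takes USB device records summarised as a port, vendor/product IDs and a list of (class, subclass, protocol) interface triples, the shape that `lsusb -v` or udev attributes expose, and applies three rules a defender would want: a keyboard interface from a vendor/product pair not on the approved list, a mass-storage device that also presents a HID interface (the U3-plus-keyboard combination), and more keyboard interfaces attached than the machine should have. The device records and the allow-list are constructed for this example; a real deployment would populate them from the host's USB enumeration and a site policy.

```python
# Added example: audit attached USB devices for unexpected HID interfaces.
# Device records and the allow-list below are constructed for illustration.

HID_CLASS = 0x03
MASS_STORAGE_CLASS = 0x08
BOOT_SUBCLASS = 0x01            # bInterfaceSubClass: boot-protocol HID
BOOT_KEYBOARD, BOOT_MOUSE = 1, 2  # bInterfaceProtocol for boot-protocol HID

# Hypothetical site allow-list of approved input devices (vendor, product).
ALLOWED_INPUT_DEVICES = {(0x1234, 0x0001),   # "approved keyboard" (constructed ID)
                         (0x1234, 0x0002)}   # "approved mouse" (constructed ID)

# Constructed enumeration snapshot: port, IDs, and interface descriptors.
DEVICES = [
    {"port": "1-1",   "vid": 0x1234, "pid": 0x0001, "interfaces": [(3, 1, 1)]},
    {"port": "1-2",   "vid": 0x1234, "pid": 0x0002, "interfaces": [(3, 1, 2)]},
    # A novelty mouse that also declares a keyboard interface behind a hub.
    {"port": "1-3.1", "vid": 0xBEEF, "pid": 0x0001, "interfaces": [(3, 1, 2), (3, 1, 1)]},
    # A "USB stick" that is mass storage plus a keyboard.
    {"port": "1-4",   "vid": 0xCAFE, "pid": 0x0100, "interfaces": [(8, 6, 80), (3, 1, 1)]},
]


def interface_roles(dev):
    """Classify a device's interfaces. Non-boot HID interfaces (subclass 0)
    cannot be typed from class codes alone and need their report descriptor
    inspected, so they are reported as 'other-hid'."""
    roles = set()
    for cls, sub, proto in dev["interfaces"]:
        if cls == HID_CLASS and sub == BOOT_SUBCLASS and proto == BOOT_KEYBOARD:
            roles.add("keyboard")
        elif cls == HID_CLASS and sub == BOOT_SUBCLASS and proto == BOOT_MOUSE:
            roles.add("mouse")
        elif cls == HID_CLASS:
            roles.add("other-hid")
        elif cls == MASS_STORAGE_CLASS:
            roles.add("storage")
    return roles


def audit(devices, max_keyboards=1):
    """Return {port: [finding, ...]} for devices that violate the policy, plus a
    '_fleet' entry when more keyboards are attached than expected."""
    findings = {}
    keyboards = 0
    for dev in devices:
        roles = interface_roles(dev)
        approved = (dev["vid"], dev["pid"]) in ALLOWED_INPUT_DEVICES
        issues = []
        if "keyboard" in roles:
            keyboards += 1
            if not approved:
                issues.append("unapproved keyboard interface")
        if "other-hid" in roles and not approved:
            issues.append("unapproved HID interface (inspect its report descriptor)")
        if "storage" in roles and roles & {"keyboard", "mouse", "other-hid"}:
            issues.append("storage device that also presents a HID interface")
        if issues:
            findings[dev["port"]] = issues
    if keyboards > max_keyboards:
        findings["_fleet"] = ["%d keyboard interfaces attached, expected at most %d"
                              % (keyboards, max_keyboards)]
    return findings


if __name__ == "__main__":
    for port, issues in sorted(audit(DEVICES).items()):
        print("%-7s %s" % (port, "; ".join(issues)))
```

The allow-list is the weak point, exactly as the post says: a Teensy can report any vendor and product ID, so an approved ID proves nothing on its own. The second and third rules exist for that reason; they catch the combinations (storage plus keyboard, two keyboards on one machine) that an impersonated ID does not hide.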

In other words, those who care about security must be careful about what USB devices they plug into a computer. Those clever USB toys you see may really be evil devices. And it’s hard for the computer to protect itself. We use HID-enabled devices all the time. We can’t just disable them: nothing would work.

Expect that many drivers for USB devices will be found to have security holes, because they never expect those devices to suddenly turn evil. Already people are finding ways to use this technology. PSGroove uses a Teensy to jailbreak a Sony PlayStation 3. The TI-84 calculator can also be used to jailbreak the PS3.

Adrian has a new paper on malicious USB devices.

I will update this site as I find out more.

Irongeek gave an update on pauldotcom.
