Pentesting with Programmable HID: Owned by a USB Keyboard
Most corporate (and government) IT experts know the danger of rogue USB drives. In 2008, one of the largest exploitations of the military was caused by a simple USB drive that was purposely infected with malware. Since then, turning off the “Autorun” feature has been a common mantra amongst security professionals to stop infected USB drives from running their automated payload.
But, what if the system did not know that the device being plugged in was a USB flash drive? What if it thought it was a keyboard, or a mouse? What if it was in fact a keyboard, mouse or even an office toy?
What if the device could run automated commands, like copying off all the data in certain directories, running an onboard malware program, or automatically taking you to a rogue site? What if the device could detect when you were sitting at the keyboard? When you turned on your office lights or even moved?
Welcome to the world of Programmable HID (Human Interface Device) hacking. This new area of social engineering attacks is very deceptive and effective. Using a device that can be used as is, or inserted into a real keyboard, mouse or office toy, hackers are able to run a plethora of attacks against a machine.
And because the system thinks it is a human interface device, anti-virus has little if any effect: the payload arrives as ordinary keystrokes, not as a file to scan. Because it is programmable via the simple Arduino language (the same technology used in robotics), the attack options are limited only by the imagination of the hacker. And as you will see, some of them have a pretty evil imagination.
The video above is from Defcon 18. The exceptional presentation by Adrian Crenshaw (aka Irongeek) demonstrates his work with transforming the Teensy USB device into a pentester’s dream. He shows the dangers and capabilities of USB HID hacking and how to defend against them. Adrian is extremely knowledgeable, and his light, witty demeanor makes watching the video not only informative but very enjoyable.
Just don’t borrow a mouse from this guy!
~ by D. Dieterle on September 23, 2010.