Pentesting with Programmable HID: Owned by a USB Keyboard

Most corporate (and government) IT experts know the danger of rogue USB drives. In 2008, one of the largest exploitations of the military was caused by a simple USB drive that was purposely infected with malware. Since then, turning off the “Autorun” feature has been a common mantra amongst security professionals to stop infected USB’s from running their automated payload. 

But, what if the system did not know that the device being plugged in was a USB flash drive? What if it thought it was a keyboard, or a mouse? What if it was in fact a keyboard, mouse or even an office toy? 

What if the device could run automated commands, like copying off all the data in certain directories, running an onboard malware program, or automatically taking you to a rogue site? What if the device could detect when you were sitting at the keyboard? When you turned on your office lights or even moved? 

Welcome to the world of Programmable HID (Human Interface Device) hacking. This new area of social engineering attacks is very deceiving and effective. Using a device that can be used as is, or inserted into a real keyboard, mouse or office toy, hackers are able to run a plethora of attacks against a machine. 

And because the system thinks it is a human interface device, anti-virus has little if no effect. Because it is programmable via the simple Arduino language (same technology used in robotics), the attack options are limited only by the imagination of the hacker. And as you will see, some of them have a pretty evil imagination. 

The video above is from Defcon 18. The exceptional presentation by Adrian Crenshaw (aka Irongeek) demonstrates his work with transforming the Teensy USB device into a pentesters dream. He shows the dangers and capabilities of USB HID hacking and how to defend against them. Adrian is extremely knowledgeable and his light, witty demeanor makes watching the video not only informative, but very enjoyable. 

Just don’t borrow a mouse from this guy!    

Advertisements

Latest Military Tech Review

The top military technology news from around the web:

How Air Force’s BATMAN can steal power from an enemy
The BATMAN ensemble includes a small, chest mounted computer that provides airmen with real time logistical and tactical data. Program officials said that they are also working on speech recognition technology to keep special operators’ hands-free during combat. Engineers are also working on a personal wireless communications network that will connect all of an airman’s equipment without the need for wires and cables.

Army May Issue iPhones to New Recruits
In an effort to reach a more gadget-savvy youth market and cut down on old-school dead tree manuals, the Army could begin issuing iPhones to new recruits as both an incentive (as if they need one in this economy) and to use during basic training and beyond as a learning tool.

On AF B-Day Are Pilots Soon to be Stamped ‘Obsolete?’
[The] specter of obsolescence is beginning to haunt some of the most tech-savvy men and women in America – Air Force pilots – as the service looks toward an unmanned air fleet capable of any and every kind of combat and support role, from close air support to cargo and refueling; a fleet “smart” enough to work together, even “swarming” to carry out tactical and strategic missions.

Kremlin bans sale of S-300 missile systems to Iran
The Kremlin has formally banned the sale of S-300 air defence missile systems to Iran three months after new UN sanctions.

Iranian Military Equipped with Anti-Stealth Technology
Iran’s military has become proficient in the technology to produce stealth-aircraft detection systems, Iranian deputy commander Brigadier General Mohammad Hassan Mansourian said. “With our present technology to produce radars with different ranges, we can definitely detect enemies’ stealth warplanes,” he said.

DARPA and Boeing to Develop Solar-Powered Aircraft
Boeing has been selected by the US Defense Advanced Research Projects Agency (DARPA) to develop and fly the SolarEagle unmanned aircraft for the Vulture II demonstration programme. Under the $89m contract, Boeing will develop a full-scale flight demonstrator, including maturation of the critical power system and structures technologies.

Tyrannos flying military car idea avoids road obstacles by flying
The design of a flying car is almost certainly the most conventional symbol of the future. Aerospace is the newest start up to revive those fantasies, and as you can see from the idea shot above, they’re aiming high. Called the Tyrannos, the latest flying car to come on our radar is a four-wheeler that has four small rotating wings to get it off the ground.

Researchers delve into secrets of fireflies, other glowing creatures for military uses
Someday, the secrets of fireflies or glowing sea plankton could save an American soldier in battle, a Navy SEAL on a dive or a military pilot landing after a mission.

NASA pursues horizontal launch systems
NASA is trying to use existing technologies in new ways to design an entirely novel launch technology. If it works, the new launch system would propel a space vehicle down a track or on a sled until it’s moving fast enough to launch and escape Earth’s atmosphere into space.

Snake Tanks, Forensic Cameras, Quick-Draw Goggles: Military Tech’s New Powers
At Police Magazine’s recent law enforcement expo, an army of exhibitors showed off the latest high-tech gadgets that’d satisfy the most elite SWAT teams, special forces–and even the bad guy from from Austin Powers.

Gathering Passwords with Web 2.0 Sites

I was watching a security seminar the other day and for about the third time this month, I heard the dangers of entering passwords with “Web 2.0” sites.

Here is the problem, in the olden days, when you entered a password into the password field, it was not sent until you clicked the send button.

Now, with the newer web applications, everything you type in the field is captured as you type it. This just makes hackers giddy.

When they make a fake site, say it is a bogus store, many people will put in a credit card number for the sale, then have second thoughts and back out of it. Well, it doesn’t matter, they have the number, as it was transferred as it was typed.

Another reason hackers love this live data transfer is with social engineering sites. How many passwords do you have? How many times have you entered a password for another site, realized what you did, deleted it and put in the right password for the site? Well, now the hackers have two of your passwords. Or more, depending on how many you type in while your brain is in melt down mode.

Be careful out there, cyber crime is big business now and they are doing everything they can to try to get information out of you.