Computer users pass around USB sticks like silicon business cards. The Wired article Why the Security of USB Is Fundamentally Broken (http://www.wired.com/2014/07/usb-security/) explains that we typically depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: their risk isn’t just in what they carry, it’s built into the core of how they work. The security of USB devices has long been fundamentally broken: USB firmware (which exists in varying forms in all USB devices) can be reprogrammed to hide attack code, and a USB device can completely take over a PC. The USB firmware on many devices can be reprogrammed by malware on that PC, converting an innocent device into an attack tool. All this is nearly impossible to counter without banning the sharing of USB devices or filling your ports with superglue. The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets.
199 Comments
Tomi Engdahl says:
Malduino Elite – First Impressions
http://hackaday.com/2017/05/31/malduino-elite/
A while back, I wrote an article about Malduino, an Arduino-based, open-source BadUSB device. I found the project interesting so I signed up for an Elite version and sure enough, the friendly postman dropped it off in my mail box last Friday, which means I got to play around with it over the weekend. For those who missed the article, Malduino is a USB device which is able to emulate a keyboard and inject keystrokes, among other things. When in a proper casing, it will just look like a USB flash drive. It’s like those things you see in the movies where a guy plugs in a device and it auto hacks the computer. It ships in two versions, Lite and Elite, both based on the ATmega32U4.
The Lite version is really small; besides the USB connector it only contains a switch, which allows the user to choose between running and programming mode, and an LED, which indicates when the script has finished running.
MalDuino — Open Source BadUSB
http://hackaday.com/2017/01/24/malduino-open-source-badusb/
Tomi Engdahl says:
How to use Linux’s built-in USB attack protection
Worried over malicious USB sticks? Linux has you covered with USBGuard.
http://www.zdnet.com/article/how-to-use-linuxs-built-in-usb-attack-protection/
There are USB sticks that will destroy your computer, USB sticks loaded with spyware, and even official enterprise USB sticks infected with malware. Last, but never least, when it comes to stealing data from a computer, you can’t beat a USB stick. There are devices like the USG USB stick firewall, which can protect you, or if you’re a Linux user, you can always stop attackers armed with USB sticks with USBGuard.
In the real world, Linux-based USB distributions such as live-boot Tails make this easy. USBGuard can stop any such attack.
USBGuard, as current stable Linux kernel maintainer Greg Kroah-Hartman recently pointed out, has been around for over a decade. For some reason, this user-space tool, which provides access control to USB devices, is not well known. It should be. It’s a great addition to anyone needing to protect a Linux desktop or server.
This software framework is designed expressly to protect your computer against rogue USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. It enables you to lock-down all USB devices from user space.
USBGuard is not installed by default, to the best of my knowledge, on any major Linux distribution. But you can install USBGuard on any Linux using the source code. It’s also available packaged up for easy deployment for Red Hat Linux family distributions in the Extra Packages for Enterprise Linux (EPEL) repository and in the Ubuntu universe repositories since the release of Ubuntu 16.10.
Once in place, you control USBGuard by the settings in its usbguard-daemon.conf file: The USBGuard daemon configuration file. When set up, the USBGuard daemon scans each USB device or hub as it’s inserted into the system. The daemon then scans the existing rules sequentially, and when a matching rule is found, it either authorizes (allows), de-authorizes (blocks), or removes (rejects) the device.
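The sequential, first-match evaluation described above (and the BadUSB interface-spoofing devices discussed elsewhere in this thread) can be seen in a small simulation. This is an added illustration, not USBGuard's own code: it parses a subset of the usbguard-rules.conf syntax (target, optional `id`, and `with-interface` with the equals/all-of/one-of/none-of operators) and classifies constructed device descriptors; the vendor:product ids and device names are made up.

```python
"""Simulate USBGuard-style rule evaluation over USB interface descriptors.

Added example, not part of USBGuard.  Rule syntax follows usbguard-rules.conf
for the subset parsed here; devices and their vendor:product ids are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    vid_pid: str          # "vvvv:pppp" (constructed sample ids below)
    interfaces: tuple     # "class:subclass:protocol" per interface descriptor


# Constructed policy: allow plain storage, reject storage that also carries a
# keyboard (HID, class 03) or a network interface (CDC, class 02), pin one
# known keyboard by id, block everything else via the implicit policy.
POLICY = """
# Plain mass-storage devices (class 08) and nothing else
allow with-interface equals { 08:*:* }
# Storage that also presents a keyboard or a network adapter: BadUSB shape
reject with-interface all-of { 08:*:* 03:*:* }
reject with-interface all-of { 08:*:* 02:*:* }
# One pinned boot keyboard, identified by vendor:product (made-up id)
allow id 1234:5678 with-interface equals { 03:01:01 }
"""

# Constructed devices (interface triples as they would appear in descriptors)
DEVICES = [
    Device("plain flash drive", "0000:0001", ("08:06:50",)),
    Device("flash drive + hidden keyboard", "0000:0002", ("08:06:50", "03:01:01")),
    Device("unknown keyboard", "0000:0003", ("03:01:01",)),
    Device("pinned keyboard", "1234:5678", ("03:01:01",)),
    Device("storage + network adapter", "0000:0004",
           ("08:06:50", "02:06:00", "0a:00:00")),
]

RULE_RE = re.compile(
    r"^(?P<target>allow|block|reject)"
    r"(?:\s+id\s+(?P<id>[0-9a-fA-F]{4}:[0-9a-fA-F]{4}))?"
    r"(?:\s+with-interface\s+(?P<op>equals|all-of|one-of|none-of)"
    r"\s+\{(?P<set>[^}]*)\})?\s*$"
)


def _iface_matches(pattern: str, iface: str) -> bool:
    """'08:*:*' matches any mass-storage interface; '03:01:01' is exact."""
    return all(p == "*" or p == v
               for p, v in zip(pattern.split(":"), iface.split(":")))


def _set_matches(op: str, patterns: list, ifaces: tuple) -> bool:
    """Apply a usbguard set operator to the device's interface list."""
    covered = [p for p in patterns if any(_iface_matches(p, i) for i in ifaces)]
    hit = [i for i in ifaces if any(_iface_matches(p, i) for p in patterns)]
    if op == "all-of":
        return len(covered) == len(patterns)      # every pattern present
    if op == "one-of":
        return bool(covered)                      # at least one present
    if op == "none-of":
        return not covered                        # none present
    if op == "equals":
        # every pattern present and no device interface left unmatched
        return len(covered) == len(patterns) and len(hit) == len(ifaces)
    raise ValueError(f"unknown operator {op}")


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line}")
        patterns = m.group("set").split() if m.group("set") is not None else None
        rules.append((m.group("target"), m.group("id"), m.group("op"), patterns))
    return rules


def evaluate(rules: list, dev: Device, implicit: str = "block") -> str:
    """Scan rules in order; the first match wins, else ImplicitPolicyTarget."""
    for target, vid_pid, op, patterns in rules:
        if vid_pid and vid_pid.lower() != dev.vid_pid.lower():
            continue
        if patterns is not None and not _set_matches(op, patterns, dev.interfaces):
            continue
        return target
    return implicit


def classify_all(policy: str = POLICY, devices: list = DEVICES) -> dict:
    rules = parse_rules(policy)
    return {d.name: evaluate(rules, d) for d in devices}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{verdict:6} {name}")
```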
Tomi Engdahl says:
E-cigarettes can be used to hack computers
https://www.techworm.net/2017/06/e-cigarettes-can-used-hack-computers.html
To explain this, security researcher Ross Bevington showcased a presentation at BSides London that revealed how an e-cigarette could be used to attack a computer either by interfering with its network traffic or by deceiving the computer to make it believe that it was a keyboard.
Many e-cigarettes can be charged over USB
“PoisonTap is a very similar style of attack that will even work on locked machines,” Mr Bevington told Sky News.
Another hacker and security expert, who goes by the name FourOctets on Twitter, published a proof-of-concept video demonstrating his work, wherein he plugs an e-cigarette into a computer’s USB port. The computer lights up as it normally does when an e-cigarette starts charging. However, after a few seconds, a message pops up on the computer screen.
Tomi Engdahl says:
Injecting Code Into Mouse Firmware Should Be Your Next Hack
http://hackaday.com/2017/07/29/injecting-code-into-mouse-firmware-should-be-your-next-hack/
Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.
The jumping off point for their work is the esports industry. The scope of esporting events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge to win. Contestants are allowed to bring their own peripherals which begs the questions: can you alter a stock gaming mouse to do interesting things?
The SteelSeries Sensei mouse was selected for the hack because it has an overpowered microcontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards.
Perhaps the biggest leap in this project is that the firmware wasn’t read-protected.
The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.
http://usbrubberducky.com/?_escaped_fragment_=index.md#!index.md
Tomi Engdahl says:
Infosec eggheads rig USB desk lamp to leak passwords via Bluetooth
Malicious gadgets can snoop on keypresses, other data, through ports, it is claimed
https://www.theregister.co.uk/2017/08/11/leaky_usb_research/
Malicious USB gadgets can secretly spy on data flowing in and out of devices plugged into adjacent USB ports, security researchers in Australia have warned.
For example, keypresses from a USB keyboard could be read by a specially modified thumb drive placed in the next-door port. The spy stick can pick up electrical signals leaking from one port to another; analyzing this leakage opens the door to keylogging attacks in this case.
It means miscreants can potentially read off sensitive info from a computer if they are able to get a booby-trapped thumb drive or some other evil gadget into a victim’s machine. It’s not a particularly practical or terrifying scenario, but interesting nonetheless – and definitely something to be aware of if you plug your devices into public charging points at, say, airports.
“Electricity flows like water along pipes – and it can leak out. In our project, we showed that voltage fluctuations of the USB port’s data lines can be monitored from the adjacent ports on the USB hub,” said Dr Yuval Yarom, research associate with the University of Adelaide’s School of Computer Science, on Thursday.
Tomi Engdahl says:
USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs
https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/su
The Universal Serial Bus (USB) is the most prominent interface for connecting peripheral devices to computers. USB-connected input devices, such as keyboards, card-swipers and fingerprint readers, often send sensitive information to the computer. As such information is only sent along the communication path from the device to the computer, it was hitherto thought to be protected from potentially compromised devices outside this path.
We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic. We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines.
Demonstrating the attack’s low costs and ease of concealment, we modify a novelty USB lamp to implement an off-path attack which captures and exfiltrates USB traffic when connected to a vulnerable internal or an external USB hub.
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-su.pdf
Tomi Engdahl says:
USB connections exposed as ‘leaky’ and vulnerable
http://theleadsouthaustralia.com.au/industries/education/usb-connections-exposed-as-leaky-and-vulnerable/
Tests on USB connections have shown they are highly susceptible to information “leakage”, making them less secure than previously thought.
He said USB-connected devices were the most common interface used globally to connect external devices to computers and included keyboards, cardswipers and fingerprint readers, which often sent sensitive information.
“But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen,” Dr Yarom said.
Dr Yarom said this “channel-to-channel crosstalk leakage” was analogous with water leaking from pipes.
“Electricity flows like water along pipes – and it can leak out,” he says. “In our project, we showed that voltage fluctuations of the USB port’s data lines could be monitored from the adjacent ports on the USB hub.”
The team used a modified cheap novelty plug-in lamp with a USB connector to “read” every keystroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.
Dr Yarom said other research had shown that 75 per cent of USB sticks dropped on the ground were picked up and plugged into a computer. But they could have been tampered with to send a message via Bluetooth or SMS to a computer anywhere in the world.
He said Bluetooth was a more secure way of transferring information.
Tomi Engdahl says:
Power/Performance Bits: Aug. 22
USB data leakage; choosing the right battery; rechargeable zinc-air batteries.
https://semiengineering.com/powerperformance-bits-aug-22/
Researchers from the University of Adelaide found that USB connections are vulnerable to information leakage. In testing more than 50 different computers and external USB hubs, they found that over 90% of them leaked information to an external USB device.
“USB-connected devices include keyboards, cardswipers and fingerprint readers which often send sensitive information to the computer,” said Yuval Yarom, Research Associate with the University of Adelaide’s School of Computer Science.
The team used a modified cheap novelty plug-in lamp with a USB connector to read every key stroke from the adjacent keyboard USB interface. The data was sent via Bluetooth to another computer.
“It has been thought that because that information is only sent along the direct communication path to the computer, it is protected from potentially compromised devices,” said Yarom. “But our research showed that if a malicious device or one that’s been tampered with is plugged into adjacent ports on the same external or internal USB hub, this sensitive information can be captured. That means keystrokes showing passwords or other private information can be easily stolen.”
While those aware of security risks are wary of plugging in an unknown USB device, Yarom said other research has shown that if USB sticks are dropped on the ground, 75% of them are picked up and plugged into a computer.
“The main take-home message is that people should not connect anything to USB unless they can fully trust it,” said Yarom.
Tomi Engdahl says:
USB Snooping Made Easy:
Crosstalk Leakage Attacks on USB Hubs
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-su.pdf
Tomi Engdahl says:
Many Vulnerabilities Found in Linux USB Subsystem
http://www.securityweek.com/many-vulnerabilities-found-linux-usb-subsystem
A Google researcher has found a significant number of vulnerabilities in the Linux kernel USB subsystem using the Syzkaller fuzzer.
The fuzzing tool developed by Google helped Andrey Konovalov find tens of bugs, including 22 security flaws that have been assigned CVE identifiers. In an advisory published this week, the expert detailed 14 of the vulnerabilities he discovered.
The vulnerabilities have been described as use-after-free, general protection fault, out-of-bounds read, and NULL pointer dereference issues that can be exploited to cause a denial-of-service (DoS) condition. The expert said some of the flaws might have a different impact as well, which typically means they could allow arbitrary code execution.
Konovalov pointed out that an attacker needs to have physical access to the targeted system and connect a malicious USB device in order to exploit the vulnerabilities. Others suggested that an attacker who has remote access to a machine may be able to update the firmware on connected USB drives to plant exploits for these flaws and create malicious devices.
Fixes for many of the vulnerabilities found by Konovalov are included in Linux kernel versions 4.13.4 and later, but many of the issues remain unpatched.
Tomi Engdahl says:
Many Vulnerabilities Found in Linux USB Subsystem
http://www.securityweek.com/many-vulnerabilities-found-linux-usb-subsystem
http://www.openwall.com/lists/oss-security/2017/11/06/8
Tomi Engdahl says:
http://www.etn.fi/index.php/13-news/7133-linuxista-loeytyi-kymmeniae-usb-reikiae
Tomi Engdahl says:
Experts can hack most CPUs since 2008 over USB by triggering Intel Management Engine flaw
http://securityaffairs.co/wordpress/65327/hacking/intel-management-engine-flaw-hack.html
Positive Technologies plans to demonstrate at the next Black Hat conference how to hack over USB into the Intel Management Engine of most CPUs since 2008.
Experts from Positive Technologies, who in September announced that they had devised a technique to attack the Intel Management Engine, have now provided more details about it and plan to demonstrate the God-mode hack in December 2017.
Tomi Engdahl says:
Don’t worry about those 40 Linux USB security holes. That’s not a typo
https://www.theregister.co.uk/2017/11/07/linux_usb_security_bugs/
Move along. Nothing to see here. By the way, try this flash drive in your laptop, ta
The Linux kernel USB subsystem has more holes than a donut shop. On Monday, Google security researcher Andrey Konovalov disclosed 14 Linux USB flaws found using syzkaller, a kernel fuzzing tool developed by another Google software engineer, Dmitry Vyukov.
That’s just the tip of the iceberg. In an email to The Register, Konovalov said he asked for CVEs for another seven vulnerabilities on Tuesday, and noted there are something like 40 that have not been fixed or triaged.
Konovalov downplayed the risk posed by the flaws, based on the fact that physical access is a prerequisite to an attack. In other words, to exploit these vulnerabilities and potentially hijack a machine or infect it with spyware, you have to be able to actually insert a malicious USB gadget into a Linux-powered system.
Still, there are plenty of these ports around
Tomi Engdahl says:
Apple Patches USB Code Execution Flaw in macOS
http://www.securityweek.com/apple-patches-usb-code-execution-flaw-macos
One of the vulnerabilities addressed by Apple in its latest set of security patches for macOS is an arbitrary code execution flaw, which could be exploited via malicious USB devices.
Discovered by Trend Micro security researchers and reported to Apple in April this year, the issue resides in fsck_msdos, a system tool designed to check for and fix errors in devices formatted with the FAT filesystem.
The security researchers discovered that because the tool is automatically invoked by macOS when a device using the FAT filesystem (such as a USB disk or an SD card) is inserted, a security bug could allow malicious devices to execute arbitrary code when they are connected to a Mac.
The vulnerability is created by a memory corruption issue and its exploitation could lead to an attacker taking full control of a vulnerable system, Trend Micro says.
“We do not believe that this attack has been used in the wild. We strongly recommend that users update their software to address this flaw, as well as the others that were part of this update cycle,” the security researchers note.
Tomi Engdahl says:
CJMCU-3212 Virtual Keyboard Badusb ATMEGA32U4 WIFI ESP-8266 TF Storage
https://www.banggood.com/CJMCU-3212-Virtual-Keyboard-Badusb-ATMEGA32U4-WIFI-ESP-8266-TF-Storage-p-1250563.html?p=271314529968201404
Tomi Engdahl says:
January 16, 2018
ATTACKING SECURE USB KEYS, BEHIND THE SCENE
https://www.j-michel.org/blog/2018/01/16/attacking-secure-usb-keys-behind-the-scene
In particular I will explain how we removed the epoxy coating, and how we de-soldered and then re-balled the BGA.
Tomi Engdahl says:
The Tomu: An Arm Microcontroller That Fits in Your USB Port
https://blog.hackster.io/the-tomu-an-arm-microcontroller-that-fits-in-your-usb-port-31f60af97471
The difference between the Tomu and most other USB stick computers I’ve come across? It’s so small it fits entirely inside your computer’s USB port.
Tomi Engdahl says:
This Mission: Impossible-esque USB Dongle Explodes After Delivering a Malicious Payload
https://blog.hackster.io/this-mission-impossible-esque-usb-dongle-explodes-after-delivering-a-malicious-payload-a267ec493c76
This is a USB dongle that delivers a keystroke-injection attack, and then explodes when the attack has been completed.
A keystroke-injection attack, if you’re not familiar, is a simple way of attacking a computer by using a USB dongle that looks like a keyboard to the computer. Once it’s been plugged in, virtual keystrokes are sent to the computer to execute some sort of code, download and launch malware, or open a website. Because of its simplicity, the attack is actually pretty difficult to protect against.
Tomi Engdahl says:
Build an Affordable Bash Bunny with a Raspberry Pi Zero W
https://blog.hackster.io/build-an-affordable-bash-bunny-with-a-raspberry-pi-zero-w-11a4abf7bde5
The Bash Bunny from Hak5 is a versatile little hacking device for performing USB-based attacks. It’s a tiny Linux computer that emulates various USB devices, like a flash drive or keyboard, in order to inject payloads on a target computer. It’s a fun tool for people who are interested in cracking, but it’s a bit expensive at $100. Using a Raspberry Pi Zero W, Alex Jensen was able to replicate the Bash Bunny for far less money.
Tomi Engdahl says:
Teardown Of USB Fan Reveals Journalists’ Lack Of Opsec
https://hackaday.com/2018/07/11/teardown-of-usb-fan-reveals-journalists-lack-of-opsec/
Last month, Singapore hosted a summit between the leaders of North Korea and the United States. Accredited journalists invited to the event were given a press kit containing a bottle of water, various paper goods, and a fan that plugs into a USB port.
This is not a story about a USB fan, the teardown thereof, or of spy agencies around the world hacking journalists’ computers. This is a story of the need for higher awareness on what we plug into our computers. In this case nothing came of it — the majority of USB devices are merely that and nothing more. One of the fans was recently torn down (PDF) and the data lines are not even connected.
http://www.cl.cam.ac.uk/~sps32/usb_fan_report.pdf
Tomi Engdahl says:
This USB Drive Will Self-Destruct After Ruining Your Computer
https://hackaday.com/2018/01/19/this-usb-drive-will-self-destruct-after-ruining-your-computer/
Who would have thought that you could light up pyrotechnics on USB power? This USB keystroke injector that blows up after it’s used proves the concept.
Fully aware that this is one of those “just because you can doesn’t mean you should” projects, [MG] takes pains to point out that his danger dongle is just for dramatic effect, like a prop for a movie or the stage.
The device is just an ATtiny85 and a few passives stuffed into an old USB drive shell, along with a MOSFET to trigger the payload. If you eschew the explosives, the payload could be anything that will fit in the case
Mr. Self Destruct
A USB keystroke injector with software-triggered 5v payloads!
https://medium.com/@_MG_/mr-self-destruct-7986998f32a8
Tomi Engdahl says:
Tomu: A Microcontroller for Your USB Port
https://hackaday.com/2018/01/20/tomu-a-microcontroller-for-your-usb-port/
Looking for an ultra-tiny development board? Tomu is an ARM Cortex M0+ device that fits inside your USB port. We’ve seen these in person, and they’re tiny.
There are a few commercial devices in this form factor on the market. For example, the Yubikey Nano emulates a keyboard to provide codes for two-factor authentication. The Yubikey’s tiny hardware does this job well, but the closed-source device isn’t something you can modify.
https://www.crowdsupply.com/sutajio-kosagi/tomu
Tomi Engdahl says:
RFID Research Group’s USBNinja Embeds BadUSB into the Cable Itself
https://blog.hackster.io/rfid-research-groups-usbninja-embeds-badusb-into-the-cable-itself-9c2f35032ddc
In 2014, a pair of hackers at the Black Hat USA conference demonstrated what they termed as “BadUSB,” showing how a USB flash drive microcontroller could be reprogrammed to spoof a myriad of other device types to take control of a PC. They were able to achieve a full-system compromise using just the drive and a self-replicating USB virus that was undetectable at the time.
Four years later, the people over at RFID Research Group designed a USB cable equipped with BadUSB built inside, which can be triggered wirelessly to deliver whatever payload you want. The USBNinja functions as a standard USB cable
tiny Bluetooth unit that waits for a wireless command to unleash its payload
https://usbninja.com
Tomi Engdahl says:
Creating Bad USB Using Arduino (Part 1)
https://null-byte.wonderhowto.com/forum/creating-bad-usb-using-arduino-part-1-0179826/
Tomi Engdahl says:
CJMCU-32 Virtual Keyboard Badusb For Arduino Leonardo USB ATMEGA32U4
https://www.banggood.com/CJMCU-32-Virtual-Keyboard-Badusb-For-Arduino-Leonardo-USB-ATMEGA32U4-p-1098876.html?p=27131452996820140438
Feature:
- ATMega 32U4 running at 5V/16MHz
- Supported under Arduino IDE
- On-Board micro-USB connector for programming
“Inexpensive way to show what a malicious usb device can do on an unsuspecting user’s PC.”
Tomi Engdahl says:
Prevent BadUSB Attacks! Here’s How…
https://www.youtube.com/watch?v=Vq0kUxslp80
MalDuino!
https://maltronics.com/?utm_source=yt&utm_medium=vid&utm_campaign=pbad
MalDuino is a keystroke injection tool! Plug it in and it’ll type out any payload automatically.
Gain a reverse shell… Change someone’s desktop wallpaper… Anything you can do with a keyboard and 15 minutes of your time, MalDuino can do in a matter of seconds!
Tomi Engdahl says:
Steal WiFi Passwords with 1$ USB
https://www.youtube.com/watch?v=b5E0u4qNH4s
Steal WiFi passwords and email them to yourself in seconds using a cheap Digispark!
Tomi Engdahl says:
Running Your Android Phone as USB Rubber Ducky 2017 (Ducky Hunter)
https://www.youtube.com/watch?v=CXA-XvuBgD8
How to use your Android phone as a USB Rubber Ducky
Use your Android phone like a USB Rubber Ducky and run all USB Rubber Ducky scripts with your phone.
Best alternative to the USB Rubber Ducky.
Hello everyone,
Today in this USB Rubber Ducky video tutorial I’m going to show you how to use your phone as a USB Rubber Ducky.
You can use your phone as an HID device. For this you need to install Kali NetHunter on your Android phone.
Kali NetHunter has a DuckHunter HID option which is going to help you use your phone as a USB Rubber Ducky.
Tomi Engdahl says:
Wireless BadUSB Tutorial | esp8266
https://www.youtube.com/watch?v=Utq4C9S3-uI
Tomi Engdahl says:
MalDuino
https://malduino.com/
MalDuino is an arduino-powered USB device which has keyboard injection capabilities. Once plugged in, MalDuino acts as a keyboard, typing commands at superhuman speeds. What’s the point? You could gain a reverse shell, change the desktop wallpaper, anything is possible. For penetration testers, hobbyists and pranksters, MalDuino will serve you well!
Tomi Engdahl says:
$3 BadUSB
https://www.youtube.com/watch?v=_yJWwKO3_Z0
Tomi Engdahl says:
Computer killing powered USB hub. (Mac murderer)
https://www.youtube.com/watch?v=Uh6iKilgtG0
This dubious hub has apparently killed three Mac motherboards so far, so let’s investigate what could have caused that. Note that it’s worth removing the hub and attempting to reboot the Mac, since the presence of the hub may be stopping it from waking.
This one is backfeeding!
This is where an illuminated USB cable could actually show if a hub was backfeeding power out its input connection.
Tomi Engdahl says:
USB Drives Deliver Dangerous Malware to Industrial Facilities: Honeywell
https://www.securityweek.com/usb-drives-deliver-dangerous-malware-industrial-facilities-honeywell
Malware is still being delivered to industrial facilities via USB removable storage devices and some threats can cause significant disruptions, according to a report published on Thursday by Honeywell.
The industrial giant last year launched SMX, a product designed to protect facilities from USB-born threats, and the company has also been using it to determine the risk posed by USB drives to such organizations.
Honeywell has analyzed data collected from 50 locations across the United States, South America, Europe and the Middle East. The enterprises whose systems were part of the study represented the energy, oil and gas, chemical manufacturing, pulp and paper, and other sectors.
Honeywell said its product had blocked at least one suspicious file in 44% of the analyzed locations. Of the neutralized threats, 26% could have caused major disruptions to industrial control systems (ICS), including loss of control or loss of view.
Furthermore, Honeywell says 16% of the detected malware samples were specifically designed to target ICS or IoT systems, and 15% of the samples belonged to high profile families such as Mirai (6%), Stuxnet (2%), Triton (2%), and WannaCry (1%).
Tomi Engdahl says:
USB threat vector trends and implications for industrial operators
https://www.helpnetsecurity.com/2018/11/02/industrial-usb-threats/
The findings
The threats targeted a wide variety of industrial sites, including refineries, chemical plants and pulp-and-paper manufacturers.
Trojans were the most pervasive – 55% of all the malware detected – followed by bots (11%), hacktools (6%) and Potentially Unwanted Applications (5%).
15 percent of the threats detected and blocked were well-known threats such as Mirai (6%), Stuxnet (2%), TRITON (2%), and WannaCry (1%).
26 percent of the detected threats were capable of significant disruption by causing operators to lose visibility or control of their operations, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.
9% of the threats were designed to directly exploit USB protocol or interface weaknesses, and some were able to attack the USB interface itself.
“2% were associated with common Human Interface Device (HID) attacks, which trick the USB host controller into thinking there is a keyboard attached, allowing the malware to type commands and manipulate applications. This supports earlier Honeywell findings that confirmed HID attacks such as BadUSB as realistic threats to industrial operators,” the researchers pointed out.
Advice for industrial administrators
Their advice to companies that run ICSes is to:
Regularly update systems, AVs and other security solutions in use
Improve USB security
Tightly control outbound network connectivity (“The attack types here reveal a tendency for hackers to establish remote access, and to download additional payloads as needed.”)
Patch and harden end nodes.
Preempt loss due to ransomware by maintaining regular backups and having a tested recovery process in place.
Tomi Engdahl says:
Do You Really Need to Eject USB Drives?
https://www.youtube.com/watch?v=6p5UMrJfHWg
You’ve probably seen warnings advising you to “eject” your USB drives before removing them from your computer – but is this really necessary?
Tomi Engdahl says:
MalDuino!
https://www.youtube.com/watch?v=hi8IFzpTiUk
MalDuino is an arduino-powered USB device which has keyboard injection capabilities. Once plugged in, MalDuino acts as a keyboard, typing commands at superhuman speeds. What’s the point? You could gain a reverse shell, change the desktop wallpaper, anything is possible. For penetration testers, hobbyists and pranksters, MalDuino will serve you well!
MalDuino: How It’s Made
https://www.youtube.com/watch?v=856D92qWpYo
Tomi Engdahl says:
Can e-cig chargers load malware or viruses into your computer? (old video)
https://www.youtube.com/watch?v=t7gouh-rTqo
This is an old video. It is now very cheap and easy to implement a “rubber ducky” device that is small enough to hide in a USB plug and can extract password information in approximately 15 seconds.
Since the big “thing” at the moment is media hysteria about chargers for electronic cigarettes loading malware and viruses into your computer I thought I’d strip apart some very common Ego clone chargers and see if they contained any circuitry that could do that.
Tomi Engdahl says:
BadUSB Cables
http://mg.lol/blog/badusb-cables/
Born from Mr Self Destruct. The same circuit was used, but I further reduced the size of the board into a more implantable packag
Tomi Engdahl says:
Tomu by Sutajio Kosagi
An ARM board that fits inside your USB connector
https://www.crowdsupply.com/sutajio-kosagi/tomu#products-top
“The craze of making everything as small as possible is still with us!”
Tomi Engdahl says:
New Protocol Authenticates USB Type-C Chargers, Devices
https://www.securityweek.com/new-protocol-authenticates-usb-type-c-chargers-devices
The USB Implementers Forum (USB-IF) on Wednesday announced the launch of the USB Type-C Authentication Program, which aims to protect host systems against non-compliant chargers and potentially malicious devices.
The USB Type-C Authentication specification, unveiled by the USB-IF and the USB 3.0 Promoter Group in 2016, provides the cryptographic mechanisms needed for authenticating various types of USB Type-C devices, including chargers, cables, storage drives and power sources.
https://usb.org/sites/default/files/article_files/USB_Type-C_Authentication_PR_FINAL.pdf
Tomi Engdahl says:
USB Type-C Authentication Program gets started, sounds like it’s effectively DRM for Type-C devices
https://www.androidpolice.com/2019/01/02/usb-type-c-authentication-program-gets-started-sounds-like-its-effectively-drm-for-type-c-devices/
Today the USB-IF, the non-profit behind the USB standard’s marketing and specifications, revealed the formal launch of its “USB Type-C™ Authentication Program,” originally announced back in 2016. The optional program “defines cryptographic-based authentication for USB Type-C chargers and devices.” If that sounds like a thinly veiled euphemism for hardware DRM to you, that’s because it is.
Tomi Engdahl says:
USBHarpoon: How “Innocent” USB Cables Can Be Manipulated To Inject Malware
https://fossbytes.com/usbharpoon-usb-cable-malware-transfer/amp/
A researcher from SYON Security has managed to build a modified USB charging cable that will enable hackers to transfer malware on your PC without you even noticing it. Under the hood is the infamous BadUSB vulnerability.
Tomi Engdahl says:
USB-C Just Got a Huge Upgrade – What You Need to Know
https://www.tomsguide.com/us/usb-c-authentication-program,news-28949.html
The association of manufacturers responsible for managing the USB standards has announced plans for a new authentication standard in order to make USB Type-C ports safer for the devices that use them.
The USB Implementers Forum, which consists of representatives from manufacturers including Apple, HP, Intel and Microsoft, has introduced an authentication system in order to make the increasingly popular cables and ports more secure and safer for users.
Tomi Engdahl says:
Teardown Of USB Fan Reveals Journalists’ Lack Of Opsec
https://hackaday.com/2018/07/11/teardown-of-usb-fan-reveals-journalists-lack-of-opsec/
Singapore hosted a summit between the leaders of North Korea and the United States. Accredited journalists invited to the event were given a press kit containing a bottle of water, various paper goods, and a fan that plugs into a USB port.
Understandably, the computer security crowd on Twitter had a great laugh. You shouldn’t plug random USB devices into a computer, especially if you’re a journalist, especially if you’re in a foreign country, and especially if you’re reporting on the highest profile international summit in recent memory. Doing so is just foolhardy.
This is not a story about a USB fan, the teardown thereof, or of spy agencies around the world hacking journalists’ computers. This is a story of the need for higher awareness on what we plug into our computers.
https://twitter.com/HaraldDoornbos/status/1005746788303867905
Tomi Engdahl says:
https://www.cl.cam.ac.uk/~sps32/usb_fan_report.pdf
Tomi Engdahl says:
Beyond Bad USB: Poisontap takes over your sleeping computer with a $5 USB stick
https://boingboing.net/2016/11/16/beyond-bad-usb-poisontap-take.html
Tomi Engdahl says:
PC Backdoor With Pi Zero | P4wnP1 Tutorial
https://www.youtube.com/watch?v=Pft7voW5ui8
THIS VIDEO IS FOR EDUCATIONAL PURPOSES ONLY. IF ORDINARY CITIZENS UNDERSTAND HOW ONE MAY CIRCUMVENT THEIR SECURITY THEN THEY HAVE THE CHANCE TO PROTECT AGAINST SUCH SECURITY BREACHES. I TAKE NO RESPONSIBILITY FOR RECKLESS USE OF THE KNOWLEDGE IN THIS VIDEO.
P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W.
https://github.com/mame82/P4wnP1
Tomi Engdahl says:
Raspberry Pi Zero USB Dongle
https://www.youtube.com/watch?v=OU9e3jIqaBY
MalDuino! Learn More Here: https://malduino.com
MalDuino is an arduino-powered USB device which has keyboard injection capabilities. Once plugged in, MalDuino acts as a keyboard, typing commands at superhuman speeds. What’s the point? You could gain a reverse shell, change the desktop wallpaper, anything is possible. For penetration testers, hobbyists and pranksters, MalDuino will serve you well!
Tomi Engdahl says:
$7 LAN Tap – Raspberry Pi Zero Build
https://www.youtube.com/watch?v=wi9W0rrye2A