
Thanks. All right, here's our disclaimer: these views don't represent any employer or customer, or really anyone, and we really don't take responsibility, but we do ask you to take some responsibility in your drinking. We may not even do that, so that's great. All right, so what's a BadUSB? Well, USBs are pretty cool, nice little storage devices, but they're a lot more than that. It's really a mini computer, and you can use it to gain physical access; of course you don't need credentials.

So like I was saying, it's a tiny computer and it has firmware, okay, and because of that you can figure out how to do things with it. The important thing to note, though, is that the architecture doesn't really validate any of the communication between the two devices, only to the extent that it validates it if it works. And because of that you can really use it to inject anything, and that's kind of the point of the Rubber Ducky. Steve's going to go more into that in a little while, and then we'll get more into how you build these things.
Okay, so wow, I seem really, really loud. Hopefully my remote works and I can wander around. So really, the difference between the BadUSB and the Rubber Ducky: does everybody here know what the Rubber Ducky is? I see a few people not raising their hands, so I'm going to explain it briefly. The Rubber Ducky was designed for this purpose. It actually has components on it to slide a micro SD card in and out, utilizing it for this purpose of injecting malware, injecting things into a host PC. How that differs from BadUSB is that BadUSB is taking an off-the-shelf product and manipulating its original intended purpose to achieve the same result.

So you're injecting that malware directly into it. It looks innocuous; it doesn't look like there's anything wrong with it. It could look like the one that you took home last night, if we choose to make it look that way. It totally looks like an off-the-shelf product; it doesn't look like it's going to have anything wrong with it. It doesn't have the Rubber Ducky sticker or anything. A lot of people think it's Windows-only; it's actually not. It's USB, universal. It happens in Windows, Mac or Linux; they're all vulnerable. So why do we care? Who can go through the day without using USB? Every single person uses USB all day, every day.

When I contacted a couple of manufacturers, this was a legitimate response. I decided right from what they responded: they say that it's a theoretical exploit, that it cannot be practiced. As we all know, that can happen any day, any time; it's beyond theoretical. So the more we talk about it, the more we get it out there, the more they have to address it. Somebody needs to make changes that can make USB secure.
So for this particular demonstration, what do we need? We need a USB thumb drive with the Phison PS2251-03 in it. The 07 is out; the 07 is actually more prevalent right now because of the attention that we've been giving this. They phase out the 03 and have been putting in the 07, but of course we're already working on reverse engineering the 07 so that we can do the same thing. So here is a Patriot XT Supersonic USB 3.0 device that we took apart. This one comes apart really well because it has a plastic case inside the rubber shell; you can peel it back in just a few seconds, and it goes back together extremely quick, and it looks perfect when you put it back together.

So here it is out of its shell, and this is what you're dealing with here: the Phison chip. This is the exact model of the Phison chip. Now if you get it Toshiba, they will actually say Toshiba instead of Phison, but it's exactly the same chip; there's absolutely no difference in the PS2251-03. So why has Phison been singled out? Because Phison gave away their entire schematics for everything on the public internet. It was out there available; of course we read it. That's where we start; any penetration starts with just reading their website.

So the Phison burner images, if you'll notice, this page is in Russian. The Russians are way far ahead of us as far as hacking the Phison; most of the information is in Russian. You have to go then translate it and bring it out. So Adam and Brandon took this a step further. They presented this talk at DerbyCon this last year, and they took it a step further by creating tools. So they made the tool DriveCom. DriveCom communicates with the drive, with the NAND itself. It will pull the old firmware. You can actually go through your batch of USB drives now. You know, I buy 50 here, 50 there, 50 here, and then instead of having to disassemble them to see what Phison chip is in there, now I can just shove it in, run DriveCom. DriveCom tells me: yep, that's good, goes in this pile; nope, that's not golden. I can go through a hundred in a matter of just a few minutes, instead of having to dissect each and every one of them to find what chipset it has in it. I've now narrowed it down.

DriveCom also can pull the original firmware off, put the customized firmware back on, all within the one application. They also provided a tool to build the custom firmware. It's a little more than a batch script, or excuse me, yeah, a batch file, and it pulls the things and builds the custom firmware, which you can then embed the payload into, which is another tool they provide. So embed the payload. Where do you get the payload? It's just simply a Ducky Script; we're just recycling something that we already have and starting to use it in a different manner. So we take our Ducky Script, and I had intended to have a couple of devices that we could do some demonstration with, but I bricked them last night. I went just a little too far trying to get the 32- and the 64-bit in there at the same time. So, Ducky Script: use the Duck Encoder, it gives you your inject.bin. Take the inject.bin and embed it, using the embed payload tool, right into your custom firmware, and you're there. If you want to build these tools yourself, you're going to have to set up Visual Studio, and you're going to need Java to run the Duck Encoder, but you don't have to, because it's already compiled. You can download it from the GitHub, fully compiled, ready to go.
So there's the GitHub address for anyone who's not familiar with it, can't Google. Anyone want more time? Payloads: so we can do anything with our payload. The one I was working on last night was Mimikatz: determine whether I needed the 64- or 32-bit version, download the correct version, pull out all the passwords, shoot them to me in an email. I've got it on my device, I can pull it out, I can type in a password right then and there, I'm in, in like 30 seconds or less. So we can also make it where it emails them, shoots them off to us, opens up a persistent listener, phones home, whatever we want to do. The payload can be anything, because there's absolutely no checking within the USB design.

It was designed, it really came out in 1996. I was testing USB and we didn't have any devices. We were supposed to test something with it; we had to install it in Windows 95 OSR2, but we didn't have anything, so we ended up rigging up a set of USB speakers. Well, that's worthless, because we've got an audio port on the back; why do we want that? You know, so it was a progression, and in 1996 the security mentality didn't exist like it does today. So we're still operating on old, old technology. So the simpler the payload, the better.

You know, I got a little complicated between my 32- and 64-bit and everything, and I bricked them. But bricking them is not the end of the road. If you brick it, that's okay, because you can short the pins, get back into boot mode, and you're okay. So the way it works: DriveCom sets the device into boot mode. Once it's in boot mode, you can retrieve the flash, send a flash, anything to it. So you flash the firmware, then to test, cycle the power. It boots up; it's going to do what you've designed it to do, hopefully. Otherwise you have to go through the next method: short the pins, which automatically puts the hardware into boot mode. Flash the firmware, test, rinse, lather, repeat, as many times as you want to keep doing it, and with as much patience as you have. You can do anything you want with these USBs.
Yeah, okay. So how do we protect ourselves? Well, one way is you come to events like this and you find out what's going on; that's the first thing. Well, you could choose to disable the USB. A few years back, it's been quite a few years now, the VA tried this. They thought it would be brilliant: I'm going to disable the USB. And they actually even went to the extent, on some of these, of gluing a little piece of plastic into the USB so you couldn't use it. Well, what happens when you do that? It drives people crazy, makes them pretty mad, and they're going to find a workaround. So those kinds of activities tend to send people to using the Dropbox, or they still have a need to transfer some big files, right?

Antivirus? Well, antivirus isn't going to help very much, at least today; nobody's really got anything that detects BadUSB. You can have endpoint protection, right? You can do the simple things that we probably all do a lot of: removing PowerShell. You can do some hardware encryption, and that kind of stuff helps, but physical security is the most important thing. You know, Jason talked a lot about what he does in physical security, but that's the most important thing. If I have a laptop, if I have a desktop, and I'm taking good care of it from a physical standpoint, somebody's not going to just easily slip a USB into it that I'm not aware of. But I can't be there all the time if it's a desktop. If it's a laptop, maybe I can have it with me all the time, or maybe somebody could potentially trick me into putting in a USB. So that's why it's so important to have that security awareness and training. And what is it about all these? Does anybody think of any other ways that we could protect? Yes? Okay, user education. So, I love that answer; let me expound on that a little bit.

So when we first concocted this idea of, hey, let's kind of take the work that's been done already and see what we can build with it, and what we can be buying, we didn't know it was going to be so hard to get an environment stood up and everything that it was going to take. So we fully intend to actually go right there. This is going to become a platform eventually of security awareness and training, where we build these and place some strategically in places and have people plug them in, and then the goal would be to be able to show people: well, you found this, you did this, and send them to a little website where they fill out a form, social engineer them a little bit more, and see how much data, and kind of walk them down the tree: how much can we get from them? Okay, first they plugged it in. Okay, maybe they didn't receive one in a manila envelope on their desk with their name on it, but maybe they found it in the parking lot or whatever, and we just help walk through that, with the eventual goal of giving them back their data that we get them to input into some forms and things. So that's the platform and that's where we're headed with that. Any other thoughts on ways to protect?

Alternative storage, okay. So the little flash drives and the little chips that you can put in your computer or, you know, your watch or your phone or those kinds of things, okay. Those are going to be probably picked apart and they're going to have some of the same challenges, right? It's a good idea, though. One of the things that we noticed as we were going through this is the chip manufacturers are changing fast enough. So the 03, that we have a pretty good platform already worked out for, that was older technology. The 07s are more prevalent now, and it takes a little bit of time to figure it out. So they try and stay ahead of the curve and the engineering by continuing to spit out new chips, right? So that helps a little bit. We probably would suggest to them eventually that they maybe not put all their tech specs up; maybe not, there we go, all of them. Any other thoughts on protection? Yep.
Yes, you can use DriveCom to determine the chipset and the firmware that it has, and they have serial numbers in the firmware, but there are so many different USB manufacturers that you can't check them all. You know, you would have to create this big monstrous database of that, and then somehow get it, you know, at the endpoint where somebody's plugging it in, so it's really not possible. What we need to see are signatures on the firmware, checksums, signatures, you know, where we're MD5ing something, we're doing something to verify that that is a valid, legitimate firmware on that device.

No, you can't, because I can take this device and make your machine believe you just plugged in a keyboard, and that this text that it's now getting fed is coming from the keyboard, as if you're the user entering this, because I can emulate a keyboard. I can emulate a mouse, I can emulate a hard drive, I can emulate any USB device, a plug-in memory device.

USB doesn't have that differentiation in the USB handshake. When you plug that device in, the system says, you've just plugged in a device, what are you? The device says, I'm a keyboard, and the system says, great, here's some keyboard drivers, rock on. There's absolutely no way to check it, no way to determine that the device you actually plugged in is legitimate. You can literally plug it in and it can say, I'm a USB speaker, and start feeding it what it believes is audio, and you can execute PowerShell and rock on, because you're just emulating that device and you're sending the same information that that device would.

It's not even egressing there. I mean, you do have egress points along the firewall and intrusion detection, stuff like that, but, I'm sorry, the question was: can you do some sort of endpoint control to that? Yes, you can. You can stop the egress of data, you can stop, you know, and notify, those types of things. But inherently in USB you can't stop that firmware from infecting that machine. So yes, you can be notified that that machine attempted to send this out, but realistically, what is the response time on that? You know, logs have to be gone through, somebody has to be notified, somebody has to go down to that machine. You know, it's a huge vulnerability, because no matter what you plug in, there's no way to stop that firmware from infecting that host. Yes, sir?
It's already over.

Well, but I can make it where it doesn't pop up anything. The user will think, oh well, that one's just dead, and they're going to sit there and say, oh well, it didn't work, maybe my computer's slow. They give it a couple more seconds; they're just in there waiting, waiting. Then they pull it out, they throw it away. It doesn't matter; they're already infected with that one, okay.
Yeah, in your old USB devices, you can sit down, fire up DriveCom, plug it in, and in two seconds you know whether that one's a Phison, or the 03 or an 07 or what, and then I just throw them in different piles: this one's an 03, this one's an 07. I now have boxes for them; I have them labeled, because I know the 07 is coming, we're going to be able to use that one. I've got a few thousand 07s and, you know, a few hundred 03s. So yeah.

So another vector is: how many people in here have one of those nice little USB wireless mice? Feel this? Okay, so you take the little dongle, right, and you plug it in. It's a USB also, another delivery mechanism, and that one's nice because you're really not expecting to do much with it other than be able to use your mouse. So I plug it in and my mouse works, and now it's even a lot better. It used to be you had to go through some gyrations for it to discover it and download software. Oh, one of the old ones of downloading software includes downloading malware, right? But so you plug in that little thing now, and the person that's done that is not expecting to interact with it other than the mouse. So, wow, the mouse works, does all the things I'm expecting, and it's just sitting there doing whatever else we might want to make it do. Any other questions or comments? Okay.
Magic
Okay, go ahead. All right, so hardware encryption. Here's something we came across recently that might be somewhat helpful. Jason's calculating all the social engineering ways past this already; I can see them. This is kind of a physical security thing; it would help, right? So you could put a key code on it, and of course you could put a lot of these around in the parking lot that have no PINs, so great fun as well, or deliver them in the manila envelope, I just love that one. Why do I love it so much? Yeah, this device is not impervious to the USB vulnerability, but if I were to carry a device in my pocket, this is what I would carry, because you have to enter the PIN number to activate it. So I know that if someone got a hold of my device, they're not going to infect my device without my knowledge, without me being present, something like that, and they're also not going to get my data out. This has hardware encryption; it has a battery in it; it maintains, you know, everything. And then you lock it, and you have to have the PIN to unlock it. If you were to, like Dan said, put a bunch of these out in the parking lot, you know, somebody would sit there and punch the buttons a million times trying to figure out the code, even though it has no code. You could utilize this as an attack vector, but it would protect your data.

Yeah, if you were to use one of these, I'm gonna put it in the parking lot and the code's going to be one two three four, right? That's the first one, this is the first one we're gonna try. That's right.

Okay, so any other questions or comments?
So that would be something to do, okay. But like I said, the simplest payload is the best, because once you start getting overly complicated you have more variables for failure. And so if you want it to work 100% of the time, every time, you need to know your target, whether it's Windows, Mac, Linux; you need to know that target, 32- or 64-bit, those types of things, or you have to stick to a very simple payload. We open it up, we launch this persistent listener, and we connect back, and the instant that you can connect back you can take over that host and own it, and then start working out from that host, you know, so on and so forth. And honestly, I believe that if you took a handful of these and put them, say, in the bowl like Jason suggested out there, you couldn't keep up fast enough answering back to those hosts to own them, with how fast people would put it in. And that's just a super simple payload of, you know, open it up, open this listener, and connect back. I tried to get overly complicated because I wanted to do some demonstrations where, you know, we would ask for a volunteer and say, hey, will you plug this in, you know, we're going to steal all your passwords. And we would have found somebody to volunteer for sure, back here.

In general, it's still USB. The inherent flaw is USB, period. I mean, it doesn't matter the manufacturer, anything. It has firmware on it; that firmware has to talk to the host; they have to have a USB handshake, and there is nothing inherently built into the USB standard at all to validate anything. So it doesn't matter what device it is: as long as somebody wants to and is persistent enough to break that down and reverse engineer their firmware and determine where it sits on the NAND and how it's put in there, and what bytes they can take away and what bytes they can use from that original firmware, it's vulnerable. I mean, it's just inherent. Yes?
And strip their passwords off on the way, and then send it via Gmail to some obscure account? Sure, absolutely, everybody should do it. Anyone else? Well, we'd like to thank our friends and colleagues at CompuNet for sponsoring. Thank you, thank you.