
All right, our next presenter for track number two is Nick Stark. When they started, a security researcher, pentester here in the Des Moines area, right? He works on the Lift Security team, likes developing exploits and likes blowing up things. He's going to be talking about USB Gallagher today, so I'll turn it over to Nick.

All right everyone, I'm Nick Stark. This is USB Gallagher, or the presentation you give when you don't have any real research to present. So just a show of hands real quick, who knows who Leo Gallagher was, the comedian? Okay, so for anyone who doesn't know who he is, we're gonna just show this little video real quick so that you can familiarize yourself with Leo Gallagher's comic shtick.
I guess there's no audio, but you know, it's okay, you don't need to hear it. Basically what he does is he gets all of these watermelons at the end of his show and he smashes them with a big mallet. He was known for doing this for, like, decades, and there's no real reason behind it, it was just his thing, you know, it was his trademark signature finishing move. So this is Leo Gallagher; he inspired this talk.

Who am I? Okay, I'm Nikolas Stark. Just a little bit about me real quick: I'm a penetration tester at Lift Security, we're based out of Washington State. If you ever need a web application assessment, come talk to me or come talk to Lift, we'd love to talk to you about it. I'm also the vulnerability advisory coordinator at the Node Security Project, that's nodesecurity.io. I'm also a security researcher in my spare time. I do that a lot just for fun, for, you know, breaking stuff. And I'm also a minor Twitter celebrity with like 250 followers, so yeah, if you want to follow me, make it 251, that'd be great.

So USB Kill. What is USB Kill? USB Kill is a thumb-drive-like device. In fact, let me just show you what a... you can see what it looks like. But what it does is it charges capacitors on USB power and then
discharges that power on the USB data lines. So it charges like 200 volts of power into these capacitors and then discharges them on the data lines multiple times per second, like I think 8 to 12 times a second. It comes with this nice little card. Like when you order it from Taiwan or Hong Kong it comes with a full card, and I'd like to read this card to you. It says: Important, read before use. The USB Killer is a high-voltage testing device. Misuse may damage electronic equipment, including the USB Killer itself. After testing, disconnect the USB Killer immediately. Permanent damage can occur to the USB Killer if left connected for over 30 seconds. When using a testing shield, never short the test leads continuously. Permanent damage can occur if the leads are connected for over 30 seconds.

So there's actually this test shield that you can plug the USB Killer into and then plug the test shield into a device, and it protects the device from the USB Killer, but at the same time you have to be discharging that electrical current using these two little wires, and it actually creates a spark, you know, like a visible spark that you could supposedly light a cigarette off of. If Andy's here, maybe not. Maybe always... the guy doing the other presentation told me that story last night. So here are the technical specifications. The input... and I'm not an electrical engineer, so I
don't really know what this means other than you plug it into something and it destroys it. But input voltage 4.5 to 5.5 V DC; output voltage for the version three is 215 volts, that was 200 in the version two. So there's actually like three versions of the USB Killer and we're gonna be looking at the version three today, I think. So it's also CE and FCC approved, meaning it meets certain compliance minimums so that they can actually stamp those credentials onto the device, and supposedly it's safer, right, allowing you to test in complete safety.

So the end result of plugging this device into another device is that the device you plug it into doesn't work anymore. Like by discharging the power over the data lines it'll fry the motherboard, the hard drive, motherboard, sound cards, video cards, and just generally make the laptop, or other electronic device, unusable. It can hit anything with a USB port in it. There's really no documentation on what devices are vulnerable to this attack. There's a wiki on GitHub that the manufacturer manages, but it's all community driven and there's only like, you know, maybe 10 or 15 devices on there. So if you want to take a look at it, or if you're interested in actually buying one of these, it's a great little thing to, you
know, upload to if you actually do some testing and you find out your device is vulnerable. So you can also make these at home using a couple of different techniques. Like you can take an electric bug zapper and create a USB Killer out of that; however, the homemade ones tend to end up like this video that I'm about to show you, and we're gonna try to avoid that today. So Leo Gallagher had his mallet that he smashed watermelons with; I've got my fire extinguisher just in case we have any accidents. But we're gonna avoid that today because we're using a device that's tested and that's supposed to be completely safe to test against.

So the other consideration we're going to take when we test this at the end of the presentation is that we're going to test only against things that have DC current from a battery. So we're not going to test anything that's actually plugged into the wall. In this video this guy's testing a desktop computer that's actually plugged into the, you know, mains breaker, and that's alternating current, and that's where you get things that catch on fire. So we're not gonna even plug anything into the wall today when we start testing this. So the pricing on this is in euros: 54 for this anonymous version over here, which looks like any other thumb drive
you might see anywhere in your office, that, you know, maybe someone in your office would plug in to their computer to see what was on it after they found it in the parking lot. So that's about 60 dollars. The standard edition, which looks like this, is about 53, and then shipping is seven bucks. So for like 70 dollars you can get this little device that someone will definitely plug in if they find it laying around, and it'll destroy something, probably something expensive.
So I'm gonna post these slides later. I wanted to post some links that you can use to build your own one of these if you're that adventurous. Like I said, you can build them out of like bug zappers and other miscellaneous things you get off Amazon. You can build one of these 60-70 dollar devices for about 25-30 dollars in parts, but at the same time you're building something that will probably shock you and probably catch whatever you plug it into on fire. So it might be worth the extra money, if you don't want to catch it on fire, to spend it on buying a CE/FCC approved device from Hong Kong.

So I'd like to talk a little bit about the use cases for this device. So the marketing on usbkill.com, which is where you would buy this off the internet, claims this to be a tool for penetration testers, and so I asked myself the question: what legitimate use cases exist within penetration testing for this device? And if you have any, at any point that you think of one, just shout it out, because I don't really know of any valid uses for this device. The only one that I've been able to really think of is like if you're a spy somewhere and you're in a really bad spot and you have to destroy a computer for some reason, but I
would imagine those guys have their own tools that they've built in-house that are probably smaller and better and more effective than this. But yeah. So thank you for shouting out a valid use case, there we go.
Yeah, so that's a good point, and along those lines, the newest MacBook Pros supposedly have some sort of anti-capacitor device installed in the USB ports that doesn't allow the USB power to discharge over the data lines, and supposedly it's not vulnerable to this attack, right? But you'd have to be more adventurous than I to plug one of these into like a two thousand dollar laptop. Like I just... but a little bit, but still, I mean, if you plug it into every USB port, right, then you can't plug any more USB devices in, right, no more adaptors. Yeah, okay.

So I've got two slides that kind of go over some of the legal ramifications that might apply to using this in a particular scenario, but I am NOT a lawyer, and if you have any questions about this, ask a lawyer. As always, consult an attorney and ask your questions to them. So I found this in the Iowa Code. I'd like to read this really quick without any commentary. Criminal mischief is criminal mischief in the first degree if the cost of replacing, repairing or restoring the property so damaged, defaced, altered or destroyed is more than ten thousand dollars, or if such acts are intended to do or in fact cause a substantial interruption or impairment of service rendered to the public by a gas, electric, steam or waterworks corporation, telephone or telegraph corporation, common carrier or
public utility operated by a municipality. Criminal mischief in the first degree is a class C felony. It's also worth noting there are criminal mischief in the second and third degrees, which are class D and E felonies. So federal law has this big block about destruction of government property. I won't read the whole thing, but I will point out at the end it says if the damage exceeds $100 the defendant is subject to a fine of $250,000 or ten years of imprisonment or both. I can't really make any legal recommendations, but I'll go ahead and say it: don't plug this into a government computer. I mean, you're just gonna get yourself in trouble.

So how is this tool different than other hacking tools? Like how is this different than Metasploit? Well, I think the underlying theme here is that Metasploit won't destroy property to the point where you can't use it again. Metasploit won't render your USB drive... if you run it on a USB port. So I'd like to ask a couple of fundamental questions about this device. Is this a tool? Without many use cases, is this still a tool? And I got the definition of a tool at Merriam-Webster: a tool is a thing used in an occupation or pursuit. Is this a toy? An object, especially a gadget or machine, regarded as providing amusement for an adult. That might be a little closer. I mean we're
gonna have to follow this later, we're going to get some entertainment out of this when we light up some of these devices. But in my opinion this classifies more as a weapon. This is a device that's specifically designed to inflict physical damage, maybe not necessarily bodily damage or bodily harm, you know, any sort of injury to a person, but it's definitely designed to inflict physical damage on property, and that's why I think this is more of a weapon than a tool. And if anyone has, again, valid use cases that use this as a tool, I'd love to hear; just shout it out at any point if you come up with one, even if it's the craziest thing, like you've got a disabled alien nuclear reactor, you know, just shout it out, because I'd love to hear how this could be validly used in a penetration test or any other scenario. Anything? Even... no? Okay. [Music]
[Music] So one of the questions that a friend asked me when I was preparing this presentation is: do Second Amendment protections extend to a USB Killer? If this is a weapon, does my right to bear arms extend to this device? Do I need a permit to get something like this, or maintain something like this, or carry it in my pocket? What, Skynet? There we go, that's a valid use case everyone, thank you. [Music]
Okay, so that's what the marketing site says, and that's a valid use case, like CableLabs. I guess CableLabs is the group that tests DOCSIS compatibility with cable modems. So your cable modem has a USB port on it, you want to test your cable modem against this electrostatic device attack, plug it in, and then you don't ever have to do it again, right? You know instantly if it's gonna be vulnerable or not. So I like that use case, but I think that if you're in that specialized of a circumstance you're gonna build your own tool; you don't need a mass-marketed tool that anyone, any thirteen-year-old, can buy off the internet.

All right, so I'm gonna preface this with: I have never plugged this into anything before, because I don't have devices just laying around that I can destroy. So this should be fun for all of us. Yeah.
Yes, correct. The question was, is this going to discharge on the data lines and go through the data bus of the motherboard or the USB controller? Yes.
Correct.
Correct, and I don't know why it does that, 'cause I'm not a hardware engineer either, but I assume that... the voltage, it's not used to getting that much voltage. So the actual discharge is measured in amps then, right? Okay, the current that's being sent over the data lines. Okay. I don't think there are data lines on a battery pack. I've thought about this, about like what could happen. I think you would have to have some sort of data connection to cause a problem. At the same time, I've got a battery pack here and we're not gonna be plugging into it today, because I don't know what will happen and I don't want to find out, because it seems kind of dangerous.

Okay, so let's turn some of these on and plug some stuff into it and see what happens. I'm gonna switch over here to my document camera so you guys can see all the fun and games as we do this.
Yeah, oh yeah, what? Yes, I'll just throw it up in the air and you can shoot it that way. The sound, okay. We are ready to make history. This is a Samsung Galaxy Tab 3 and I've got a little dongle attached to it that allows me to plug this device into it. Now, can I turn it back on?
So I wonder if this cable got fried and not the actual device. Let's try it one more time, the Samsung Galaxy Tab 3. Okay, so maybe this cable doesn't work. That's kind of anticlimactic, wasn't it? Yeah, I'm pretty sure. You don't think so? Okay, then let's just do it on a table here.
Oh yeah, that's a little, like, hot sauce left on it. It's one of the original BlackBerry ones. I wasn't afraid to... I think that cable wasn't gonna... trained with those, use of micro USB, yes.
All right, so maybe that's another... maybe it doesn't work.
[Music]
So these things are dangerous.
Okay, so back to slides. I got one more slide and that is questions, I believe. So I got 20 slides out of this thing, it's not bad. Does anyone have any questions, any concerns? Yeah? This is Brandon, say... you have a question? No? Sorry, okay. Well, I was expecting to spend more time on trying things, but I'm a little scared to do that. So you want... you? All right, let's do that.
[Applause]
Yeah, that's one smoking, keep sending current through it. So yeah, yeah, one second. [Music]
[Music] Okay, this thing is... that's all I got. We have Elena, I'm gonna try this one. I can't take the bedrail this one though, you think I'll be okay? This guy brought a laptop.
[Music]
Is this the 3.0 or 2.0? 2.0, oh yeah, yeah, that one. No? Oh no, it didn't go off.
As the tablet action, yes, that's how you charge it.
Okay, so the tablet, I guess, is it vulnerable?
So, as you would have, a 2016 MacBook Pro, the one
[Music] Thank you very much. Holding the [Music] make sure [Applause]