Thank you. I hope everybody on the screen can hear me, and hopefully this lovely speaker is a gift from PhreakNIC. Hopefully someone else that was here accepts PhreakNIC and has one of these things, because they all use the exact same signaling. Huh. That is an incredibly not-so-useful pointer. Okay folks, my name is Adrian Crenshaw, and my talk today is "Malicious USB Devices: Is that an attack vector in your pocket, or are you just happy to see me?" That is my little malicious USB logo. I think it's strangely appropriate. So we'll go ahead and continue this escapade of ignorance in a second. You know what? This thing is complete garbage for this particular purpose. So we'll go the old-fashioned way. I've got buttons. That's not so much malicious; it's just kind of like a person at the DMV: they may not be malicious, they're just not useful.

First of all, a few special thanks to Tenacity Solutions for getting my butt out here as far as the flight is concerned, and of course the people at DojoCon for putting me up and putting up with me, and PJRC, who actually sent me some free hardware to experiment with.

A little bit about me. I run irongeek.com. I hope some people have visited it. Irongeek.com. I have an interesting infosec education. I don't know everything. I'm just a geek with extra time on my hands. It's possible to get things wrong. If I do, let me know. I'm also a regular on the ISD Podcast, usually every Thursday, depending on what's going on.

A few definitions. We'll talk about Maltronics, malicious hardware: basically any kind of hardware that we use for badness, hardware instead of software. When I was trying to explain to some professors what exactly Maltronics was, I had to make clear that I'm not talking about malware directly; it's something a little bit different. A few non-USB examples would be PS/2 keyloggers: they sit between your keyboard and your computer and log all your keystrokes.
Another example that people talk about a lot is backdoored routers. They might send the traffic someplace else. They get shipped from China, but they're not actually really from Cisco or whatnot. There's been talk about these kinds of things being in existence. I haven't found any real confirmation. Maybe someone in the room can talk to me about that later on. Also, triggering self-destructing hardware. Let's say you're a company that does work in one particular country, but another country wants to buy the products, and you want to have the ability to shut them off remotely or destroy the hardware by sending in a certain signal. I'm sorry, let me replace that before it goes bad. I've got to replace the mic battery before it goes bad. I don't want it popping like it was yesterday. It sounded like somebody was beatboxing yesterday. Pardon the interruption. Thank you, Laj.

Also things like weakened crypto chips. There are probably a lot where, in the right circumstances, the cryptography is as strong as it's supposed to be, but it allows people to get signals intelligence on what's coming out. But a lot of these attacks are really, really theoretical. You read the academic papers. And by the way, I'm really not a fan of academic papers. If you don't implement something... my father would write anything, almost. Almost.

A little background on USB also. Most of this will probably already be known by this crowd. Those hardware strings basically identify what the device is. These are reported to the OS. Pretty much every USB device in existence, every one I know of, has a vendor ID and a product ID. They're spoofable, but these are common vendor things. And using these vendor and product IDs and a few other strings that are presented by the hardware to the OS, we know what drivers to load and whatnot.
If you want a large list of what USB IDs go with what particular piece of hardware, you can find a lot of detail at linux-usb.org. There's actually an official database out there, so to speak, but I find the one I have posted up there a lot more useful. I've had a lot better results looking for stuff with it. Actually, I will use this thing so I have a point-of-view device of some kind. And sometimes you also get things like serial numbers, which are more unique, but there's no standard way of doing serial numbers. Sometimes it might be just a simple 10-character decimal number. Sometimes it might be a large hexadecimal string. But there's no commonality there, unfortunately, it seems.

Malicious USB devices. Why am I concerned with malicious USB devices versus some other type of Maltronic device? Well, first of all, there are actually real-world examples of them. It's not just something that you see as an academic attack. These things do exist. Also, USB is incredibly easy to install. A lot of USB devices are just plug and play. Whether or not you're an admin, you plug it in, it just functions. Very small, easy to carry with you and whatnot. And also, depending on what the device is, it's easy to social engineer someone into plugging it in. That goes back to the whole convenience factor of these devices.

I have a few proposed categories for malicious USB devices. The first one we'll go ahead and mention is USB mass storage devices containing malware. I'll explain what they are in a second. Next category: U3 thumb drives with evil autorun payloads. These two can actually be lumped into one category if you really want. Then hardware keyloggers, and programmable HID USB keyboard dongle devices, or, as I like to call them, by their acronym. First category: a little bit about mass storage containing malware. Essentially, you have what's called the USB mass storage device class. Most operating systems nowadays support this.
This allows you to take your thumb drive to any old machine, plug it in, and it automatically sees it as storage and can do what it wants with it, on multiple OSes. This doesn't need a custom driver. That's pretty much been in existence since, well, in the Windows world, I think everything post-Windows 98 has supported that. And this is also used commonly for things like digital cameras, MP3 players, digital picture frames. Just a ton of different devices all use USB mass storage because, if the driver's already there, it makes it nice and convenient to use.

Now, the problem with this particular category: I'm considering these non-intentional. That's why I kind of separated it off from the second category. Because sometimes quality control issues lead to problems with these sorts of devices. There are also different trigger vectors out there for these. One might be the old autorun. Now, probably most people in this facility, I'm assuming, have autorun disabled by now. And newer versions of the Windows OS, at least, have gotten better about locking that down so it's not as automatic. It may ask you, well, what is it you want to do? Are you sure you want to do this? All sorts of confirmations. Another way of getting these things triggered would be to have it intentionally run by the user. For instance, let's say some company shipped a picture frame and it had setup.exe on the picture frame's storage. Most people are going to end up running that. I would think, oh, that's how I set it up. So your mom definitely is going to think that's the case. Another way is software exploitation bugs. So even if autorun is turned off, and you can't even get a person to install something, if there's one of these bugs around that automatically does code execution as soon as Explorer brings up that particular storage device, you can still get it to run.
For instance, the WMF metafile vulnerability and the more recent LNK file vulnerability: essentially, all someone had to do was bring up an Explorer window that was looking at that particular space, and as soon as it looked at that particular file, you didn't have to double-click on it, didn't have to run it, it would automatically trigger the vulnerability and you'd have it launch arbitrary code. A few real-world examples of this kind of thing happening: there's the Mariposa botnet that was found on Vodafone systems being shipped out. Another one would be malware shipped on Apple video iPods. And a third category, digital photo frames and other gadgets that have been infected. There's a ton of different case examples of this happening. My understanding is that it's mostly because of quality control issues at the factory. For instance, some guy is messing around at home, gets an infection on his thumb drive, takes his thumb drive into work, and the machine happens to be hooked into the same network, or is the same machine, that's actually tasked with loading software or loading files onto these parts before they ship. And there you go, Bob's your uncle. Someone has a new piece of malware.

Detection and mitigation: user awareness. I like the idea of user awareness because it adds flexibility versus locking things down to where people can't do their jobs, but I have my doubts about how easy it is to actually make people aware or make them actually care. So good luck with that one. Disable autorun, which hopefully most people have done by now. Like I said, there are other alternative ways in, but that goes a fair distance. Keep patches up to date. I hope you can keep up on things like the LNK vulnerability and so forth. You might still get hit by zero-days, but there's only so much you can do in that regard. Of course, running with a lower privilege level helps a whole lot. Also, of course, running anti-malware systems.
Now, if someone has something that's custom-written to specifically target you, that's not going to do much good at all, but it's another step you can take. And locking down the hardware so nothing can be installed, or at least those devices can't be installed, and I'll be covering that later on in the talk.

Second category: U3 thumb drives with evil autorun payloads. Who all here is familiar with Hak5? I did a lot of work a while back with U3 thumb drives. It essentially has a CD partition on it, and since Windows did different things with a CD partition, if it had an autorun.inf on it, you could make it automatically run something on that CD, and that could go look for the flash drive portion of the device and run something off of there. The original intention was to make it easier for people to carry around applications on a USB thumb drive, go from place to place, but of course people have subverted that for extra tasks. There are also things people try to accomplish with this. For instance, it could be something like dumping password hashes, automatically installing some tool, and the big advantage is you can walk up to a machine, plug it in, pull it back out, and have it done quickly, as opposed to having to sit down at the terminal to do everything. Also, sometimes people have done things that aren't malicious with this kind of technology. For instance, I'm trying to think of the gentleman's name. I'll see it here in a second because I think I have it in the notes. He created the Incident Response Switchblade. Essentially, it had a bunch of incident response tools. He didn't want to leave machines up and running at all times because, in fact, the other machines on the network possibly have some kind of liability issue by going out and attacking other machines on the Internet.
So what he did: he made this little thumb drive; plug it in, and it automatically dumps a ton of information that would be useful for live forensics, what processes are running and other details. It dumps it to there, and then you can go look at it later on, and you get some of the advantages of doing live forensics, but you can take the machine back down to make sure it's not attacking anything else in the meantime. Also, he left these thumb drives at various facilities he had to support, because he might not be able to get there in time, but he can say, okay, go ahead and plug in this particular thumb drive, wait until it's finished, remove it, then shut down the machine and I'll be there. So it's convenient for him in that particular regard.

Trigger vectors. Once again, we've got autorun, and if autorun is disabled, there are a few other techniques; people can just run the executables directly, for instance. Now, a little example for this. You can go ahead and check out the Hak5 Switchblade, of course, and they've got multiple payloads, for dumping password hashes and whatnot for later cracking. Also, Russell Butturini, that's how you say his name, created the Incident Response Switchblade. And by the way, all these URLs are incredibly user-unfriendly, but there's a version of these slides on my website; you can get them from me later. He was creating that Incident Response Switchblade for, well, incident response, as the name says. Another example of this would be, I have no idea how to pronounce this gentleman's last name, Steve Stasiukonis? No idea. He works for a place called Secure Network Technologies, and what he did, and there are multiple stories on this, he got a bunch of thumb drives, got one of the people on his team to create a custom piece of malware, and then left them around the parking lot, I think it was a credit union, to see how many people would plug them in.
And I think he had close to a 100% success rate on that. People would just pick them up; well, a free thumb drive in the parking lot, what are you going to do with it? So he had pretty good success executing that attack. And I've heard of cases of people doing it, usually not attributed to an individual that I can actually go look up.

Detection and mitigation: once again, user awareness. Disabling autorun goes a long way; at least that would make someone have to stop at the machine and start doing some double-clicking to make things work. Of course, keeping patches up to date, and running anti-malware stuff. Now, with custom hardware and a custom payload, that's probably not going to be that useful. And once again, locking down the hardware. The biggest difference between this and the first category I was talking about is intent. This one is intentional versus someone just screwed up in production.

Now that's out of the way, I'm going to focus on the last two categories. And here's the main reason why. Malware is fairly well covered; maybe it doesn't work very well most of the time, but it's a fairly well-covered topic. Essentially, these first two attacks basically involve malware. Yeah, you bring it to the victim machine on a piece of USB hardware, but really, ultimately, it's not conceptually that much different than back in the olden days when you had a floppy with an infection. So it's not all that interesting. The next two categories don't rely on actual malware to do what they need to do. They can be enhanced by using malware on a piece of storage, but the attacks themselves don't involve malware directly, and no autorun is required.

The first is hardware keyloggers. These devices are very easy to think of conceptually. They just sit between your keyboard and your computer and log all the keystrokes. Really easy to understand.
If you want to see some later, I think I've brought every single one I've got here in a baggie. The picture up there is just to give you an idea of how small these things actually are. I'll pick that back up in a second. Yeah, here are two keyloggers I have. This one here is an older PS/2 one. And they don't have to be very big. This is one of my USB ones. Basically, they just sit there as a man in the middle, look at the traffic, log it, and then someone can come back later on and get data from it, like passwords, documents someone typed in, web pages they visited if they typed into the URL bar, all those kinds of things.

Now, there are a few different trigger vectors. Trigger vectors really aren't quite applicable to these in the sense that you plug them in and they just start logging. But to recover data, there's a trigger vector. You usually have to type in a series of keys, some secret sequence. And what will happen is either it will start typing in all the stuff that's recorded into something like Notepad or... Wait, let's start a war here. Vi? Emacs? Wrong answer, Edmund. I'm just going to keep the room old enough to abuse Edmund. What was that? I said Pico. I hate to admit it, but I use Nano a whole hell of a lot. All right. So after the trigger happens, that's one way it can happen. And the other thing is some devices, like the ones from KeeLog, come up like a little thumb drive and you just copy a text file off and get your data back that way.

Now, we'll probably have some real-world examples. People tell me there are real-world examples. Then I go Googling around for people who have actually gotten hit by these. I can't find news stories that say this corporation was hit by this hardware keylogger. I don't think people like to admit they got hacked. Someone's come up to me at a conference before and said, yeah, yeah, I heard about this particular case. I said, email me that.
Well, this time, if anybody actually knows a real, legitimate case, come up to me after my talk so I can write it down, because people don't email me this stuff. I'd like to have an actual story I can point to that shows this is happening. But with how many of these devices are sold, I know it has to be happening. I imagine the biggest use case is probably people spying on their spouses. It's probably the number one seller for this particular thing. What gets me is the people who sell these things say crazy crap like it's a backup device. If you have to recover your documents and your computer goes down, you can recover them all from the keystroke logger. I don't know how you write documents, but that would be incredibly painful. I'd be spending like 70 bucks on a device like that where I could just get a hard drive and make sure I do backups myself. Because when I write documents, some stuff goes up here, some stuff down here, some stuff down here, up here. That'd be a nightmare to reconstruct, especially with all my typos.

Anyway, they have a few disadvantages, of course. One, they're a little expensive. Like I said, $60 I think was the cheapest one I could find. Luckily, I got most of these for free. Get enough traffic to your website and people will send you demo units. Lovely. Also, most of the time you're going to need physical access to actually install and recover a USB keylogger. There are some that are working to use wireless, so you only need physical access to install it the first time; then you can recover the keystrokes later on by just getting in the vicinity. But the one I've tested didn't work all that particularly well. So generally you're going to need physical access, and I've got an exception to that. Also, the USB spec is a little harder to get implemented right. I'll get into that in a bit in the detection part, where I have some problems. Sometimes USB keyloggers just don't work right.
As far as needing physical access, there are some possibilities of socially engineering someone into putting the keylogger in for you and not having to show up. Well, imagine if you did this. How many people do you think? I use my personality as birth control. I can't social engineer shit. Is there social engineering crap? Let's say Chris decides... I don't know if he'd use this. I don't know if you think this would work. You have somebody, a target victim, and you say, hey, we want you to try out this new demo product we have. And we'll even let you keep it forever. This is a special dongle that you have to use to keep it from expiring. I'm trying to explain this to people in academia and other places. They haven't ever experienced an anti-piracy dongle. You all have seen anti-piracy dongles, right? Is this the perfect way to hack a currency, guys? AccessData is empty. Those people in academia, you've never heard of them. What you do is say, I'm going to send you this free tool. I'm going to send you this new forensics tool. It's awesome. Or some other tool. But it has a special hardware dongle. But the nice thing is, I'll send you the hardware dongle along with it so it doesn't expire. And it doesn't even take up a USB port, because you just plug it right inline with your keyboard. And it works just fine. You don't even have to take up one of your USB ports. It's awesome. So you send it to them, and then you also send them a CD with the demo software on it. Well, eventually the demo software expires. And they call you up. Oh, I must have sent you a bad dongle. Send that one back to me; I'll send you a new one. You think that might work? Yes. I'm not sure how well it's going to work, but I'm sure there'd be somebody dumb enough out there to fall for it. Most of them. Most of them, okay. Should we replace them?

Detection and mitigation. First of all, physical security. These hardware keyloggers, there's not a whole... I have one that shows up as a USB hub device.
I'll rant on that a little bit later. But other than that one, pretty much all of them are completely passive. You don't see anything in Device Manager, or if you do an lsusb, you're not going to see anything listed. It's completely passive for the most part, until you put them into recovery mode. But you don't have to put them into recovery mode to get your keystrokes back until you take it back to your own machine at home. So most of these things, I'd say, don't leave any direct evidence. So that's kind of a problem. You can lock down what hardware can be installed in the machine, but since they don't show up as devices, that really doesn't help. Physical inspection would probably be a good idea. Though they do make some that are designed in such a way that you can put them inside of keyboards, if you have a little soldering skill. That does raise the bar a little bit about the amount of time you need to actually install one, but it's a possibility. You could make someone a really nifty keyboard and send it to them and see if you can get them to plug it in. This is a mouse, but I'll get to why I have this thing out here a little bit later. And one way you can detect them, but this is not something that can be easily automated, is you can look for odd vendor and product IDs. One USB keylogger I have does show up as a device, but only that one. Everything else is completely passive. And the device that shows up identifies itself as, I believe, a Texas Instruments hub device. That's pretty innocuous. It probably would not raise too many red flags in most people's eyes. Also, though, sometimes inline USB devices like these keyloggers cause problems for other USB devices. So if you plug something in, let's say a keyboard plugged into a given system, it should probably just work. I know there are some keyboard and computer combinations that don't work, but generally that should work.
However, some of you probably have a keyboard that has a hub built into it also, right? Well, if you're using that hub built into your keyboard and you plug your thumb drive in there, you notice it's going at USB 1.1 speeds. That might be a sign that something weird is happening. Or you notice other weird glitches. But I don't know if I want to educate my users in this way, that if there are any odd glitches, you might have a hardware keylogger. I'd get reports constantly that had nothing to do with hardware keyloggers. But sometimes they do cause weird effects. So if you notice something weird and you're a security professional, that might prompt you to actually do a little more physical inspection of the system. If you want more details on hardware keyloggers, I did a review of all the ones I've got with me. There are tons of them out there. Those URLs are incredibly Google-friendly as far as indexing, but incredibly human-unfriendly.

The final category I want to talk about and spend more time on, and how am I doing for time? All right. It's the Programmable HID USB Keyboard Dongle, or as I like to call it, by its acronym. Essentially, it's a simple little microcontroller called a Teensy that sits there and can act as a keyboard and mouse device. You can program it to do whatever you want. I'm going to show a demo of that here in a bit. It can be used to script any kind of action that you can do with a keyboard and mouse. The nice thing about it: having autorun turned off doesn't matter. It doesn't use autorun. It's a keyboard. And on pretty much every OS I've encountered, and it could take a fair amount of effort to lock it down, whether or not you're an admin, you plug in a new keyboard and it will automatically install it. No questions asked. Way more info is out on my project website, along with source code for pretty much everything I'll be showing today.
If it's not out there, it's because I just made a minor tweak and didn't bring the post up there. But I have a whole project site on this. I'm going to show you a presentation from DEF CON that focuses just on this particular topic. Why would an attacker want to have one of these? Those are all payloads they could have it run. They could basically type faster than you can, and type without typos. So they could use it just like one of the U3 drives. They could plug it in and basically have it run a bunch of commands, and be less conspicuous than sitting down in front of the terminal to do what they want to do. Like I said, it runs even if autorun is turned off, and it can be hidden in other items. I was mentioning the devices. The reason I have this up here is that inside of this mouse, I have a little glowy LED, just so I can make it kind of look like a cool gift idea to give to somebody. But it also has a hub, some USB storage, and a Teensy all in here. And if I hit Scroll Lock, oh wait, I'm trying to think of what lock it is, maybe Caps Lock, one of the lock keys on here triggers this to automatically start copying everything off the desktop to this device. That's one payload someone might want to try. Add a user to the box might be one payload someone might want to try. Yeah, that's a classic. Run a program that sets up a backdoor. Now granted, autorun is disabled, but you can use this Teensy along with the storage to run an EXE off that storage, if you get what I'm saying. So that's a possibility. Copy files to a thumb drive, which is exactly what this device does. Unfortunately it's programmed to do that for Windows, and I'm doing this presentation from Linux, so that's not going to work so well for this demo. Also, you can go out to a website and maybe do something.
Now, at one time I had a version implemented that would go out to Facebook, use the mobile site because it was easier to tab around to get to just the right form spots you wanted, and make a Facebook post at a certain time. That's easy enough to do, but it doesn't have to be something as trivial as Facebook. If the person's already logged in... well, first of all, most people, and probably most people in this room, you don't have to raise your hands right now, check off that little "let me stay logged in" box. So what you do is you have one of these devices programmed to automatically, and you know what bank they use... banks don't usually, hopefully most banks don't have it to where you can use that option. But let's go back to the Facebook example. If they're automatically logged in, all you have to do is fire up the browser, the person only has to be logged in for that website, and then it goes to that web page in their favorite browser and does some transaction. A while back I actually had a version of this that would work and go out to Facebook and make a post, but I currently am not connected to the internet on this, and I've been having some reliability problems. I think Facebook's changed the way the mobile site's laid out. But it doesn't have to be that. It could possibly be a bank, I suppose. It could possibly be some kind of configuration change on a machine you know that they regularly access and are likely to have some kind of active session with. There are tons of different things you can do. Think about cross-site request forgery and what you can do with that, but in a hardware form, more or less.

Trigger vectors. This is also the way you can trigger when you want. You can trigger them off a timer: have it go off eight hours after you plug it in, something like that. Hopefully by then someone's going to be logged in. The lock keys.
I'm working on one that's both a hardware keylogger and a PHUKD device at the same time. That one hasn't worked out quite yet. But whenever you hit a lock key, like Caps Lock, Scroll Lock, things like that, that message gets sent out to all the other keyboards that are hooked to that device. So you can use that for monitoring. Someone gave me the idea to use a Caps Lock trap. Essentially, you just turn on Caps Lock from the Teensy and then you wait for someone to turn off Caps Lock. As soon as they do, you know someone's at that terminal and logged in. Another thing you can look into as far as attack vectors: sometimes when people log in, watch your lock keys and watch when you log in to Windows, sometimes those toggle to different positions. Like Num Lock will go from being on to off, or off to on. That's another way you can figure out when someone's actually using the machine, so you know a time at which your payload could actually possibly fire off and work. Also, you can have it run via light or motion or some other environmental condition.

A few samples. I showed you this little one and told you what it did. I don't think I can actually demo it. I've got VMware and Windows on here, but you need to have the devices inside of VMware. If you have things doing this, something's probably working. Here are a few demo units I have. I have a schematic on my website and whatnot. One of the things I'm messing around with is embedding it in other items. Who else has ever seen those little doggies that literally mate with your USB port? Yes. Well, embed one of those. Embed it in a cubicle toy and give it to someone as a present. If you know the CEO... Tenacity sponsors some of my research for this. [Audience: You're literally fucking me.] Tenacity sponsors projects, and Tenacity's logo is this wolf. At one time, I sculpted up this wolf to tie the Teensy in. Imagine if you sent the CEO of some company their logo and said you're from another part of the company.
You give them this cool desktop toy that has a wolf with color-changing eyes that blinks and so forth. Maybe occasionally it says the name of the company. Something silly but cool as a desktop toy. You might very well be able to social engineer them into plugging the thing in for you if it's the right kind of cubicle toy. Come on, how many people here were tempted when they saw that little humping dog the other night? Come on, some of you were tempted. You were tempted. You've got three of them? You go, girl. But you know, that's what I'm going to look into.

Real examples: not much yet. A whole bunch of people gave presentations, though, this last... sorry, that's Rich. Last DEF CON, B-Sides, Black Hat time period back in Vegas earlier this year. Dave Kennedy did one on PowerShell, and at B-Sides Vegas actually, which by the way was awesome, Dave Kennedy did a talk on just using SET and payloads generated by SET and the PHUKD to do various things from a social engineering standpoint. Dave Kennedy and Josh Kelly did that "PowerShell...OMFG" one. Richard Rushing did a talk as well at Black Hat. Monta Elkins did one as well at DEF CON. Of course, the USB Rubber Ducky is based on the exact same stuff; that's out there at Hak5. And of course, my own talk from DEF CON as well.

Detection and mitigation, that's a little bit harder. User awareness: just don't plug in everything someone sends you. It would go a long way. But more likely, if you send someone a cool desktop toy, they're going to plug it in. Unless they're really security aware, they're probably going to plug it in. Physical security: if someone can't plug it in, can't get to the machine, that goes a long way. There are ways you can lock down hardware to keep it from being installed. And also you can do physical inspection and look for anomalies. For instance, if you see an Apple keyboard plugged into a Dell machine, that might be something to look into. Or two keyboards on the same machine.
Now it's possible one might be a presentation remote or something else like that. But it might give you an idea of something to look for. Now, before I continue, I want you to go a little bit dimmer with this. I'm assuming you're having a good time still? Alright, my main Windows laptop is over there capturing video. So I have this here and hopefully it doesn't utterly fail on me. I'm giving this presentation from Linux, but all my payloads I wrote for Windows. So let's see if my little Windows VM reacts and behaves appropriately. Now, my Teensy here can be made a lot smaller than this. I'm actually using the Teensy++ 2.0 which has more pins. It's actually more expensive and better for homebrew projects like robotics or whatnot. But it's a little bit bigger. But these can be made a lot smaller. I'll come up and talk more later on. The chip you actually have to use is a little bit bigger than a postage stamp. And this one is the one I set up for demoing. Instead of having it go off by time or something else, I have it going off by pushing this button, just because having it go off by time would be kind of painful to do for a live demo. So I'm going to plug this bad boy in. I currently have DIP pin one set, which is basically just to give me a reminder of what I have as far as payloads. And I can choose a different payload just by going in and flipping the DIP switches. Alright. Alright, here's the different things I have. I had this put out some diagnostic information like lighting in there and so forth, what LED keys are hit or down. I can use that for triggering stuff. The payloads I have on here: the first one you've already seen, it shows the diagnostic page. Another one is fire up an application and type "Adrian was here." And while that's not exactly the slickest thing in the world, it shows you can fire up any old application you want. You could drop to a command line and add an account or whatnot, or go out to a website and do something.
But that's the world's simplest demo of what it can do. A more complex one would be to make it go to a certain website. I don't have an internet connection right now, so this isn't actually going to go to my website. But you can have it go out and, I hope I chose the right one, open up a web browser and go to a certain website that you have some other payload on. And actually there are people who are now giving away business card like devices that when you plug them in automatically take you to a website. I actually have one here, in my bag of many things. My friend Reed was at, I think it was a VMware Expo in Louisville, and he gave me this little device. And that's like a USB business card. You're not going to see it in the back of the room. When you plug it in it takes you to the vendor's website. That's not Teensy based, but you get the concept. I need to look at how this can be reprogrammed because that is tiny. But it tried to go to my website, but I don't have an internet connection right now. Alright, another payload I have on there of course is the Facebook post. I also have one called setCapsLock. What that does is it sets Caps Lock and fires up something whenever Caps Lock is toggled on and off. For instance, I was going to set that one. That's on DIP switch 4 for my demo purposes. Wait a second. Yeah, DIP 4. And you're not going to see it up here, but it's going to turn on Caps Lock. Or at least it should have. Oh, it brought that up and Caps Lock is on. It's supposed to wait until Caps Lock has been switched the opposite direction. Which unfortunately, you know what? In the dark it's awfully hard on this particular keyboard to actually see. Use the light it has. Right. I had a bright idea. Alright, I'll stay on here. Let's try that. Actually, you know what? This might be one of those VMware issues I was mentioning before. Because I don't think the signal is actually getting back out that I'm tapping that.
That wasn't the way it was meant to come out. And what else we got going on? Thank you very much VMware. I now have no ability to actually move anything inside of VMware. Huh. Small technical difficulty. Yeah, of course. Actually, strangely enough, while I was giving a presentation on the PHUKD device at DEF CON, it actually did a blue screen on my machine. Which kind of brings you up to the topic. Whenever you get that kind of memory corruption where you have a blue screen, and this was in Windows 7 64 bit, if you have that kind of corruption, I wonder how, well let's put it this way. These generic USB drivers for various normal classes, I wonder how much fuzzing people have done against them. Because if it did enough damage to cause the blue screen, I wonder what other things we can do with that memory corruption. Someone that's better at this than me would have to try it. But I'm just saying. And actually one of the ways people have been jailbreaking the PS3s is with a Teensy. Because it can send the right kind of signals that the PS3 is not expecting, and use the vulnerability to actually be able to jailbreak. So actually the Teensy started selling off really well. Not because of this kind of research, but because someone figured out how to jailbreak PS3s with it. And I'll have this back up momentarily. I'm sorry for the interruption. And I think that's going to be the last, well not quite the last part of the demo. I think I'm going to do the rest of the demo in Linux, even though it's not designed for it, because of reliability issues here. VMware plugging in USB devices that aren't really recommended USB devices, because they're also keyboard devices, it's a little bit funky. How's the video looking over there Chris? It's almost there. It's flashed a few times. Alright. I got your cursor. Alright. Do you have your keyboard on there? No. Yeah it's short. Bite me. It's a small keyboard man. That wasn't a sexual reference.
Why are you all out of it? It's not decided by the drivers. Sometimes this one's a keyboard. But this is a black keyboard. It's not decided by the drivers. What was that? It's not decided by the drivers. It's not decided by the drivers. You can't do that. That's what she said. I'll be back to get this going in just a second. Alright. Hold on. Just a second more. And I think I'll have my ducks in a row. Instead I want to do this inside of a text editor, because there's one last part of the demo I did want to show you all. And that was using the environmental features to decide when it's going to do something naughty. Just because I think the demo is neat. So I need to figure out once again which particular DIP switch I put that on, because I have so many different payloads on this thing. I apparently put that one on, what is it, brightness detection and motion detection. Let's go ahead and go with motion detection. And... 8888. Motion detection essentially just waits for the lighting conditions to change. And you see it trying to bring up Notepad and then type in "motion detected" whenever it sees a change. And because of how dark it is that may not work all that reliably. But that's the idea of what it's supposed to do. But let's try a slightly different payload than that one. Let's go ahead and turn on the brightness detection. Essentially you can have it trigger different things depending on how bright the room is as well. That, by the way, is all part of bringing up the Run bar. It currently says "I'm scared of the dark" because, well, it is kind of dark in this room. I'm going to put it in a little more light and see if I can get it to say something else. "The lights seem to be on." Finally I got that right. And of course sometimes you've got to go for the nuclear option. Alright. Sorry. Let me move that over some because it doesn't quite come up on that screen does it? There you go. Anyway, there are ways of locking all this stuff down.
And there's a longer demo out on my website from the DEF CON talk. There are ways of locking this down inside of Windows, Vista and newer at least. You can go in and say what USB devices can be installed and not be installed based on device strings and whatnot. Now the way I normally... you can set this to be a GPO or manually via local group policy. You can even go in and edit various registry entries to accomplish this exact same thing. For instance, the setting you see right here basically says disable automatic install of any device. Basically it says disabled because the admin says so. And essentially they'll have to call an admin over who will go into the Device Manager and manually say yes, this device I want you to run. That's probably one of the safest calls you can make. You can start locking down by device IDs like the vendor ID and product ID and whatnot. But those can be spoofed. Like my own devices, usually I make the vendor and product ID 666 and 1313. And I change one of the device strings to say "Cthulhu keyboard and mouse". So in Windows you can get in there and make the settings. Me going through this probably won't be that interesting, but I've got tons of data out there. I have an article on my website that basically lists all the different things you can use for locking down. Just keep in mind though, whitelists are better than blacklists because someone can spoof device IDs. And if every USB device had a serial number that was a decent length, that would probably be a good thing to key on, but they don't, so there you go. USB lockdown. In Linux there are ways of doing it with udev rules. First of all you have to find out some information, like use lsusb to see what devices are out there. You can cat out what devices are currently installed. You can use udevinfo with a query on the device to find all its different device strings. You can test the rules you create using udevadm test and name the rule path.
I'll actually give you an example of the rule. And you can also see what USB devices are what by using udevadm monitor. And let me see if I can actually demo just a little bit of that. Alright. Let me find me a command prompt. And let's see, udevadm monitor. Alright. Basically it's monitoring any changes in hardware. So basically I can take one of those device IDs that just came and went and do a query on it. Yep. Like that? Scroll on up. See if I can find the correct device. Unfortunately the file system is not always the way you might expect it to be. So sometimes it takes a little effort to find the device you're supposed to query. But you can take one of these devices and go in and take a look at it. Like for instance, I suppose if you want to look at this particular device that I just plugged in, while we're at the command prompt we could use udevadm info. I think it's -a, -p, /sys and then the rest of that particular path. Unfortunately it doesn't seem to always keep the same path depending on OS. Let's see what that actually gives us. Crap. Okay. Oh I see. Backspace is in the wrong spot. I'm having an epic fail here. Let's query a different device just so you have an idea of what kind of things you could see. Let's go into class. Let's go into USB. Failure, failure, failure. I hate it when this happens. Set your stuff up way ahead of time. Let's just choose a device. Let's just do the PCI. Just to give you an idea of what kind of output you'll get. You'll get some output that gives you device strings you can actually key on. That can be useful here in a second. I'll give you an example of a rule we can write in udev to make the world a better place. If I was doing this in BackTrack, I could have done an lsusb, noted the device, looked for its bus and device ID, and then essentially queried it with udevadm and looked it up.
But for whatever reason, that's not quite working the same way in this Ubuntu. But I can find all those device strings I can key on. Then I can write a lovely rule like this that's totally unreadable to anybody in the back. Essentially what we're doing is we're saying whenever an add action happens on subsystem USB, run this particular script. What's in that particular script is basically something just to disable this device automatically, and automatically disable all the USB devices that are coming in. Then down at the bottom, I have essentially a whitelist that says if it has this particular vendor ID or product ID, go ahead and enable it by entering a 1 into a particular path inside of sysfs. Same thing with a couple other devices, like this one I have based on serial number. That's this whole attribute part. If the serial number happens to match this, run a script which basically echoes 1 into the device path's "authorized". You can not only do that, you can also base it on the product string or the ID of the vendor or whatnot. I have a whole article, it's all just out there online. I have a part of a larger paper, for anybody who wants to read it, that details it. There's more information you can find out in sysfs. Essentially what it amounts to is just creating a rule and placing it in the path you see at the top. Alright, finding the needed information. Now I showed you a little bit about finding the information inside of Linux. In Windows, there are other ways of doing it. You can use the Device Manager, but the Device Manager is kind of painful to actually work with for this information. A better thing would be USBDeview from NirSoft. It gives you a lot of great information. You can export it out to a comma-separated value file and do your queries on it. The best thing about it is you can remotely query another box on your network.
So what you can do with that is you can have a text file with a bunch of boxes you want to check, have it automatically generate that file for you, look for anomalies to see what stuff is installed, see what stuff you would need to whitelist or blacklist, and there you go. That's a real simple command in USBDeview. Just say what your remote file is and say the output format, and that's it. I have a lot of details on using these kinds of techniques to find out what's plugged in. One of the nice things about this: who here was battling Conficker? I remember one of the ways it was passing itself around was via thumb drive. Let's say you want to know who the Typhoid Mary was who was doing this. Well, if you notice this particular machine was hit and it had this particular thumb drive plugged into it, because even if it's not currently plugged in, there's still a log of it; it would still be recorded. So you can start tracing around by its serial number. Most of the thumb drives I've tried do have serial numbers. You can start tracing around and saying, okay, this serial number thumb drive was plugged into this machine, this machine, this machine. All of them were infected. It was first plugged into this machine, and it's currently on this machine. That might point you to the machine of the person who actually owns that thumb drive. Because Bob's down in accounting, it's in his machine currently, but when he's going around from machine to machine around the network, he's carrying that same thumb drive. It makes it easier to trace down who the actual Typhoid Mary is, if that makes sense. You can also look up suspicious vendor IDs. Like I said, I set my vendor IDs to like 666, and I think the product ID to 1313. You can actually look for things like that, various other oddities like a Dell with the Apple keyboard plugged in. There are a lot of these devices, for some reason, that steal Apple's vendor IDs. I don't know why.
But some of them do that. That little business card thing I showed you earlier, you plug it in, it says it's an Apple keyboard. Go figure. Looking for computers with two keyboards might sometimes be helpful. Future plans, things I want to mess around with in the near future: I found this device that will turn a HID device into a serial device. So my plan is to take that, plug it into my Teensy, and not only log keystrokes, but then replay that later on with the Teensy. And the idea is I can essentially look for like Control, Delete, something, Tab, something. And on a Windows box, what's that likely to be if I take those somethings as variables? Username and password. I can take that and have it log, and then eight hours later when I think that no one will be at the machine, have it log into the machine and do what I want it to do, using the credentials typed in earlier. And I think that would be pretty nifty. And I ordered this part from a company online, but I've yet to actually put it together. It hasn't arrived yet. So hopefully I can get that to function. Finally, I'm going to announce a few events. Louisville InfoSec happens every year in Louisville, Kentucky. Make it if you can. Also we're having DerbyCon for the first time, once again in Louisville, Kentucky, in 2011. More information is on derbycon.com. And there's a ton of conferences I want to give a shout out to. I guess I'll mention I'm going to have to go ahead and add DojoCon to this list as well. It'd be kind of funny if you guys sent it over to AnnounceCon at the same conference. But SkydogCon, Hack3rCon, Phreaknic, Notacon, and Outerz0ne are all ones that I want to give props to. Make it if you can. And I'm probably running short on time, so are there any questions? No questions? Sorry I kind of rushed that. Feel free to ask more later on. And after that machine's finished recording, I can actually give you better demos if you want to see them in person.
On a system where it's hopefully not going to crash. Thank you. Yes? Just so people know, when they look at the Teensy they think that's small, but there are chips that are probably 3 millimeters in size. Yeah, but you have to do all the... Yeah, you have to do a lot of the electronics around it though. Not very much though. We might want to talk later. Thank you. [Applause] I don't know if you've been to his website, but this website is absolutely awesome. I don't know how this guy has so much time to do all this research. University job. He has a university job, so he just sits around and does research all the time. Should we be starting as hackers, man? No, that's good.
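The udev lockdown scheme the talk describes (an add rule on the USB subsystem runs a script that disables every new device, then a whitelist re-enables devices by vendor/product ID or serial number by echoing 1 into the device's "authorized" attribute in sysfs), written out as an added example. This is not the speaker's script or anything from irongeek.com. The rules file path, the script path, the allow-listed vendor/product pairs and the serial number are constructed values; SYSFS_ROOT is an assumption added so the functions can be exercised against a scratch directory rather than the real /sys.

```shell
#!/bin/sh
# Added example (not the speaker's script): default-deny USB allow-list for
# Linux in the style the talk describes. A udev rule fires this script on
# every USB device "add"; the script writes 0 to the device's sysfs
# "authorized" attribute, then writes 1 only for allow-listed devices.

# Assumption: SYSFS_ROOT lets the functions be exercised against a scratch
# directory instead of the real /sys.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Allow-list (constructed values): "vendor:product" pairs in the lowercase
# hex form sysfs uses, and whole serial numbers. The serial match is the
# stronger check, since vendor/product IDs are trivially spoofed.
USB_ALLOW_IDS="046d:c31c 0781:5567"
USB_ALLOW_SERIALS="4C530001230412345678"

# Print the udev rule that wires this script in. Paths are assumptions.
# udev exports DEVPATH (e.g. /devices/pci0000:00/.../usb1/1-1) to RUN
# programs; the script reads the device attributes from $SYSFS_ROOT$DEVPATH.
usb_lockdown_rules() {
    cat <<'EOF'
# /etc/udev/rules.d/99-usb-lockdown.rules (assumed path)
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/usb-lockdown.sh"
EOF
}

# Decide whether a device is allowed. Args: vendor product serial.
# Prints 1 (allow) or 0 (deny).
usb_allowed() {
    vendor="$1"; product="$2"; serial="$3"
    for id in $USB_ALLOW_IDS; do
        if [ "$vendor:$product" = "$id" ]; then echo 1; return 0; fi
    done
    for s in $USB_ALLOW_SERIALS; do
        if [ -n "$serial" ] && [ "$serial" = "$s" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Apply the policy to the device at DEVPATH (relative to SYSFS_ROOT):
# deny first, then re-enable on an allow-list match. Prints the decision.
usb_apply_policy() {
    dev="$SYSFS_ROOT$1"
    [ -f "$dev/idVendor" ] || return 1      # not a USB device node
    vendor=$(cat "$dev/idVendor")
    product=$(cat "$dev/idProduct")
    serial=""
    [ -f "$dev/serial" ] && serial=$(cat "$dev/serial")
    decision=$(usb_allowed "$vendor" "$product" "$serial")
    echo 0 > "$dev/authorized"               # default deny
    if [ "$decision" = "1" ]; then
        echo 1 > "$dev/authorized"           # the "echo 1 into authorized" step
    fi
    echo "$decision"
}

# Build a fake sysfs device node so the policy can be tried offline.
# Args: devpath vendor product [serial]. Real devices come up authorized=1
# unless authorized_default on the hub has been changed.
usb_mock_device() {
    d="$SYSFS_ROOT$1"
    mkdir -p "$d"
    printf '%s\n' "$2" > "$d/idVendor"
    printf '%s\n' "$3" > "$d/idProduct"
    [ -n "${4:-}" ] && printf '%s\n' "$4" > "$d/serial"
    printf '1\n' > "$d/authorized"
}

# When udev invokes this script, DEVPATH is set; apply the policy and exit.
if [ -n "${DEVPATH:-}" ]; then
    usb_apply_policy "$DEVPATH" >/dev/null
fi
```

To deploy on a real box the script goes at the RUN path named in the rule, the rule text goes into the rules.d file, and `udevadm control --reload-rules` picks it up; `udevadm test` on a device's sysfs path, as the talk mentions, shows whether the rule matches before anything is plugged in. A device announcing the talk's 666/1313 IDs, or an Apple keyboard ID on a Dell, simply never gets its `authorized` flipped back to 1, which is the whitelist-over-blacklist point the speaker makes.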