The Return of USB “Auto-Run” Attacks



USB Autorun attacks became the rage back in 2005. Hak5 created a project called USB-Hacksaw to increase awareness of this security issue; it was originally a U3 device that would auto-run a series of programs. This could be used for general system administration tasks or for potentially malicious ones, such as installing back-doors and running password collection programs. Shortly afterwards, vendors like Microsoft started to remove Auto-run capabilities to prevent more serious malware from infecting their Windows operating system, mainly because malware was being found on all manner of digital storage devices: portable hard-drives, flash drives and digital picture frames, all typically manufactured in factories on the other side of the world.

This post discusses recent developments, leading to the return of USB Auto-Run attacks.


Back in 2010 Seth Fogie noted that certain car manufacturers were sending out USB devices. These USB devices presented themselves as keyboards in order to inject keystrokes into the computer to which they were attached.

Why a keyboard? To circumvent security controls designed to stop the automatic execution of anything potentially malicious from untrusted USB sticks, they had to be a little ingenious and no longer rely on a program running or on user interaction.

So instead these devices inject key sequences as if the user were typing, causing the browser to load and visit a particular website.

Fast forward a few years and it now seems that this approach is becoming ever more common as operating systems become increasingly secure, platforms diversify and marketers look to stand out from the crowd.

Pentura recently received a sample in the post which was based on technology by Visible Computing Ltd and sold as the iKyp webkey™. This technology works on Microsoft Windows, Unix-based OSes (e.g. Linux), Mac OS X, Android and iDevices (only tested on the iPad Notes application) where a USB port/adapter is available.

The vendor details extensive case studies demonstrating that these devices have increased in prevalence while carrying with them interesting security implications.

In a series of future posts we will provide an introduction to the technology, an overview of its use and other well-known examples of open source tools to achieve similar functionality. We also plan to include tips for detecting if such devices have been used previously on your estate. We also plan to provide guidance on possible strategies to mitigate their impact should such devices be sent to your organisation.

The Present

Hak5 have produced a programmable USB device (currently $40 USD; the price is falling due to demand and batch sizes, meaning savings for all). Based on the Atmel AVR chipset, the microcontroller can pretend to be any USB-based device (within the limits of its flash memory and processor). The firmware development was initially slow and disappointing, and the device only mimicked a HID keyboard with a US language map.

One community developer, Midnitesnake (@midnitesnake), appears to have single-handedly taken on the challenge of unlocking the potential of this device. Midnitesnake has further improved the platform by allowing customisation of the code to accept different language maps, enabling the device to emulate keyboards outside the US. Current support exists for:

  • US – English American Keyboards
  • GB – English Great Britain Keyboards
  • FR – French Keyboards
  • DE – German Keyboards
  • PT – Portuguese Keyboards
  • RU – Russian Keyboards
  • NO – Norwegian Keyboards
  • SW – Swedish Keyboards
  • BE – Belgian Keyboards

Additionally, Midnitesnake has written several different flavors of firmware available at; Not just a plain ole HID keyboard anymore… we now have access to:

  • HID Injection with BOOT enabled.
  • USB Mass Storage.
  • Multiple Keyboard Trigger HID Payload.
  • Composite Device: USB Storage & HID Keyboard.

The latter effectively brings back “Auto-Run” attacks! Insert the USB device into any OS, and the HID payload will trigger and call an executable on the Mass Storage partition. You may think you're safe with Device Control Software; however, the developer has built in a function to easily change the VID and PID of the USB device on the fly. This can effectively bypass your security measures, provided the attacker knows a white-listed device, or by “luck of the draw”.
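From the defender's side, a VID/PID match says nothing about which interfaces a device actually exposes, so a device-control check can also compare the interface classes in the USB configuration descriptor against what the approved model should present. The sketch below is an added example, not code from the original post or from the firmware it describes; the descriptor bytes, the VID/PID values and the allowlist format are constructed assumptions.

```python
import struct

HID, MASS_STORAGE = 0x03, 0x08          # USB-IF interface class codes
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05

def interfaces(config_desc: bytes):
    """Walk a configuration descriptor; return (class, subclass, protocol) per interface."""
    found, i = [], 0
    while i < len(config_desc):
        length = config_desc[i]
        if length < 2 or i + length > len(config_desc):
            raise ValueError(f"malformed descriptor at offset {i}")
        if config_desc[i + 1] == DT_INTERFACE and length >= 9:
            found.append(tuple(config_desc[i + 5:i + 8]))
        i += length
    return found

def assess(vid, pid, config_desc, allowlist):
    """allowlist (assumed policy format): (vid, pid) -> set of expected interface classes."""
    classes = {cls for cls, _, _ in interfaces(config_desc)}
    findings = []
    if (vid, pid) not in allowlist:
        findings.append("vid/pid not allowlisted")
    elif classes != allowlist[(vid, pid)]:
        findings.append("allowlisted vid/pid but unexpected interface classes")
    # Class, not protocol, is checked: only boot-subclass HID keyboards set protocol 0x01.
    if HID in classes and MASS_STORAGE in classes:
        findings.append("composite HID + mass storage")
    return findings

# --- constructed sample descriptors (not captured from a real device) ---
def _iface(num, cls, sub, proto):
    endpoint = bytes([7, DT_ENDPOINT, 0x81 + num, 0x03, 8, 0, 10])
    return bytes([9, DT_INTERFACE, num, 0, 1, cls, sub, proto, 0]) + endpoint

def _config(*ifaces):
    body = b"".join(ifaces)
    head = struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(ifaces), 1, 0, 0x80, 50)
    return head + body

KEYBOARD_ONLY = _config(_iface(0, HID, 0x01, 0x01))
COMPOSITE = _config(_iface(0, HID, 0x01, 0x01), _iface(1, MASS_STORAGE, 0x06, 0x50))
ALLOWLIST = {(0x1234, 0x5678): {HID}}    # constructed IDs for an approved keyboard

if __name__ == "__main__":
    for name, desc in (("keyboard", KEYBOARD_ONLY), ("composite", COMPOSITE)):
        print(name, interfaces(desc), assess(0x1234, 0x5678, desc, ALLOWLIST))
```

A HID-only payload device that copies both the IDs and the interface layout of an approved keyboard still passes this check, so it narrows the composite case described above rather than closing the keystroke-injection path.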