Emulating Human Interface Devices as an Attack Vector By: Dillon Korman
Introduction
• A Human Interface Device (HID) is a computer peripheral that interacts directly with, and usually takes input from, a human; a keyboard and a mouse are the common examples.
• The USB HID device class was designed for plug-and-play use: a keyboard or mouse works on almost any operating system without a vendor driver, without configuration, and without asking the user for approval.
• Because these devices are used constantly, the host extends an implicit trust to them: keystrokes arriving from a HID are treated as the actions of the human sitting at the machine.
• Since about 2010 a new attack vector has been observed that exploits exactly this trust: a small programmable device that presents itself to the host as a keyboard and types a prepared payload.
• Software-based attacks receive most of the attention while hardware-based attacks generally fly under the radar; two established devices, the Teensy and the USB Rubber Ducky, are available to exploit this vector by emulating a legitimate HID.
Hypothesis
• To evaluate the risk posed by malicious Human Interface Devices, I hypothesize that if a properly configured payload (a piece of code the device types into the target) on an emulated HID is launched against a target machine through a USB port, then the payload will achieve its intended outcome.
Materials
• Hardware: Teensy++ 2.0, USB Rubber Ducky, USB adapter, USB micro SD card reader, and a physical computer running Windows 7 (target).
• Software: a virtual machine running BackTrack 5 R3 (attacker), Kautilya, the Social Engineering Toolkit, Duck Sauce, and Arduino.
Procedures
• Insert the PHUKD (Programmable HID USB Keyboard Dongle) or the micro SD card reader (for the Rubber Ducky's card) into the attacker computer's USB port.
• Attach the device to the BackTrack 5 virtual machine in VirtualBox (USB passthrough).
• Open a payload generator (Kautilya, the Social Engineering Toolkit, or Duck Sauce).
• Create a customized payload for the PHUKD.
• Program the payload onto the PHUKD, or copy it to the micro SD card.
• Detach and remove the PHUKD or SD card from the attacker computer.
• Insert the PHUKD into the target machine's USB port.
• Check whether the payload ran successfully, then repeat all of the steps for each new payload tested.
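The procedure above ends with a device that, once plugged in, replays keystrokes. What the host actually receives is a stream of 8-byte USB boot-keyboard reports, one per key press and one all-zero report per release. The following is an added example, not the poster's code and not the Rubber Ducky or Teensy firmware: it compiles a small Ducky-Script-like payload (the STRING, DELAY, ENTER and GUI commands are a hypothetical subset modelled on Ducky Script) into those reports, using the usage IDs from the USB HID Usage Tables for a US keyboard layout. The sample script at the bottom is constructed for the demonstration.

```python
"""Compile a Ducky-Script-style payload into USB HID boot-keyboard reports.

Added example (not the poster's code, nor Rubber Ducky or Teensy firmware).
Usage IDs follow the USB HID Usage Tables, keyboard/keypad page, US layout.
The script dialect is a hypothetical subset: REM, DELAY <ms>, STRING <text>,
ENTER/ESCAPE/TAB/SPACE, and CTRL/SHIFT/ALT/GUI <key>.
"""

MOD_CTRL, MOD_SHIFT, MOD_ALT, MOD_GUI = 0x01, 0x02, 0x04, 0x08

# Unshifted characters -> HID usage ID.
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("123456789")})
_PLAIN.update({"0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D,
               "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33,
               "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
# Characters typed as Shift + the unshifted key on the same keycap.
_SHIFTED = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"))
_SHIFTED.update(dict(zip("!@#$%^&*()", "1234567890")))
_SHIFTED.update({"_": "-", "+": "=", "{": "[", "}": "]", "|": "\\", ":": ";",
                 '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"})

SPECIAL = {"ENTER": 0x28, "ESCAPE": 0x29, "TAB": 0x2B, "SPACE": 0x2C}
MODIFIERS = {"CTRL": MOD_CTRL, "SHIFT": MOD_SHIFT, "ALT": MOD_ALT, "GUI": MOD_GUI}

RELEASE = bytes(8)  # all-zero report: every key and modifier released


def char_to_key(ch):
    """Return (modifier_bits, usage_id) for one printable US-layout character."""
    if ch in _PLAIN:
        return 0, _PLAIN[ch]
    if ch in _SHIFTED:
        return MOD_SHIFT, _PLAIN[_SHIFTED[ch]]
    raise ValueError("no US-layout keycode for %r" % ch)


def report(modifier, usage):
    """8-byte boot-protocol keyboard report: [modifiers, reserved, key1..key6]."""
    return bytes([modifier, 0, usage, 0, 0, 0, 0, 0])


def compile_script(text):
    """Turn script lines into a list of ('report', bytes) and ('delay', ms)
    events in the order a device would emit them. Every press is followed by
    a release report so that repeated characters ("ll") register twice."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            events.append(("delay", int(arg)))
        elif cmd == "STRING":
            for ch in arg:
                mod, usage = char_to_key(ch)
                events += [("report", report(mod, usage)), ("report", RELEASE)]
        elif cmd in SPECIAL:
            events += [("report", report(0, SPECIAL[cmd])), ("report", RELEASE)]
        elif cmd in MODIFIERS:
            # "GUI r": the modifier is held while the key is pressed.
            mod, usage = char_to_key(arg) if arg else (0, 0)
            events += [("report", report(MODIFIERS[cmd] | mod, usage)),
                       ("report", RELEASE)]
        else:
            raise ValueError("unknown command: " + cmd)
    return events


# Constructed sample payload: open the Run box and launch PowerShell.
SAMPLE = """REM constructed demo payload
DELAY 500
GUI r
DELAY 200
STRING powershell
ENTER
"""


def demo():
    return compile_script(SAMPLE)


if __name__ == "__main__":
    for kind, value in demo():
        print(kind, value.hex() if kind == "report" else value)
```

The report for "GUI r" is `08 00 15 00 00 00 00 00`: left-GUI in the modifier byte and usage 0x15 for "r". A Teensy sketch or the Ducky's inject.bin does the same mapping; the delays are what the Observations section refers to as the cost of one-time initialization, since the device has to wait for the host to finish enumerating it before any typed character is accepted.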
Observations
• The experiment tested 18 unique payloads, each belonging to one of five groups (see Types of Payloads); in total I conducted 35 payload tests.
• All but one of the payloads were retested with an antivirus security suite running on the target, and all but one of those ran successfully under it (the anti-virus detected and blocked the shell payload, as shown in the screenshot).
• Each of the 18 payloads achieved its intended outcome, as predicted by my hypothesis.
• Most payloads completed their tasks in under a minute, and some finished in as little as 12 seconds.
• The commands typed by the payloads themselves took very little time; the main barrier to faster runs is the one-time initialization, the delay while the host enumerates the device before it accepts keystrokes.
Discussion
• This experiment demonstrates a new attack vector that presents a serious security threat to any organization.
• The possible payloads are essentially endless, and they can be crafted to target a specific organization.
• A wide assortment of operating systems and computing machines, billions of them, are vulnerable simply by exposing a USB port.
• Security companies, manufacturers, and IT managers need to understand the scope of this attack and limit the potential damage.
• Traditional defenses such as anti-virus are not very effective against it, because the payload arrives as ordinary keystrokes rather than as a file; creative solutions and strategies are needed, for example restricting which USB devices may be installed, or monitoring keyboard input for typing no human could produce.
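One of the "creative" defenses the discussion calls for follows from the Observations: an emulated keyboard types an entire payload in seconds, at an inter-key interval and regularity no human produces. The following is an added example, not from the poster: a host-side heuristic that flags keystroke bursts that are both too fast and too regular. It would run over key-down timestamps from a keyboard hook or a USB capture such as the Wireshark trace on the poster; the timestamps below are constructed, and the thresholds are assumptions to be tuned against real typing data.

```python
"""Flag keystroke bursts that are too fast and too regular to be human.

Added example, not part of the poster. Input is a list of key-down
timestamps in seconds; the thresholds are assumed starting points.
"""
from statistics import median, pstdev

# Constructed key-down timestamps (seconds). The first ten are human-like
# (irregular gaps of 110-260 ms); the next sixteen are machine-like
# (12 ms apart, almost no jitter), as an injecting HID would produce.
HUMAN = [0.000, 0.180, 0.310, 0.570, 0.690, 0.800, 1.050, 1.160, 1.300, 1.520]
INJECTED = [3.000 + 0.012 * i for i in range(16)]
EVENTS = HUMAN + INJECTED


def intervals(timestamps):
    """Inter-key gaps: gap[i] is the time from key i to key i+1."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def find_injected_bursts(timestamps, window=8,
                         max_median_s=0.030, max_jitter_s=0.005):
    """Return (first_index, last_index) pairs of maximal runs of keys that
    fall inside at least one sliding window of `window` keys whose gaps have
    median <= max_median_s and population std-dev <= max_jitter_s.

    Both conditions are required: a long pause followed by a fast burst
    still has a low median, but the pause blows up the jitter, so the
    human keys before the pause are not dragged into the flagged run."""
    gaps = intervals(timestamps)
    flagged = [False] * len(timestamps)
    for i in range(len(timestamps) - window + 1):
        w = gaps[i:i + window - 1]  # `window` keys span `window - 1` gaps
        if median(w) <= max_median_s and pstdev(w) <= max_jitter_s:
            for k in range(i, i + window):
                flagged[k] = True
    runs, start = [], None
    for idx, hit in enumerate(flagged):
        if hit and start is None:
            start = idx
        if not hit and start is not None:
            runs.append((start, idx - 1))
            start = None
    if start is not None:
        runs.append((start, len(flagged) - 1))
    return runs


def describe(timestamps):
    """Human-readable summary of the flagged runs for a console check."""
    return ["keys %d-%d: %d keys in %.3f s" % (a, b, b - a + 1,
                                               timestamps[b] - timestamps[a])
            for a, b in find_injected_bursts(timestamps)]


if __name__ == "__main__":
    for line in describe(EVENTS):
        print(line)
```

Only the injected run (keys 10 through 25) is reported; the human-like prefix is left alone, including the windows that straddle the 1.5 s pause before the burst. A deployment would raise an alert, or block further input from that device, when a run appears; the thresholds should be set from measured typing of the organization's fastest users, since a fast typist's burst median still sits well above 30 ms.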
Types of Payloads
• Valuable Information: exfiltrates important data.
• Direct Attack: a shell or executable.
• Helping Hand: leads to other attack options.
• Backdoor: sets up for later options.
• Miscellaneous: other types.
Photos: Teensy in computer; Teensy with adapter; Teensy front; Teensy back.
Photos: Rubber Ducky in computer; Rubber Ducky in discreet case; Rubber Ducky in case; Rubber Ducky front; Rubber Ducky back.
Screenshots: keylogged text posted to Pastebin; PowerShell keylogging payload.
Screenshot: anti-virus detecting and blocking the shell payload.
All photos, screenshots, graphs, and tables were prepared by the student researcher. All logos were taken from agency and company websites.
Agency logos: National Cyber Security Division, National Security Agency, US DOD Cyber Command, Defense Information Systems Agency, Army Cyber Command, Navy Cyber Command, Coast Guard Cyber Command, Air Force Network Integration Center.
Company logos: Computer Sciences Corporation, Science Applications International Corporation, Booz Allen Hamilton, Boeing, Northrop Grumman, Lockheed Martin, General Dynamics, CACI.