Cyber Awar3ness v1.5 – USB Flash Drives of Death!

Cyber Awar3ness v1.5 – USB stuff… if you have seen Mr Robot, then you are really in for a surprise at how real that show is (as has been shown, the director wanted to make everything as real as possible, no fiction).

Sorry if I am spoiling last season’s stuff and if you have not seen it yet, please go do so.
https://motherboard.vice.com/en_us/search?all=true&model=articles&q=a%20round%20table%20of%20hackers

Do not try any of this on a system you do NOT own; if you do such things, be sure you are in a test environment on systems you own or are authorized to run such experiments on, as everything below is experimental (hacking).

This is a demonstration to give an insight into what “a wild USB appears” can do if you find one out in the wild.

Contents

Reprogrammable microcontroller USB attacks

  • Rubber Ducky – a commercial keystroke injection attack platform released in 2010. Once connected to a host computer, the Rubber Ducky poses as a keyboard and injects a preloaded keystroke sequence.
    1. https://hakshop.com/products/usb-rubber-ducky-deluxe
  • PHUKD/URFUKED attack platforms – similar to Rubber Ducky, but allows an attacker to select the time when it injects the malicious keystrokes.
    1. https://www.irongeek.com/i.php?page=security/homemade-hardware-keylogger-phukd
  • USBdriveby – provides quick covert installation of backdoors and overriding of DNS settings on an unlocked OS X host via USB in a matter of seconds by emulating a USB keyboard and mouse.
    1. http://samy.pl/usbdriveby/
  • Evilduino – similar to PHUKD/URFUKED, but uses Arduino microcontrollers instead of Teensy. Also works by emulating a keyboard/mouse and can send keystrokes/mouse cursor movements to the host according to a preloaded script.
    1. https://www.slideshare.net/Rashidferoz1/evilduino
  • Unintended USB channel – a proof of concept (POC) USB hardware trojan that exfiltrates data based on unintended USB channels (such as using USB speakers to exfiltrate data).
  • TURNIPSCHOOL (COTTONMOUTH-1) – a hardware implant concealed within a USB cable. Developed by the NSA.
    1. http://www.nsaplayset.org/turnipschool
  • RIT attack via USB mass storage – attack described in a research paper. It relies on changing the content of files while the USB mass storage device is connected to a victim’s computer.
    1. https://pdfs.semanticscholar.org/70d7/d873c72d0db9968650ad359c6ef915ffbb42.pdf
  • Attacks on wireless USB dongles – a category of attacks first explored with the release of the KeySweeper attack platform by Samy Kamkar, a tool that covertly logs and decrypts keystrokes from many Microsoft RF wireless keyboards.
    1. https://www.mousejack.com/
    2. https://samy.pl/keysweeper/
  • Default Gateway Override – an attack that uses a microcontroller to spoof a USB Ethernet adapter to override DHCP settings and hijack local traffic.
    1. https://support.symantec.com/en_US/article.HOWTO98519.html
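The keystroke-injection platforms above all share one tell: they type a preloaded script far faster and more evenly than a person can. The following is an added example, not code from the original post, of the host-side check a defender can build on that observation: it groups key-down events per input device and flags any device whose inter-key timing is both fast and machine-regular. The thresholds and the event samples are constructed for the demo.

```python
"""Flag keystroke bursts that are too fast and too regular to be human.

Added example (not part of the original post). The event samples below are
constructed for the demo; a real monitor would read them from the OS input
layer and attach the device id of each newly enumerated keyboard.
"""
from statistics import mean, pstdev

# Tuning assumptions for this demo: people rarely sustain under 40 ms per
# key, and their intervals jitter a lot; scripted input does neither.
MAX_MEAN_MS = 40.0
MAX_JITTER_MS = 5.0
MIN_KEYS = 8


def intervals_ms(timestamps_ms):
    """Return the gaps between consecutive key-down timestamps."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def looks_injected(timestamps_ms):
    """True when a keystroke burst is fast and machine-regular."""
    if len(timestamps_ms) < MIN_KEYS:
        return False  # too little data to judge
    gaps = intervals_ms(timestamps_ms)
    return mean(gaps) < MAX_MEAN_MS and pstdev(gaps) < MAX_JITTER_MS


def classify_devices(events):
    """Group key events per device id and report which ones look scripted.

    `events` is a list of (device_id, timestamp_ms) tuples sorted by time.
    """
    per_device = {}
    for dev, ts in events:
        per_device.setdefault(dev, []).append(ts)
    return {dev: looks_injected(ts) for dev, ts in per_device.items()}


# Constructed sample: device "kbd0" is a person typing (uneven, ~150 ms),
# device "kbd1" fires a scripted payload at a steady 10 ms cadence.
HUMAN = [0, 160, 290, 470, 610, 820, 940, 1130, 1300]
SCRIPTED = [5000 + 10 * i for i in range(40)]
SAMPLE_EVENTS = sorted([("kbd0", t) for t in HUMAN] +
                       [("kbd1", t) for t in SCRIPTED], key=lambda e: e[1])

if __name__ == "__main__":
    for dev, flagged in classify_devices(SAMPLE_EVENTS).items():
        print(f"{dev}: {'possible keystroke injection' if flagged else 'ok'}")
```

A burst of fewer than MIN_KEYS events is never flagged, so a few fast-but-legitimate keys (shortcuts, key repeat) do not trip the check.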

Maliciously reprogrammed USB peripheral firmware attacks

  • Smartphone-based HID attacks – first described in a research paper for which researchers created custom Android gadget drivers to overwrite how Android interacted with USB devices. The malicious driver interacted with the Android USB gadget API to simulate USB keyboard and mouse devices connected to the phone.
    1. https://null-byte.wonderhowto.com/how-to/hid-keyboard-attack-with-android-not-kali-nethunter-0164349/
  • DNS Override by Modified USB Firmware – researchers modified the firmware of a USB flash drive and used it to emulate a USB-Ethernet adapter, which then allowed them to hijack local traffic.
  • Keyboard Emulation by Modified USB Firmware – several researchers showed how, by poisoning the firmware of USB flash drives, an attacker could inject keystrokes [1, 2, 3].
  • Hidden Partition Patch – researchers demonstrated how a USB flash drive could be reprogrammed to act like a normal drive, creating a hidden partition that cannot be formatted, allowing for covert data exfiltration.
  • Password Protection Bypass Patch – a small modification of a USB flash drive’s firmware allows attackers to bypass password-protected USB flash drives.
  • Virtual Machine Break-Out – researchers used USB firmware to break out of virtual machine environments.
    1. https://whatis.techtarget.com/definition/virtual-machine-escape
  • Boot Sector Virus – researchers used a USB flash drive to infect the computer before it boots [1, 2].
    1. https://usa.kaspersky.com/resource-center/definitions/boot-sector-virus
  • iSeeYou – POC program that reprograms the firmware of a class of Apple internal iSight webcams so that an attacker can covertly capture video without the LED indicator warning.

Attacks based on unprogrammed USB devices

  • CVE-2010-2568 .LNK exploit used by Stuxnet and Fanny malware
    1. https://www.cvedetails.com/cve/CVE-2010-2568/
  • USB Backdoor into Air-Gapped Hosts – attack used by the Fanny malware, developed by the Equation Group (codename for the NSA). The attack uses the USB drive’s hidden storage to hold preset commands that map computers in air-gapped networks; information on those networks is saved back to the USB flash drive’s hidden storage.
  • Data Hiding on USB Mass Storage Devices – a large collection of tricks for hiding malware or stolen data inside a USB flash drive (e.g. storing data outside of the normal partitions, hiding a file inside an invisible folder by making that folder’s icon and name transparent, etc.).
  • AutoRun Exploits – depending on how host computers were configured, some PCs would auto-execute predetermined files located on a USB device’s storage. There’s an entire malware category dedicated to this called autorun malware.
  • Cold Boot Attacks – aka the RAM dump attack. Attackers can store a memory dumper on a USB flash drive and extract left-over data from RAM by booting from a USB device.
  • Buffer Overflow based Attacks – several attacks that rely on exploiting OS buffer overflows when a USB device is inserted into a computer. This happens because operating systems enumerate the devices and functions (run certain predetermined operations) when a USB device is inserted [1, 2, 3, 4].
  • Driver Update – very complex attack that relies on obtaining a VeriSign Class 3 Organizational Certificate and submitting drivers to Microsoft that are automatically delivered and installed on user PCs when a certain USB device is inserted. This attack is possible, but very hard to pull off in the real world.
  • Device Firmware Upgrade (DFU) – attackers can use the Device Firmware Upgrade (DFU), a legitimate process supported by the USB standard, to update local legitimate firmware to a malicious version.
  • USB Thief – a USB flash drive based data-stealing malware that was recently discovered by ESET.
    1. https://securityaffairs.co/wordpress/45741/malware/usb-thief-trojan.html
  • Attacks on Smartphones via the USB Port – attackers can hide and deliver malware via malicious USB phone chargers.
  • USBee attack – makes a USB connector’s data bus give off electromagnetic emissions that can be used to exfiltrate data.
    1. https://arstechnica.com/information-technology/2016/08/meet-usbee-the-malware-that-uses-usb-drives-to-covertly-jump-airgaps/

Electrical attacks

  • USB Killer – permanently destroys devices by inserting a USB device that triggers an electrical surge.