[Discuss] code for hacked USB drive (BadUSB) released on Github

[tmetro+blu at gmail.com (Tom Metro)]

Tom Metro wrote:
> Something like a USB Rubber Ducky could help implement this:
>  https://hakshop.myshopify.com/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe
> 
> A pass phrase can be stored on them, and it'll replay it with the press
> of a button.
> ...
> With the discovery that you can hack the firmware in some USB Flash 
> drives, I wouldn't be surprised to eventually see instructions online 
> for how to turn a $5 USB drive into a emulated keyboard replay device.)

Well that didn't take long to happen...

http://mashable.com/2014/10/03/bad-usb/

  BadUSB is a dangerous USB security flaw that allows attackers to turn
  a simple USB device into a keyboard, which can then be used to type
  malicious commands into the victim's computer.
  ...
  By hacking the code of the USB micro-controller of an "innocent"
  device, like a USB memory stick, you can turn it into something far
  more capable, such as a keyboard... Stick the device into a computer
  and it could execute commands or even a malicious program without the
  owner knowing.

  This is made worse by the fact that malware scanners cannot access the
  firmware running on USB devices, meaning they cannot fix the problem.
  ...
  The fact that BadUSB code is available on GitHub means that anyone
  with sufficient knowledge can hack a USB device in a similar way.


But that also means good guys can take the code and repurpose it to
create inexpensive dongles that type out high security pass phrases when
hotplugged. (In the video embedded in the article, one of the
researchers actually references the "Rubber Ducky" functionality.)

So the next thing I expect we'll see is a gizmo built on an Arduino or
Raspberry Pi that lets you plug in a USB drive and then exercises it to
see if it exhibits any malicious behavior.

If these drives look like an ordinary USB storage drive when first
attached, I wonder what they are using as a trigger to have them switch
into malicious keyboard mode? I don't think it can pose as both
simultaneously. The switch might occur after a simple count down timer
starting when it was powered up.

So the tester gizmo just needs to wait it out. Maybe you'll "quarantine"
your USB drives for 24 hours before attaching them to your real
computer. At least until the hackers increase the delay, or figure out
how to fingerprint the host they are attached to, and only go malicious
if it's the desired target (like a machine running Windows). There's a
good chance this sort of fingerprinting would be possible by looking at
how the OS interrogates the USB controller. So your tester would need to
have a custom USB driver that emulates Windows or OS X.

One way to address this vulnerability is to modify the OS to put up a
dialog any time a USB hotplug event is detected. "Found a new keyboard
device, identifying itself as ... If you did not just plug in a
keyboard, answer no. Use this device? Yes  No"

Of course the hackers could return an identification matching some very
popular USB keyboard and hope to get lucky, or pester the user enough
times so that they think their keyboard has a loose plug.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/