
From what I've seen, USB-based attacks such as RubberDucky need to be able to open a terminal and then execute commands from there, usually to download and then install malware or to open a reverse shell.

Is this how most, if not all USB-based infections operate? Would being able to detect and prevent keystroke injection ensure I would be safe from USB-based malware attacks?

If at all relevant to the question, key combinations used to send signals to the shell would be caught and detected alongside regular keystrokes.

edit: I am mostly concerned with USB-based attacks whose purpose is to infect a machine with malware and/or to open a backdoor through which to manipulate the system.

In the case of a reverse shell being opened, will the attacker still rely on executing commands? I.e., assuming that on the system in question there was only one terminal open or available, will I be able to see keystrokes if this attack were taking place?

In the case of data exfiltration, would there be ways for the malware on the hardware to mount the partition/filesystem and then copy the files without being able to enter keystrokes?

Anders
user942937
  • Here's a site with some listed: https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/ – Alex Probert Jan 23 '20 at 10:39
    Besides the other answers, don't forget the simplest attack of all: An infected file sitting on a flashdrive, waiting to be manually executed by the victim. – Potaito Jan 23 '20 at 14:15
    Also another main one being USB file exfiltration. – Alex Probert Jan 23 '20 at 15:27
    The USB device acting as either keyboard, mouse, ethernet adapter or WiFi adapter seem to be the main attack vectors, beside simply malicious files on a mass storage. – caw Jan 23 '20 at 23:07
    Not sure if that counts as "USB based attack", but the USB port could be used just for delivering power to a tiny microphone + wireless transmitter. – Gabriel Devillers Jan 24 '20 at 10:27
  • Considering that USB devices can present as several different kinds of devices, a vulnerability in the communications between a device and system could enable a malicious attack. A quick google search of "malware that exploits driver" finds a lot of pertinent results. – Nathan Goings Jan 24 '20 at 20:30
  • related: https://security.stackexchange.com/questions/118854/attacks-via-physical-access-to-usb-dma – Jasen Jan 25 '20 at 07:15
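The question asks whether detecting keystroke injection would catch a Rubber Ducky style device. One defensive heuristic, shown here as an added example (it is not code from the asker or any answer), is to look at inter-key timing: a scripted HID device types at a fixed, very short delay, while a human is slower and jittery. The script assumes a key-event log of (timestamp in ms, key) pairs as an input-event hook or keylogger-style monitor would produce; the events below are constructed.

```python
"""Heuristic detection of scripted keystroke injection from key-event timing.

Added example (not from the question or its answers). Assumes a log of
(timestamp_ms, key) events; the sample events below are constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List


@dataclass
class KeyEvent:
    t_ms: int   # arrival time in milliseconds
    key: str    # character produced by the key


@dataclass
class Burst:
    start: int          # index of the first event in the burst
    end: int            # index of the last event in the burst (inclusive)
    text: str           # what the burst typed, for triage
    mean_gap_ms: float  # average inter-key interval inside the burst


def typed(text: str, start_ms: int, gaps_ms: List[int]) -> List[KeyEvent]:
    """Construct events for `text`: first key at start_ms, then one key per gap (cycled)."""
    events, t = [], start_ms
    for i, ch in enumerate(text):
        if i:
            t += gaps_ms[(i - 1) % len(gaps_ms)]
        events.append(KeyEvent(t, ch))
    return events


def inter_key_intervals(events: List[KeyEvent]) -> List[int]:
    return [b.t_ms - a.t_ms for a, b in zip(events, events[1:])]


def find_injection_bursts(events: List[KeyEvent], window: int = 10,
                          max_mean_ms: float = 35.0, max_stdev_ms: float = 10.0) -> List[Burst]:
    """Flag runs of `window` consecutive gaps that are both very short and very regular.

    Requiring a whole window rather than a single fast pair avoids firing on
    key rollover or chords that a human produces occasionally.
    """
    events = sorted(events, key=lambda e: e.t_ms)
    gaps = inter_key_intervals(events)
    hits = [i for i in range(len(gaps) - window + 1)
            if mean(gaps[i:i + window]) <= max_mean_ms
            and pstdev(gaps[i:i + window]) <= max_stdev_ms]
    spans = []  # merge overlapping windows into one burst; gap i joins events i and i+1
    for i in hits:
        first, last = i, i + window
        if spans and first <= spans[-1][1]:
            spans[-1] = (spans[-1][0], last)
        else:
            spans.append((first, last))
    return [Burst(s, e, "".join(ev.key for ev in events[s:e + 1]),
                  float(mean(gaps[s:e]))) for s, e in spans]


# Constructed sample: a human sentence, then a scripted burst at a fixed 20 ms
# cadence, then the human again.
HUMAN_GAPS_MS = [120, 95, 210, 80, 140, 300, 110, 90, 180, 130, 100, 160, 250, 90]
SAMPLE_EVENTS = (typed("hello world!", 0, HUMAN_GAPS_MS)
                 + typed("echo scripted burst", 5000, [20])
                 + typed("ok", 9000, [150]))

if __name__ == "__main__":
    for b in find_injection_bursts(SAMPLE_EVENTS):
        print(f"scripted burst at events {b.start}-{b.end}: {b.text!r} ({b.mean_gap_ms:.0f} ms/key)")
```

The thresholds are assumptions to tune per environment; a device that deliberately adds random delays between keys will evade this, which is one reason the answers below point out that keystroke injection is only one of several USB vectors.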

8 Answers


There were also attacks based on the autoplay feature (other source), although I think this is a bit outdated with newer OSes like Windows 10. There are also USB Killers, which operate at the hardware level and kill your machine by sending high-current shocks.

Here's a list of other attacks that might fall in the same category, including but not limited to:

  • An attack that actually emulates a USB ethernet adapter, which then injects malicious DNS servers into DHCP communications, potentially changing the computer's default DNS servers to use these malicious ones; sites of interest (email, banking, ecommerce, etc) can then be mimicked remotely, and the victim redirected to the mimic sites via the malicious DNS server.
  • Attacks that use a small hidden partition on a mass storage device to boot and install a rootkit, while otherwise behaving like a normal mass storage device
  • Various attacks intended for data exfiltration on a secured device (generally only relevant to secure air-gapped computers that the attacker can get physical access to, such as a contractor with access to secure systems)
Doktor J
Lexu

Besides all previous good answers, there's another one that nobody mentioned: USB-based Ethernet devices. Like the excellent PoisonTap.

One can make the device register as an Ethernet device, and change the default route to the IP of the device. This way, every cleartext request and every DNS request will be sent to it, and a request for important domains (think of commonly used CDNs, like Cloudflare, Akamai, and the likes) can be poisoned.

If an HTTP request is made and the domain resolution was poisoned, the attacker can serve a malicious jquery.js file, for example, put a very long expiration header on the answer, and have a backdoored jquery running on every site that links to that script, for a long time after he removed the malicious device.

Other than this, the attacker can set up another host on the same network and change the default gateway too. This way, the attacker is in position to perform MitM against the host without resorting to ARP poisoning, which is noisy and can be caught pretty fast by the new firewalls. Being the gateway means any non-encrypted protocol can be attacked, recorded, edited, and any secrets captured.

Keystroke injection is a good attack, but the machine must be unlocked. Network-changing attacks will work even if the machine is locked; it only needs one process to try to resolve a domain and the result can be cached.

ThoriumBR
    Such a device can also establish an ordinary network connection with the host, enabling all of the usual network-based attacks to be executed right from the USB device. – Lily Finley Jan 23 '20 at 23:43
    I don't think an Ethernet device can _change_ the host DNS settings. It can offer a DHCP server and via DHCP offer a DNS server, but the host likely has a wired or Wifi network connection that also offers DNS. How it chooses between the two connections is unspecified. The bigger risk IMO is that the device _can_ claim a shorter direct route to the public internet, as the real connection is likely through a router. That means the device can offer a direct route to 8.8.8.8 and 1.1.1.1 – MSalters Jan 24 '20 at 13:24
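The first answer's DHCP/DNS injection and the PoisonTap-style answer above (including the comment about the device claiming a "shorter" route to public resolvers) both come down to the host's routing table and resolver configuration changing when a USB NIC appears. As an added example, not code from either answer or from PoisonTap, the following audit parses text in the format of `ip route show` and /etc/resolv.conf and reports every route or resolver outside an allowlist; the route and resolver samples are constructed. USB NICs commonly get enx<MAC> names under systemd's predictable naming, but trust here is decided by the allowlist, not the name.

```python
"""Audit the routing table and resolver for a rogue USB network adapter.

Added example (not from the answers or PoisonTap). Assumes input in the format
of `ip route show` and /etc/resolv.conf; the samples below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)(?P<rest>.*)$")


@dataclass
class Route:
    dst: str
    gw: Optional[str]
    dev: str
    metric: int
    link_scope: bool  # the interface's own subnet (proto kernel scope link)


def parse_routes(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        metric = re.search(r"\bmetric (\d+)", rest)
        routes.append(Route(m["dst"], m["gw"], m["dev"],
                            int(metric.group(1)) if metric else 0,
                            "scope link" in rest))
    return routes


def parse_nameservers(text: str) -> List[str]:
    return [parts[1] for parts in (l.split() for l in text.splitlines())
            if len(parts) > 1 and parts[0] == "nameserver"]


def audit(routes_text: str, resolv_text: str,
          trusted_devs: Set[str], trusted_dns: Set[str]) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for anything routed or resolved outside the trusted set."""
    routes = parse_routes(routes_text)
    findings = []
    for dev in sorted({r.dev for r in routes} - trusted_devs):
        findings.append(("untrusted_interface", dev))
    trusted_default = min((r.metric for r in routes
                           if r.dst == "default" and r.dev in trusted_devs), default=None)
    for r in routes:
        if r.dev in trusted_devs or r.link_scope:
            continue  # the rogue NIC's own subnet route is expected; anything else is not
        if r.dst == "default":
            detail = f"via {r.gw} dev {r.dev} metric {r.metric}"
            if trusted_default is not None and r.metric < trusted_default:
                detail += " (preferred over trusted default)"
            findings.append(("default_route", detail))
        else:  # a host/prefix route claiming a "shorter" path, e.g. to a public resolver
            findings.append(("host_route", f"{r.dst} via {r.gw} dev {r.dev}"))
    for ns in parse_nameservers(resolv_text):
        if ns not in trusted_dns:
            findings.append(("resolver", ns))
    return findings


# Constructed samples: wlan0 is the real uplink; enx001122334455 is a USB adapter
# that offered DHCP with itself as gateway, a lower metric and direct routes to
# public DNS addresses.
ROUTES_ROGUE = """\
default via 10.0.0.1 dev enx001122334455 proto dhcp metric 100
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
8.8.8.8 via 10.0.0.1 dev enx001122334455 proto dhcp
1.1.1.1 via 10.0.0.1 dev enx001122334455 proto dhcp
10.0.0.0/24 dev enx001122334455 proto kernel scope link src 10.0.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
"""
RESOLV_ROGUE = "nameserver 10.0.0.1\nnameserver 192.168.1.1\n"
ROUTES_CLEAN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600
"""
RESOLV_CLEAN = "nameserver 192.168.1.1\n"
TRUSTED_DEVS, TRUSTED_DNS = {"wlan0", "lo"}, {"192.168.1.1"}

if __name__ == "__main__":
    for kind, detail in audit(ROUTES_ROGUE, RESOLV_ROGUE, TRUSTED_DEVS, TRUSTED_DNS):
        print(f"{kind}: {detail}")
```

Run periodically or from a udev/NetworkManager hook, this catches the locked-machine case the answer describes: the route and resolver changes are visible to the host even when no one is logged in. On Linux, /sys/class/net/<if>/device resolves to a path under the USB bus for USB NICs, which is a better basis for the allowlist than interface names.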

No, there are others.

USB Killer, for example, is a device that aims to damage your hardware by applying a high voltage to the data lines.

An attacker could use such a device to bait employees to involuntarily damage company hardware, resulting in a loss of availability and monetary damages.

  • Fun fact, a bit of circuit wizardry may be able to multiply voltage from a button cell battery, making a flash-drive-sized USB killer (albeit possibly somewhat less effective if the ports are properly fused) – Doktor J Feb 12 '20 at 19:25

Infamously, Stuxnet exploited a feature of Windows that automatically installs USB drivers on a USB stick when inserted as long as the drivers have appropriate digital signatures. The Stuxnet virus had drivers that were signed with a Microsoft-owned private key. It's not publicly known how that particular Microsoft private key was obtained -- whether it was stolen, or whether Microsoft collaborated in the attack.

Stuxnet was designed to breach internet-connected networks in Iran. Stuxnet would then copy the drivers onto USB sticks inserted into devices on the infected network. When operators in Iran's nuclear processing plants used those USB sticks to move data to their air-gapped secure network, the drivers would get installed on machines on the other side of the air gap, getting Stuxnet one step closer to its final goal: destroying networked industrial controllers for the centrifuges Iran used to refine uranium.

At least one virus used drivers signed with a private key stolen from an Asian USB device manufacturer, which was subsequently revoked.

According to material in NSA Cyberwarfare user manuals, leaked by Wikileaks, one of the attack options is for "brief access to a computer's USB port". So presumably, the NSA has (or had) attacks that could infect computer systems just by inserting a USB stick.

Robin Davies
  • Possibly the key was made using the recently-discovered bug in Windows 10, with the crypt32.dll library, which allowed signing a file as if Microsoft had done it themselves. – Ismael Miguel Jan 24 '20 at 12:33
    @IsmaelMiguel: Impossible. Windows 7 is not affected by that bug, and if it were used here it would have been known a long time ago. – Joshua Jan 24 '20 at 19:18

In some cases, acting as a mass storage device will enable a lot of havoc.

Any operating system that will autoplay anything (no longer implemented for good reason these days) is vulnerable - this will at least enable the attacker to do a lot of things at the privilege level of the person logged in; in case any local privilege escalation is taken advantage of, even more.

Any OS or desktop environment that previews files ... and has an exploitable buffer overflow or similar vulnerability in any preview handler ... can be made to do the same.

Any device that is set up to boot off removable media can obviously be made to do almost anything, except when whatever information you want to access is encrypted - though a malicious bootable device might perfectly well emulate the key entry screen for a manual-key-entry full disk encryption system and go for it ....

An operating system that has a buffer overflow or similar vulnerability that can be triggered with a corrupt filesystem is also vulnerable. The same applies to vulnerabilities that can be triggered by unexpected dynamic changes in filesystem structures - USB mass storage devices could be emulated by active code....

Also, a vulnerable MTP or custom camera/scanner or similar driver could be exploited.

rackandboneman
  • Besides active file content attacks, there have also been (Linux) kernel bugs in filesystem handling code where parsing filesystem data structures can cause buffer overflows or similar problems. – eckes Jan 24 '20 at 13:01

There are some other examples of USB attacks, in addition to the ones mentioned above. For example, the PS3 was first jailbroken using a USB stick that presented itself as a USB hub with a lot of devices attached and specially crafted device identifiers. This allowed for code execution.

Mavamaarten

Together with the great answers already provided, I want to add a first-hand experience relevant for Windows systems.

At my university a few years ago, some infected USB keys started appearing with malware that worked like this:

  • When a key was infected, all files were moved to a hidden, system-protected folder.
  • A special link was created and given the same name as the USB key and the icon Windows uses for external disks.

When an unsuspecting person accessed the infected USB key, they would open the drive and then, without thinking about it, open the link. The link would open the hidden folder, but at the same time would install the malware on the PC.

The malware would then start listening for new USB keys, to infect them, and would also start listening for commands from a remote server, probably becoming part of a botnet or such.

So yeah, sometimes USB attacks rely on naive users.

bracco23
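The pattern in this answer (a hidden, system-protected folder holding the user's files next to a shortcut carrying the volume's own name and icon) is very specific, so it can be checked for before anything on the drive is opened. The following is an added example, not the poster's code: it scores a model of the volume root built from constructed entries, and on Windows the same fields can be filled from `os.scandir()` using `st_file_attributes` with the `stat.FILE_ATTRIBUTE_HIDDEN` and `stat.FILE_ATTRIBUTE_SYSTEM` flags. The severity levels and the decoy/stash naming are assumptions of this example.

```python
"""Spot the "shortcut named after the drive" infection pattern on a removable volume.

Added example (not from the answer). Works on a constructed model of the volume
root; scan_root() shows how to fill that model on Windows but is not needed here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Legitimate hidden+system directory that Windows itself creates on removable volumes.
EXPECTED_HIDDEN_DIRS = {"system volume information"}


@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool = False
    system: bool = False


def assess_volume(volume_label: str, root: List[Entry]) -> Tuple[Optional[str], List[str]]:
    """Return (severity, reasons); severity is None, "low", "medium" or "high"."""
    reasons = []
    decoys = [e for e in root if not e.is_dir and e.name.lower().endswith(".lnk")
              and e.name[:-4].lower() == volume_label.lower()]
    stash = [e for e in root if e.is_dir and e.hidden and e.system
             and e.name.lower() not in EXPECTED_HIDDEN_DIRS]
    visible = [e for e in root if not e.hidden and not e.system]
    if decoys:
        reasons.append(f"shortcut {decoys[0].name!r} is named after the volume label")
    if stash:
        reasons.append(f"unexpected hidden+system folder {stash[0].name!r} at the root")
    if decoys and stash and len(visible) == len(decoys):
        reasons.append("the shortcut is the only visible item: user files appear to have been moved")
        return "high", reasons
    if decoys and stash:
        return "medium", reasons
    if reasons:
        return "low", reasons
    return None, reasons


def scan_root(path: str) -> List[Entry]:
    """Windows only: build Entry objects from a real volume root (not exercised offline)."""
    import os
    import stat
    entries = []
    for d in os.scandir(path):
        attrs = d.stat(follow_symlinks=False).st_file_attributes
        entries.append(Entry(d.name, d.is_dir(follow_symlinks=False),
                             bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
                             bool(attrs & stat.FILE_ATTRIBUTE_SYSTEM)))
    return entries


# Constructed volume roots for a drive labelled KINGSTON (label is an assumption).
INFECTED = [Entry("KINGSTON.lnk", False),
            Entry("_", True, hidden=True, system=True),
            Entry("System Volume Information", True, hidden=True, system=True)]
CLEAN = [Entry("thesis.docx", False), Entry("photos", True),
         Entry("System Volume Information", True, hidden=True, system=True)]
PARTIAL = INFECTED + [Entry("notes.txt", False)]  # user files still visible next to the decoy

if __name__ == "__main__":
    for label, root in (("INFECTED", INFECTED), ("PARTIAL", PARTIAL), ("CLEAN", CLEAN)):
        severity, reasons = assess_volume("KINGSTON", root)
        print(label, severity, reasons)
```

The check deliberately ignores "System Volume Information", which Windows creates as a hidden system folder on every volume, so a clean drive scores None rather than producing a false positive.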

USB interface can give you access to the CPU if you have (or not?) the keys to sign the CPU firmware. Can't remember where I read this, some website for conspiracy theories maybe.

It's not impossible to obtain the keys, see how Microsoft allegedly collaborated with Stuxnet creators. Intel may collaborate with the malware creators too just like Microsoft. Or the malware creators can steal the keys.

Once the malware is installed into the CPU there is no way for the OS to test for such malware. According to the anonymous conspiracy theorists all popular CPUs (Intel, AMD) have malware installed with backdoors to be (ab)used by the three letter agencies.

But it's probably not true, because such conspiracies do not exist in the real world. Nothing to see here, go to sleep.

This is why some paranoid individuals and organizations are using air-gapped computers in Faraday cages.

I think that there should be a physical switch (jumper) on the motherboard to enable/disable firmware updates.