If i leave my screen locked and someone sticks in a thumbdrive that was manipulated using the bad USB exploit would an attack be possible?
2 Answers
The three most widely known ways that Bad USB affects a computer is:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
The device can also spoof a network card and change the computer’s DNS setting to redirect traffic.
A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
If your screen was locked, then discounting a brute force attack against the lock screen only (2) would apply, affecting any currently active or scheduled process that makes outbound connections from your computer. However, if these processes authenticate the remote server by use of TLS/SSL certificates then this threat would be mitigated.
- 33,408
- 6
- 67
- 178
-
How would this work? connecting an infected usb wlan thumbrive?BUt if the screen is locked how would it be possible to change the used internetconnection to this drive? – Junior J. Garland Aug 04 '15 at 12:56
-
The OS _may_ begin using the new interface as default without configuration if it is acting as a USB wireless card. – SilverlightFox Aug 04 '15 at 12:59
-
That's assuming the bad USB device isn't still plugged in when you unlock the screen. If it is, well, either a trigger looking for you to have typed in password (would need to be on same USB hub) or remote activation via radio or some such by the attacker having observation (through window or something?) – ewanm89 Jun 20 '16 at 13:06
Depends on the hardware group policy settings on the computer and hardware availability.
In many cases you can disable USB plugs on certain areas of the motherboards. Also windows does install drivers for connected active USB ports depending if your logged in or not. If the drive is plugged in and driver loaded by windows then the BAD USB could auto launch and begin running malicious code.
Group policy also sets permissions on if drives can be added or not. This helps prevent items from running. I am not sure what code is executed or at what stage of initialization of the drive but good deterrence is use of GPO and BIOS restrictions.
That is my first hand testing. Not sure what others could say. I can definitely see that if the drive is powered and it is initialized somehow with power code can be executed to inject a driver and run malicious code.
- 151
- 1
- 7
-
If i am not logged in the driver could be loaded but it should not be possible to run commands via terminal, is that right? – Junior J. Garland Aug 04 '15 at 13:43