Weaponized USB devices as an attack vector
Quote:

USB devices are the main source of malware for industrial control systems, said Luca Bongiorni of Bentley Systems during his talk at #TheSAS2019. Most people who are in any way involved with security have heard classic tales about flash drives “accidentally” dropped in parking lots — it’s a common security story that is just too illustrative not to be retold again and again.

Another — real — story of USB flash drives involved an employee working at an industrial facility who wanted to watch La La Land, so he downloaded the movie to a flash drive over lunch. So begins the story of how an air-gapped system at a nuclear plant got infected — it’s an all-too-familiar story of extremely avoidable critical infrastructure infection.

But people tend to forget that USB devices are not limited to flash drives. Human interface devices (HIDs) such as keyboards and mice, charging cables for smartphones, and even things like plasma balls and thermal mugs, can be tampered with to target industrial control systems.

A brief history of USB weapons

Despite people’s forgetfulness, weaponized USB devices are also not news. The first such devices were written up back in 2010. Based on a small programmable board called Teensy and equipped with a USB-connector, they were able to act like HIDs, for example, sending keystrokes to a PC. Hackers quickly realized the devices could be used for penetration testing and came up with a version programmed to create new users, run programs that added back doors, and inject malware either by copying it or downloading from a specified website.

The first version of this Teensy modification was called PHUKD. Kautilya, which was compatible with the more popular Arduino boards, followed. Then came Rubberducky — perhaps the best-known keystroke emulation USB tool, thanks to Mr. Robot, and looking just like the average thumb drive. A more powerful device called Bash Bunny was used in attacks against ATMs.

The person who invented PHUKD quickly came up with an idea and created a trojanized mouse with a pentesting board inside, so that in addition to working just like a regular mouse, it can do everything PHUKD is capable of. From a social-engineering perspective, using actual HIDs to penetrate systems might be even easier than employing USB sticks for the same purpose, because even the people who know enough not to insert an unknown thumb drive into their PC usually have no concerns about keyboards or mice.

The second generation of weaponized USB devices was created during 2014–2015 and included the infamous BadUSB-based devices. TURNIPSCHOOL and Cottonmouth, allegedly developed by the US National Security Agency (NSA), are also worth mentioning: They were devices so tiny that they could be fitted into a USB cable and used to exfiltrate data from computers (including computers not connected to any network). Just a simple cable — nothing anyone is concerned about, right?

The modern state of weaponized USB devices

The third generation of USB pentesting tools brings them to a whole new level. One such tool is WHID Injector, which is basically Rubberducky with a Wi-Fi connection. Because it has Wi-Fi, there’s no need to program it initially with all that it is supposed to do; a hacker can control the tool remotely, which provides more flexibility and also the ability to work with different operating systems. Another third-gen tool is P4wnP1, which is based on Raspberry Pi and is like Bash Bunny with some additional functionality, including wireless connectivity.

And, of course, both WHID Injector and Bash Bunny are small enough to be embedded into a keyboard or a mouse. This video demonstrates a laptop that is not connected to any networks by USB, Ethernet, or Wi-Fi but has a trojanized keyboard attached to it that allows a remote attacker to execute commands and run apps.