At the back end of 2018, a member of our commercial team was sent a USB device by one of our larger suppliers. The device was simply a ‘big red button’ connected via USB.
When this arrived, it was handed to our IT team, who had the job of validating that it was legitimate. Using an isolated laptop, our team inserted the device and pressed the button. We were astonished when we saw the Run box appear and a web browser open. The laptop, whilst isolated, is subject to the same configuration we put on our corporate devices.
This raised alarm bells in the room, and so it was handed to me to look into further. When I examined the device in more depth and monitored the steps it took, it was clear that it could have been used for some very nefarious ends, had it been designed that way.
The device carried out the following steps, all of them as keystrokes sent to the host, exactly as if someone were typing them:
- Presses [WIN]+[R] to open the Windows Run dialog
- Types in the partner portal web address and submits it
- The default web browser opens at the portal's login page
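To make the mechanism concrete, here is an added example (not code from the original post or from the supplier's device) that encodes the same three steps as the 8-byte USB HID boot-keyboard reports a Rubber Ducky style device sends to the host. The URL is a placeholder, since the real partner portal address is not reproduced; the key map assumes a US keyboard layout; and /dev/hidg0 is an assumed Linux USB-gadget device path that send() only touches if you run it on such a board.

```python
# Added example (not from the original post): the observed payload,
# [WIN]+[R], type a web address, [ENTER], encoded as the 8-byte USB HID
# boot-keyboard reports a Rubber Ducky style device sends. The URL is a
# placeholder (the real partner portal address is not reproduced), the
# key map assumes a US layout, and /dev/hidg0 is an assumed Linux
# USB-gadget device path used only if you call send() on such a board.
import time

MOD_LSHIFT = 0x02   # modifier byte bits (USB HID Usage Tables, keyboard page)
MOD_LGUI = 0x08     # left GUI is the Windows key
KEY_ENTER = 0x28

# Usage IDs for unshifted characters: a..z are 0x04.., 1..9,0 are 0x1E..0x27.
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("1234567890")})
_PLAIN.update({"-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31,
               ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37,
               "/": 0x38, " ": 0x2C})
# Characters typed as Left Shift plus another key's usage ID.
_SHIFTED = {"!": "1", "@": "2", "#": "3", "$": "4", "%": "5", "^": "6",
            "&": "7", "*": "8", "(": "9", ")": "0", "_": "-", "+": "=",
            "{": "[", "}": "]", "|": "\\", ":": ";", '"': "'", "~": "`",
            "<": ",", ">": ".", "?": "/"}


def report(modifiers=0, key=0):
    """One boot-protocol report: modifier bits, reserved byte, six key slots."""
    return bytes([modifiers, 0, key, 0, 0, 0, 0, 0])


RELEASE = report()  # all-zero report: every key released


def press(modifiers, key):
    """A keystroke is a press report followed by a release report."""
    return [report(modifiers, key), RELEASE]


def type_string(text):
    """Translate text into keystrokes the way a Ducky Script STRING line does."""
    reports = []
    for ch in text:
        if ch.isupper():
            reports += press(MOD_LSHIFT, _PLAIN[ch.lower()])
        elif ch in _SHIFTED:
            reports += press(MOD_LSHIFT, _PLAIN[_SHIFTED[ch]])
        else:
            reports += press(0, _PLAIN[ch])
    return reports


def run_box_payload(url):
    """[WIN]+[R], the URL, [ENTER]: what the big red button sent."""
    return press(MOD_LGUI, _PLAIN["r"]) + type_string(url) + press(0, KEY_ENTER)


def send(reports, device="/dev/hidg0", delay=0.01):
    """Write reports to a HID gadget. The small delay is what makes the host
    register each press; it is also the timing tell-tale a detector can use."""
    with open(device, "wb", buffering=0) as hid:
        for r in reports:
            hid.write(r)
            time.sleep(delay)


if __name__ == "__main__":
    payload = run_box_payload("https://portal.example.com/login")
    print(f"{len(payload)} reports, first: {payload[0].hex()}")
```

Nothing in the payload is privileged or exotic: the host sees a keyboard pressing the Windows key and a few letters, and it does whatever the logged-in user could do by typing the same thing.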
Whilst I was aware that this technology has existed since around 2010 (the USB Rubber Ducky and others), seeing such a well-respected hardware and security vendor send out this kind of device sent shivers down my spine.
The adoption of USB
Over the last decade or two, computer peripherals have become almost entirely USB based. Whilst this has been good for compatibility with generic devices, it has massively decreased the physical security of the machines they plug into: the host trusts anything that enumerates as a keyboard and lets it act with the privileges of whoever is logged in.
Take the following scenario…
You have a receptionist who sits in a public area of your building. A man walks in off the street at lunchtime and asks to see another employee. The receptionist calls the employee, but they are away from their desk, so the receptionist puts their head around the door to see whether the employee is eating lunch in the main office.
Whilst the receptionist's back is turned, the man plugs a small USB device into the reception PC. The device looks like a wireless keyboard dongle and, once installed, shows up as a Human Interface Device (a keyboard or mouse). It is a keystroke injector in the style of the 'USB Rubber Ducky', programmed with a malicious payload. Voila, the man has a foothold on your network: he can search for data, monitor network traffic and take control of your systems.
For the purpose of this example, let's say that the payload downloads and installs TeamViewer, sets the local password and sends the ID and password to the man who plugged in the device. He now has access to this PC and, through it, to whatever the logged-in user can reach: the network, servers and other computers in the company. This company has been pwn'd.
Whilst this kind of scenario may seem unrealistic to most companies, let’s change it a little bit to make it more relevant…
You have an employee who doesn't like the manufacturer's keyboard that came with their work PC. They have asked their line manager to buy an expensive wireless keyboard and mouse set, and the line manager has refused. Out of frustration, the employee goes on Amazon and buys a gaming mouse and keyboard from a vendor in Russia. The set looks like a legitimate brand, but its price is less than a third of the branded product's.
When it arrives, the employee takes it into the office and smugly plugs it into the PC. The PC automatically installs the drivers for the device. Unbeknownst to the employee, the keyboard has been modified to inject keystrokes in the same way as the dongle in the previous example. In this instance the PC is now accessible to a cyber criminal in Russia, who is able to access it remotely.
USB Rubber Ducky
Since 2010, the USB Rubber Ducky has been a favourite among hackers for turning brief physical access to a server or workstation into lasting remote access. Whilst it used to be the case that you would walk up to a computer or server (like the one in reception) and plug in what looked like a USB thumb drive, in recent years the same technique has been embedded into other USB devices, such as keyboards, mice and webcams. These products are then bought as cheap devices from sites such as Amazon and eBay and plugged in by the purchaser, effectively doing the hacker's job for them…
One of the biggest issues with these devices is that they present themselves as Human Interface Devices (HID), exactly like a keyboard, which makes them extremely difficult to detect and block: at the USB level the host cannot tell a keystroke injector from a legitimate keyboard. If you block USB keyboards, the user can't type.
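Because the device class gives you nothing to block on, the practical signal is behaviour rather than identity: an injector types far faster and more evenly than any person. The following is an added example, not code from the original post, of a keystroke-timing check that flags such bursts per source device. The events are constructed for the example rather than captured from a real host, the device strings are illustrative instance IDs, and the per-device attribution assumes an agent that can learn which HID keyboard produced each keystroke (on Windows, Raw Input reports the source device handle with each event).

```python
# Added example (not from the original post): a keystroke-timing check,
# one of the few signals that separates an injected payload from a person
# typing. The events below are constructed for the example, not captured
# from a real host; the device strings are illustrative instance IDs that
# an agent would obtain from the OS (e.g. the Raw Input device handle on
# Windows) so that keystrokes can be attributed to the keyboard that sent them.
from dataclasses import dataclass


@dataclass
class KeyEvent:
    t: float       # seconds
    key: str
    device: str    # which HID keyboard produced the keystroke


HUMAN_MIN_INTERVAL = 0.040  # 40 ms between keys is faster than sustained human typing
BURST_LEN = 8               # flag when this many consecutive keys arrive that fast


def find_injection_bursts(events, min_interval=HUMAN_MIN_INTERVAL, burst_len=BURST_LEN):
    """Return (device, start, end, count) for every run of at least burst_len
    keystrokes from one device in which every gap is below min_interval.
    Grouping per device matters: a person and an injector typing at the same
    time must not mask each other."""
    by_device = {}
    for ev in sorted(events, key=lambda e: e.t):
        by_device.setdefault(ev.device, []).append(ev)

    bursts = []
    for device, evs in by_device.items():
        start = 0
        for i in range(1, len(evs) + 1):
            # A run ends at the first slow gap, or at the last event.
            if i == len(evs) or evs[i].t - evs[i - 1].t >= min_interval:
                if i - start >= burst_len:
                    bursts.append((device, evs[start].t, evs[i - 1].t, i - start))
                start = i
    return bursts


def constructed_events():
    """Constructed sample: a person typing at ~150 ms per key on the usual
    keyboard, then an injector replaying the Run-box payload at 5 ms per key."""
    human = [KeyEvent(10.0 + 0.15 * i, k, "HID\\VID_046D&PID_C31C\\7&1A2B")
             for i, k in enumerate("hello world")]
    payload = ["GUI+r"] + list("https://portal.example.com") + ["ENTER"]
    injected = [KeyEvent(20.0 + 0.005 * i, k, "HID\\VID_1234&PID_0001\\6&3C4D")
                for i, k in enumerate(payload)]
    return human + injected


if __name__ == "__main__":
    for device, start, end, count in find_injection_bursts(constructed_events()):
        print(f"{count} keystrokes in {end - start:.3f}s from {device}: likely injection")
```

The thresholds are assumptions to tune for your estate; a fast typist can dip under 40 ms for a few keys, which is why the check requires a sustained run rather than a single short gap. A Ducky payload written with generous DELAY lines can slip under a timing check, so treat this as one signal to pair with device inventory (a second keyboard appearing on a machine that already has one), not as a complete defence.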
What Can You Do?
There are a number of techniques you can use to detect and block rogue devices, and to protect your systems from the actions these devices typically take.