Why the Security of USB Is Fundamentally Broken | Threat Level | WIRED

Computer users pass around USB sticks like silicon business cards. The Wired article Why the Security of USB Is Fundamentally Broken (http://www.wired.com/2014/07/usb-security/) notes that we typically depend on antivirus scans and the occasional reformatting to keep our thumb drives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than that: their risk isn't just in what they carry, it's built into the core of how they work. The security of USB devices has long been fundamentally broken: USB firmware (which exists in varying forms in all USB devices) can be reprogrammed to hide attack code, and a USB device with such firmware can completely take over a PC. The firmware of many USB devices can also be reprogrammed by malware already on that PC, converting an innocent device into an attack tool. All this is nearly impossible to counter without banning the sharing of USB devices or filling your ports with superglue. The short-term solution to BadUSB isn't a technical patch so much as a fundamental change in how we use USB gadgets.



  1. Tomi Engdahl says:

    New Offensive USB Cable Allows Remote Attacks over WiFi

    Like a scene from a James Bond or Mission Impossible movie, a new offensive USB cable plugged into a computer could allow attackers to execute commands over WiFi as if they were using the computer’s keyboard.

    When plugged into a Linux, Mac, or Windows computer, this cable is detected by the operating system as a HID or human interface device. As HID devices are considered input devices by an operating system, they can be used to input commands as if they are being typed on a keyboard.

    Created by security researcher Mike Grover, who goes by the alias _MG_, the cable includes an integrated WiFi PCB that was created by the researcher. This WiFi chip allows an attacker to connect to the cable remotely to execute command on the computer or manipulate the mouse cursor.

    In a video demonstration by Grover, you can see how the researcher simply plugs a cable into a PC and is able to connect to it remotely to issue commands through an app on his mobile phone.

  2. Tomi Engdahl says:

    A Malicious WiFi Backdoor In A Keyboard’s Clothing

    The USB Rubber Ducky burst onto the scene a few years ago, and invented a new attack vector – keystroke injection. The malicious USB device presents itself as a keyboard to the target system, blurting out keystrokes at up to 1000 words per minute. The device is typically used to open a phishing site or otherwise enter commands to exfiltrate data from the victim. Now things have stepped up a notch, with ESPloitV2 – a WiFi-enabled take on the same concept.


  3. Tomi Engdahl says:

    A malicious USB cable with its own wifi rig

    MG has built a proof-of-concept malicious USB cable with a tiny wifi radio hidden inside of it, able to wirelessly exfiltrate stolen data; he calls it the O.MG, and while the prototype cost him $4k and took 300 hours, he’s working with a team on a small production run for other security researchers to play with.

  4. Tomi Engdahl says:

    Thunderclap Vulnerabilities Allow Attacks Using Thunderbolt Peripherals

    Modern computers that come with a Thunderbolt interface and run Windows, macOS, Linux, or FreeBSD are vulnerable to a range of Direct Memory Access (DMA) attacks performed by potential attackers with physical access to the device using malicious peripherals.

    The security flaws collectively dubbed “Thunderclap” can be exploited to run arbitrary code using the highest possible privilege level on the system to potentially access or steal “passwords, banking logins, encryption keys, private files, browsing,” and other sensitive data present on machines that come with ports for peripherals that use PCI Express (PCIe) and USB-C ports.

  5. Tomi Engdahl says:

    WiFi Hides Inside a USB Cable

    If you weren’t scared of USB cables before, you should be now. The O.MG cable (or Offensive MG kit) from [MG] hides a backdoor inside the shell of a USB connector. Plug this cable into your computer and you’ll be the victim of remote attacks over WiFi.

    You might be asking what’s inside this tiny USB cable to make it susceptible to such attacks. That’s the trick: inside the shell of the USB ‘A’ connector is a PCB loaded up with a WiFi microcontroller — the documentation doesn’t say which one — that will send payloads over the USB device. Think of it as a BadUSB device, like the USB Rubber Ducky from Hak5, but one that you can remote control. It is the ultimate way into a system, and all anyone has to do is plug a random USB cable into their computer.

  6. Tomi Engdahl says:

    Attorney: Mar-a-Lago Infiltrator Had Hidden-Camera Detector

    A Chinese woman recently arrested at President Donald Trump’s Mar-a-Lago club lied repeatedly to Secret Service agents while carrying computer malware unlike anything a government analyst had ever seen and had more than $8,000 in cash at her hotel room, along with an electronic device that detects hidden cameras, federal authorities told a judge Monday.

    Assistant U.S. Attorney Rolando Garcia told Magistrate Judge William Matthewman during a bond hearing that “there are a lot of questions that remain”

    “She lies to everyone she encounters,” Garcia told the judge. He said that not only did Zhang falsely tell a Secret Service agent at a Mar-a-Lago checkpoint that she was a member there to use the pool, even though she had no swimsuit, she told agents she was carrying her computer gear because she was afraid the items would be stolen if she left them in her hotel room.

    Secret Service agent Samuel Ivanovich told the judge that when an agency analyst uploaded the malware found on Zhang’s thumb drive, it immediately began installing on the analyst’s computer and corrupting its files.

    “That was something that had never happened before,” Ivanovich told the judge. He said the analyst immediately shut down the computer to protect it. He said the malware’s ultimate purpose remains unknown.

    When agents analyze suspicious devices that might contain malicious software, it is done in a controlled environment and not performed on a computer connected to any government networks, according to Secret Service officials.

  7. Tomi Engdahl says:

    No one, not even the Secret Service, should randomly plug in a strange USB stick

    alarm bells ringing was how the Secret Service handled the USB drive, which cannot be understated — it was not good.

    agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis.

  8. Tomi Engdahl says:

    Secret Service learns why you don’t plug strange USB drives into computers

  9. Tomi Engdahl says:

    Another reason why not to plug in strange USB sticks. I call it pharming – seeding a target’s parking lot/lobby with USB sticks with labels like “employee termination”.

    Video is great, it demos the USB kill on a car, TV, phones... anything with a USB port is suspect, about 95%.

  10. Tomi Engdahl says:

    Weaponized USB devices as an attack vector

    USB devices are the main source of malware for industrial control systems, said Luca Bongiorni of Bentley Systems during his talk at #TheSAS2019. Most people who are in any way involved with security have heard classic tales about flash drives “accidentally” dropped in parking lots — it’s a common security story that is just too illustrative not to be retold again and again.

    The first such devices were written up back in 2010. Based on a small programmable board called Teensy and equipped with a USB-connector, they were able to act like HIDs, for example, sending keystrokes to a PC.

    The person who invented PHUKD quickly came up with an idea and created a trojanized mouse with a pentesting board inside.

    The second generation of weaponized USB devices was created during 2014–2015 and included the infamous BadUSB-based devices.

    The modern state of weaponized USB devices

    The third generation of USB pentesting tools brings them to a whole new level. One such tool is WHID Injector, which is basically Rubberducky with a Wi-Fi connection. Because it has Wi-Fi, there’s no need to program it initially with all that it is supposed to do; a hacker can control the tool remotely, which provides more flexibility and also the ability to work with different operating systems. Another third-gen tool is P4wnP1, which is based on Raspberry Pi and is like Bash Bunny with some additional functionality, including wireless connectivity.

  11. Tomi Engdahl says:

    An Open Hardware Rubber Ducky

    it’s not an open source version of Bert’s favorite bathtime toy (though seriously, let us know if you see one), the PocketAdmin by [Radik Bechmetov] is intended to be an alternative to the well-known “USB Rubber Ducky” penetration testing tool from Hak5. It might look like a standard USB flash drive, but underneath that black plastic enclosure is a whole lot of digital mischief waiting to spill out.

    The general idea is that the PocketAdmin appears to the host computer as either a USB Human Interface Device (keyboard, mouse, etc) or a USB Mass Storage Device. In either event, the user has the ability to craft custom payloads which can exploit the operating system’s inherent trust in locally connected devices. The most common example is mimicking a USB keyboard that starts “typing” once connected to the computer.


  12. Tomi Engdahl says:

    High Precision Analog IO With Digital Pins

    How to make ‘High-Resolution’ Sensor Readings with DIGITAL I/O pins

    For more than a year we’ve been oversampling the Arduino’s humble ADC to get >16bit ambient temperature readings from a 20¢ thermistor. That pin-toggling method is simple and delivers solid results, but it requires the main CPU to stay awake long enough to capture multiple readings for the decimation step. (~200 milliseconds @ 250 kHz ADC clock)

  13. Tomi Engdahl says:

    Maybe one of these (knock off) digispark Kickstarter dev boards:


    If this was loaded with the V-USB firmware then you have a keylogger. You may be able to download the firmware if they left the protection fuses intact.

  14. Tomi Engdahl says:

    These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer

    It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

  15. Tomi Engdahl says:

    Why You Should Never Borrow Someone Else’s Charging Cable

    Protect your charging cables like you protect your passwords, say cybersecurity experts.

    “There are certain things in life that you just don’t borrow,” says Charles Henderson, Global Managing Partner and Head of X-Force Red at IBM Security. “If you were on a trip and realized you forgot to pack underwear, you wouldn’t ask all your co-travelers if you could borrow their underwear. You’d go to a store and buy new underwear.”

    Malicious charging cables aren’t a widespread threat at this time, says Henderson, “Mainly because this kind of attack doesn’t scale real well, so if you saw it, it would be a very targeted attack.”

  16. Tomi Engdahl says:

    You probably know better than to plug a USB flash drive from an unknown source into your computer. It could infect your machine with malicious code. But would you think twice about a cord? You should.

    Kevin Mitnick hands me an iPhone charging cable. Like a magician, he asks me to inspect it. It looks kosher. He plugs it into a…


  17. Tomi Engdahl says:

    Avoid charging your phones, laptops etc via unknown cables !

    The O.MG cable can be controlled through its wireless interface and is a malicious cable that allows payloads to be sent remotely to your device once you plug it into your device to charge it (it looks like a genuine charging cable). It has boot payloads and can remove all its firmware (without leaving any trace that can be used by forensics to establish any proof that it was used to hack). This project was initiated by Mike Grover.


  18. Tomi Engdahl says:

    Rawcoon USB Device Allows Users to Automate Anything and Collect Assets

    There are a ton of USB devices on the market or at any number of DIY websites that allow users to inject custom script for everything from data acquisition to automation. It seems as if most of these types of devices are used to carry out HID (Human Interface Device) attacks, keystroke data logging, monitoring incoming/outgoing traffic, or other illegal applications and exploitations. Rubber Ducky, PCsync, and USB Kill are prime examples of devices designed for illicit activities.

    A new USB device from Switzerland-based Rawcoon joins that pile of fine-line (legal/illegal) hardware and claims to “automate anything you want,” by merely plugging it into any available port.

    It sends keystrokes to open a terminal, download your script and execute it.

    As with most any USB automation devices, there are drawbacks to employing the technology. In the case of the Rawcoon, the PC it’s used with must have an internet connection, as the device is used in conjunction with an app that stores scripts in user accounts rather than locally.

    Rawcoon is compatible with Windows 10, Linux (all distributions with GNOME/MATE desktop), BSD (with GNOME/MATE desktop), and Mac OS, as well as QWERTY, QWERTZ, and AZERTY keyboard layouts.


  19. Tomi Engdahl says:

    The worst cyber attack in DoD history came from a USB drive found in a parking lot

    The media dubbed it “The Worm that Ate the Pentagon” and it was the most serious breach of the Pentagon’s classified computer systems. In November 2008, the Army caught a worm called Agent.btz crawling through the Defense Department’s Secret Internet Protocol Router Network – the classified SIPRNet

    The worst breach of U.S. military computers in history begins in 2008, in a parking lot at a U.S. military installation in the Middle East. A flash drive infected with a virus called “agent.btz” was inserted into a DoD computer network and quickly spread throughout the U.S. military’s classified and unclassified networks. Data – anything on these networks – could now be transferred to other servers under the control of agent.btz’s creator. The worst part is that no one knew it was there, what it might have sent, and to whom the information went.

  20. Tomi Engdahl says:

    How long until someone does this


  21. Tomi Engdahl says:

    Keep in mind that PS/2 connections can also be exploited, if you have physical access to them.

    It is possible to replace a PS/2 keyboard or mouse with an emulator that sends whatever key presses and mouse clicks you want.


    This library allows an Arduino to emulate a PS/2 keyboard and/or mouse, so you can implement your own PS/2 keyboard or whatever…

  22. Tomi Engdahl says:

    Beware! A terrifying surprise can lurk inside an ordinary USB cable

    Those working in information security have known for years about the vulnerability known as BadUSB. It allows a computer’s USB port to be used for various attacks. One of the recent applications of the technique goes by the name Evil Crow Cable, where the attack technique is packaged into a USB cable that looks entirely ordinary from the outside.

  23. Tomi Engdahl says:

    How to Catch USB Rubber Duckies on Your Computer with USBRip

    If left unattended, a hacker with a USB Rubber Ducky and physical access to the computer can infiltrate even the most secure computer. Such attacks often go undetected without the use of a tool like USBRip, which can provide you with assurance that your device hasn’t been compromised.

  24. Tomi Engdahl says:

    How to Catch USB Rubber Duckies on Your Computer with USBRip « Null Byte :: WonderHowTo

    A human-interface device, or HID, is any device that is used by a person to control a computer; keyboards and computer mice are prominent examples. HIDs have elevated privileges compared to a program or a script because the operating system assumes that commands from an HID are coming from a person with permission to use the computer.

    Hackers have created tools, such as the USB Rubber Ducky, which exploits the inherent trust between a computer and an HID. While a USB Rubber Ducky mimics the look of a standard flash drive, when plugged into a computer, it acts as a keyboard that can input prerecorded keystrokes and commands at lightning speeds.

    Because the computer believes that the USB Rubber Ducky is just another keyboard, it will execute the commands immediately without giving the target any visible warning that they were compromised. As long as the Ducky Script is careful about cleaning up after itself — by closing all windows it opened, erasing the terminal history, and making the computer appear to be in the same state that the target left it in — an attack can go completely undetected.

    That doesn’t mean it’s impossible to prevent against or detect these kinds of attacks. There are some tools out there, such as DuckHunter, that aim to limit the impact of HID attacks by watching for suspicious behavior like keystrokes that are typing too fast. While the DuckHunter project hasn’t been updated since 2017, there is another tool that can provide evidence of an HID attack, which is both powerful and currently maintained.

    USBRip takes advantage of system logs to show a complete history of every USB device that was plugged into a Linux computer.

    USBRip is written in Python, which is cross-platform and should allow USBRip to run on most Linux systems. However, because it’s mostly parsing Linux system logs, it currently only runs on Linux devices.
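As an added illustration of what a log-based tool like USBRip (comments 23 and 24 above) recovers, here is example code written for this page, not USBRip's own: it parses constructed Linux kernel syslog lines into a USB attach history and flags devices that bound as a keyboard while calling themselves a flash drive, or that expose both storage and HID interfaces. The line formats follow the kernel's usb, usb-storage and hid-generic messages; the vendor/product ids, names and timestamps are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample syslog lines (made-up ids, names and times) in the format
# the Linux kernel emits for USB enumeration, driver binding and removal.
SAMPLE_LOG = """\
Apr 10 09:12:01 host kernel: [  812.100] usb 1-1: new full-speed USB device number 5 using xhci_hcd
Apr 10 09:12:01 host kernel: [  812.220] usb 1-1: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
Apr 10 09:12:01 host kernel: [  812.221] usb 1-1: Product: Example Flash Drive
Apr 10 09:12:01 host kernel: [  812.300] usb-storage 1-1:1.0: USB Mass Storage device detected
Apr 10 09:14:30 host kernel: [  961.010] usb 1-2: new full-speed USB device number 6 using xhci_hcd
Apr 10 09:14:30 host kernel: [  961.150] usb 1-2: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
Apr 10 09:14:30 host kernel: [  961.151] usb 1-2: Product: USB Flash Drive
Apr 10 09:14:30 host kernel: [  961.400] input: Generic USB Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:DEAD:BEEF.0003/input/input12
Apr 10 09:14:30 host kernel: [  961.402] hid-generic 0003:DEAD:BEEF.0003: input,hidraw1: USB HID v1.11 Keyboard [Generic USB Flash Drive] on usb-0000:00:14.0-2/input0
Apr 10 09:14:41 host kernel: [  972.500] usb 1-2: USB disconnect, device number 6
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[ *[\d.]+\] (?P<msg>.*)$")
NEW_RE = re.compile(r"usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PROD_RE = re.compile(r"usb (?P<port>[\d.-]+): Product: (?P<name>.+)")
STORAGE_RE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_RE = re.compile(r"hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: .*USB HID v[\d.]+ (?P<kind>\w+)")
DISC_RE = re.compile(r"usb (?P<port>[\d.-]+): USB disconnect, device number \d+")

STORAGE_WORDS = ("flash", "drive", "disk", "stick", "storage")

@dataclass
class UsbDevice:
    port: str
    first_seen: str
    vid: str
    pid: str
    product: str = ""
    hid_kinds: list = field(default_factory=list)  # e.g. ["Keyboard"]
    mass_storage: bool = False
    disconnected_at: str = ""

def parse_usb_history(log_text):
    """Return every USB attach seen in the kernel log, in order, with what each
    device told the host it was and which drivers bound to it."""
    history, attached = [], {}  # attached: port -> device still plugged in
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if n := NEW_RE.match(msg):
            dev = UsbDevice(n["port"], ts, n["vid"], n["pid"])
            attached[n["port"]] = dev
            history.append(dev)
        elif (p := PROD_RE.match(msg)) and p["port"] in attached:
            attached[p["port"]].product = p["name"]
        elif (s := STORAGE_RE.match(msg)) and s["port"] in attached:
            attached[s["port"]].mass_storage = True
        elif h := HID_RE.match(msg):  # hid-generic logs vid:pid, not the port
            for dev in attached.values():
                if (dev.vid, dev.pid) == (h["vid"].lower(), h["pid"].lower()):
                    dev.hid_kinds.append(h["kind"])
        elif (d := DISC_RE.match(msg)) and d["port"] in attached:
            attached.pop(d["port"]).disconnected_at = ts
    return history

def flag_suspicious(history):
    """Findings worth a closer look: a device that bound as a keyboard or mouse
    while calling itself storage, or that exposes both HID and storage."""
    findings = []
    for dev in history:
        claims_storage = any(w in dev.product.lower() for w in STORAGE_WORDS)
        if dev.hid_kinds and (claims_storage or dev.mass_storage):
            findings.append(f"{dev.first_seen} port {dev.port} {dev.vid}:{dev.pid} "
                            f"'{dev.product}' bound as HID {dev.hid_kinds}, removed at "
                            f"{dev.disconnected_at or 'still attached'}")
    return findings
```

Run it against a real host with `parse_usb_history(open("/var/log/syslog").read())` (or a saved `dmesg` capture with the syslog prefix); the eleven-second attach in the sample is the kind of short-lived keyboard-that-looks-like-a-drive that a review should pick out.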

  25. Tomi Engdahl says:

    Computer Hacking with Arduino UNO

    In this experiment, I am using an Arduino UNO board. My final target is sending some preloaded commands from the Arduino board to my computer through a USB cable.

    By default, this Arduino UNO board does not support this kind of activity, so I have to do some modifications to get this job done.


  26. Tomi Engdahl says:

    FBI Warns of Malicious Attacks Disguised as Gift Cards
    Last week, the FBI warned that malicious hackers are mailing USB drives along with gift cards in a twist on the classic “lost USB” attack.

    There are many possible variations of this attack, but all of them rely on you to plug a USB device into your computer. To achieve that, they send you a package with the USB device along with some other items designed to convince you to plug it in. For instance, in one actual attack a person received a package that said it was from Best Buy. Inside was a $50 gift card, a short signed note from “customer relations,” and what appeared to be a USB drive. The note said the gift card was a reward for the person’s loyalty, and that they could check the USB drive for a list of products that could be purchased with the gift card.

    That was, of course, all a farce. The USB “drive” was actually a device that emulates a keyboard when it’s plugged into a computer. Such devices are relatively easy to make using a Microchip ATmega32U4, which is the same microcontroller you’ll find in an Arduino Leonardo and several other development boards. Once the device is plugged into a computer, it begins typing out Windows PowerShell commands. Those commands are used to download and install a JavaScript bot, which can, in turn, install more malware.

  27. Tomi Engdahl says:

    The ESP8266-Powered Masterkey Wi-Fi USB Keylogger Offers Plug-and-Play Capture, Remote Access

    Built around an ESP8266, and on the back of the Arduino-powered Wi-Fi USB Keylogger, Koko’s design is impressively flexible.

  28. Tomi Engdahl says:

    New fuzzing tool finds 26 USB bugs in Linux, Windows, macOS, and
    Eighteen of the 26 bugs impact Linux. Eleven have been patched

  29. Tomi Engdahl says:

    This custom-built keystroke injection device is even more compact than the popular Rubber Ducky.

    Meet Rubber Ducky’s Smaller and Cuter Sibling, Tinyduck

  30. Tomi Engdahl says:

    Honeywell Sees Rise in USB-Borne Malware That Can Cause Major ICS Disruption

    Honeywell says it has seen a significant increase over the past year in USB-borne malware that can cause disruption to industrial control systems (ICS).

    Honeywell Industrial Cybersecurity this week published its 2020 USB Threat Report. The report is based on data collected over a period of 12 months by the company’s Secure Media Exchange (SMX) USB security platform from oil and gas, energy, chemical, food, shipping, building, aerospace, pulp and paper, and manufacturing companies across 60 countries in the Americas, Europe and Asia.

    An analysis of the data showed that SMX blocked at least one threat at 45% of industrial sites using the product, up from 44% in the previous report, which the company published in 2018.

    While only 11% of the malware found on USB drives was specifically designed to target industrial systems — this represents a slight drop compared to the 14% identified in 2018 — 59% of the detected threats could cause significant disruption to industrial systems, compared to only 26% in 2018. On the other hand, that 11% becomes 28% if ransomware, which has increasingly targeted operational technology (OT) systems, is also taken into consideration.

  31. Tomi Engdahl says:

    BadPower attack corrupts fast chargers to melt or set your device on fire

    Attackers can alter the firmware of fast charger devices to deliver extra voltage and damage connected equipment.

    Chinese security researchers said they can alter the firmware of fast chargers to cause damage to connected (charging) systems, such as melting components, or even setting devices on fire.

    The technique, named BadPower, was detailed last week in a report published by Xuanwu Lab, a research unit of Chinese tech giant Tencent.

    According to researchers, BadPower works by corrupting the firmware of fast chargers.

    A fast charger looks like any typical charger but works using special firmware. This firmware “talks” to a connected device and negotiates a charging speed, based on the device’s capabilities.

    If a fast-charging feature is not supported, the fast charger delivers the standard 5V, but if the device can handle bigger inputs, the fast charger can deliver up to 12V, 20V, or even more, for faster charging speeds.

    The BadPower technique works by altering the default charging parameters to deliver more voltage than the receiving device can handle, which degrades and damages the receiver’s components, as they heat up, bend, melt, or even burn.

    When the user connects their infected smartphone or laptop to the fast charger, the malicious code modifies the charger’s firmware, and going forward the fast charger will execute a power overload for any subsequently connected devices.

    The Tencent team said they verified their BadPower attack in practice. Researchers said they selected 35 fast chargers from 234 models available on the market and found that 18 models from 8 vendors were vulnerable.

    The good news is that “most BadPower problems can be fixed by updating the device firmware.”

    Researchers said that 18 chip vendors did not ship chips with a firmware update option, meaning there was no way to update the firmware on some fast charger chips.

    Suggestions to fix the BadPower problem include hardening firmware to prevent unauthorized modifications, but also deploying overload protection to charged devices.

    A demo video of a BadPower attack is available at the bottom of the Tencent report.


  32. Tomi Engdahl says:

    By rewriting improperly-protected firmware from the USB port, it’s possible to send 20V to devices only capable of receiving 5V.

    “BadPower” Attack Leverages High-Speed USB Charging to Damage Devices, Start Fires

  33. Tomi Engdahl says:

    {nixCraft Patreon supporters content} This guide explains how to use USBGuard to configure the Linux server or desktop dynamic policy to block, reject, or permit access to specific USB devices. https://www.opensourceflare.com/how-to-protect-linux-against-rogue-usb-devices-using-usbguard/
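As an added example of the kind of policy the linked guide configures (this is not the guide's own text), here is a permissive USBGuard rules file beside a tightened one that addresses the keyboard-emulating devices discussed in the comments above. The keyboard's id, hash and port are placeholders; on a real host they come from `usbguard list-devices`, and `equals` requires the keyboard's full interface set, so a keyboard that also exposes a 03:00:00 media-key interface must list it too.

```conf
# /etc/usbguard/rules.conf -- WEAK: a bare "allow" matches every device,
# so a keystroke-injecting "flash drive" is accepted exactly like a keyboard.
allow

# /etc/usbguard/rules.conf -- TIGHTENED (assumed example policy)
# 1. Pin the known keyboard to its identity, its descriptor hash and its port.
#    PLACEHOLDER values below; take the real ones from `usbguard list-devices`.
allow id 1234:5678 name "Example Keyboard" hash "PLACEHOLDER_DEVICE_HASH" via-port "1-3" with-interface equals { 03:01:01 }
# 2. Plain mass-storage devices (only a storage interface) stay usable.
allow with-interface equals { 08:*:* }
# 3. Reject devices that pair storage with a HID, wireless or network interface,
#    the combination a BadUSB-style device presents.
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }
reject with-interface all-of { 08:*:* e0:*:* }
reject with-interface all-of { 08:*:* 02:*:* }
# 4. Everything else, any unlisted keyboard in particular, falls to the daemon
#    default: ImplicitPolicyTarget=block in /etc/usbguard/usbguard-daemon.conf.
```

With `PresentDevicePolicy=apply-policy` in usbguard-daemon.conf the same rules are applied to devices already attached when the daemon starts, not only to later hotplugs.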

