Does dropping an infected USB drive in a parking lot work when it comes to a hacker luring their prey into a digital trap? The answer is a resounding yes.
At Black Hat USA, security researcher Elie Bursztein shared the results of an experiment where he dropped 297 USB drives with phone-home capabilities on the University of Illinois Urbana-Champaign campus. He also explained how an attacker might program and camouflage a malicious USB drive outfitted with a Teensy development board to take over a target’s computer within seconds after plugging the drive in.
“Despite the dangers of hackers, viruses and other bad things, almost half of those who found one of our flash drives plugged it into a computer,” Bursztein said.
The researchers, from the University of Illinois Urbana-Champaign, the University of Michigan and Google, dropped the drives in six campus locations. Of those placed across the campus, 48 percent were picked up, plugged into a computer and had files opened by the finder. The average time between a drop and someone plugging in the drive and clicking on an HTML file that phoned home was about seven hours, with 20 percent of USB connections occurring within one hour of the drive being dropped.
In the experiment, Bursztein and his fellow researchers did not booby-trap the USB drives with remote access tools or fill them with malicious files. The USB drives were actually safe to use, but contained documents labeled “final exam” or “spring break pictures,” and when the finders double-clicked on one HTML file they were connected to an email survey. What the researchers found was that 68 percent of survey respondents said they clicked on the file so they could help return the USB drive to its rightful owner. Another 18 percent said they were just curious.
The study was conducted last year, and despite being outed by Reddit users halfway through the experiment, it was considered a success. But the research didn’t stop there. In an effort to illustrate the dangers of USB-based attacks, Bursztein showed Black Hat attendees how an attacker could create a malicious USB drive that presents itself to the host as an HID (human interface device), that is, as a keyboard, and would give attackers instant access to and control of an internet-connected PC or Mac.
Using a small development board (Teensy 3.2), a USB connector, and hobby silicone and resin to cast the fake drive, Bursztein made a malicious drive for a cost of around $40.
The payload was a reverse TCP shell that connects back to a server chosen by the attacker. The drive he created was cross-platform. Other design constraints for the USB attack included making no assumption that the targeted computer had internet connectivity at the moment it was plugged in, and anticipating AV software defenses.
“This forced us to not rely on not downloading anything and ensuring our payload retries to connect periodically,” Bursztein said. To avoid AV or firewall detection, Bursztein relied on a scripting language to establish the outbound connections. The payload had to be kept short because keyboard throughput is capped at 62.5 keys per second on some OSes, he said.
The actual compromise was accomplished in three phases. The first ensures the drive is recognized by the OS as a keyboard and the USB HID driver is loaded. Next is OS fingerprinting to determine the platform and therefore which commands to execute. The final stage is the reverse shell execution, which includes “injecting the keystrokes that form the commands needed to spawn a background TCP reverse shell that will connect back to a server chosen by the attacker,” he said.
Bursztein said the attacks work reliably on Mac OS X and Windows, and he has published the code he used on GitHub alongside a technical description of the USB attack. Beyond developing the payload software, one of the biggest obstacles in creating the USB drive was fitting code that supports multiple operating systems onto the Teensy device. The next step was creating a convincing enclosure for the Teensy board and USB connector.
Building the fake USB case was not easy and involved several attempts at fine-tuning techniques with silicone molds and model resins to produce a flawless-looking USB drive. Bursztein said the malicious USB stick is still a work in progress, with room for adding a GSM/Wi-Fi module and fake storage space to maximize remote exfiltration and air-gap breaching.
With a roughly 50 percent success rate, there is a huge need for more education about untrusted USB devices, he said. The alternative, he said, is preventing USB devices from connecting to computers by using programs such as killusb or configuring an OS to lock out any USB device.
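Short of locking out USB entirely, the event worth alerting on is the one the attack depends on: a device that enumerates as a keyboard when the user did not plug in a keyboard, and especially one that exposes both a keyboard interface and mass storage, which is how a drive with fake storage space would look. The following is an added example, not part of the article or of any tool it mentions, that audits Linux kernel log lines for exactly that. The log lines are constructed for the example (the vendor/product IDs, port numbers and product strings are illustrative), and the allowlist of known keyboards is an assumption; the same correlation could be done against Windows or macOS device-arrival events, which have different formats.

```python
"""Flag unexpected keyboards and keyboard+storage composites in a kernel log.

Added example; log lines below are constructed, not captured from a real
incident. Assumes Linux dmesg/journal formatting and a site allowlist of
keyboard vendor:product IDs.
"""
import re

# "usb 1-1.2: New USB device found, idVendor=16c0, idProduct=0487" ties a port path to an ID
_NEW_DEV = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
# "hid-generic 0003:16C0:0487.0003: ... USB HID v1.11 Keyboard [...]" names the HID interface kind
_HID = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.\w+: "
    r".*USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device)")
# "usb-storage 1-1.2:1.1: USB Mass Storage device detected" gives only the port path
_STORAGE = re.compile(r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


def audit_usb_log(lines, allowed_keyboards):
    """Return alert strings for keyboards not on the allowlist and for any
    device that presents both a keyboard and a mass-storage interface."""
    port_to_dev = {}   # port path -> "vid:pid"
    interfaces = {}    # "vid:pid" -> set of interface kinds seen
    alerts = []
    for line in lines:
        m = _NEW_DEV.search(line)
        if m:
            port_to_dev[m["port"]] = f"{m['vid']}:{m['pid']}".lower()
            continue
        m = _HID.search(line)
        if m:
            dev = f"{m['vid']}:{m['pid']}".lower()
            interfaces.setdefault(dev, set()).add(m["kind"].lower())
            if m["kind"] == "Keyboard" and dev not in allowed_keyboards:
                alerts.append(f"unexpected keyboard enumerated: {dev}")
            continue
        m = _STORAGE.search(line)
        if m and m["port"] in port_to_dev:
            interfaces.setdefault(port_to_dev[m["port"]], set()).add("storage")
    for dev, kinds in interfaces.items():
        if "keyboard" in kinds and "storage" in kinds:
            alerts.append(f"composite keyboard+storage device: {dev}")
    return alerts


# Constructed sample: a known keyboard, then a drop-style device that is
# both a keyboard and a storage device.
SAMPLE_LOG = [
    "[   12.001] usb 1-1.1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00",
    "[   12.090] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1.1/input0",
    "[ 1234.567] usb 1-1.2: new full-speed USB device number 5 using xhci_hcd",
    "[ 1234.680] usb 1-1.2: New USB device found, idVendor=16c0, idProduct=0487, bcdDevice= 1.05",
    "[ 1234.680] usb 1-1.2: Product: Teensyduino Keyboard/Mouse/Joystick",
    "[ 1234.690] hid-generic 0003:16C0:0487.0003: input,hidraw2: USB HID v1.11 Keyboard [Teensyduino Keyboard/Mouse/Joystick] on usb-0000:00:14.0-1.2/input0",
    "[ 1234.695] hid-generic 0003:16C0:0487.0004: input,hidraw3: USB HID v1.11 Mouse [Teensyduino Keyboard/Mouse/Joystick] on usb-0000:00:14.0-1.2/input1",
    "[ 1234.700] usb-storage 1-1.2:1.1: USB Mass Storage device detected",
]
ALLOWED_KEYBOARDS = {"046d:c31c"}  # site allowlist (assumption)

if __name__ == "__main__":
    for alert in audit_usb_log(SAMPLE_LOG, ALLOWED_KEYBOARDS):
        print("ALERT:", alert)
```

On a fleet this is the logic to wire into whatever ships host logs, with the allowlist populated from an inventory; the second rule is the more robust one, since an attacker can spoof a common keyboard’s vendor and product IDs but cannot hide a storage interface the drive needs in order to look like storage.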