USBDriveby Device Can Install Backdoor, Override DNS Settings in Seconds

Samy Kamkar has a special talent for turning seemingly innocuous things into rather terrifying attack tools. First it was an inexpensive drone that Kamkar turned into a flying hacking platform with his Skyjack research, and now it’s a $20 USB microcontroller that Kamkar has loaded with code that can install a backdoor on a target machine in a few seconds and hand control of it to the attacker.

Kamkar has been working on the new project for some time, looking for a way to install the backdoor without needing to use the mouse and keyboard. The solution he came up with is elegant, fast and effective. By using code that can emulate the keyboard and the mouse and evade the security protections such as local firewalls, Kamkar found a method to install his backdoor in just a couple of seconds and keep it hidden on the machine. He loaded the code onto an inexpensive Teensy USB microcontroller.

Kamkar said the stickiest problem with the whole thing was figuring out how to move various windows around on the screen without the mouse.

“The fun applications are when you can mount an attack pretty simply,” Kamkar said in an interview. “In general, it’s a pretty simple attack. Figuring out how to move things took the most time.”


The USBdriveby attack Kamkar devised is somewhat similar to the work done by Karsten Nohl and Jacob Lell on the BadUSB attack. But Kamkar said he had done nearly all of the work on his code before Nohl and Lell disclosed their findings at Black Hat this summer.

“Karsten’s attack is much more sophisticated. He’s rewriting the flash memory on the USB,” Kamkar said. “The way he’s adjusting the network preferences is by emulating a network device.”

In both cases, the attack takes advantage of the trust that computers have in any USB device that’s inserted. Kamkar’s USBdriveby attack can be executed in a matter of seconds and would be quite difficult for a typical user to detect once it’s executed. In a demo video, Kamkar runs the attack on OS X, but he said the code, which he’s released on GitHub, can be modified easily to run on Windows or Linux machine. The attack inserts a backdoor on the target machine and also overwrites the DNS settings so that the attacker can then spoof various destinations, such as Facebook or an online banking site, and collect usernames and passwords. The backdoor also goes into the cron queue, so that it runs at specified intervals.

“In the video, I slow it down quite a bit, but it could be done in a few seconds. The terminal backdoor could be done in a second. You don’t want to send more than sixty characters a second. To an average user, I don’t think they’d find it. You could look in the cron tab and find the backdoor. But if someone modifies it, then maybe not,” he said. A forensics person would find it, but I don’t know if I’d even notice if you did it to my machine.”

Kamkar is hopeful that other researchers will look at his code and build on it, looking for other uses for it.

“It would be cool if people came up with different attack vectors, maybe have it read an address book or something, especially if they can escalate privileges,” he said. “A lot of people don’t think that it will work if they’re not logged in as an admin. But all I need to do is plant this, and it’s still listening. So if you go in as a normal user and escalate privileges to admin, then I have that.”

Image from Flickr photos of Dewagi

Suggested articles

Threatpost News Wrap, November 18, 2016

Mike Mimoso and Chris Brook discuss the news of the week, including this week’s House hearing on the Internet of Things, Samy Kamkar’s PoisonTap tool, and Windows 10’s ransomware protections.

FBI Mum on Real-World KeySweeper Attacks

The FBI warned its business partners of the risks associated with KeySweeper, a device hidden in a USB wall charger that sniffs keystrokes from Microsoft wireless keyboards.