Add mice and keyboards to the list of UBS-based peripherals now suspect in any corporate environment. In recent weeks several gadget blogs have been discussing new ways to make the USB HID (Human Interface Device) a viable vector for malware. This is hardware hacking that should be of interest to corporate IT staff. While some of these use cases are not elegant, requiring someone to convince someone else to use a modified device, we’ve seen clever social engineering in the not-so-recent past–especially if your company or industry is targeted for an attack.
Last summer’s Stuxnet attackers knew that getting their code onto a Windows box was just the first step; they also had to find Windows machines that connected to a particular model of Siemens PCL used to control centrifuges during the fuel refinement stage for their malicious code to work. Stuxnet was able to spread within the limited world of Industrial Control Systems because compromised USB memory sticks were distributed at an Iranian nuclear power conference. Until then, the idea of bootstrapping an attack was rare, and someone attacking something so specialized almost unheard of.
Stuxnet used a zero-day in the Windows operating system autorun feature, a vulnerability Microsoft has since closed. Some corporate campuses have since disabled their USB ports (some even putting glue to prevent employees from using them). That crude but effective solution would not, however, work with legitimate devices that need USB access, such as mice and keyboards.
In June, Netragard, a security company, blogged about a compromise they’d made to a USB-based Logitech mouse. They first gutted the mouse’s internal hardware and then retro-fit it with a malicious microcontroller and a USB flash drive. Netragard then used Metasploit, a penetration testing tool, to provide an “undocumented (0-day) technique to completely subvert the dialogue box and to evade detection by Mcafee,” according to the blog. To the untrained eye, the mouse would look and perform as expected. However, after a preset period of time, the malware would activate with whatever system privileges the user had.
The blog stated that to test their handiwork they sent the mouse to a targeted victim under the pretense that it was a reviewers model. Sure enough, a few days after they shipped it, the malware woke up and radioed home the Media Access Control (MAC) address of the victim’s PC. They could have also used a keyboard for this particular attack. The most common gadget, though, is still the USB flash drive.
Last year, Adrian Crenshaw presented at both Shmoocon 2010 and DefCon 18 something he called “Teensy”. It’s a USB drive whose malicious software waits until the victims’ computer is booted and sufficiently logged into a computer network before it begins operation. The idea is that the victim might have extra privileges if the timer waits long enough. That’s the serious side.
The operative part of Crenshaw’s toy is Phantom Keystroker program that acts as a keyboard/mouse USB HID. Among other things, the Phantom Keystroker can send keystrokes, record keystrokes, move the mouse pointer around randomly, or toggle the caps lock. Even playful disruptions at work can adversely affect productivity; the activity doesn’t always have to be malicious.
Others have hacked gaming consoles. This forum post discusses rebuilding a Super Nintendo Entertainment System (also known as the Super NES, SNES or Super Nintendo) controller. Needless to say, IT managers need to start investigatng what’s inside the plastic shell of some of the more common, almost throw-away peripherals that come your way.
Last week, Greg Schaffer, DHS assistant secretary for cybersecurity and communications, testified before the House Oversight and Government Reform Committee that he was aware of instances when foreign-made technology included embedded security risks. He declined to be specific, however, he stated this has been happening for some time. While not exactly news (there were reports of contaminated Cisco routers in 2008), it does represent the first time a high-ranking government official has acknowledged the practice.
This is something different. What Netragard, Crenshaw and others propose is that a purposeful attacker here in the United States, not some foreign supplier, could use a tainted mouse or keyboard—common peripherals, perhaps bought at the corner office supply store–to access your company’s assets. So beware of strangers bearing mice, keyboards, and even free USB drives—they might just be compromised.