164

We all know the story of the USB drive left outside a power plant which was found by a worker and inserted into a computer to see the contents which then allowed a hack to ensue.

Here is my question, how? I get that code is executed but how? I would really like to be able to do this (for my own curiosity of course). I have always had a good grasp on security how to make things secure etc etc but things like viruses, trojans, USB drivers... how are they activated with little human interaction?

I would really like to learn about these things, I am a programmer/sys admin so would like to knock up a script but having never been taught or never have done it I don't know how or where to begin. I would really like a big discussion on this with as much information as possible.

Glorfindel
TheHidden

  • (+2) SET (social engineering toolkit) has an option to create infection media, may be a good starting place. – Jay Oct 16 '15 at 08:15
  • (+14) I hate being a script kiddie though, I am fine with using scripts but only if I understand how it works. Any resources? – TheHidden Oct 16 '15 at 08:17
  • @silverpenguin I really meant the software point of view - no idea what *today's kids* are doing to that poor term. However, most USB stick attacks (except, well, swallowing and frying your PC) are using a software based approach - let it be a hidden keyboard, an exploit or a simple autorun (= social engineering). – Sebb Oct 16 '15 at 13:50
  • (+4) http://superuser.com/questions/709275/what-is-the-danger-of-inserting-and-browsing-an-untrusted-usb-drive – RyanS Oct 16 '15 at 16:01
  • (+22) Friendly Note: I would not satisfy your curiosity with actual power plants. – PyRulez Oct 17 '15 at 02:59
  • (+1) Related: [What is the danger of inserting and browsing an untrusted USB drive?](https://superuser.com/q/709275/150988), [How can a flash drive spread a virus?](https://superuser.com/q/93939/150988), [How do I safely investigate a USB stick found in the parking lot at work?](https://superuser.com/q/1206321/150988), [Safely opening a suspect USB Drive](https://superuser.com/q/167878/150988), [How can I browse an untrusted USB flash drive safely?](https://superuser.com/q/983709/150988), and probably more. – Scott - Слава Україні May 06 '17 at 22:06

5 Answers

229

Take a look at this USB keyboard:

[Image: Rubber Ducky USB device]

"But that's not a keyboard! That's a USB drive, silly!"

Actually, no. It looks like a USB drive to you, but when it gets connected to a computer, it will report that it is a USB keyboard. And the moment it is installed, it will start typing key sequences you programmed on it beforehand. Any operating system I know automatically trusts USB keyboards and installs them as trusted input devices without requiring any user interaction the moment they are connected.

There are various payloads available for it. For example, there is one which types the keyboard input to open a shell, launches WGET to download a binary from the Internet, and runs it.

Panzercrisis
Philipp

  • (+4) Might also be worth mentioning USB [U3](https://en.wikipedia.org/wiki/U3) (USB hacksaws, switchblades) which takes me back :). Also the social engineering aspect; simple tricks like a normal USB stick with a Word document called "super secret.doc" with macros for example. – GreatSeaSpider Oct 16 '15 at 08:42
  • (+2) In order to be a full answer, you should really at least mention examples about exploits (Stuxnet etc.). – Sebb Oct 16 '15 at 11:34
  • (+39) Also... this.... (ouch!) https://grahamcluley.com/2015/10/usb-killer/ – GreatSeaSpider Oct 16 '15 at 11:57
  • (+11) If USB HID devices had to be approved before they could be installed, installation might be a bit tricky! "I've just spilt coffee on my keyboard. Never mind, here's a spare" -> "To install new hardware you need to authenticate. Enter your password". Solving this would be interesting. – Chris H Oct 16 '15 at 12:19
  • (+9) It wouldn't be too hard to have a hub and storage in there as well, then you'd need very sharp eyes to spot the extra installation, as the expected drive would appear. – Chris H Oct 16 '15 at 12:21
  • (+13) @ChrisH you might be laughing about it, but that would actually be a solution: any new keyboards first need to enter the password of the user that is currently logged in before they can enter anything else. They are installed, but before they can be used, you need to prove it's actually a keyboard. – Nzall Oct 16 '15 at 13:42
  • (+23) @NateKerkhofs, I'm not laughing. Enter the username of the *current user* might work if you did it *after installation*. Admin/root PW as for normal installation would be less appealing. Maybe better: enter a random string displayed on screen a bit like bluetooth pairing (I'm wary of getting users to type passwords unexpectedly). I was thinking the hardware would be blocked until the password was entered like in normal hardware installation (basically treat a keyboard like other stuff). – Chris H Oct 16 '15 at 14:31
  • (+2) @ChrisH I wasn't sure how serious you were since you were talking about a hypothetical situation involving an actual USB keyboard. I would also make the requirement that the newly plugged in keyboard has to be the one to type the password. The reason I'm personally wary of a random string on screen is because a sufficiently advanced keyboard might even be able to exploit that. Something that's only known to a sufficiently genre savvy user and never displayed might be a better option. – Nzall Oct 16 '15 at 14:37
  • (+4) Not all HID devices are capable of typing in all passwords: think of a USB numpad. If you want this level of paranoia you're better off building a new sort of device that does challenge-response authentication at the protocol layer. – pjc50 Oct 16 '15 at 14:40
  • @NateKerkhofs. I'm perhaps a little too willing to fall back on an example, even a slightly absurd one. But if a fake keyboard is detected as a keyboard causing a prompt, a real one will do the same. You make a good point about the random string, and overall I think our discussion indicates that any solution would take work, especially given real-world users who we can assume don't read dialog boxes asking for passwords and just type. – Chris H Oct 16 '15 at 15:04
  • (+4) @ChrisH Case in point: [Yubikeys](https://en.wikipedia.org/wiki/Yubikey)? – user Oct 16 '15 at 19:11
  • @ChrisH: there's a freebie tool that forces manual activation for yet unknown USB keyboards: [G Data USB Keyboard Guard](https://www.gdatasoftware.com/en-usb-keyboard-guard). – StackzOfZtuff Oct 18 '15 at 08:09
  • @Nzall Just modify the recorded key sequence to start with `password` :P – LegionMammal978 Sep 23 '16 at 10:35
  • @Philipp: Sorry, wrong question. Can the same thing apply to SD cards? – user2284570 May 02 '17 at 01:17
  • @user2284570 SD cards are nothing but mass storage, so this particular attack shouldn't be possible. But SD cards aren't my area of expertise. You should open a new question asking about the risks of putting untrusted SD cards into your reader. – Philipp May 02 '17 at 01:19
  • @ChrisH Easy solution: Display a four character random number on the screen. Require the user to either enter that code to continue, or use a trusted keyboard or mouse to click a button or type a command to bypass it. – Radvylf Programs Feb 01 '21 at 19:30
  • @RedwolfPrograms, sure, it's not insurmountable, but should be built in to the OS, as the new keyboard has to be able to send keystrokes to implement this method - also things have moved on a little since this question. – Chris H Feb 01 '21 at 20:34
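The detection side of what this answer and its comments describe, as an added example that is not part of the answer, of the Rubber Ducky project, or of any vendor's tooling: a Python script that replays constructed Linux kernel log lines in the format the USB and HID subsystems print during enumeration, reports every device that registered itself as a keyboard, and singles out the storage-plus-keyboard combination mentioned in the comments (a "flash drive" that also types). The allowlist of known keyboards, keyed by vendor:product ID, is an assumption of this example standing in for the "approve new keyboards first" policy discussed above; the sample log and the 1234:xxxx device IDs are constructed placeholders, not real devices.

```python
"""Spot USB devices that register a keyboard interface.

Added example (not from the answer or the Rubber Ducky project): replays
constructed kernel messages in the format Linux prints during USB/HID
enumeration and reports every device that showed up as a keyboard, singling
out the storage-plus-keyboard combination a disguised "flash drive" presents.
"""
import re
from collections import OrderedDict

# Constructed sample log; vendor/product IDs are placeholders, not real devices.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
usb 1-1: Product: Example Storage
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new full-speed USB device number 6 using xhci_hcd
usb 1-2: New USB device found, idVendor=1234, idProduct=0002, bcdDevice= 1.00
usb 1-2: Product: Example Drive
input: Example Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1234:0002.0004/input/input12
hid-generic 0003:1234:0002.0004: input,hidraw3: USB HID v1.11 Keyboard [Example Drive] on usb-0000:00:14.0-2/input0
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: New USB device found, idVendor=1234, idProduct=0003, bcdDevice= 2.00
usb 1-3: Product: Example Twin
usb-storage 1-3:1.0: USB Mass Storage device detected
hid-generic 0003:1234:0003.0005: input,hidraw4: USB HID v1.11 Keyboard [Example Twin] on usb-0000:00:14.0-3/input1
usb 1-4: new full-speed USB device number 8 using xhci_hcd
usb 1-4: New USB device found, idVendor=1234, idProduct=0099, bcdDevice= 1.00
usb 1-4: Product: Office Keyboard
hid-generic 0003:1234:0099.0006: input,hidraw5: USB HID v1.11 Keyboard [Office Keyboard] on usb-0000:00:14.0-4/input0
"""

DEVICE_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                       r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
PRODUCT_RE = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
KEYBOARD_RE = re.compile(r"^hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w+: "
                         r".*USB HID v[\d.]+ Keyboard \[")


def parse_usb_log(text):
    """Return {port: device} in enumeration order; each device records the interface kinds seen."""
    devices = OrderedDict()
    by_id = {}
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            dev = {"port": m["port"], "vid": m["vid"].lower(), "pid": m["pid"].lower(),
                   "name": "?", "classes": set()}
            devices[dev["port"]] = dev
            by_id[(dev["vid"], dev["pid"])] = dev  # hid-generic lines name the device by VID:PID
            continue
        m = PRODUCT_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
            continue
        m = STORAGE_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["classes"].add("storage")
            continue
        m = KEYBOARD_RE.match(line)
        if m and (m["vid"].lower(), m["pid"].lower()) in by_id:
            by_id[(m["vid"].lower(), m["pid"].lower())]["classes"].add("keyboard")
    return devices


def audit(text, trusted_keyboards=frozenset()):
    """Keyboards not on the allowlist, each with a verdict; storage+keyboard is the worst case."""
    findings = []
    for dev in parse_usb_log(text).values():
        if "keyboard" not in dev["classes"] or (dev["vid"], dev["pid"]) in trusted_keyboards:
            continue
        if "storage" in dev["classes"]:
            verdict = "storage device that also types: disguised keyboard"
        else:
            verdict = "new keyboard not on the allowlist"
        findings.append({**dev, "verdict": verdict})
    return findings


if __name__ == "__main__":
    # The office keyboard is pre-approved; the two "drives" that type are reported.
    for f in audit(SAMPLE_LOG, trusted_keyboards={("1234", "0099")}):
        print(f"port {f['port']} {f['vid']}:{f['pid']} '{f['name']}' -> {f['verdict']}")
```

Correlating by port and by VID:PID is what a host-side policy needs anyway: the decision "is a keyboard allowed to appear here right now" has to be made before the device's first keystroke is accepted, which is why the comments above converge on pairing-style approval rather than on anything the device itself reports.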
93

Recently, a form of attack has surfaced which does not "hack" the computer through code or software vulnerabilities, but instead does actual damage to the electronics.

A creator known as Dark Purple created a device known as the USB Killer 2.0 (based on an earlier version created by him based on the same concept) which, when plugged into the USB slot of the computer, stores the small amount of power sent to the device in capacitors, and then sends the stored energy back all at once at -220 volts.

It keeps repeating this process until the computer is dead. This destroys the I/O controller, often built into the motherboard (and may cause other damage as well; I haven't read any details on extensive testing). (Original source in Russian and the Google Translated version.)

[Image: USB drive, USB Killer 1.0, USB Killer 2.0]

On the right, the exposed USB Killer 1.0 and its successor, the USB Killer 2.0, and on the left, the USB Killer in an enclosed case, which looks just like an ordinary USB flash drive.

The results are shown here, killing the motherboard of a Lenovo ThinkPad X60 just after being plugged in to the USB slot:

YouTube: USB Killer v2.0 testing.

Peter Mortensen
IQAndreas

  • (+2) But how? Surely there are protection diodes on the inputs. – Michael Oct 16 '15 at 17:34
  • (+4) @Michael Protection diodes have their own physical limitations. Each type of diode has its own reverse voltage and I wouldn't be surprised if the voltages aren't too high. Also I'd expect inputs to be mostly protected from shorts among the pins and from static electricity. Static electricity has high voltage, but not much energy. Those capacitors could be packing quite a bit more energy than expected. Also that's all assuming that there is indeed protection circuitry as described in the standard. Many cheaper motherboards don't have it. – AndrejaKo Oct 16 '15 at 18:51
  • (+65) For a moment I thought that was an embedded YouTube player. – Derek 朕會功夫 Oct 16 '15 at 19:35
  • (+7) @Derek朕會功夫 Nah, [some sites have embedded players](http://meta.stackexchange.com/a/104189/205964), but unfortunately _Security StackExchange_ does not, so it just showed up as an ugly link in the answer. [As you can see](http://security.stackexchange.com/posts/102915/revisions), I edited in an "alternative solution" just so it looks prettier. ;) – IQAndreas Oct 16 '15 at 19:48
  • (+4) FYI the proper solution to physical attacks is optically isolating ports that untrusted hardware will be connected to. – R.. GitHub STOP HELPING ICE Oct 18 '15 at 04:42
  • (+23) Poor ThinkPad, it did not deserve such a fate. – Hugo Oct 19 '15 at 08:18
  • @r.. You still have to power the thing somehow. It will take longer, but I guess I'll be able to fry the power supply anyways. – John Dvorak Oct 19 '15 at 10:14
  • (+1) What's the purpose of this attack, exactly? I wouldn't expect a foreign USB device to be plugged into anything important. I guess you can drop a couple of those in front of an office and kill a couple of corporate laptops (just the motherboards, the HDD in the video above survived), preventing the owners from working for (OMG!) a whole day. Doesn't seem to be worth the trouble. – Dmitry Grigoryev Oct 19 '15 at 13:55
  • @JanDvorak: Yes, but at most it can fry the (isolated) power supply, nothing beyond it. (If you want to go crazy on this, you can optically isolate even the power (LED/PV power transfer).) – R.. GitHub STOP HELPING ICE Oct 19 '15 at 15:38
  • (+1) @MartinCarney Are you referring to the video from 1st of April? – kasperd Oct 19 '15 at 21:53
  • @kasperd Yup. Damn. – Martin Oct 19 '15 at 22:16
  • If you must check the USB pen, this attack can theoretically be prevented by using a [USB hub](https://en.wikipedia.org/wiki/USB_hub). Supposedly it will fry the hub, not the PC (a test would be useful though). – Armfoot Oct 22 '15 at 11:52
  • I'm not very electronics- or physics-savvy. Is the minus sign in "−220 volts" intentional? What does it mean? – Lynn Jan 22 '16 at 01:21
  • @Mauris To quote [the translated version of the article](https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F268421%2F) _"The "output" voltage, it is now 220 (strictly speaking, minus 220)."_ I could be entirely off, but I believe the minus refers to the direction of the current, in this case, sending 220 volts backwards into the pin that normally is sending +5 volts to the device (it may even be sending the current through one of the other TX ports). – IQAndreas Jan 27 '16 at 03:11
40

The "USB stick left outside the power plant" you are talking about sounds a lot like the Stuxnet affair. There was a surprising (and satisfying) amount of detail about the technical aspects in the book Countdown to Zero Day. If you are genuinely curious I would highly recommend reading it.

To give you a tl;dr for your question: it's not done with a script but rather with a file crafted on a lower level to exploit vulnerabilities in the way that the operating system handles USB drives. When you plug a USB drive into Windows, it will try to do helpful things like assess the file structure and see if there are any files you might particularly want to use, in order to give you a prompt to immediately access those files. While it doesn't intentionally execute any of the files directly, there are exploits to the way the OS scans the files that can be used to trick the operating system into executing code.

Jeff Meden
28

A famous example of what you are asking about is this advisory from Microsoft. The vulnerability referred to is triggered just by inserting the USB stick; no other interaction from the user is required. This is how the Stuxnet virus spread - see e.g. reports from Symantec and F-Secure.

psmears

  • (+2) Isn't that vulnerability patched for several years now? – Philipp Oct 16 '15 at 11:50
  • (+7) @Philipp: Besides that there are many unpatched systems out there (ATMs anyone?) what reason is there to believe that there aren't countless similar vulnerabilities that sell for millions on the black market... – PlasmaHH Oct 16 '15 at 13:05
  • (+2) @Philipp That exact vuln was patched in 2010, poorly. See http://www.extremetech.com/computing/200898-windows-pcs-vulnerable-to-stuxnet-attack-five-years-after-patches for the rest of the story. Attacks almost exactly like the one used by Stuxnet were possible until this year, and attacks that are similar but not discovered/patched yet are probably out there (for a price). – Jeff Meden Oct 16 '15 at 13:34
23

These kinds of approaches used to work, but due to the widespread spreading of viruses through pen drives, the autorun option on operating systems, which allowed USB devices to run when plugged in, was disabled.

Before that option was disabled, you could have an EXE file on a USB device that would execute when you plugged the USB into the computer. On recent operating systems the autorun option is disabled by default.

A USB device can be re-programmed to emulate a USB keyboard. When the USB device is plugged into the system, the operating system recognizes it as a USB keyboard. Or for a simpler alternative, you can obtain hardware created specifically for that purpose like @Philipp suggested.

This follows the principle of the duck test (adapted version from USB rubber ducky):

If it quacks like a keyboard and types like a keyboard, it must be a keyboard

USB keyboards have the rights of the logged-in user and can be used to inject malware into the operating system.

Peter Mortensen
pedromendessk

  • (+1) Here is an [example](http://security.stackexchange.com/questions/34009/i-found-a-virus-on-my-usb-stick-now-what). – Vorac Feb 12 '16 at 09:22
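As an added example that is not part of this answer or of any Windows tooling, here is the triage side of the autorun mechanism the answer describes: a Python parser for the historical Windows autorun.inf format (an [autorun] section of key=value lines, ';' comments, case-insensitive keys) that lists every directive which would have started a program back when AutoRun was still honoured for removable media, plus the cosmetic keys that shape what the AutoPlay prompt shows. The sample file content, including the file names in it, is constructed for this example; the directive names (open, shellexecute, shell\<verb>\command, icon, label, action) are the ones the format defines.

```python
"""Triage an autorun.inf taken from a removable volume.

Added example, not from the answer above: parses the Windows AutoRun format
and reports which directives would have launched a program and which ones
only dress the drive up for the AutoPlay dialog. Sample content is constructed.
"""
import re

# Directives that name a program to launch.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_VERB_RE = re.compile(r"shell\\[^\\]+\\command")   # e.g. shell\explore\command
# Keys that only change how the drive looks in Explorer / the AutoPlay dialog.
DISPLAY_KEYS = ("icon", "label", "action")

# Constructed sample: file names and label are placeholders, not a real sample.
SAMPLE_AUTORUN = r"""; constructed sample for this example
[AutoRun]
Open = launch\setup.exe
Icon = %SystemRoot%\system32\shell32.dll,4
Action = Open folder to view files
Label = Holiday Photos
shell\explore\command = launch\setup.exe -e
UseAutoPlay = 1
[Content]
MusicFiles = false
"""


def parse_autorun(text):
    """Return [(section, key, value)] for every key=value line inside an [autorun*] section."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")   # tolerate a BOM on the first line
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or not section.startswith("autorun"):
            continue   # [content] and other sections never launch anything
        key, sep, value = line.partition("=")
        if sep:
            entries.append((section, key.strip().lower(), value.strip()))
    return entries


def launch_directives(entries):
    """Directives that would have run a program: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(key, value) for _, key, value in entries
            if key in LAUNCH_KEYS or SHELL_VERB_RE.fullmatch(key)]


def display_directives(entries):
    """Keys that dress the drive up (e.g. a folder icon and an 'Open folder' caption)."""
    return {key: value for _, key, value in entries if key in DISPLAY_KEYS}


def triage(text):
    """Summarise one autorun.inf: what it would run and how it would present itself."""
    entries = parse_autorun(text)
    return {"launches": launch_directives(entries), "display": display_directives(entries)}


if __name__ == "__main__":
    report = triage(SAMPLE_AUTORUN)
    for key, value in report["launches"]:
        print(f"would run: {key} = {value}")
    for key, value in report["display"].items():
        print(f"display:   {key} = {value}")
```

Because current Windows versions ignore AutoRun on removable media by default, as the answer notes, the script tells you what a found drive was built to do rather than what it will do; the launch directives point you at the files worth examining, and the display keys show how the drive was meant to look to the person who plugged it in.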