Security assessment on USB Human Interface Device
The article aims to simulate a possible USB attack using a HID (human interface device). It is a proof of concept covering keyboard emulation, reading data from SD cards, creating a Python script that scans files and emails them, and ways to prevent USB hacking devices.
The article explains the Arduino keyboard exploit and its prevention in a detailed video. It provides an experiment that uses the materials listed below to build the device by assembling the components and uploading the necessary code.
Experiment purpose: using an Arduino device, you can emulate a mouse and/or keyboard to open a terminal (in Ubuntu Linux), write a small script that accesses the /Documents folder inside the user's home folder, copies the .txt files there, and emails them to someone.
1. Materials used:
- Arduino device
- Micro USB card reader
- A few GB SD card
- Pushbutton (VCC, ground and signal)
- Female-male and female-female jumper cables
- Micro USB to USB cable
2. Building the device
- Assemble the components
- Get the Arduino code
- Upload the code to the Arduino device
- Format the SD card (using FAT16 or FAT32)
- Copy the hack.txt file onto the card
- Edit the sender email and password and the receiver email address
- Remove the card and insert it into the arduino card reader
3. Get an insight of how attacks work
- When the button is pressed, the Arduino reads the SD card and finds the “hack.txt” file (the file contains keys, key combinations, and commands like “Command::”).
- The Arduino reads the file line by line, interprets the commands, and emulates the keys on the keyboard. In the provided example, “hack.txt” does the following:
  - opens a terminal (CTRL + ALT + T)
  - opens a Python file for creation using vi (writes “vi hack.py”)
  - writes a Python script that collects all text files inside the Documents folder of the home directory and sends them to a specified Gmail address
  - runs the file in the background (“nohup python hack.py &”)
  - deletes the file (rm -rf hack.py)
  - closes the terminal (ALT + F4)
- The Arduino will run this in a few seconds and it won’t leave traces
- The device opens a console and writes a small script that copies all .txt files in the \Documents folder, then sends them to an email address
The purpose of the experiment was to show that you can prevent these security issues by:
- Locking the computer while you’re away
- Disabling unused USB ports
- Disabling automatic installation of new USB devices
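A detection-side complement to the mitigations above, as an added example that is not from the original article: it scans Linux kernel log lines for newly bound USB HID keyboard interfaces and reports any whose vendor:product ID is not on an allowlist. The log lines, IDs, host name and allowlist are constructed for illustration.

```python
import re

# Line written by the Linux hid-generic driver when a USB HID interface binds:
# "<bus>:<vid>:<pid>.<n>: input,hidrawN: USB HID vX.YY <Kind> [<name>] on <port>"
HID_LINE = re.compile(
    r"hid-generic (?P<bus>[0-9A-Fa-f]{4}):(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w+: "
    r".*?USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

# Constructed sample lines (not captured from a real host); all IDs are made up.
SAMPLE_LOG = """\
Jan 30 09:00:01 ws1 kernel: hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.11 Keyboard [Example Corp Desk Keyboard] on usb-0000:00:14.0-1/input0
Jan 30 09:00:01 ws1 kernel: hid-generic 0003:AAAA:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Example Corp Mouse] on usb-0000:00:14.0-3/input0
Jan 30 12:41:17 ws1 kernel: hid-generic 0003:BBBB:0009.0007: input,hidraw3: USB HID v1.01 Keyboard [Generic Dev Board] on usb-0000:00:14.0-2/input2
""".splitlines()

# Hypothetical allowlist: keyboards issued with this workstation.
# VID/PID are self-reported by the device, so a match is only a weak signal;
# the value of the check is surfacing keyboards nobody expected to appear.
KNOWN_KEYBOARDS = {"aaaa:0001"}


def unexpected_keyboards(lines, allowlist=KNOWN_KEYBOARDS):
    """Return one finding per keyboard-class HID interface not on the allowlist."""
    findings = []
    for line in lines:
        m = HID_LINE.search(line)
        if not m or m["kind"].lower() != "keyboard":
            continue  # not a HID bind line, or a mouse/other HID class
        dev_id = f"{m['vid']}:{m['pid']}".lower()
        if dev_id not in allowlist:
            findings.append({
                "id": dev_id,
                "name": m["name"],
                "port": m["port"],
                "when": line.split(" kernel:")[0],  # syslog timestamp + host
            })
    return findings


if __name__ == "__main__":
    for f in unexpected_keyboards(SAMPLE_LOG):
        print(f"ALERT {f['when']}: new keyboard {f['id']} ({f['name']}) on {f['port']}")
```

A second keyboard appearing mid-session, as in the last sample line, is the event worth alerting on for a device like the one described here.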
Article date: Jan 30, 2018