
USB Device Safety



#1 Slurppa (Malware Study Hall Senior, 658 posts)

Posted 05 August 2015 - 01:12 AM

Hello everyone

 

I have a topic/question that has been on my mind for a while now.

I was browsing through the flea market electronics section one day and I noticed this pretty new keyboard. I looked at the specifications and it even had an ARM processor. It was pretty cheap too. This however raised my general question about the safety of these devices. I don't know much about how USB communicates with hardware so correct me if I state something wrong.

 

Using a keyboard as the point of reference (I think this might apply to almost every USB device), how easy would it be to modify this keyboard to do malicious actions (motives aside)? I would imagine that the easiest way would be modifying the keyboard's firmware.

 

So let's say I plug this keyboard into my PC. It's Windows 7 32-bit. I can imagine at least two scenarios:

 

Keyboard plugged while PC is off and then is turned on

 

At this point there is no OS managing the hardware so the malicious keyboard is communicating with the CPU directly (correct me if I'm wrong). You can install a new OS from USB so you must have access to the hard disk at this point, so you could, for example, plant a rootkit there for the kernel to load. Or just wipe the whole disk for fun.

 

Keyboard plugged while PC is on(OS is loaded)

 

Would this make a difference compared to the first scenario or does the OS interfere in some way? The OS detects new devices, so the device might disguise itself somehow or just register itself as a keyboard and let the OS set up a generic driver for it. If a generic driver were the case, could this device still do whatever it wants?

 

Detection

 

How could one check if a device is malicious? I imagine that there must be at least some way to create a sandbox which communicates with the device and checks what instructions it sends. However, this type of dynamic analysis does not always yield the best results. Is there some way to perform static analysis on a possibly harmful USB device?
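How the OS decides what a newly plugged-in device is, which the post above asks about, comes down to the USB descriptors the device presents at enumeration: an interface of HID class with the boot-keyboard subclass/protocol gets the generic keyboard driver, and one physical device may present several interfaces at once (keyboard plus mass storage, keyboard plus network adapter). The following is an added example, not code from the original post or from any vendor, that parses a configuration descriptor and flags interfaces a plain keyboard has no reason to carry. The two descriptor blobs are constructed for the example, and the "more than two HID interfaces" threshold is an assumption.

```python
"""Inspect a USB configuration descriptor and flag interfaces that a plain
keyboard has no reason to expose (mass storage, network/serial, extra HID).

Descriptor layouts follow USB 2.0 chapter 9.  The two sample blobs at the
bottom are constructed for this example, not captured from any product.
"""
import struct

CONFIG_DESC, INTERFACE_DESC, ENDPOINT_DESC, HID_DESC = 0x02, 0x04, 0x05, 0x21
HID_CLASS, CDC_CLASS, MASS_STORAGE_CLASS = 0x03, 0x02, 0x08
BOOT_KEYBOARD = (0x01, 0x01)          # HID subclass=boot, protocol=keyboard
MAX_HID_INTERFACES = 2                # assumption: keyboard + media keys


def parse_interfaces(blob):
    """Walk a configuration descriptor blob; return interface descriptors as
    (bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)."""
    if len(blob) < 9 or blob[0] != 9 or blob[1] != CONFIG_DESC:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]          # wTotalLength
    if total > len(blob):
        raise ValueError("wTotalLength %d exceeds buffer %d" % (total, len(blob)))
    ifaces, off = [], 0
    while off + 2 <= total:
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > total:
            raise ValueError("malformed descriptor at offset %d" % off)
        if dtype == INTERFACE_DESC and length >= 9:
            num, _alt, _n_ep, cls, sub, proto = blob[off + 2:off + 8]
            ifaces.append((num, cls, sub, proto))
        off += length                                      # skips HID/endpoint/other descriptors
    return ifaces


def assess_keyboard(blob):
    """Findings for a device sold as a keyboard; an empty list means it looks plain."""
    ifaces = parse_interfaces(blob)
    findings = []
    if not any(c == HID_CLASS and (s, p) == BOOT_KEYBOARD for _, c, s, p in ifaces):
        findings.append("no boot-protocol keyboard interface")
    classes = {c for _, c, _, _ in ifaces}
    if MASS_STORAGE_CLASS in classes:
        findings.append("exposes mass storage")
    if CDC_CLASS in classes:
        findings.append("exposes a CDC (network/serial) interface")
    hid = sum(1 for _, c, _, _ in ifaces if c == HID_CLASS)
    if hid > MAX_HID_INTERFACES:
        findings.append("%d HID interfaces" % hid)
    return findings


# --- helpers that build the constructed sample descriptors -------------------
def iface(num, cls, sub, proto, n_ep):
    return bytes([9, INTERFACE_DESC, num, 0, n_ep, cls, sub, proto, 0])

def endpoint(addr, attr=0x03, max_packet=8, interval=10):
    return struct.pack("<BBBBHB", 7, ENDPOINT_DESC, addr, attr, max_packet, interval)

def hid_desc(report_len=63):
    return struct.pack("<BBHBBBH", 9, HID_DESC, 0x0111, 0, 1, 0x22, report_len)

def config(*interface_blocks):
    body = b"".join(interface_blocks)
    head = struct.pack("<BBHBBBBB", 9, CONFIG_DESC, 9 + len(body),
                       len(interface_blocks), 1, 0, 0xA0, 50)
    return head + body

# an ordinary boot-protocol keyboard: one HID interface, one interrupt-IN endpoint
PLAIN_KEYBOARD = config(
    iface(0, HID_CLASS, 1, 1, 1) + hid_desc() + endpoint(0x81))
# the same keyboard plus a hidden SCSI/bulk-only mass-storage interface
BADUSB_COMPOSITE = config(
    iface(0, HID_CLASS, 1, 1, 1) + hid_desc() + endpoint(0x81),
    iface(1, MASS_STORAGE_CLASS, 0x06, 0x50, 2)
    + endpoint(0x82, 0x02, 512) + endpoint(0x02, 0x02, 512))
```

On Linux the raw bytes are in /sys/bus/usb/devices/<dev>/descriptors (the file starts with the 18-byte device descriptor, so pass data[18:] to parse_interfaces); on Windows, USBView from the SDK shows the same fields. This catches a device that advertises extra interfaces. A device whose firmware simply types, using nothing but ordinary keyboard-class traffic, is indistinguishable from a real keyboard at this layer.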

 




 


#2 TsVk! (penguin farmer, Members, 6,236 posts, The Antipodes)

Posted 05 August 2015 - 02:59 AM

Let's not over-complicate it.

 

It is possible to add memory to a keyboard to host malware, though prohibitively expensive considering the likely reward. Extremely unlikely unless you are being targeted specifically for valuable information (i.e. military, research, etc.).

 

If you wanted to be sure that no application from outside your system could run on your system you can always set up a restricted execution policy (i.e. only executables in the Program Files and Windows directories are allowed to execute). This also stops most malware. An easy way to implement this is with CryptoPrevent, if you don't want to get into all the fun and games of creating group policy and local policy objects.

 

To eliminate the possibility of second-hand USB storage devices infecting your Windows system with malware, simply turn off Autorun/Autoplay and format the USB devices before using them.

 

TsVk!


Edited by TsVk!, 05 August 2015 - 03:09 AM.
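The two controls in the post above (a Software Restriction Policy that only allows executables under Program Files and Windows, and AutoRun switched off) can be applied without the Group Policy editor by importing a .reg file. The following is an added example that generates such a file; it is not CryptoPrevent's code or anything from the original post. The key and value names are the SRP layout Windows stores under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers and the Explorer NoDriveTypeAutoRun policy value; the rule GUIDs are arbitrary and the extension list is SRP's default "designated file types".

```python
"""Emit a .reg file that applies two controls: a Software Restriction Policy
with a Disallowed default plus Unrestricted path rules for %ProgramFiles% and
%SystemRoot%, and AutoRun disabled for every drive type.

Key/value names follow the SRP layout under
HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers.  The rule
GUIDs are arbitrary.  Review the output and import it on a test machine first.
"""
import uuid

SAFER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
EXPLORER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
LEVEL_DISALLOWED, LEVEL_UNRESTRICTED = 0x00000, 0x40000
DEFAULT_ALLOWED = (r"%ProgramFiles%", r"%SystemRoot%")   # add %ProgramFiles(x86)% on 64-bit
# SRP's default "designated file types": extensions it treats as executable code.
EXECUTABLE_TYPES = ("ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP LNK "
                    "MDB MDE MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC").split()


def utf16_hex(strings):
    """Comma-separated hex of NUL-terminated UTF-16LE strings, as .reg hex(...) expects."""
    data = b"".join((s + "\0").encode("utf-16-le") for s in strings)
    return ",".join("%02x" % b for b in data)


def reg_dword(name, value):
    return '"%s"=dword:%08x' % (name, value)


def reg_expand_sz(name, text):            # REG_EXPAND_SZ is hex(2) in .reg syntax
    return '"%s"=hex(2):%s' % (name, utf16_hex([text]))


def reg_multi_sz(name, strings):          # REG_MULTI_SZ is hex(7); list ends with an extra NUL
    return '"%s"=hex(7):%s' % (name, utf16_hex(list(strings) + [""]))


def lockdown_reg(allowed_paths=DEFAULT_ALLOWED, guids=None):
    """Return the full .reg text.  guids may be supplied for reproducible output."""
    guids = guids or [str(uuid.uuid4()) for _ in allowed_paths]
    lines = ["Windows Registry Editor Version 5.00", "",
             "[%s]" % SAFER,
             reg_dword("DefaultLevel", LEVEL_DISALLOWED),
             reg_dword("TransparentEnabled", 1),     # 1 = all files except DLLs, 2 = incl. DLLs
             reg_dword("PolicyScope", 0),            # 0 = all users, 1 = everyone but admins
             reg_multi_sz("ExecutableTypes", EXECUTABLE_TYPES),
             ""]
    for path, guid in zip(allowed_paths, guids):
        # each Unrestricted path rule lives under <level>\Paths\{guid}
        lines += ["[%s\\%d\\Paths\\{%s}]" % (SAFER, LEVEL_UNRESTRICTED, guid),
                  '"Description"="allow %s"' % path,
                  reg_expand_sz("ItemData", path),
                  reg_dword("SaferFlags", 0),
                  ""]
    lines += ["[%s]" % EXPLORER,
              reg_dword("NoDriveTypeAutoRun", 0xFF),  # one bit per drive type; 0xFF = all off
              ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    with open("lockdown.reg", "w", newline="") as fh:
        fh.write(lockdown_reg())
```

Inspect lockdown.reg before importing it with regedit, and try it on a test machine: with a Disallowed default anything outside the two paths, including portable tools on the desktop or in %APPDATA%, stops launching, and on 64-bit Windows %ProgramFiles(x86)% needs its own rule. SRP constrains what Windows will start; it says nothing about what a device's firmware does.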


#3 Slurppa (Topic Starter, Malware Study Hall Senior, 658 posts)

Posted 05 August 2015 - 04:17 AM

TsVk! wrote:

    Let's not over-complicate it.

    It is possible to add memory to a keyboard to host malware, though prohibitively expensive considering the likely reward. Extremely unlikely unless you are being targeted specifically for valuable information (i.e. military, research, etc.).

    If you wanted to be sure that no application from outside your system could run on your system you can always set up a restricted execution policy (i.e. only executables in the Program Files and Windows directories are allowed to execute). This also stops most malware. An easy way to implement this is with CryptoPrevent, if you don't want to get into all the fun and games of creating group policy and local policy objects.

    To eliminate the possibility of second-hand USB storage devices infecting your Windows system with malware, simply turn off Autorun/Autoplay and format the USB devices before using them.

    TsVk!

 

Your points are valid but this was more like a hypothetical scenario. Yet you did raise more questions: do prevention mechanisms like disabling Autorun and Autoplay prevent you from getting infected if the malware resides in firmware? If the device manages to get its code executed I would believe it is going to be in kernel mode, so it would be considered a rootkit. I doubt execution policies would help there.

And formatting USB devices won't clear infected firmware as far as I know. But in general, good advice.

Sorry if my text wasn't clear enough.



#4 TsVk! (penguin farmer, Members, 6,236 posts, The Antipodes)

Posted 05 August 2015 - 04:46 AM

Firmware infected devices are like evil unicorns and must be treated as such. Even though they exist almost no one has seen one, and they are each enabled with their own magical powers and need to be treated individually. There is no "general" answer for something that is so very specific.

 

Whether or not disabling autorun and adding GPOs would prevent the infection would depend on the theoretical infection and how/which vulnerabilities it targets... we would need to catch the unicorn first to know what powers it has.

 

Sorry to drop into analogies here. But I don't believe there exists a definitive answer for your question.



#5 rp88 (Members, 3,061 posts)

Posted 06 August 2015 - 12:40 PM

I can suggest the following: a keyboard could be modified to contain a hardware keylogger in such a way that nothing on the computer could ever detect what was going on. The keylogger could be fitted by physically placing a second switch under each key and wiring these into a totally separate electronic system. This system could be powered by built-in batteries, or it could probably draw its power from the computer without arousing any suspicion. There would be no software at all which could detect this; however well secured an OS was, this could record the keystrokes, then maybe transmit them away with a built-in radio transmitter of some sort.


Similarly, using only hardware methods, and almost entirely electronically isolated from the computer, a system designed to send malicious keystrokes could be built in. It would be possible to build a part into the keyboard which could send keystrokes along the wire into the computer, and they would look exactly like real keystrokes coming from the keyboard. This could be triggered by some sort of system built into the keyboard, entirely electronically isolated from the computer, which had sensors under the keys and a built-in clock with instructions like "wait until a period of 10 minutes passes without any keystrokes being made, then activate the function to send a series of malicious keystrokes to the computer."


Neither is all that likely, but both could be built (even combined into one system) and could be undetectable, because the keylogger could be entirely electronically isolated from the computer (or it could be connected only in the sense of drawing power, and not in any data-exchanging sense), and the malicious keystroke generator could be isolated except for some wiring to allow it to send key presses to the computer without any key presses actually occurring. Neither relies on software or hardware vulnerabilities; instead each would simply be using an extra part or two to perform its functions, whilst appearing to the computer to be a normal keyboard. Either could be built fairly simply, though miniaturising this equipment to fit it all within the keyboard's housing could be tricky.

Edited by rp88, 06 August 2015 - 12:41 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
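The injector design described in the post above (an idle timer, then a scripted run of key presses sent down the same wire) leaves a trace the host can observe even though the device is electrically just a keyboard: keystrokes arriving far faster and more evenly than a person types, immediately after a long silence. The following is an added example, not code from the original post, that scans a keystroke log for such runs. The log is constructed for the example, and the 30 ms and 12-key thresholds are assumptions to tune per environment.

```python
"""Flag keystroke runs too fast and too regular to be human, the trace left by
a HID injector that 'types' a scripted payload.  The sample log at the bottom
is constructed for this example; the thresholds are assumptions.
"""
from dataclasses import dataclass
import random

HUMAN_MIN_GAP_S = 0.030     # assumption: sustained gaps under 30 ms are not typing
MIN_BURST_KEYS = 12         # assumption: shorter fast runs are ignored (auto-repeat, chords)


@dataclass
class Burst:
    start_index: int        # index of the first injected key in the event list
    length: int             # keys in the run
    mean_gap_s: float       # average inter-key interval inside the run
    idle_before_s: float    # silence preceding the run (0 if the run opens the log)


def find_injection_bursts(events, min_gap=HUMAN_MIN_GAP_S, min_keys=MIN_BURST_KEYS):
    """events: list of (timestamp_seconds, key) in time order.
    Returns one Burst per run of >= min_keys keys whose gaps are all < min_gap."""
    bursts, run_start, last = [], None, len(events) - 1
    for i in range(1, len(events)):
        gap = events[i][0] - events[i - 1][0]
        if gap < 0:
            raise ValueError("events are not sorted by time")
        fast = gap < min_gap
        if fast and run_start is None:
            run_start = i - 1                     # the key before this gap opened the run
        if run_start is not None and (not fast or i == last):
            end = i if fast else i - 1            # inclusive index of the run's last key
            length = end - run_start + 1
            if length >= min_keys:
                idle = events[run_start][0] - events[run_start - 1][0] if run_start else 0.0
                mean = (events[end][0] - events[run_start][0]) / (length - 1)
                bursts.append(Burst(run_start, length, mean, idle))
            run_start = None
    return bursts


HUMAN_TEXT = "the quick brown fox jumps over the lazy dog"
PAYLOAD = "cmd /c echo injected by keyboard"   # stands in for whatever an injector would type
IDLE_S = 600.0                                 # the ten-minute trigger described above


def make_sample_log(seed=7):
    """Constructed log: a person typing at 80-300 ms per key, ten minutes of
    silence, then the payload arriving at a fixed 5 ms per key."""
    rng = random.Random(seed)
    events, t = [], 0.0
    for ch in HUMAN_TEXT:
        t += rng.uniform(0.080, 0.300)
        events.append((t, ch))
    t += IDLE_S
    for ch in PAYLOAD:
        t += 0.005
        events.append((t, ch))
    return events


if __name__ == "__main__":
    for b in find_injection_bursts(make_sample_log()):
        print("burst of %d keys at index %d, %.1f ms/key, after %.0f s idle"
              % (b.length, b.start_index, b.mean_gap_s * 1000, b.idle_before_s))
```

A real feed would come from a keyboard hook, ETW keyboard events or evdev timestamps rather than a constructed list, and the thresholds must be checked against a site's own typing data: key auto-repeat, fast typists and macro keys all produce short fast runs, which is why a minimum run length is required before alerting, and an injector that deliberately paces itself at human speed will not be caught by timing alone.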

#6 Didier Stevens (BC Advisor, 2,719 posts)

Posted 09 August 2015 - 02:22 PM


Slurppa wrote:

    Using a keyboard as the point of reference (I think this might apply to almost every USB device), how easy would it be to modify this keyboard to do malicious actions (motives aside)? I would imagine that the easiest way would be modifying the keyboard's firmware.

 

 

Very easy. There are keylogger modules for sale that you embed inside a keyboard, example: https://www.keelog.com/hardware_keyboard_logger.html

 

AFAIK, there is no way to detect this besides opening and inspecting the keyboard.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"




