USB flash while windows locked?


30 replies to this topic

#1 resertedlab

resertedlab

  • Members
  • 143 posts
  • OFFLINE
  •  
  • Local time:07:01 AM

Posted 08 September 2016 - 02:54 PM

Friends, let's assume someone plugs in a USB flash, any memory card or anything whatsoever while I am gone and my laptop (Dell Inspiron) is locked with a Windows password. I believe there is no way for anything to be installed in the locked state, am I right in this?

However, let's say I fail to notice the flash (especially if it's some tiny one), or let's say there is a CD or memory card inserted (someone put it in on purpose), and I unlock it and start working: can any bad spy program/keylogger or anything like that install instantly when I unlock, if the flash was plugged in while I was gone? Will any notification/pop-up or anything appear showing me something is being installed? I've never changed any options in the autorun settings, so does Windows 8 by default start autoplaying USB flashes when they are plugged in, or does it require specific changes to do that? I fear because I used to leave my laptop in a not so friendly environment a while ago. If you have any answers I will be glad :) Thanks


Edited by Chris Cosgrove, 08 September 2016 - 04:16 PM.
Moved from Win 8/8.1 to General Security



 


#2 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:05:01 PM

Posted 08 September 2016 - 05:51 PM

BadUSB: http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/

And, Make Your Own Bad USB. http://null-byte.wonderhowto.com/how-to/make-your-own-bad-usb-0165419/
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#3 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:10:01 PM

Posted 09 September 2016 - 09:36 AM

There is a simple solution to keep a flash drive from loading anything to your computer when it is started... disable autoplay.

 

1. Open the Charms bar (Windows key + C) > Settings.
2. Click on Change PC Settings > PC and devices.
3. Go to the Autoplay section.
4. Turn off the following option: "Use Autoplay for all media and devices".
 
This is your second topic on the same subject.    

Edited by dc3, 09 September 2016 - 09:43 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#4 resertedlab


Posted 09 September 2016 - 06:05 PM

Hi there, thanks for your response. The option is currently off. :) But do you know if its default state is to be off? I mean, when you install Windows/buy a laptop, is it turned off by default, or is it on, or is it different for each machine?


Edited by resertedlab, 09 September 2016 - 06:07 PM.


#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,720 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:01 AM

Posted 10 September 2016 - 04:27 PM

Friends, let's assume someone plugs in a USB flash, any memory card or anything whatsoever while I am gone and my laptop (Dell Inspiron) is locked with a Windows password. I believe there is no way for anything to be installed in the locked state, am I right in this?

 

No, your machine is not safe in locked state.

 

There's the recent USB-network-adapter attack Crazy Cat pointed to.

 

But there's also older stuff like Inception http://www.breaknenter.org/projects/inception/ and point-and-print http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 resertedlab


Posted 13 September 2016 - 09:21 AM

Thanks BC Advisor for that, I never knew it. Arch, my question was if there would be any signs of installation, any notification or anything else that will show something is being installed/transferred. I am not asking you what to do from now on, rather if I would have noticed if anything happened in the past.



#7 Didier Stevens


Posted 13 September 2016 - 03:25 PM

You mean pop-up dialogues that would show after the facts, for example when you log in again? No.




#8 resertedlab


Posted 13 September 2016 - 03:51 PM

No, I mean if the flash is set to autorun when plugged in, do you see anything like a loading bar that shows something is happening? Or can it install something with absolutely no notification? (I am talking about the normal case, not about that malware that can be installed even when locked.)


Edited by resertedlab, 13 September 2016 - 03:55 PM.


#9 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:03:01 PM

Posted 14 September 2016 - 07:50 PM

There is also falsifying the PnP GUID to make the USB appear to be a keyboard, which will load drivers even in the locked state!



#10 Didier Stevens


Posted 16 September 2016 - 03:52 AM

What OS are you using?




#11 resertedlab


Posted 16 September 2016 - 09:35 PM

Windows 8; I updated it to 8.1, but I believe that happened after I moved out of the apartment I shared with the evil roommates.

Just imagine the next scenario: while Windows is locked they plug in a small flash that is formatted to install some malware (a keylogger, for example) directly. Now I then come back home, open the lid, insert the Windows password and start working. To this day, every time I have ever plugged something in it always showed either a menu with different possible tasks (like open folder, run this or that), or, if it's something like a wireless mouse, some small window shows me the software installation. So that's basically what I am asking: will anything notify me that something starts happening the moment I sign in to my laptop :) Thanks for the responses again


Edited by resertedlab, 16 September 2016 - 09:42 PM.


#12 resertedlab


Posted 16 September 2016 - 09:42 PM

Johnny, I never knew that either .. Thanks



#13 Didier Stevens


Posted 18 September 2016 - 08:04 AM

Windows 8.1 disables autorun by default.

 

When the machine is unlocked, you get a popup to select what you want to do.

When the machine is locked, you get no popup. Autorun does not start the executable.




#14 resertedlab


Posted 18 September 2016 - 11:09 PM

Thanks Didier, that's what I wanted to know from the beginning. One last thing: does it apply to Windows 8 only (not 8.1)? Because I believe I updated it from 8 to 8.1 after I left the roommates, if my memory doesn't cheat on me :)



#15 JohnnyJammer


Posted 19 September 2016 - 07:15 PM

Johnny, I never knew that either .. Thanks

Yes, even in any locked state a Windows box can be exploited (this exploit does not use the AutoPlay feature) by reprogramming the microcontroller (Phison) on the USB drive and then falsifying the HID (let's say a keyboard) to execute the payload (keystrokes).

This can also be used to exploit Macs and Unix, Linux systems.

There was a USB stick that exploited multiple OSes a few years back that simply needed to be plugged in at any running state of the OS to execute the payload. This is why physical access to secure devices must be very limited.


Edited by JohnnyJammer, 19 September 2016 - 07:16 PM.
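
Added example, not part of any post in this thread: resertedlab asks whether a device plugged in earlier would have left any sign, and JohnnyJammer notes that a USB device presenting itself as a keyboard gets drivers loaded even while the machine is locked. Windows writes device installations to `C:\Windows\INF\setupapi.dev.log`, and this Python example lists the "Device Install" sections of such a log and picks out keyboard-class installs inside a time window. The sample log text, device IDs and function names are constructed for illustration, and a real log is far more verbose.

```python
import re
from datetime import datetime

# Keyboard device setup class GUID and the in-box keyboard INF name.
KEYBOARD_MARKERS = ("{4d36e96b-e325-11ce-bfc1-08002be10318}", "keyboard.inf")

HEADER = re.compile(r"^>>>\s+\[Device Install \((?P<how>[^)]*)\) - (?P<dev>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<st>[^\]]+)\]")

# Constructed, simplified sample in the section layout of setupapi.dev.log.
SAMPLE = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0000&PID_0001\\CONSTRUCTED01]
>>>  Section start 2016/09/08 14:10:02.120
     dvi: Class GUID of device: {36fc9e60-c465-11cf-8056-444553540000}
<<<  Section end 2016/09/08 14:10:03.500
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - HID\\VID_0000&PID_0002\\CONSTRUCTED02]
>>>  Section start 2016/09/08 14:10:04.010
     inf: Opened INF: 'keyboard.inf'
     dvi: Class GUID of device: {4D36E96B-E325-11CE-BFC1-08002BE10318}
<<<  Section end 2016/09/08 14:10:05.250
<<<  [Exit status: SUCCESS]
"""

def parse_installs(text):
    """Return one dict per 'Device Install' section in the log text."""
    installs, cur = [], None
    for line in text.splitlines():
        head, start, status = HEADER.match(line), START.match(line), STATUS.match(line)
        if head:
            cur = {"device": head["dev"], "trigger": head["how"],
                   "start": None, "status": None, "keyboard": False}
            installs.append(cur)
        elif cur is None:
            continue  # line belongs to a section type we do not track
        elif start:
            cur["start"] = datetime.strptime(start["ts"], "%Y/%m/%d %H:%M:%S")
        elif status:
            cur["status"] = status["st"]
            cur = None  # section closed
        elif any(mark in line.lower() for mark in KEYBOARD_MARKERS):
            cur["keyboard"] = True
    return installs

def keyboards_in_window(installs, begin, end):
    """Keyboard-class installs whose section started inside [begin, end]."""
    return [i for i in installs
            if i["keyboard"] and i["start"] and begin <= i["start"] <= end]
```

On a real machine, pass the contents of `C:\Windows\INF\setupapi.dev.log` to `parse_installs` and use the period the laptop was unattended as the window. A device that was already installed before does not normally produce a new section, so an empty result does not rule anything out.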




