
posted by martyb on Saturday December 20 2014, @02:57PM
from the physical-access-FTW dept.

boing boing brings us - Usbdriveby: horrifying proof-of-concept USB attack

Samy Kamkar has a proof-of-concept attack through which he plugs a small USB stick into an unlocked Mac OS X machine and then quickly and thoroughly compromises the machine, giving him total, stealthy control over the system in seconds, even reprogramming the built-in firewall to blind it to its actions.

Unlike most hacks, this one is visually pretty spectacular, since the attack emulates a keyboard and mouse, making windows appear and disappear at speed, while phantom words appear in the terminal and a phantom hand clicks the mouse on interface items deep in the OS.

  • (Score: 0) by Anonymous Coward on Saturday December 20 2014, @03:05PM

    by Anonymous Coward on Saturday December 20 2014, @03:05PM (#127750)

    etc. etc.

    • (Score: 1) by Ethanol-fueled on Saturday December 20 2014, @04:34PM

      by Ethanol-fueled (2792) on Saturday December 20 2014, @04:34PM (#127768) Homepage

      I did this years ago as an end-run around the fact that the IT department of my then-employer wouldn't allow me access to the database/API. I used the Java Robot [oracle.com] to automate mouse clicks and fill the database's front-end fields based on routines I had programmed (routine "fault X" would order part number Y and part number Z etc.)

      Since it was essentially blind to what it was doing, its successful operation depended on the window of the application placed exactly on the upper left corner of the raster, and calculating all of the mouse positions was a tedious matter of trial and error.

      Of all the shit people are talking in this discussion about how unremarkable it is, well, did you think of this? In my current job I developed a test to identify a serious known issue in one of their most important products. Later, during an internal job interview for a better position, I was grilled about it: "So all you did was change a few commands?" and I replied, "Yeah, but I was the first to get the idea and do it."

      Kudos to the hacker and his Rube Goldberg hack.

      • (Score: 2) by Fnord666 on Saturday December 20 2014, @06:21PM

        by Fnord666 (652) on Saturday December 20 2014, @06:21PM (#127784) Homepage

        Of all the shit people are talking in this discussion about how unremarkable it is, well, did you think of this?

        Yes, yes I did, or near enough. I built a small dongle that emulates a keyboard and mouse that you can plug into a co-worker's computer. Every so often it adds a character, deletes a character, or nudges the mouse. Loads of fun on April Fool's Day.

    • (Score: 2) by emg on Saturday December 20 2014, @08:41PM

      by emg (3464) on Saturday December 20 2014, @08:41PM (#127821)

      1. Build this backdoor into every phone your Chinese company manufactures.
      2. Sit back and watch the fun as people plug them into their corporate PCs to recharge.

      • (Score: 2) by Fnord666 on Saturday December 20 2014, @10:34PM

        by Fnord666 (652) on Saturday December 20 2014, @10:34PM (#127849) Homepage

        1. Build this backdoor into every phone your Chinese company manufactures.
        2. Sit back and watch the fun as people plug them into their corporate PCs to recharge.

        That's why you use a "charge only" USB cable if you aren't actually syncing with the computer.

        • (Score: 2) by davester666 on Sunday December 21 2014, @04:04AM

          by davester666 (155) on Sunday December 21 2014, @04:04AM (#127913)

          Are you kidding? People would be calling tech support all the time over how their phone can't connect to their computer anymore.

          If you need to charge your phone at work, and it's your personal phone, bring your own charger to work.

  • (Score: 2) by NotSanguine on Saturday December 20 2014, @03:20PM

    by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Saturday December 20 2014, @03:20PM (#127755) Homepage Journal

    That would seem to defeat the purpose of a stealth hack, no?

    Also, why would a script pasting text, opening and closing windows and making config changes be "spectacular"? I thought *I* was easily amused.

    If Cory Doctorow is really impressed by such things, he could learn a little perl, VB or any number of other scripting languages to do similar stuff. Ooh, look! Shiny!

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 3, Insightful) by Nerdfest on Saturday December 20 2014, @03:30PM

      by Nerdfest (80) on Saturday December 20 2014, @03:30PM (#127757)

      It would also be a lot more impressive with a *locked* machine.

    • (Score: 0) by Anonymous Coward on Saturday December 20 2014, @04:37PM

      by Anonymous Coward on Saturday December 20 2014, @04:37PM (#127769)

      What part of proof-of-concept makes you think it's trying to be a stealth hack?

      • (Score: 2) by NotSanguine on Saturday December 20 2014, @07:11PM

        by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Saturday December 20 2014, @07:11PM (#127792) Homepage Journal

        What part of proof-of-concept makes you think it's trying to be a stealth hack?

        The TFS:

        Samy Kamkar has a proof-of-concept attack through which he plugs a small USB stick into an unlocked Mac OS X machine and then quickly and thoroughly compromises the machine, giving him total, stealthy control over the system in seconds, even reprogramming the built-in firewall to blind it to its actions. [Emphasis Added]

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr
        • (Score: 2) by Immerman on Saturday December 20 2014, @07:15PM

          by Immerman (3985) on Saturday December 20 2014, @07:15PM (#127793)

          Which, as I read it, only claims the *control* is stealthy, not the initial attack.

    • (Score: 2) by sjames on Saturday December 20 2014, @07:55PM

      by sjames (2882) on Saturday December 20 2014, @07:55PM (#127805) Journal

      With the delays removed, it certainly speeds things up and reduces the chances of being caught.

    • (Score: 2) by metamonkey on Monday December 22 2014, @04:24PM

      by metamonkey (3174) on Monday December 22 2014, @04:24PM (#128372)

      I wanted to watch the video, but going to boingboing made Ghostery and NoScript light up like Christmas trees. Jesus, Cory, for a "free culture" guy, you sure like to gangbang my browser for visiting your site.

      --
      Okay 3, 2, 1, let's jam.
  • (Score: 2) by FatPhil on Saturday December 20 2014, @03:50PM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Saturday December 20 2014, @03:50PM (#127760) Homepage

    Samy is my hero

    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 4, Insightful) by iwoloschin on Saturday December 20 2014, @04:01PM

    by iwoloschin (3863) on Saturday December 20 2014, @04:01PM (#127762)

    So this is pretty neat, sure, but it's not really news. Once again, physical access to a machine results in a compromised machine.

    Here's a few steps that might help.

    1) Never leave your machine unlocked. If you've got a lockscreen up, unless they know your password, this gizmo isn't doing much.
    2) Change the hot keys used. This is basically a script that relies on defaults, make Spotlight/Alfred/etc use some weird key combo that isn't default, and this gizmo fails again.
    3) This is harder, but I bet you could find a way to require external devices be authenticated. Maybe this is a great excuse for a new Linux kernel? On a laptop at least, there's no reason to automatically trust an external keyboard/mouse, though that could get a bit confusing on a desktop.

    I've done some work with USB manipulation, and basically had a similar idea to this years ago, but never pursued it because it's easy to defeat.

    • (Score: 2, Insightful) by daver!west!fmc on Saturday December 20 2014, @08:26PM

      by daver!west!fmc (1391) on Saturday December 20 2014, @08:26PM (#127815)

      Being logged in as a "Standard" user (i.e. not in group "admin") should frustrate this attack too: I think System Preferences will then require an "Admin" user's name and password to permit changes to DNS settings.

      Apple's initial out-of-box setup script sets that first user up as an "Admin" user, so if you are the unboxer and the day-to-day user, you actually need to take steps to make sure your day-to-day login user is "Standard", and most folks don't.

      • (Score: 2) by frojack on Saturday December 20 2014, @09:07PM

        by frojack (1554) on Saturday December 20 2014, @09:07PM (#127832) Journal

        Apple's initial out-of-box setup script sets that first user up as an "Admin" user,

        If true, that is spectacularly dumb. (Microsoft-ish even).

        Many 'buntu distro clones set up the first users as sudoers. But they STILL need to key in their own password to start sudo tasks.
        Simply stumbling upon a machine that is unlocked should NOT be sufficient.

        Other Distros require roots password to use sudo in the default configuration.

        That he delivered this on a USB may or may not be significant. If he had to type anything it's not significant. If merely inserting the USB stick was sufficient, then OS X has some other serious problems.

        --
        No, you are mistaken. I've always had this sig.
        • (Score: 2) by Foobar Bazbot on Sunday December 21 2014, @01:59AM

          by Foobar Bazbot (37) on Sunday December 21 2014, @01:59AM (#127872) Journal

          AIUI, it looks like a USB stick, but acts like a keyboard (i.e. USB HID), automatically entering a preplanned sequence of keystrokes and clicks. So it does activate on insertion, without requiring the user to press any keys, but it also can't do anything you couldn't do with mouse and keyboard. (It can't e.g. unlock a locked computer.)

          There's really no absolute defense against this sort of attack that won't also make life difficult if you try plugging in a random USB keyboard, perhaps because your old keyboard died. However, it's easily controlled by the same methods (screensaver locking, requiring password for privilege escalation) used to control direct access, and by a basic awareness of the threat random/untrusted USB devices may pose.
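          One defensive check that fits iwoloschin's steps above and the HID-replay mechanism described here: a device replaying a preplanned keystroke sequence types far faster than a person, so sustained sub-30 ms inter-key gaps are a usable signal. This is an added example, not code from the discussion or from Samy Kamkar's project; the key-down log is constructed and the thresholds are assumptions to be tuned against real typing data.

```python
# Added example, not from the discussion: a simple detector for keystroke
# bursts that are too fast for a human, one heuristic for spotting a USB HID
# device replaying a preplanned sequence. Thresholds are assumptions.

# Constructed key-down log, "ts_ms KEYNAME": a human typing "ls<Enter>",
# then a device opening Spotlight (Cmd+Space) and typing "term<Enter>".
SAMPLE_LOG = """\
1000 KEY_L
1210 KEY_S
1400 KEY_ENTER
5000 KEY_LEFTMETA
5004 KEY_SPACE
5016 KEY_T
5024 KEY_E
5032 KEY_R
5040 KEY_M
5048 KEY_ENTER
"""

def parse_presses(log: str) -> list[tuple[int, str]]:
    """Return (timestamp_ms, key) pairs in log order, skipping blank lines."""
    presses = []
    for line in log.splitlines():
        if line.strip():
            ts, key = line.split()
            presses.append((int(ts), key))
    return presses

def find_injection_bursts(log: str, max_gap_ms: int = 30, min_presses: int = 6):
    """Group consecutive key-downs separated by less than max_gap_ms; any group
    of at least min_presses keys is reported as (start_ms, end_ms, key_count).
    Sustained sub-30 ms inter-key gaps are far below ordinary typing speed."""
    bursts, run = [], []
    for ts, key in parse_presses(log):
        if run and ts - run[-1][0] >= max_gap_ms:
            # Gap looks human: close the current run and report it if long enough.
            if len(run) >= min_presses:
                bursts.append((run[0][0], run[-1][0], len(run)))
            run = []
        run.append((ts, key))
    if len(run) >= min_presses:
        bursts.append((run[0][0], run[-1][0], len(run)))
    return bursts

if __name__ == "__main__":
    for start, end, count in find_injection_bursts(SAMPLE_LOG):
        print(f"suspected injected burst: {count} keys in {end - start} ms "
              f"starting at t={start} ms")
```

          On the constructed log the three human keystrokes are ignored and the seven-key Spotlight sequence is reported as one burst.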

          • (Score: 3, Insightful) by frojack on Sunday December 21 2014, @03:08AM

            by frojack (1554) on Sunday December 21 2014, @03:08AM (#127894) Journal

            If you watch the video, there is one fatal flaw that OS X has that allows this whole thing to work, and that was the ability to change the DNS servers without entering a password, by using a portion of the graphical interface which, for some reason, didn't require a password.

            So you see, it's right back to where we started: possession of the machine, AND root escalation due to a bug or oversight in the system.

            Given possession of the machine it probably would have been easier to boot into single user recovery mode, and simply install the exploit that way.

            --
            No, you are mistaken. I've always had this sig.
        • (Score: 1) by daver!west!fmc on Sunday December 21 2014, @07:55AM

          by daver!west!fmc (1391) on Sunday December 21 2014, @07:55AM (#127955)

          It's how OS X rolls. Group "admin" isn't quite uid 0, but has write access to /Applications (the usual place for installing first- and third-party Mac apps) and is permitted in /etc/sudoers. I think System Preferences and its pages are aware of the distinction and users in group "admin" don't need to authenticate to change network settings. Users not in group "admin" wanting to make those changes have to first click a lock icon in lower left to make changes, and supply a user name and password for a user in group "admin".

          His USB delivery vehicle is posing as USB keyboard and USB mouse, so it does all the UI manipulation including typing.

          • (Score: 2) by frojack on Sunday December 21 2014, @09:02PM

            by frojack (1554) on Sunday December 21 2014, @09:02PM (#128119) Journal

            It's how OS X rolls.

            So broken by design.
            Anything that can play back keystrokes can own the machine given a few seconds of possession without any password.
            Good to know, Better to avoid.

            --
            No, you are mistaken. I've always had this sig.
            • (Score: 0) by Anonymous Coward on Monday December 22 2014, @01:01PM

              by Anonymous Coward on Monday December 22 2014, @01:01PM (#128302)

              Then Linux is broken too. The USB stuff can pretend to be a mouse[1] and keyboard, and pwn the user.

              pwning root might be a bit harder (not much just alias sudo etc), but in this day and age, pwning the user is more than good enough to do what most attackers want to do.

              [1] Could jiggle the mouse every X minutes between going home time to midnight to prevent the screensaver from ever triggering. If you can squeeze a cheap microphone/accelerometer in to help detect inactivity that's even better.
              • (Score: 2) by frojack on Monday December 22 2014, @08:25PM

                by frojack (1554) on Monday December 22 2014, @08:25PM (#128460) Journal

                Then Linux is broken too. The USB stuff can pretend to be a mouse[1] and keyboard, and pwn the user.

                Not any Linux I am aware of. They all require a password before allowing changes to system settings.
                I've obviously not tried every single distro out there, but every one I've tried requires a password to change system settings, either root, or the users' password (who must be a member of wheel or admin).

                --
                No, you are mistaken. I've always had this sig.
        • (Score: 1) by neleai on Sunday December 21 2014, @10:01AM

          by neleai (4923) on Sunday December 21 2014, @10:01AM (#127980)

          Apple's initial out-of-box setup script sets that first user up as an "Admin" user,

          If true, that is spectacularly dumb. (Microsoft-ish even).

          Many 'buntu distro clones set up the first users as sudoers. But they STILL need to key in their own password to start sudo tasks.
          Simply stumbling upon a machine that is unlocked should NOT be sufficient.

          Which is dumb, as one expects from Ubuntu.

          It provides zero protection when one stumbles on a machine. The attacker just adds


          alias sudo='sudo install_rootkit'

          Or alias sudo to a keylogger to get the password that makes him root.

          There are jokes like the following FAQ:

          Q: How do I hack ubuntu server?
          A: test
          test
          sudo
          test

          • (Score: 0) by Anonymous Coward on Monday December 22 2014, @01:11AM

            by Anonymous Coward on Monday December 22 2014, @01:11AM (#128188)

            I guess it might work if your root password was 'test'

            otherwise I don't get the joke

            also, who in their right mind uses Ubuntu for a server?

  • (Score: 0) by Anonymous Coward on Saturday December 20 2014, @04:11PM

    by Anonymous Coward on Saturday December 20 2014, @04:11PM (#127765)

    What?

  • (Score: 0) by Anonymous Coward on Saturday December 20 2014, @04:39PM

    by Anonymous Coward on Saturday December 20 2014, @04:39PM (#127770)

    What next? Who would have thought it would be so easy to own an unlocked box? I could make 2 million rubber duckies, mail them to strangers, and I bet all of them plug it in to see what is on the USB. A fool and his money, err, unlocked, unattended computers are soon parted.

    • (Score: 0) by Anonymous Coward on Sunday December 21 2014, @05:50AM

      by Anonymous Coward on Sunday December 21 2014, @05:50AM (#127933)

      People already mail malicious .doc files to others, and they actually open them!

      All one has to do is find some business someone is doing business with, spoof their name on your email to them, and you are almost guaranteed a successful infection.

      Businesses know how risky it is for someone to willy-nilly open .doc files, yet they still send them to people. Now these are businesses who would never present themselves to their customer in a soiled suit, but yet they seem to think nothing of sending them file formats which are known to be risky to the recipient.

      They might as well send me a prophylactic with their business communication... and expect me to determine whether or not it is soiled. It is received in the same frame of mind.