Stories
Slash Boxes
Comments

SoylentNews is people

Check Your Halloween Candy For Malicious Payloads

posted by Fnord666 on Sunday November 03 2019, @08:52PM   Printer-friendly
from the evil-week dept.

"exec" writes:

Arthur T Knackerbracket has found the following story:

There's long been much handwringing around Halloween around the prospect of pins, needles and razor blades being hidden in candy and passed out to children. On the very rare occasion this does happen, the outcome is normally little more than some superficial cuts. However, for 2019, [MG] has developed an altogether different surreptitious payload to be delivered to trick or treaters.

Consisting of a small USB device named DemonSeed, it's a HID attack gadget in the genre of the BadUSB devices we've seen previously. When plugged in, the unit emulates a USB keyboard and can be programmed to enter whatever keystrokes are necessary to take over the machine or exfiltrate data. Files are available on Github for those looking to replicate the device.

The trick here is in the delivery. [MG] has produced a large quantity of these small devices, packaging them in anti-static wrappers. The wrappers contain a note instructing children to insert them into their parent's work computers to access "game codes", and to share them with their friends while hiding them from adults.

The idea of children brazenly plugging hostile USB devices into important computers is enough to make any IT manager's head spin, though we suspect [MG] doesn't actually intend to deploy these devices in anger. It serves as a great warning about the potential danger of such an attack, however. Stay sharp, and keep your office door locked this October 31st!

-- submitted from IRC

Original Submission

 
This discussion has been archived. No new comments can be posted.
Check Your Halloween Candy For Malicious Payloads | Log In/Create an Account | Top | 39 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by All Your Lawn Are Belong To Us on Monday November 04 2019, @07:08PM

    by All Your Lawn Are Belong To Us (6553) on Monday November 04 2019, @07:08PM (#915845) Journal

    How much does a "bad USB" device cost (Jeezus, did TFA really call it that)?

    How many do you think a malicious actor can buy and spread around to get how many nibbles? Maybe CD's at less than $2 each you can invest a couple hundred in and get results.

    Did you know that I can create my own botnet by USB's....... IF YOU PAY FOR THE USB's TO MAKE IT HAPPEN WITH.

    So yeah, nothing but the purest FUD fear mongering is what we have here except for isolated (and very targeted) spearfishes. Unless someone reliable actually documents an attack that was successful.

    Are we not above this kind of story? Or maybe not. Or maybe it's lunch. Yeah. And a nice cup of tea. That sounds more likely.

    --
    This sig for rent.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2