
Check Your Halloween Candy For Malicious Payloads

Accepted submission by exec at 2019-10-29 03:44:26
News

Story automatically generated by StoryBot Version 0.2.2 rel Testing.
Storybot ('Arthur T Knackerbracket') has been converted to Python3

Note: This is the complete story and will need further editing. It may also be covered
by Copyright and thus should be acknowledged and quoted rather than printed in its entirety.

FeedSource: [hackaday]

Time: 2019-10-28 20:16:59 UTC

Original URL: https://hackaday.com/2019/10/28/check-your-halloween-candy-for-malicious-payloads/ [hackaday.com] using UTF-8 encoding.

Title: Check Your Halloween Candy For Malicious Payloads

--- --- --- --- --- --- --- Entire Story Below --- --- --- --- --- --- ---


Arthur T Knackerbracket has found the following story [hackaday.com]:

There’s long been much handwringing at Halloween over the prospect of pins, needles and razor blades being hidden in candy and passed out to children. On the very rare occasion this does happen, the outcome is normally little more than some superficial cuts. However, for 2019, [MG] has developed an altogether different surreptitious payload to be delivered to trick or treaters [twitter.com].

The payload is a small USB device named DemonSeed, a HID attack gadget in the genre of the BadUSB devices [hackaday.com] we’ve seen previously. When plugged in, the unit emulates a USB keyboard and can be programmed to enter whatever keystrokes are necessary to take over the machine or exfiltrate data. Files are available on GitHub [github.com] for those looking to replicate the device.

The trick here is in the delivery. [MG] has produced a large quantity of these small devices, packaging them in anti-static wrappers. The wrappers contain a note instructing children to insert them into their parents’ work computers to access “game codes”, and to share them with their friends while hiding them from adults.

The idea of children brazenly plugging hostile USB devices into important computers is enough to make any IT manager’s head spin, though we suspect [MG] doesn’t actually intend to deploy these devices in anger. It serves as a great warning about the potential danger of such an attack, however. Stay sharp, and keep your office door locked this October 31st!

Quick dirty solution to most HID attacks is to perform a test for each new keyboard/mouse that is plugged in.

For example, we can require it to enter a randomly generated string of characters, or navigate a “puzzle”, before it can be used for anything else. (The OS informs the user of what needs to be typed/clicked in, i.e. a rubber ducky doesn’t know it.)

Then the device will be added to the OS’s list of “trusted devices”, since devices typically have serial numbers, manufacturer part numbers, etc. to identify them with. Meaning that you don’t need to perform this test for devices that have already passed it.

I.e., a USB “thumb drive” looking device can’t get past our test, therefore it can’t perform its attack.

In the end, IT security 101, Don’t just blindly trust a new device.

This is similar to Bluetooth pairing — makes sense, and probably cuts a vast majority of malware devices out of the loop. If you plug in a USB drive and it’s asking you to type a pairing key into it, most people would be puzzled at the very least.

It wouldn’t stop compromised keyboards (I’ve wondered what would happen if someone bought a bunch of cheap keyboards, then carefully opened / compromised them, and returned them to the store / Amazon… slow going, but guaranteed compromising of a random computer).

Yes, Bluetooth devices largely do this already, so why not do the same for USB.

It isn’t hard, and it vastly increases the security.

Though, making a rubber ducky as a keyboard, and then “waiting” for the user to authenticate it, is, though, a trickier problem. But at least we got rid of the USB rubber ducky problem.

2fa for a mouse would be such a nuisance to the average user, people would complain until it was patched out or an option that defaults to off.

Frankly speaking, it would likely be as trivial as “click this button to authenticate the device”, but it is just in a random place. And too many clicks elsewhere would make the OS dismiss the device as untrustworthy.

It would likely only take a couple of seconds more for most users, and it is a one-time affair for each device.

And don’t forget that in Windows, you already have to make a single click to dismiss the “This device is ready” notification.

[zee]’s argument that a user can’t do what they all have to and already do isn’t that convincing to me.

Then don’t frame it as a security measure.

“It looks like you plugged a mouse in. To make sure that it is compatible with MS Windows, please click the ‘use this mouse’ button.”

Alternate phrasing: “to make sure it works”, “to ensure it is properly installed”.

While the popup is open, disallow clicking on anything else (except maybe a “don’t use this mouse” button). Maybe have a visible countdown, which ends by disabling the mouse.

“In the end, IT security 101, Don’t just blindly trust a new device.” True enough but most 8 year old trick or treaters aren’t IT Engineers (and usually their parents aren’t either.)

My statement was in regards to OS design, not about the user.

The OS itself shouldn’t just trust a new random human interface device and allow it to input whatever it desires.

Now, this isn’t the case when it comes to most OSes, but seeing a change for the better here would be nice.

Well, I can’t argue with you there, this is a security hole, but as of today this Halloween hack is a good method of attack; the only thing worse would be giving out USB killers.

Not a bad idea, however, I’ve had a few USB keyboards that don’t have anything unique about them but the USB port they are plugged in before. Seems some cheap keyboards at least just have the same hardware and firmware all the way down even in different cases. (How true that is, hard to know. Also possible I misread something, as I wasn’t actually looking for that, just verifying they all worked before passing them on to a computing charity.)

So it wouldn’t work that well as they can just pretend to be common devices and keep cycling through the list till they hit one you have trusted – at least if they don’t have true unique IDs, just make/model/HID type descriptors.

Best simple solution I can think of is to just not have the now ubiquitous port available on your machine directly. A simple hardware cable modification to change the ports on the computer to anything else with enough pins as an adapter would work (so of course you keep your adapter cable with you). But one step better would be to have the ports but only have them live if you unlock the USB ports manually – either with a software command to enable them or a physical key type system.

Seems like overkill to me all the way around, as direct physical access to the machine being required means the risk is low. No child of mine would get anywhere near my important computers’ hardware; these days, who doesn’t have a computer for the young/technically challenged members of the family/house to use?

Of course, if you need to be that paranoid about somebody else plugging unsafe devices into your computer, then by all means live with the slight inconveniences. I like the idea of HID pin checking. Just not sure it actually solves the problem at all, the way the keyboards are made.

Yes, manufacturers being lazy and not adding serial numbers to their products would be a problem.

Though, the list of trusted devices shouldn’t be universal. I.e., there is no golden key (since then all rubber duckies would just use that).

So instead, the list would be made on each individual computer. It is simply the Bluetooth pairing idea, but for USB devices.

So scanning through a list of “common” devices would be fairly futile. And the OS could then just inform the user that the device acts suspiciously. (In case the user didn’t consider the endless pling/plongs the OS would make as a direct result from the repeated attempts at gaining access.)

After all, a lot of computers see 1 keyboard in their whole life… (i.e., the list of trusted keyboards would have 1 entry.)

“The idea of children brazenly plugging hostile USB devices into important computers is enough to make any IT manager’s head spin, though we suspect [MG] doesn’t actually intend to deploy these devices in anger. It serves as a great warning about the potential danger of such an attack, however. Stay sharp, and keep your office door locked this October 31st!”

My office was in a very secured building. Only children allowed belonged to the CEO (his company). Only hardware allowed is what IT provided. Now if we had centrifuges downstairs, I’d be worried, but otherwise there’s something to be said about a controlled environment.
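
The pairing test and per-machine trusted list proposed in the comments above, sketched as an added example (not code from the article, the commenters, or any operating system). The class, port names, lockout threshold and device values are assumptions constructed for illustration; refusing to remember devices that report no serial is one way to handle the cloned-descriptor objection raised in the thread.

```python
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3   # assumed lockout threshold per port

@dataclass(frozen=True)
class HidIdentity:
    vendor_id: int
    product_id: int
    serial: str    # many cheap keyboards report no serial at all

@dataclass
class HidTrustGate:
    """Per-host pairing gate: a new HID's input is held until it echoes a code."""
    trusted: set = field(default_factory=set)     # local to this machine
    pending: dict = field(default_factory=dict)   # port -> (identity, code)
    failures: dict = field(default_factory=dict)  # port -> failed attempts

    def plug_in(self, port, dev):
        if self.failures.get(port, 0) >= MAX_FAILURES:
            return "blocked"
        # VID/PID alone can be copied, so only serial-bearing devices skip the test.
        if dev.serial and dev in self.trusted:
            return "trusted"
        code = secrets.token_hex(3)   # six hex characters, fresh per plug-in
        self.pending[port] = (dev, code)
        return code  # shown on screen only; never sent to the device

    def typed(self, port, keys):
        dev, code = self.pending.pop(port, (None, None))
        if code is not None and hmac.compare_digest(keys.encode(), code.encode()):
            if dev.serial:
                self.trusted.add(dev)
            return "accepted"
        self.failures[port] = self.failures.get(port, 0) + 1
        return "blocked" if self.failures[port] >= MAX_FAILURES else "rejected"

def demo():
    gate = HidTrustGate()
    kb = HidIdentity(0x1111, 0x2222, "CONSTRUCTED-SN-01")   # constructed sample
    first = gate.typed("port1", gate.plug_in("port1", kb))  # user reads and types
    replug = gate.plug_in("port1", kb)                      # paired on this host
    clone = HidIdentity(0x1111, 0x2222, "")                 # same VID/PID, no serial
    blind = []
    for _ in range(MAX_FAILURES):
        gate.plug_in("port2", clone)
        blind.append(gate.typed("port2", "preset-keystrokes"))  # cannot see screen
    return first, replug, blind, gate.plug_in("port2", clone)
```

Descriptor fields are reported by the device itself, so the trusted list only decides which devices skip the test; it does not authenticate the hardware.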


-- submitted from IRC

