Pretty much everyone is familiar with the most common ways that organizations are breached: weak passwords, misconfigured systems, social engineering, and so on. On a recent engagement, though, we decided to do something a little unconventional. In terms of attack vectors, our client had placed only one restriction on us: we could not physically go inside their facilities. Gaining physical access and plugging into the network was therefore off limits, but what if we could get them to plug in something for us?
We decided to order some USB desktop toys, add some extra “features”, and send the devices to unsuspecting employees at our target. The first step was finding things that people would be likely to plug in. We looked at all kinds of USB devices and eventually settled on three that we felt had a higher likelihood of getting plugged in (a drink warmer, a mini refrigerator, and a plasma ball). Once the devices arrived in the mail, we quickly voided any warranty they had and opened them up to see how much space we had to work with. The following image shows the drink warmer.
As you can see, there was a decent amount of room to work with, which was good because we had two PCBs and some short lengths of wire to fit inside. The first PCB was a USB hub with its case and plugs removed to maximize the amount of free space available.
The second PCB is actually a Teensy 2.0 project board. If you aren’t familiar with the Teensy, what you need to know is that it is a small form factor microcontroller capable of emulating a keyboard (or mouse). The offensive security implications range from malicious keyboard input to keystroke capture, but I won’t go into more depth in this post. More information can be found at the Teensy web site.
After laying everything out to ensure it would fit well, we needed some malicious code for the Teensy to execute upon being plugged in. Not having experience with the Teensy, or hardware hacking in general, I received a helping hand from Coldfusion. The code he created for the Teensy is available below.
The fake keyboard attack requires the computer to be unlocked; however, if someone is watching the computer when the attack executes, it is pretty obvious that something sketchy is going on. One particularly nice thing about the above code is that it contains some logic to check whether the computer is unattended before executing. This is accomplished by turning on Caps Lock and checking whether it is still on after a few minutes. The reasoning is that if Caps Lock has not been switched back off, the computer is likely unattended. Once triggered, the code emulates a keyboard and types the commands needed to send a Meterpreter shell back to us using Invoke-Shellcode. After a few test runs, we were ready to put everything together.
The first thing we had to do was replace the USB cable. The original one only supplied power to the device; for our purposes, a data connection needed to be present. After that, the Teensy needed to be soldered onto the hub. The following pictures show these two steps.
After everything was connected, we ran some tests to make sure everything was getting power and that the device itself still functioned as intended. Finally, we placed all of the components into the case and held everything in place with some good old-fashioned hot glue.
After that we were ready to ship the devices and wait for the magic to happen. This assessment occurred near Valentine’s Day, so we worked that into our pretext by adding a note from a “secret admirer” in the package. The packages were sent, and after a few days we got our first shell back; from that point it was business as usual.
What can you take away from this? If you are an attacker, this is a good example of thinking outside the box and doing what is necessary to compromise your target. For the defenders out there, there are some technical controls that could mitigate an attack like this (restricting which USB devices, and in particular which keyboard-class devices, a host will accept), but realistically, users need to be better educated on security practices. Explain the risks associated with plugging in an unknown device such as this, or even a thumb drive. Users are often the primary targets in attacks, which also makes them the first line of defense. An educated user can be a great asset in the daily fight for security.
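As an illustration of the kind of technical control mentioned above, here is an added example (not code from the original post or from the engagement) that takes a defender's view of the device described: a toy that enumerates as a USB hub plus a keyboard-class HID device. The script applies an allowlist of known keyboard instance paths to a constructed, simplified device-configuration log and flags any keyboard-class device that is not on the list. The log format, the timestamps and the instance paths are all constructed for this example; the keyboard and mouse setup-class GUIDs are the real Windows values, and the `DeviceConfigured` event name is an assumption standing in for whatever your endpoint logging actually emits.

```python
import re
from datetime import datetime

# Windows device setup-class GUIDs (real values); everything else below is constructed.
KEYBOARD_CLASS = "{4d36e96b-e325-11ce-bfc1-08002be10318}"
MOUSE_CLASS = "{4d36e96f-e325-11ce-bfc1-08002be10318}"

# Constructed, simplified log line format (assumption):
#   <ISO-8601 time> DeviceConfigured <device instance path> <setup-class GUID>
LINE_RE = re.compile(r"^(\S+)\s+DeviceConfigured\s+(\S+)\s+(\{[0-9a-fA-F-]+\})\s*$")

# Keyboard instance paths the host is expected to have (constructed sample allowlist).
KNOWN_KEYBOARDS = {
    r"HID\VID_0001&PID_0002&MI_00\7&AAAA0001&0&0000",
}

# Constructed sample log: the usual keyboard and mouse at boot, then a new
# keyboard-class device appearing mid-morning (the "desktop toy" scenario).
SAMPLE_LOG = """
2013-02-12T08:02:11 DeviceConfigured HID\\VID_0001&PID_0002&MI_00\\7&AAAA0001&0&0000 {4d36e96b-e325-11ce-bfc1-08002be10318}
2013-02-12T08:02:12 DeviceConfigured HID\\VID_0001&PID_0003&MI_00\\7&AAAA0002&0&0000 {4d36e96f-e325-11ce-bfc1-08002be10318}
2013-02-12T10:41:07 DeviceConfigured HID\\VID_FFFF&PID_FFFF&MI_00\\8&BBBB0001&0&0000 {4d36e96b-e325-11ce-bfc1-08002be10318}
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, path, guid = m.groups()
    return {"time": datetime.fromisoformat(ts), "path": path, "class": guid.lower()}


def parse_log(text):
    """Parse a whole log blob, silently skipping blank or malformed lines."""
    events = (parse_line(l) for l in text.splitlines())
    return [e for e in events if e is not None]


def find_unexpected_keyboards(events, allowlist=KNOWN_KEYBOARDS):
    """Return keyboard-class device events whose instance path is not on the allowlist.

    Mice and other HID classes are ignored on purpose: the risk discussed in the post
    is keystroke injection, which needs a keyboard-class device.
    """
    return [
        e for e in events
        if e["class"] == KEYBOARD_CLASS and e["path"] not in allowlist
    ]


def summarize(events, allowlist=KNOWN_KEYBOARDS):
    """Human-readable alert lines for each unexpected keyboard-class device."""
    return [
        f"{e['time'].isoformat()} unexpected keyboard-class device: {e['path']}"
        for e in find_unexpected_keyboards(events, allowlist)
    ]


if __name__ == "__main__":
    for alert in summarize(parse_log(SAMPLE_LOG)):
        print(alert)
```

In practice the allowlist would come from an inventory (or from a tool such as USBGuard on Linux or a device-control policy on Windows, which can block the device rather than only alert on it); the point of the example is that a second keyboard showing up on a host that already has one is a cheap, high-signal event to watch for.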