As a part of our effort to educate, assess and train (EAT), we want to highlight a physical host attack technique that is extremely cheap and simple to pull off, and unfortunately yields a significant return for the attacker if successful. The technique is commonly referred to as a "Human Interface Device (HID) attack" or a "USB drive-by". First, an explanation:
The HID attack is a scenario in which an attacker takes a programmable embedded development platform such as the Teensy 3.2 (pictured above) and an associated software package such as Peensy or the Social Engineering Toolkit (SET), and builds a USB device that, when plugged into a computer, enumerates as a keyboard and replays a pre-configured sequence of keystrokes to drop a malicious payload onto the target computer. The payloads that are dropped and executed are highly configurable, and the approach works on Linux, Windows and Mac OS X.
Why is this significant?
- The actual device(s) that are compatible with this technique are extremely cheap
- There are numerous articles written about this technique making it easy to copy
- The initial access payload is on the USB device, thus it isn't downloaded from across the network
- Since this is not a flash memory device (USB Stick) it can easily fool people (even trained people).
Devices are Cheap
The Teensy 3.2 can be purchased for approximately $19-25 USD from the following locations:
At this price it is trivial for an attacker to consider this a throw-away device and blanket an office with multiple Teensy devices.
Numerous Articles Written
Simple Google and YouTube searches return detailed instructions on the multitude of ways to pull this attack off:
Let's briefly discuss the nature of this attack by comparison. There are hundreds (or thousands) of websites and pages lurking out on the Internet which can deliver malicious content to your computer (tablet or phone) if you view them with a vulnerable system. Common terms for these threats are Drive-By Download and Scareware. To fall prey to them, your computer needs to be vulnerable (typically behind on patches), you need to visit a malicious URL, and sometimes you also need to run a program you are prompted to run. If all of those things happen, you are infected. The catch is that you initiated the action: you most likely didn't mean to get infected, but you had to click that link, type that URL into the address bar, and sometimes download and run that program.
On the other hand, if your computer gets hit with a HID attack, all the attacker (assuming they have direct physical access to your computer and it is unlocked) has to do is plug the HID attack board into your computer and walk away. The board is powered by the USB port itself, pretends to be a fully functional keyboard (and sometimes a mouse too), and by typing commands into the operating system's shell it can write bytes to a file and then run that file. It can write the backdoor (malware) right onto your Desktop and run it from there, or it can write a script to a file that does anything from downloading and running the malware later (referred to as download & exec) to damaging the data on your hard drive in any number of ways. In short, the HID attack can perform all of the same keyboard and mouse actions that you would have to perform to get infected the conventional way, but it performs them in seconds and without your involvement. The danger is that it's small, it's fast and it's easily concealed.
Payload is on the USB Device
If an attacker plans on infecting a computer, they can place a pre-configured backdoor (which we commonly refer to as an initial access payload) onto a USB device and insert it into the computer they wish to infect. If that computer has Antivirus (AV) or a Personal Security Product (PSP), it will normally scan the USB flash memory drive upon insertion. If the attacker used a common backdoor like Dark Comet, PoisonIvy or Metasploit Meterpreter, the AV or PSP program will more than likely detect the backdoor and quarantine it (Bear in mind, the chances of detection aren't 100%).
If the attacker instead uses a Teensy 3.2 and a PowerShell-based payload against a Windows target, the chances of the AV or PSP program detecting the event are much lower. The Teensy enumerates as a keyboard, not as a storage device, so there is nothing for the on-insertion scan to inspect; the payload arrives as typed keystrokes and is executed by PowerShell, a legitimate interpreter that ships with Windows. Anything the payload writes to disk or downloads afterwards can still be caught by on-access scanning, but the initial access step itself leaves no file on removable media to be scanned.
Can Fool Others
We try to teach our customers to be vigilant and to look for things that are out of place. If a USB stick is plugged into your computer while you step away, chances are you will recognize it as foreign. A bare development board like the Teensy is going to look new to many people: how many will react to it the way they would to a strange USB stick? In addition, it is unfortunately also very easy to stash this device out of plain sight.
Last but not least, high security locations typically list devices that are prohibited from usage either in plain sight or as part of an agreement that someone signs to gain access. A programmable keyboard isn't normally considered a restricted device but given how simple it is to pull off a HID attack we would suggest that it should be.
What Should I Do?
As with any introductory article like this, it is important to be concise about what to do.
- First, the basic HID attack requires the computer to be unlocked, so implement stringent controls for locking your systems after inactivity. Keep the timeout short and lock the screen manually when you step away: the attack takes seconds, so the window before the automatic lock engages is the window the attacker needs.
- Second, train your users to be on the lookout (BOLO) for devices like the Teensy, especially if one is discovered plugged into their computer.
- Third, if your organization has security guards, train the guard staff to recognize these devices by sight and to question whoever is carrying one.
- Next, if you have any special areas within your office space where items like flash memory or cellphones are prohibited, add the Teensy to the list of prohibited devices. A suggested description for the class of device you are prohibiting is "Any programmable USB HID controller device such as Teensy".
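As a technical complement to the procedural controls above (an added example, not code from the original post): the attack relies on the board being a keyboard that types far faster than a person, so a detection heuristic can key on exactly that. The script below assumes a hypothetical endpoint agent that reports USB device arrivals and per-keyboard keystroke timestamps; the event format, device identifiers, sample session and timing thresholds are all assumptions. It flags a keyboard that was hot-plugged during the logged-in session and then typed a burst at a rate no human sustains.

```python
"""Heuristic detector for a keystroke-injection ("HID attack") session.

Added example; not code from the original post. It assumes a hypothetical
endpoint agent that reports (a) USB device arrivals with a device class and
(b) individual keystrokes attributed to the keyboard that sent them.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class DeviceEvent:
    ts: float         # seconds since the session started
    device_id: str    # hypothetical agent identifier for the device
    usb_class: str    # "hid-keyboard", "mass-storage", ...


@dataclass(frozen=True)
class KeyEvent:
    ts: float
    device_id: str    # keyboard that produced the key
    key: str


# Assumed thresholds: a Teensy can emit a key every few milliseconds, while
# sustained human typing stays well above 50 ms per key (about 200 wpm).
MAX_INJECTED_GAP_S = 0.05
MIN_BURST_KEYS = 20


def typing_stats(keys: List[KeyEvent]) -> Dict[str, dict]:
    """Per keyboard: key count, median gap between consecutive keys, text typed."""
    per_device: Dict[str, List[KeyEvent]] = {}
    for k in sorted(keys, key=lambda e: e.ts):
        per_device.setdefault(k.device_id, []).append(k)
    stats = {}
    for dev, events in per_device.items():
        gaps = [b.ts - a.ts for a, b in zip(events, events[1:])]
        stats[dev] = {
            "count": len(events),
            "median_gap_s": median(gaps) if gaps else None,
            "typed": "".join(e.key for e in events),
        }
    return stats


def detect_injection(devices: List[DeviceEvent], keys: List[KeyEvent],
                     session_start: float = 0.0) -> List[dict]:
    """Alerts for keyboards attached after session_start that typed an inhuman burst."""
    hotplugged = {d.device_id: d.ts for d in devices
                  if d.usb_class == "hid-keyboard" and d.ts > session_start}
    alerts = []
    for dev, s in typing_stats(keys).items():
        if dev not in hotplugged:
            continue  # keyboards present at login are trusted by this heuristic
        if (s["count"] >= MIN_BURST_KEYS and s["median_gap_s"] is not None
                and s["median_gap_s"] <= MAX_INJECTED_GAP_S):
            alerts.append({"device_id": dev, "attached_at": hotplugged[dev], **s})
    return alerts


def make_keys(text: str, device_id: str, start: float, gap: float) -> List[KeyEvent]:
    """Build a keystroke stream for text at a fixed per-key interval."""
    return [KeyEvent(start + i * gap, device_id, c) for i, c in enumerate(text)]


# Constructed sample session: the built-in keyboard is present from login and
# types "dir" at a human pace; at 30 s a second keyboard enumerates and, 0.4 s
# later, types a file-writing command at 8 ms per key (benign stand-in for a
# dropper written to the Desktop).
INJECTED_TEXT = "cmd /c echo test > %USERPROFILE%\\Desktop\\hid.txt"
DEVICE_EVENTS = [
    DeviceEvent(0.0, "kbd-builtin", "hid-keyboard"),
    DeviceEvent(30.0, "usb-0002", "hid-keyboard"),
]
KEY_EVENTS = (make_keys("dir", "kbd-builtin", 5.0, 0.18)
              + make_keys(INJECTED_TEXT, "usb-0002", 30.4, 0.008))

if __name__ == "__main__":
    for alert in detect_injection(DEVICE_EVENTS, KEY_EVENTS):
        print(f"{alert['device_id']} attached at {alert['attached_at']:.1f}s typed "
              f"{alert['count']} keys, median gap {alert['median_gap_s'] * 1000:.1f} ms: "
              f"{alert['typed']!r}")
```

A hot-plugged keyboard typed at human pace is not flagged, nor is the keyboard that was present at login. The thresholds are the weak point: an attacker who knows the heuristic can slow the board down or split the payload into short bursts, so this belongs alongside the screen-lock and awareness controls, not in place of them.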
Finally, if you have questions, ask!