Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

9/8/2010
07:29 AM
Gadi Evron
Gadi Evron
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ownage By USB Keyboard

When was the last time Windows asked you for permission before adding your new hardware -- say, a mouse?

When was the last time Windows asked you for permission before adding your new hardware -- say, a mouse?The first online discussion on compromising a computer using USB that I remember was on the pen-test mailing list a few years ago. Back then, what dominated the discussion was the Autorun method and how it could be used on USB rather than just with CDs.

A few of us (OK, me) also discussed vulnerabilities in drivers and how they could be abused for this same purpose, but most folks were stuck on Autorun and refused to understand what this thread might mean. A few years later, folks were discussing the risk of driver vulnerabilities, which, had a proper risk analysis been performed or history looked at, would have surprised no one.

But there's another USB risk that's beautiful in its simplicity.

A couple of years ago a friend of mine, Elad Raz, spoke of how anyone can develop for USB; simply creating a fake keyboard, which would then be plugged into and compromise the computer (say, by browsing to a malicious site as one example) is very doable and even easy to do.

Another interesting option for compromising a computer using a keyboard is with Notepad. The fake keyboard would open Notepad, type in the new executable code, and run it.

Ah! How is it possible to type Shellcode? Doesn't it require the use of unprintable characters?

Some years back we have seen a perfect example of Shellcode with printables only in Phrack 57, posted by Rix (more info on Wikipedia). Surely such code can be updated, if it hasn't already been updated in private by someone.

I remembered all of this because of another friend sending me the following:

Yawning, you start your work day by opening up Microsoft Word. As you start typing, you notice that your computer is, well, possessed: the CAPS LOCK key switches on and off, random keystrokes get entered into Word, and your cursor moves around erratically and uncontrollably.

Surely, if such a tool can be sold as a game for bored office workers, then a capable attacker can create a similar tool for malicious purposes, without needing to find a vulnerability at ring0 level, compromising the driver.

The difference between a few years ago when my friend and I talked and today is that back then, a development kit would cost a lot of money. Today, if you can shell out $25, you're set.

Follow Gadi Evron on Twitter: http://twitter.com/gadievron.

Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading. Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: "The truth behind Stonehenge...."
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-1936
PUBLISHED: 2021-03-02
A cross-site scripting issue was found in Apache Ambari Views. This was addressed in Apache Ambari 2.7.4.
CVE-2021-27904
PUBLISHED: 2021-03-02
An issue was discovered in app/Model/SharingGroupServer.php in MISP 2.4.139. In the implementation of Sharing Groups, the "all org" flag sometimes provided view access to unintended actors.
CVE-2021-27901
PUBLISHED: 2021-03-02
An issue was discovered on LG mobile devices with Android OS 11 software. They mishandle fingerprint recognition because local high beam mode (LHBM) does not function properly during bright illumination. The LG ID is LVE-SMP-210001 (March 2021).
CVE-2021-21321
PUBLISHED: 2021-03-02
fastify-reply-from is an npm package which is a fastify plugin to forward the current http request to another server. In fastify-reply-from before version 4.0.2, by crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is &...
CVE-2021-21322
PUBLISHED: 2021-03-02
fastify-http-proxy is an npm package which is a fastify plugin for proxying your http requests to another server, with hooks. By crafting a specific URL, it is possible to escape the prefix of the proxied backend service. If the base url of the proxied server is `/pub/`, a user expect that accessing...