Physical Attacks: Identifying Vulnerabilities

In this video, you will learn about a different category of attacks: physical attacks.
In this video, we’re going to be going over some physical attack scenarios. So the first one we go over is USB attacks. So in the first picture here, we have the USB Rubber Ducky. It’s an Arduino device from Hak5. It’s pretty sophisticated. It’s a very clever device, and if you ever watch Mr Robot, you probably saw this type of attack before. So we’re going to get into the USB Rubber Ducky in more detail in a moment, but I do want to bring up USB drop attacks. So a USB drop attack - again, referencing Mr Robot, one of my favourite shows. In one of the episodes, Darlene was trying to get information from the police department.
So she took a bunch of USB drives, put a payload on it, and just scattered it in the police parking lot. So this attack, while that was a little extreme in the TV show, it would be pretty suspicious that a bunch of USB drives are just laying in a parking lot. Typically what will happen is a person will leave a USB drive down, or hopefully someone’s going to notice it, and you could do other things. Like if you really want to entice them, you can put payroll, or Bitcoin wallet, or things like that. Put it on the ground. Typically, these will have some sort of payload.
So when you plug it in, it’ll do something, or it might even look something as simple as a photo, or a PDF, an Excel file, or whatnot. And again, it will have the payload on. So when someone tries to open it, it’ll unleash the payload which can be a number of things. It could be an encryption scenario where now you have ransomware on your network, in your computer. It could be a wipe out your system, a silent connection that connects in and starts snooping on traffic. It could be reverse connection back to someone’s computer and whatnot.
Now, while this is horrible, your antiviruses may pick this up. Hopefully it will pick it up, malicious traffic like that. The more dangerous device would be the USB Rubber Ducky. And again, it was shown in Mr Robot. When it was plugged in and ran Mimecast which created a reverse connection back. And we’re going to take a look at why this is so dangerous. So the USB Rubber Ducky is, again, an Arduino device by Hak5. When you put the case on, it looks like any other USB drive. When it plugs in, it’s recognised as a HID device - a human interface device. In other words, when you plug it into a computer, the computer thinks, oh, this is a keyboard.
It’s a USB keyboard. And because of that, antiviruses normally will not pick this up. It is just going to think, hey, someone plugged a keyboard in, and they’re typing. So this is capable of launching any attack that can be executed by typing on a keyboard, which again, I could plug this in and put a payload that is going to create an administrator account. I could open up ports. I could turn off firewalls. I could disable your antivirus. I could do any number of sophisticated attacks on it because all it’s doing is typing a bunch of commands at a really fast speed, and I don’t have to worry about typos because it’s a script that I’m running.
And speaking of scripting, the way it runs is by a really easy scripting language. So you really don’t need to know a whole lot about computers or programming languages to actually create a pretty powerful script. And in fact, there’s online editors that make it even easier. So the barrier to entry to use something like this is incredibly easy, which also makes it incredibly dangerous. Because any malicious hacker or wannabe malicious hacker doesn’t need to know a whole lot. All they need to know is, well, I’m going to pick this up, I’m going to go to this website, and I’m going to find a payload I like and put it on there.
And then I’m going to somehow get this on someone’s network, or get someone to plug it in. So this also could be duplicated with a cheap Arduino device. You could buy $20 Arduino devices. It’s not going to look quite like a USB drive unless you kind of play around and modify it, and the scripting language is going to be a little bit harder. But I didn’t want to bring that up, because again, it’s readily available. It’s not an expensive solution for a malicious hacker to use this type of device. So it can be quickly plugged in the computer and have a payload deployed. So different scenarios, or it can be like a USB drop.
Again, I could take this device, I could put Bitcoin wallet, drop it somewhere. And someone plugs it in, and oh, depending on the payload, I could do like a quick payload to create an admin account. All you see is a flash on your screen and done. Or I can even put a long delay in and put a partition where they actually do have an Excel sheet there that they’re looking at, and supposed Bitcoin information on there. Could put bogus ones in there. And I could set a delay on there for, say, 30 minutes. So hopefully they’re going to leave it plugged in their computer for that long and walk away, and when they do it’s going to execute the payload.
So this also could be used in conjunction with social engineering tech. So say, I go to a corporation, I go to the front secretary and go, OK, I got a job interview. My resume got ruined. I’m running late. Could you please plug this into your computer? It’ll take 15 seconds. Could you plug it in and print my resume please? And when she plugs it in, then I can distract her going, oh by the way, do you know - and start directing her attention away from the screen. Do you know where this building is? Do you know how I get here? And that should be enough time for the Rubber Ducky to execute its payload.
So these are all different scenarios that I could use a USB Rubber Ducky specifically, or even just a regular USB drop to create a malicious payload using a USB device. So this is all incredibly dangerous. It can be fairly common. Corrupted USB devices, bad USB devices, stuff like that.

One way that hackers may attempt to access your network is through the use of physical attacks. These require physical access to your network. There are many types of devices that can be used to access your network without your knowledge, and hackers can use different strategies to connect these devices to your network or devices.
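The transcript notes that a keystroke-injection device enumerates as a keyboard, so antivirus does not flag it, and that it types "at a really fast speed", possibly after a long delay. The sketch below is an added example, not part of the course material: it flags a device by sustained typing rate alone, so the 30-minute delay scenario is still caught. The thresholds, device names and log format are assumptions.

```python
from collections import defaultdict

# Assumed thresholds (not from the page): sustained typing faster than
# 20 ms per key for 15 or more keys is treated as beyond human ability.
MAX_INTERVAL_S = 0.020
MIN_BURST_KEYS = 15


def find_injection_bursts(events, max_interval=MAX_INTERVAL_S, min_keys=MIN_BURST_KEYS):
    """events: iterable of (timestamp_s, device_id) key-press records.
    Returns {device_id: [(burst_start_s, key_count), ...]} for suspicious runs."""
    per_device = defaultdict(list)
    for ts, dev in events:
        per_device[dev].append(ts)
    findings = {}
    for dev, stamps in per_device.items():
        stamps.sort()
        bursts, run_start, run_len = [], None, 0
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev <= max_interval:
                if run_len == 0:
                    run_start, run_len = prev, 1  # first key of a new run
                run_len += 1
            else:
                if run_len >= min_keys:
                    bursts.append((run_start, run_len))
                run_len = 0
        if run_len >= min_keys:  # run still open at end of log
            bursts.append((run_start, run_len))
        if bursts:
            findings[dev] = bursts
    return findings


def sample_events():
    """Constructed key-press log; device names are hypothetical."""
    events, t = [], 10.0
    for i in range(30):  # a person typing: keys 110-190 ms apart
        events.append((round(t, 3), "kbd-internal"))
        t += 0.110 + 0.020 * (i % 5)
    # A "USB drive" that enumerated as a keyboard at t=100 s, stayed idle
    # for 30 minutes, then sent 40 keys 5 ms apart.
    t = 100.0 + 30 * 60
    for _ in range(40):
        events.append((round(t, 3), "usb-hid-new"))
        t += 0.005
    return events


if __name__ == "__main__":
    for dev, bursts in find_injection_bursts(sample_events()).items():
        print(dev, bursts)
```

A rate check like this complements, rather than replaces, controls such as restricting which USB device classes endpoints will accept.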
