The Worse and Worst of BadUSB

A BadUSB attack is what it says it is. It is an attack that uses a modified USB device to create an interface to a computer, device, or network that unauthorized users or hackers can take advantage of. Among hackers, such a pre-programmed, often malicious, USB device is referred to as a Rubber Ducky.

The convenient thing about a USB device is that you can usually just plug it into the machine you want to use it on and it will, more or less, work automatically. This ease of operation is exactly what enables a BadUSB attack. If a bad actor has previously programmed the USB device, they can take advantage of this and make it load whatever they want onto an unsuspecting machine. It is the information in the firmware of any plugged-in device that tells a computer what is being attached. A mouse tells the computer to run the mouse setup, a speaker calls up the speaker setup, and so on. Any USB device can be programmed to present itself to the computer as a different kind of device.

In most cases, hackers want the USB device to appear as a keyboard. If the computer believes the device is a keyboard, it will accept anything typed by it. Often, a pre-written command is typed in as soon as the computer accepts that what has been plugged in is a keyboard. This typed-in command could be something like telling the computer to go to a certain website and download a backdoor, which gives the hacker control of the device. And before you assume this is only the domain of experienced programmers, you should know that the code for numerous BadUSB attacks is freely available online. As of this writing, 74 BadUSB code repositories have been posted on GitHub. Anyone can find a program that suits their purposes.

But what if messing with code is not for you? No problem. You can buy pre-programmed USB devices online. Here is one that sells for about $60. As the ad says, “imagine plugging in a seemingly innocent USB drive into a computer and installing backdoors, exfiltrating documents, or capturing credentials.”

Some of the more expensive models can do a lot more, but many of these ready-to-go USB devices can do the following:

  • Go to a certain website and download malware or ransomware.
  • Pull up a website with code that puts a “backdoor” into your system, giving hackers the entrance they need to manipulate accounts or commit other types of fraud.
  • Launch an app or a reverse-shell program, allowing the hacker to track the keystrokes you enter so they can steal usernames, passwords, and other critical details.
  • Delete, add, or steal files.
  • Change server settings to route your online banking customers to a malicious site that steals their information.

In fact, the type of BadUSB attack launched is only limited by the hacker’s imagination.

Attacks have been used to map air-gapped computers in a network, rewrite the boot program, deliver malware through phone chargers, bypass USB password protection and, in the USB Killer attack, send out an electrical surge that will destroy the device it is attached to. Believe it or not, you can buy a USB programmed to produce this surge attack online for about $50.

BadUSB attacks have an unusually high success rate. There is only one catch: the bad actors need physical access to the device being attacked, because the infected USB device does have to be inserted. They can do this themselves, convince or hire someone to do it for them, or hope that someone will find an intentionally abandoned USB device and plug it into a computer or device on a network. This last technique is known as a USB drop attack.

Drop attacks can be especially deadly. Often, the person finding the device will be curious about what is on it. There may be a file on it with a provocative name. Clicking the file installs malware on the device, which gives a hacker remote access. Of course, some attacks do much more. The infamous Stuxnet attack began with a USB device found in a parking lot. It resulted in the destruction of over 1000 air-gapped centrifuges, which set back the Iranian nuclear program.

What many people are not aware of is that the “worst breach of U.S. military computers in history” occurred shortly after the Stuxnet attack. And how did it happen? You guessed it. A USB flash drive infected by a foreign intelligence agency was left in the parking lot of a Department of Defense facility at a base in the Middle East. The attack was attributed to Russian hackers most likely working for the Russian government.

The problem with a drop attack is that the USB device may not be picked up, or may be picked up by the wrong person. It also often requires access to the vicinity of the targeted company or to an individual who works there. It is not clear how many USB devices were dropped in the parking lot to begin the Stuxnet attack, but it was certainly more than one. For this reason, some hacking groups have used a different approach: they have targeted company employees with packages or ‘gifts’ that included an infected USB device. In January, it was found that the financial hacking group FIN7 was targeting specific employees in the transportation, insurance, and defense industries in an attempt to compromise their networks. They did this by sending them packages through the U.S. Postal Service or UPS. These packages contained letters engineered to look like they came from Amazon or the U.S. Department of Health & Human Services. The ones emulating a package from Amazon also contained a gift card. I have not seen copies of the letter but my guess is that they parallel a similar attack by the group when they pretended to be from Best Buy. Those victims were told that they could select their gift from the list on the enclosed USB device.

The most recent attack appears to be ransomware-related. FIN7 is known for its financially motivated hacks, so getting into a network, encrypting its files, and demanding a ransom would match their modus operandi.

It also used to be common for companies to hand out free USB sticks at conferences so that interested people could see pictures and videos of their products. Although this sounded like a good marketing idea, a number of these drives turned out, unknown to those who distributed them, to be infected with malware that was used to launch cyber attacks.

Despite the inherent dangers of USB devices, they continue to be an effective vector for hackers to exploit. The main reason for this is human nature. Studies have found that humans, being the curious creatures they are, will more than likely try to see what is on a USB drive that they find or receive. BadUSB attacks come in many forms, but they all rely on someone plugging the device into an endpoint. Sophisticated endpoint protection is therefore a must for every company or organization.

A somewhat costly way to prevent curious employees or nefarious actors from compromising a corporate network is to install USB port blockers on all machines connected to the network. The best way to show how this works is in the following short video.

True, the blocker could itself be infected or the key removed, but not without some effort.

Software running in the background can detect the inhumanly fast typing speed of a keyboard emulated by a BadUSB device and shut down the attack. However, there is no reason why attackers could not learn what an acceptable typing speed is.
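As an added example (not from the original post), here is the typing-speed heuristic described above, run over constructed keystroke timestamps; the threshold, window size and sample streams are assumptions, and the third stream shows the limitation just mentioned:

```python
"""Heuristic detector for keystroke injection based on typing speed.

Added example, not code from the original post. It scores a stream of
keystroke timestamps and flags any window of keys that arrive faster than a
person could plausibly type. Threshold and window are assumed values.
"""
from typing import List, Tuple

# Assumption: a mean inter-key gap below 30 ms (about 2000 keys/min) is
# beyond sustained human typing and is treated as injection.
HUMAN_MIN_GAP_S = 0.03
WINDOW = 8  # consecutive keys examined per window


def inter_key_gaps(timestamps: List[float]) -> List[float]:
    """Seconds between each pair of consecutive keystrokes."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def suspicious_windows(timestamps: List[float], window: int = WINDOW,
                       min_gap: float = HUMAN_MIN_GAP_S) -> List[Tuple[int, float]]:
    """Return (start_index, mean_gap) for every window typed faster than min_gap.

    A stream shorter than `window` keys yields no windows, so a very short
    burst is never flagged on speed alone.
    """
    gaps = inter_key_gaps(timestamps)
    n = window - 1  # a window of `window` keys spans `window - 1` gaps
    hits = []
    for i in range(len(gaps) - n + 1):
        chunk = gaps[i:i + n]
        mean = sum(chunk) / n
        if mean < min_gap:
            hits.append((i, mean))
    return hits


def is_injection(timestamps: List[float]) -> bool:
    """True if any window in the stream is faster than a human could type."""
    return bool(suspicious_windows(timestamps))


# Constructed sample streams (seconds since the first key), not captured data.
HUMAN = [i * 0.18 + (0.05 if i % 3 else 0.0) for i in range(20)]  # ~5 keys/s
INJECTED = [i * 0.004 for i in range(20)]   # 4 ms per key, scripted injection
THROTTLED = [i * 0.12 for i in range(20)]   # injection slowed to a human cadence

if __name__ == "__main__":
    for name, stream in (("human", HUMAN), ("injected", INJECTED), ("throttled", THROTTLED)):
        print(f"{name:9s} flagged={is_injection(stream)} windows={len(suspicious_windows(stream))}")
```

The throttled stream passes the check, which is exactly why a speed heuristic should be one signal among several rather than the only control.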

So BadUSB attacks will remain in the hacker arsenal and will likely be responsible for major cybersecurity incidents in the future. It is simply too good an idea for hackers or nation-states to give up on.
