Their innocuous looks and endearing names mask their true power. These gadgets are designed to help identify and prevent security woes, but what if they fall into the wrong hands?
Can seemingly innocuous objects that feign the appearance of regular USB sticks, charging cables or children’s toys be co-opted as tools to aid and abet an actual hack? Or is this just the stuff of TV shows?
There are a bunch of popular geeky gadgets with endearing names that provide valuable functionality for hobbyist hackers and security professionals alike. However, many such bits of kit can be likened to double-edged swords – they can assist both in testing an organization’s security and breaching its defenses. Some of them pack a surprisingly hefty punch and could morph from useful tools to potent weapons if misused by individuals with malicious intent.
This could eventually be a cause for worry, not least because I’ve personally witnessed numerous companies struggle to implement appropriate protections for lack of awareness of the risks. One such example is the use of unknown external devices on corporate systems – especially those that rarely raise suspicion, such as USB drives. Which brings us to the first pair of gadgets that can trigger security headaches:
Ducky and Bunny
Despite resembling run-of-the-mill flash drives, Hak5’s USB Rubber Ducky and Bash Bunny are, in fact, USB attack platforms that come with some serious capabilities. Originally designed to aid penetration testers and other security professionals in automating their tasks, these plug-and-play gadgets can wreak havoc in mere minutes.
The Rubber Ducky, for example, can mimic a human interface device (HID), such as a keyboard or mouse. Because operating systems trust keyboards implicitly, its injected keystrokes are accepted exactly as if a user had typed them; no software vulnerability is needed. This means it can be used to type out commands that harvest login credentials, financial information, proprietary company data or other sensitive information.
By posing as a keyboard, it can instruct the computer to visit a malware-laden website or execute malicious payloads, just as if a hacker were sitting at the desk. All it takes is to pre-load the Ducky with a payload written in Hak5’s DuckyScript: a sequence of keystrokes, typed at machine speed, that performs specific actions on the system. Since the device is only typing, everything it does runs with the privileges of whichever user is logged in at the time, which is one reason attackers look for an unlocked, unattended machine.
The Bash Bunny runs the same DuckyScript payloads as the Rubber Ducky. The risks it poses are therefore much the same and include the installation of malicious software and information theft.
That said, the Bash Bunny ups the ante further. It retains the Rubber Ducky’s ability to masquerade as a trusted HID device, but can additionally present itself as other USB device classes at the same time, such as a mass-storage drive or a network adapter. Its payloads can attempt administrative privilege escalation and exfiltrate data directly onto the device’s MicroSD card storage. It also runs a full Linux system on board, which makes it both faster and more flexible than a pure keystroke injector.
To top it off, even ordinary thumb drives can be co-opted for malicious ends: the so-called BadUSB technique reflashes a drive’s controller firmware so that it behaves like a Rubber Ducky- or Bash Bunny-style device while still looking like plain storage.
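The keystroke-injection mechanism described above has a tell: a person types with jittery gaps of tens to hundreds of milliseconds, while a Rubber Ducky or Bash Bunny replays its DuckyScript at a fixed, machine-speed cadence. The following Python script is an added example, not code from the article or from Hak5. It expands a small, deliberately benign DuckyScript payload (constructed for this example) into a synthetic keystroke timeline, simulates a human typing the same text, and flags runs of keystrokes whose gaps are implausibly short and even. The timing constants (an assumed 8 ms injection gap, 60-250 ms human gaps, a 20 ms threshold) are illustrative assumptions, not measured figures.

```python
"""Keystroke-injection timing detector.

Added example for this article, not Hak5 code. A Rubber Ducky or Bash Bunny
replays a pre-loaded DuckyScript as keystrokes; a person types with jittery
gaps of tens to hundreds of milliseconds, while an injector types at a fixed
machine-speed cadence. This script expands a small constructed DuckyScript
payload into a synthetic keystroke timeline, does the same for a human-typed
line, and flags runs of keystrokes whose gaps are implausibly short and even.
All timing constants are assumptions for illustration, not measured values.
"""
import random

# Constructed, deliberately benign DuckyScript payload: open the Windows Run
# dialog and start the calculator. Real payloads swap calc.exe for something
# that downloads or runs malware, with exactly the same mechanics.
SAMPLE_PAYLOAD = """REM constructed demo payload
DELAY 500
GUI r
DELAY 300
STRING calc.exe
ENTER
"""

INJECT_GAP_MS = 8.0  # assumed fixed gap between injected keystrokes


def ducky_to_events(script, gap_ms=INJECT_GAP_MS):
    """Expand DuckyScript into a list of (timestamp_ms, key) events.

    Handles REM, DELAY, STRING and single-line key combos (ENTER, GUI r, ...).
    """
    t = 0.0
    events = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            t += float(arg)  # explicit pause, e.g. waiting for a window
        elif cmd == "STRING":
            for ch in arg:  # every character is a separate keystroke
                events.append((t, ch))
                t += gap_ms
        else:  # a key or key combination pressed once
            events.append((t, line))
            t += gap_ms
    return events


def human_events(text, seed=1):
    """Simulate a person typing `text` with 60-250 ms jittery gaps (assumed)."""
    rng = random.Random(seed)
    t = 0.0
    events = []
    for ch in text:
        events.append((t, ch))
        t += rng.uniform(60, 250)
    return events


def _close_run(run, min_keys, max_jitter_ms):
    """Turn a candidate run into a burst record if it is long and regular."""
    if len(run) < min_keys:
        return []
    gaps = [b[0] - a[0] for a, b in zip(run, run[1:])]
    if max(gaps) - min(gaps) > max_jitter_ms:
        return []  # fast but uneven: probably a fast typist, not a script
    return [(run[0][0], run[-1][0], len(run))]


def find_injection_bursts(events, max_gap_ms=20.0, min_keys=8, max_jitter_ms=2.0):
    """Return (start_ms, end_ms, key_count) for each suspicious burst.

    A burst is a run of at least `min_keys` keystrokes where every gap is at
    most `max_gap_ms` and the gaps differ by no more than `max_jitter_ms`.
    """
    bursts = []
    run = events[:1]
    for prev, cur in zip(events, events[1:]):
        if cur[0] - prev[0] <= max_gap_ms:
            run.append(cur)
        else:
            bursts.extend(_close_run(run, min_keys, max_jitter_ms))
            run = [cur]
    bursts.extend(_close_run(run, min_keys, max_jitter_ms))
    return bursts


if __name__ == "__main__":
    injected = ducky_to_events(SAMPLE_PAYLOAD)
    typed = human_events("calc.exe\n")
    print("injected:", find_injection_bursts(injected))  # one burst of 9 keys
    print("typed:   ", find_injection_bursts(typed))     # no bursts
```

A real detector would feed this logic from the operating system’s keyboard event stream rather than a synthetic timeline. Note also the limits of the heuristic: a payload that inserts DELAY between characters, or firmware that deliberately jitters its typing rate, drops below the threshold, so timing checks complement device control rather than replace it.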
Flipper Zero
Flipper Zero is a bit of a Swiss army knife of hacking that has been turning heads thanks to its wide range of features and technologies packed into a compact form factor. The palm-sized device lends itself well to pranks, hobbyist hacking and some penetration testing, especially when the security of wireless devices and access control systems needs to be tested. There’s also a lot of free third-party firmware that can further enhance its functionality.
On the other hand, Flipper Zero’s ability to interact with various wireless communication protocols and devices may allow attackers to gain unauthorized access to restricted areas or sensitive systems. By combining functionalities such as RFID emulation, NFC capabilities, infrared (IR) communication, Bluetooth, and General Purpose Input/Output (GPIO) control, among others, it allows people to interact with and manipulate various types of electronic systems.
For example, since the gadget can also transmit and receive IR signals, it could be used to control IR devices like TVs or air conditioners. More worryingly, the gadget can read and emulate RFID access cards and tags. Low-frequency 125 kHz cards that do no more than broadcast a fixed ID are trivial to clone, so unless an organization’s credentials are properly secured against cloning, attackers could use Flipper Zero to gain entry to locations secured by RFID-controlled locks. Flipper Zero can also mimic a USB keyboard and run pre-configured DuckyScript payloads (its BadUSB mode) to automate tasks and perform or facilitate specific actions within a target environment, such as extracting sensitive data.
As cute as it may be, then, Flipper Zero has copped a lot of flak due to concerns that it can be used to aid and abet crimes, notably car theft given its ability to capture and replay key fob signals (though, to be fair, this is not without some serious limitations: modern cars use rolling codes, so a captured signal cannot simply be replayed to unlock them). It has, therefore, come under scrutiny from various governments, with Canada mulling an outright ban and Brazil seizing incoming shipments of the product at one point.
O.MG cable
The O.MG cable appears as unremarkable as your regular smartphone charging cable. Developed by a security researcher who goes by “MG” online, the cable was created as a proof of concept to demonstrate the security risks associated with USB peripherals.
The cables harbor a plethora of capabilities that allow their misuse for various malicious actions. They can operate similarly to the USB Rubber Ducky and Bash Bunny, executing pre-configured keystroke payloads, and can function as a keylogger, making them suitable for data exfiltration and remote command execution.
To make matters worse, O.MG cables include a Wi-Fi access point and can be controlled wirelessly from an attacker’s device via a web interface, so the attacker need not return to the machine after plugging the cable in. The cables come with connectors for all major device types (USB-A, USB-C and Lightning) and can be configured for targets running Windows, macOS, Android and iOS. Oh my God.
Staying safe
While these tools have been used in various demonstrations, there don’t seem to be any reports of them being actually used in real-world attacks. Even so, it’s prudent to apply a combination of technical controls, organizational policies and employee awareness training in order to help your organization stay safe from potentially risky gadgets.
For example:
Organizations should restrict the use of external devices like USB drives and other peripheral devices and enforce policies that require all external devices to be approved before being connected to corporate systems.
Physical security measures are just as important so that unauthorized individuals can’t gain physical access to corporate systems and devices and can’t tamper with them.
It’s also crucial to organize regular security awareness training for employees and educate them about the risks associated with USB-based attacks, including being wary of plugging in random USB drives.
Use security solutions that can detect and thwart malicious activity initiated by rogue gadgets and offer device control features that allow admins to specify which types of devices are allowed to connect to corporate systems.
Make sure autorun and auto-play features are disabled on all systems so that payloads on removable media are not executed automatically when a device is connected. Bear in mind, though, that this does nothing against keystroke injection: a Rubber Ducky never relies on autorun, because it simply types, so it has to be countered with device control and physical security instead.
In some situations, USB data blockers, also known as USB condoms, may come in handy: placed between your device and an untrusted port or cable, they pass power through but physically disconnect the data lines, turning the connection into charge-only. They obviously cannot help where transferring data is the whole point of plugging the device in.
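The device-control recommendation above is worth making concrete. When a USB device enumerates, the operating system learns its vendor and product IDs, a serial number if it has one, and the interface classes it advertises (keyboard, mass storage, network adapter, serial). A Rubber Ducky shows up as a plain keyboard; a Bash Bunny or O.MG cable can present storage, serial or network interfaces next to the keyboard. The Python script below is an added example, not code from the article or from any vendor product; it reproduces the kind of decision a device-control tool such as USBGuard makes, using an allow-list plus an interface-class check. Every device record, vendor/product ID and serial number in it is constructed for illustration.

```python
"""USB device-control policy check.

Added example for this article, not code from any vendor product. It mirrors
the decision an endpoint device-control tool (USBGuard on Linux, for example)
makes when a USB device enumerates: match it against an allow-list and look at
the interface classes it advertises. A Rubber Ducky enumerates as a plain
keyboard; a Bash Bunny or O.MG cable can present storage, serial or network
interfaces alongside the keyboard. The device records, vendor/product IDs and
serial numbers below are constructed for illustration.
"""

# USB-IF interface class codes used below
CLASS_CDC_CONTROL = 0x02   # communications (CDC-ECM/RNDIS network adapters)
CLASS_HID = 0x03           # human interface devices
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A
# HID boot-interface subclass 1 with protocol 1 means "keyboard"
HID_BOOT_KEYBOARD = (CLASS_HID, 1, 1)

NETWORK_OR_STORAGE = {CLASS_CDC_CONTROL, CLASS_CDC_DATA, CLASS_MASS_STORAGE}

# Constructed allow-list: made-up VID:PID pairs and a made-up serial number
ALLOWED_IDS = {
    (0x1234, 0x0001): "standard-issue office keyboard",
}
ALLOWED_SERIALS = {"CORP-ENC-0042": "approved encrypted drive"}


def classify(dev, allowed_ids=ALLOWED_IDS, allowed_serials=ALLOWED_SERIALS):
    """Return (verdict, reason) for one enumerated device.

    `dev` is a dict with vid, pid, serial and a list of
    (class, subclass, protocol) interface triples.
    """
    ifaces = dev["interfaces"]
    classes = {cls for cls, _, _ in ifaces}
    is_keyboard = HID_BOOT_KEYBOARD in ifaces

    # 1. A keyboard that also offers storage, serial or network is the
    #    multi-personality shape of an attack platform. Reject it even if the
    #    VID:PID is on the list: those IDs are trivially spoofable.
    if is_keyboard and classes & NETWORK_OR_STORAGE:
        return "reject", "keyboard combined with storage/serial/network interfaces"

    # 2. Explicitly approved devices. Serial numbers are a stronger anchor
    #    than VID:PID, but neither is proof; this is policy, not attestation.
    if dev.get("serial") in allowed_serials:
        return "allow", allowed_serials[dev["serial"]]
    if (dev["vid"], dev["pid"]) in allowed_ids:
        return "allow", allowed_ids[(dev["vid"], dev["pid"])]

    # 3. Anything unknown that can type is blocked until someone approves it:
    #    this is the keystroke-injection case.
    if is_keyboard:
        return "block", "unapproved keyboard (possible keystroke injection)"
    if CLASS_MASS_STORAGE in classes:
        return "block", "unapproved mass storage"
    return "block", "not on allow-list"


def audit(devices):
    """Classify every device and return [(name, verdict, reason), ...]."""
    return [(d["name"],) + classify(d) for d in devices]


# Constructed enumeration records, as a device-control daemon would see them
SAMPLE_DEVICES = [
    {"name": "office keyboard", "vid": 0x1234, "pid": 0x0001, "serial": None,
     "interfaces": [HID_BOOT_KEYBOARD]},
    {"name": "approved encrypted drive", "vid": 0x5678, "pid": 0x0100,
     "serial": "CORP-ENC-0042", "interfaces": [(CLASS_MASS_STORAGE, 6, 0x50)]},
    {"name": "stick found in the car park", "vid": 0x5678, "pid": 0x0200,
     "serial": "A1B2C3", "interfaces": [(CLASS_MASS_STORAGE, 6, 0x50)]},
    {"name": "keyboard-shaped flash drive", "vid": 0x9ABC, "pid": 0x0007,
     "serial": None, "interfaces": [HID_BOOT_KEYBOARD]},
    {"name": "cable with a spoofed keyboard ID", "vid": 0x1234, "pid": 0x0001,
     "serial": None,
     "interfaces": [HID_BOOT_KEYBOARD, (CLASS_MASS_STORAGE, 6, 0x50),
                    (CLASS_CDC_CONTROL, 6, 0), (CLASS_CDC_DATA, 0, 0)]},
]


if __name__ == "__main__":
    for name, verdict, reason in audit(SAMPLE_DEVICES):
        print(f"{verdict:6} {name}: {reason}")
```

The ordering of the checks is the point: the interface-class test runs before the allow-list lookup, because a device that claims an approved keyboard’s VID:PID while also exposing storage and a network interface is more suspicious, not less. Default-deny for unknown devices is what turns the "approve before connecting" policy above into something enforceable.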
by Daniel Cunha Barbosa