Getting Owned: The USB Keystroke Injection Attack
Editor's Note: If you like this article, you may also be interested in Brad Bowers' related piece, The Evolution of Evil: Changes in the Use of USB Devices as Delivery Mechanisms for Malicious Code.
What do you get when you put very technically proficient people in charge of building customer loyalty? In this case, you get the perfect marketing tool: an undetectable, AV- and platform-apathetic method of programmatically interacting with the host OS.
Fortunately, Hyundai is using its technical prowess only for good. Put this technology in a malicious hacker's hands, and you have a rather innovative way to create some chaos.
This article starts with an innocent-looking package that arrived in the mail. Included in the package was a small key-like device that was designed to fit into the USB slot of any modern desktop/laptop (see Figure 1). This could be a Mac, a Windows-based PC, or even a Linux box.
Once inserted, the USB device would cause the computer to launch an Internet browser that would automagically go to http://www.welcomemyhyundai.com.
Figure 1 Hyundai key
Let's look at this from two angles: the marketing perspective and the security perspective.
First, from a marketing point of view, this device is a perfect solution to provide an enhanced method of driving traffic to your product line. It is unique, technologically sexy, AV- and OS-apathetic, and cheap to develop and mass produce.
Imagine the marketing potential. In this case, Hyundai used the device to open a website meant to drive consumer loyalty. Other possibilities include opening a PDF file, downloading an image or document, displaying a popup or banner ad, a web-based "phone home" reporting that the device was used, and so on.
If we take this one step further, the device could also be used as a unique identifier or login device. For example, imagine being able to hand out a USB device that would automatically log a user into a website or desktop application using an automated process that embeds a unique identifier directly into the URL (i.e., https://www.site.com?uid=12345), and not have to worry about an AV product, a policy-based disabled autorun or an anti-USB policy getting in the way. This is a marketer's dream!
Now, let's see a second perspective to the way this type of device can be used: the "paranoid" security world view. Imagine a device that can cause the host computer to visit a website, launch an application, run any number of commands via the command prompt or establish a remote shell, all without AV software interfering or an anti-USB policy getting in the way.
Simply plug the device into a USB port, or socially engineer someone to do it for you, and the goal is accomplished.
If we put on our malicious hacker hats for a moment, let's consider the potential for harm:
- Direct a web browser to a malicious website that contains code that installs a backdoor.
- Create an administrator account on the device.
- Download and execute a reverse-shell program.
- Delete, upload, update, or create files.
- Obtain local sensitive data and upload it to a remote attacker.
- Update local domain name server settings to redirect all Internet traffic to a remote attacker.
The true potential of this attack vector is unlimited and is up to the imagination and creativity of the attacker.