USB Attacks Going Commercial?
In the public hacking world, so far we have mostly seen USB technology
from security vendors... not the attackers' side.
A few years ago we had discussions on pen-test
(http://archives.neohapsis.com/archives/sf/pentest/2004-06/thread.html#2),
and later bugtraq and FD on these risks, following an article in 2600 and
a post from me
(http://archives.neohapsis.com/archives/sf/pentest/2004-06/thread.html#2) on
the Risks Digest. On pen-test, Harlan Carvey and others also followed up.
Since then there have been multiple threads everywhere. This was not new
back then, either, imo.
Back then I mainly addressed the risk of *driver attacks* -
http://archives.neohapsis.com/archives/sf/pentest/2004-06/0002.html (now
more acknowledged since blackhat 2005 and blackhat 2006 presentations on
the subject appeared), and didn't get much attention. Hackers did not know
USB technology that well and most did not see what the heck drivers had to
do with it.
What did come up were the risks of *autorun technology* (which is a
simple solution to making USB devices execute code). These were not as
easy as they first appeared, and did not work if Windows XP's screen saver
was active. Still, things were interesting and my fav quote, "the
janitor is the richest person in the organization", got some interest.
Today, with several USB buffer overflows discovered (mostly in the Linux
kernel) and driver attacks getting more attention, I came across the
following blog entry by Xavier Ashe:
http://blog.xavier.ashe.com/blog/_archives/2006/9/10/2314043.html
In his blog he discusses a USB autorun technology which is actually a
hacking tool, combined with a password stealing program/script, and how
the actual attack works despite old issues with autorun. It exploits
the U3 technology, as he explains:
-----
"In this segment we'll overview a few of Microsoft Windows' security
weaknesses and show how to build a custom USB key that will retrieve vital
information from a target computer, necessary for auditing password
strength. A major flaw in the way Windows stores password information is
the use of the legacy LM, or LAN Manager hash. While this hash is based on
DES encryption it is vulnerable to time-memory trade-off attacks due to
its poor implementation. Our custom USB key uses new U3 technology to
automatically and invisibly retrieve these weak hashes within seconds of
being inserted into the target computer. From here the LM hashes can be
tested against a set of rainbow tables using the popular rainbowcrack
software and audited for password strength. We will also cover password
best practices and prevention methods for this type of attack.
The beauty of our custom password hash retrieving USB key comes from its
unique use of U3 technology. U3 is relatively new USB flash drive
technology developed by U3 LLC in cooperation with Sandisk and
M-Systems. More information about U3 can be found at the website
http://www.u3.com
It basically uses a portion of the flash drive's memory as a virtual
CD-ROM drive. This allows the Windows autorun feature to work properly,
enabling us to run programs as soon as the drive is inserted into a
computer. The autorun feature does not work properly on standard USB flash
drives so a U3 enabled USB flash drive is required to make this work."
-----
Further, he points to an article at hak.5 on how to set it up:
http://www.hak5.org/forums/viewtopic.php?p=31505
People used to glue USB ports when security was paramount, today that is
no longer an option and other solutions from different vendors have been
created. I don't like the buzz and hype around this subject, as important
as it might be. It is just one of many different threats that corporate
security should include in its design. Let's not all make people take off
their shoes to prevent them using shoes in attacks
(http://blogs.securiteam.com/index.php/archives/553), but rather secure
things right?
Gadi.
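The quoted article mentions auditing the retrieved LM hashes for password strength. The following is an added example, not code from this post or from Xavier Ashe's article, showing the defender's side of that audit: given a pwdump-style dump (the `user:rid:lmhash:nthash:::` line format is assumed), it flags accounts that still store an LM hash at all and, among those, the ones whose second DES half is the well-known "empty half" constant, which means the password is seven characters or fewer and only one 7-character half needs to be attacked. The sample dump is constructed for the example.

```python
"""Audit a pwdump-style dump for LM hash exposure.

Added example; not part of the original post or the quoted article.
Assumes the common pwdump line format  user:rid:lmhash:nthash:::
"""
from dataclasses import dataclass
from typing import List, Optional

# LM encrypts each 7-byte half of the upper-cased password with DES
# against a fixed plaintext. An all-zero (empty) half therefore always
# produces this well-known constant, so its presence in the second half
# reveals a password of 7 characters or fewer.
EMPTY_LM_HALF = "aad3b435b51404ee"
# When LM storage is disabled, both halves are "empty".
NO_LM_HASH = EMPTY_LM_HALF * 2

# Constructed sample dump (hash values are illustrative only).
SAMPLE_DUMP = """\
admin:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
janitor:1001:e52cac67419a9a22aad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1002:e52cac67419a9a224a3b108f3fa6cb6d:5835048ce94ad0564e29a924a03510ef:::
"""


@dataclass
class Finding:
    user: str
    severity: str  # "info", "medium" or "high"
    reason: str


def audit_lm_line(line: str) -> Optional[Finding]:
    """Classify one dump line by how much its LM field gives away."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[0]:
        return None  # blank or not a hash line
    user, lm = parts[0], parts[2].lower()
    if len(lm) != 32 or any(c not in "0123456789abcdef" for c in lm):
        return Finding(user, "info", "malformed LM field")
    if lm == NO_LM_HASH:
        return Finding(user, "info", "no LM hash stored (LM disabled for this account)")
    second_half = lm[16:]
    if second_half == EMPTY_LM_HALF:
        return Finding(
            user, "high",
            "LM hash present and password is 7 chars or fewer: one DES half to crack",
        )
    return Finding(
        user, "medium",
        "LM hash present: case-insensitive, two independent 7-char halves",
    )


def audit_dump(dump: str) -> List[Finding]:
    """Audit every line of a dump, skipping blanks."""
    findings = []
    for line in dump.splitlines():
        f = audit_lm_line(line)
        if f is not None:
            findings.append(f)
    return findings


def exposed_accounts(dump: str) -> List[str]:
    """Users for whom an LM hash is still stored (medium or high)."""
    return [f.user for f in audit_dump(dump) if f.severity != "info"]


if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        print(f"{f.severity:6} {f.user:12} {f.reason}")
```

Accounts reported as medium or high still carry an LM hash; the fix on the Windows side is to stop storing LM hashes (the "Do not store LAN Manager hash value on next password change" policy) and then force a password change, after which the field reads as the `NO_LM_HASH` constant.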