
Correct. Hello, thank you for coming here. I'm Meadow Ellis, I'm very happy to be here. I'm quite gutted that I can't do crowd surfing, but I will have to manage somehow. [inaudible] Oh, I was told to stand here; I have to hold this.

First of all, who's Meadow and what is she doing here? You probably cannot read it, but this is my business card. Basically I don't like titles, so I'm making fun of all the titles that people put on their business cards. I would say I'm not a hacker. I don't call myself a hacker, because I think hackers are people from movies from the early 90s that were hacking [inaudible]. I'm just a hardware security engineer. I may have to stop calling myself an engineer, because there was some shitstorm on Twitter that "engineer" may be a protected title; I don't have a degree in engineering, I'm just calling myself an engineer.

Before coming here you might have seen a recently added BSides talk about the green padlock; we don't have the green padlock anymore, but we still have the problem. Also the talk earlier this year in [inaudible] about hardware hacking and how, when we are hardware hackers, we have to go deeper into how those things work; but I'm just putting boxes together. I also did the first hardware badge for BSides London this year; if you go to [inaudible] you will see how it works. The blog post about the badge is coming, it's just taking me way too long. If you want to contact me, catch me on Twitter, or go to [inaudible]; the instructions are there on how to talk to me.

So what's gonna happen today: I will speak about the problem that I'm trying to solve, that we are trying to solve; criminals and skids, what's the difference, how to spot one and not be owned under the nose of the other; then maybe a demo, if it works. [laptop not cooperating] Maybe a demo in the middle. But the talk is not about hardware today; there may be a different talk about the hardware. This talk is more about what surrounds the hardware, and then what can we do about it, how can we solve this problem, what can we do about [inaudible].

So the problem that we have, and this is not only hardware but predominantly software, is that there are a lot of skids, script kiddies, out there who are bombarding us with a lot of noise. They can be criminals, because their activities can be made criminal, but because they are using known techniques they should be easy to detect. And the problem is that, because we know what they're using, we shouldn't be caring about it; we should be building automation to detect that and trying to find those who are a bit different. And I'm saying this in every talk I have the opportunity to present: hackers are not criminals. There's this media perception that "hackers breached a database, stole some personal data". Criminals, not hackers. We are against criminals, we are not against hackers; criminals are the problem of our industry.

So the skids: the thing is that you should be able to detect them and stop caring about them. In the networking world, for example, you spin up a VM, open port 80, look at the logs, and like 5 seconds later you see a lot of scanning, "hacking attempts" on phpMyAdmin. I mean those are not hacking attempts, this is just millions of scanners out there that are snooping on hosts; and if you are using phpMyAdmin, I mean, you shouldn't be, basically, but those are the basics that we shouldn't be caring about. And in the hardware space the same problem exists: people buy stuff that's online, and in terms of what I'm talking about today that would be the Rubber Ducky. It works, okay; in many companies this type of attack would work. But at the same time, because you know that it exists, you can buy a Rubber Ducky and try to find a way of detecting it. Because it's out there, it's something that should be easy to detect, because we know how it works.

But there is also a different problem, and those are our enemies: the criminals will not go online and buy stuff and just use it; they will try to invent something different. The problem here is that the criminal world, the offline world, is poking into computers, into information security, and they're using their methods and applying them to information security. Which means, for example, that they will not go online with this. You probably cannot see this; this is a shot from Mr. Robot. What they did there, they were doing the stuff only in one place; they were talking about this: "I'm not going on the forums". Criminals are doing the same; they didn't watch Mr. Robot, this is just how they work, how they operate. This is cultural; this is not something they invented now. They will not go on Twitter and ask about something; they will not even go to dark web forums and ask about something, because this is not how they operate. But we, more often than not, rely on the information that we can find on the internet, and you can sometimes pretend that a problem doesn't exist because we cannot find anything on the internet. We look at an attack, we look at the dark web, there's no trace of it or anyone asking about this. That doesn't mean it doesn't exist; it just means they are not searching for it, they're not posting about it, they're not selling it, they are just doing this for themselves. Just because you can't see it doesn't mean it's not there. I think partially it's like saying that most criminals are men, and the thing is that maybe women are not being caught. So in my world, what I do day to day, I'm trying to be aware that there is maybe something out there that I don't know about, and just because no one else found it doesn't mean it doesn't exist.

So this brings me slowly to what I did for the demo and why I focus on USB. USB doesn't have any security, and the problem with USB is that this is something that was developed a very long time ago. When they started doing this, I mean the first version of USB was around in 1992 or '93; this protocol, this method of communication, wasn't designed with security in mind, because I would imagine in 1992 to 1995 no one knew anything about it. We didn't have Arduinos, we didn't have Raspberry Pis, Rubber Duckies, all those things that we can now plug into USB; that wasn't the threat model back then. So it just didn't happen. Now we have USB 3; what I'm saying now is actually more than ten years ago, but the USB 3 standard is now more widespread. The problem is that it doesn't matter, from my perspective, at all, because I don't know if there is a keyboard manufactured in 1990 that's using USB, I couldn't find what the first USB keyboard out there was, but you can still use a keyboard from 1999, plug it into your USB 3 port, and it's gonna work just the same. And from a few weeks ago USB 4 was officially released, and USB 4 has even more security included in it. I don't know if USB 4 will support legacy devices like USB 1.1 and 2.0; I hope it won't, but if it does, this is how much it's gonna matter for us: if the legacy protocols will still be supported in the new USB standards, it won't matter that they are secure, because of this backwards compatibility. I have to say that obviously this is important, and for us to work on new security improvements for USB, but as long as USB 2.0 exists the problem will be there. Obviously you can have security over USB, like you can have hardware tokens; a hardware token is secure; they use this broken, or maybe not broken but insecure, protocol to do security over it. But this requires working above it. So we have hardware, we have software, and there's one entity, or a small group of entities, that's controlling that, and with things like keyboards there's no way you can change them, because there's so much stuff out there that's using USB 2.0 and lower, all the USB protocols; if you stop supporting them, people will just go to the streets. You can't stop supporting them.

Now, USB is not something easy to exploit. Unfortunately you cannot see this, I was hoping for a better resolution. USB is not easy to exploit because you need some specialized hardware; well, at least you need something to analyze the protocol, or whatever. I will show you later why this is the case. But everything happens very fast. What you cannot see here, maybe I can do this, actually I'm lying, I'm not lying: number 97,000. Because this is high speed; this is the bus protocol of USB, a USB keyboard in this case; in the first half a second or less you get three hundred thousand transactions or packets being exchanged between the two devices. Now if you are doing something crazy, like I was doing, there's no software that can help you analyze how it works; you have to go line by line and check what's happening. So in this case, for example, my point is here: this is the exchange when the host, the PC, is asking for data from the keyboard, asking what it is; the keyboard is responding that it's gonna send 18 bytes, this is a device descriptor, "I'm compatible with USB 1.1 and my packet size is 8 bytes", and this whole [inaudible]. If you work with USB you obviously know this; if you don't, you first look at this like "how can I do this?" In my case, because again I was doing something crazy or weird, I had to dump the data as it was being passed between the USB host and my keyboard, open a text file and scroll and scroll and scroll and try to find what I'm looking for.

Now, what I did, and I really have to point this out (come on, legs), I really have to point out that what I did and what I will be doing with my device is nothing new. I remember I was being asked... okay, it's going to crash. When I was submitting this talk to various conferences, I was getting responses that this is just another HID attack, just another USB attack, there's nothing new in it. But essentially it doesn't matter, if it works, if you can achieve your goal; if you can own a company using a simple device like a keyboard, it doesn't matter that it's just another attack. Now, the thing about my laptop is that it crashed, sorry about that.
What I did here is nothing new, and if you look at those, those are the things that came to my mind, what I wanted to say, what is something similar out there that can be easily exploited. So we have BadUSB, which has been out there for six years; the Rubber Ducky started in maybe 2010, 2011; the WHID Injector by Luca from 2017; the O.MG Cable from MG; and even before that I think there were some Teensy projects based on plugging something into your USB port and pretending to be a keyboard, I think from 2004. So obviously this is nothing new. The problem, or maybe not the problem but the thing about those and many other solutions, is that they are out there, which means again you can buy them, get them from somewhere, find out how they work and try to protect yourself against them. So those devices and similar ones shouldn't be a problem, because you can automate the detection of them to some extent. Those two glass items: the Facedancer is something that allows you to get into the middle of USB transactions, so you plug it into your host, you plug it into your device like a keyboard, and you can inject packets, you can sniff packets. I'm not using that, but something similar, in my keyboard. Similar devices: there will also be [inaudible], which allows you to do something similar. So there are things out there that you can use right now to analyze how those devices work, and they're not expensive. So again, this shouldn't be a problem.

So I think I'm coming to the demo part; let's see if it works. Looks like it works. Okay, so what I did for my keyboard: this is just a normal, standard-issue corporate keyboard; there's nothing fancy about it, it just works. The thing about this keyboard is that it actually connects to... let me change the screens... what it has inside, which I will show you in a moment, is a Wi-Fi client. So this keyboard is now connected to my endpoint in Azure over Wi-Fi, actually tethering over my phone, down to Azure, going to Apache; there's a proxy pass, there's a Perl script on the other end, and this is the result of the Perl script; it's only printing whatever it gets. If I press a key on the keyboard you will see those zeros; you probably cannot see, but if you could see, that's "a" here, so this is "zero zero zero zero zero a": those are keyboard scan codes that the USB device is sending from the keyboard to the host. My device sits in between the keyboard and the host, so the keyboard still works, because if I press something obviously the keys will be sent, but it's also sending those keys out, which means I have achieved my goal, because this is the remote control that I was looking for. And this is something original, in the way that it's not out there. I will be writing about this, I will probably be doing another talk about this, so it will be out there, but at the moment, if this was a criminal device you probably wouldn't be able to detect it.

Now, you wouldn't be able to detect it because... can I show you this? Okay, I cannot show you this because the USB analyzer on Windows is crashing when I'm trying to connect. But this device takes all the data from the keyboard and it's passing it through to the host, which means it's also passing all the configuration data and identification data. So with USB, every USB device identifies itself with the VID/PID and strings, which are defined in the manufacturer and the product; there's a string describing what it is. And so whatever you use my device on, it will just take those strings and pass them through, so if you look and try to see what's connected to your endpoint, to your host, you just see a normal keyboard. So this is just passing that back and forth, but that wouldn't be enough, so I went further. So this is my endpoint in Azure; what I can do, I can send keys back to the keyboard, and they will then be pressed on the host. So what I will do...
So I have sent a string through my Azure endpoint, and this string, which is actually just a GET request, was sent back to the keyboard, and the keyboard pressed, if you can see, "hello BSides [inaudible]". That's probably what [inaudible] those keystrokes. So what I'm doing here, I'm just sending the keyboard scan codes back to the keyboard: press Shift with H, release, and so on and so forth. So now with my unique, original keyboard I have two-way communication, and obviously pressing keys and saying hello wouldn't be that [inaudible], but as you probably know, if you can press keys you can do anything. So let me see if this works. It didn't, but what I was going to do, it would pop up Windows Calculator, because that's what everyone is doing. So basically this script was supposed to be doing... let me try this again. Why doesn't it work? Probably a typo. So again, with my standard-looking keyboard I have two-way communication between this device and somewhere out there. So because I can pop a calculator, which is basically pressing the Windows key, typing "calc" and pressing Enter, so six keystrokes, obviously I can upload any payload I want. So I'm happy that works; I wasn't expecting that.
So now I can go back and tell you about what's inside, if I can swap my screens again. What criminals are doing, they are using some ingenuity, some dexterity I would say; there are tools to cut PCBs, for example, because they don't fit into the keyboard. This is not something that you'd normally see; you see this because something is being made to order. When you're designing, creating something, no one tells you to cut a PCB in half using a Dremel; that's not standard, but obviously if it works, if you achieve the goal, that's what they will do. So those four components, some wires, [inaudible], Azure, Let's Encrypt obviously, because the communication is going over HTTPS and everyone is using it, including criminals; Apache and Perl; and some spit and some tape, well, actually some hot glue. So I had those two PCBs on the left and right hand side to fit them into this hole. When I started this, that was kind of a challenge; when I got accepted for this conference I didn't know if it's gonna fit in there, I just assumed that it would fit, because when I opened the keyboard I saw there's so much room there, like it has to fit. So I wasn't sure it's gonna work; that's why I started filing things, trying to fit them better. And if you see what I did to the Arduino here, so this is the Arduino bit that's on top; I had to file it a bit here because it was a bit too wide to fit in that space. Again, this is not something that you would expect; when you go into an Arduino, well, you haven't got an Arduino anymore because you have to fit it in there. So that's the problem, and this thing works.

And now what can we do about this? Actually, if you have an estate of 20,000 endpoints, each of them has a keyboard, you have weak physical security, because we all do; let's not kid ourselves, physical security is always a problem. How do you find this one amongst your 20,000? So there are some ways you could try to detect that. The first of them is checking VID/PID. This is what I said a moment ago, that my device is passing all the data from the keyboard to the USB host and back, so obviously not in this case, but not in many cases as well, because those strings are easily changeable; like even those devices that I talked about, the other devices that might be different from my keyboard, you can change the PID and VID and all the strings to whatever you want, so detecting anything based on that is not gonna work.

You can measure current; some USB device is drawing some current, and, allegedly, not allegedly, you can measure current. But first of all, there's this misconception of USB that the machine is measuring current by itself, because if you go to Windows or any other operating system and look at the USB device, if it says for example that it's drawing a hundred milliamps, that is not true, because what's actually happening, as part of the setup of the USB device, is that the host is asking "how much current are you going to draw?" and the device is responding "that many milliamps". So it's a lie; it's just a text exchange between the two devices. You cannot get current straight from the machine. You can measure the current, and I also know that you can measure the current. In this case, this is a PoC, so this is drawing quite a lot of current; that's why I have to have a powered hub, because the Surface doesn't provide enough current over USB, which other devices do, but this one doesn't. I could make it so that it's drawing the same amount of current as a normal keyboard. And again, if you have twenty thousand keyboards in your estate, are you gonna measure all of them? No. You can analyze the current; now this is something I cannot overcome. Analyzing the current means measuring the current at a very high resolution; every device is drawing current not in a flat line, it changes with what the device is doing. This is part of the ChipWhisperer stuff: they are analyzing the current going into the device and breaking side channels, side-channel attacking the hardware crypto and all the other devices by measuring current very accurately and trying to find out what the device is doing by looking at the current. So in this case I wouldn't be able to compete with that, because the pattern will be completely different from the normal keyboard, and there's no way I can jump over this. But again, twenty thousand keyboards: you can detect one, but you won't be able to detect all of them, you won't be able to check if all of them are clean or one of them is malicious.

So this device connects over Wi-Fi. Normally, if I was to implement that, I would try to use local Wi-Fi, because it's just easier, but even if it's connected to a corporate Wi-Fi: it is over HTTPS, that's not the problem, because this can be downgraded and analyzed. It's only using GET requests; it's quite hard to detect it because you will not find... you will find later, like in three months, how it works exactly, but at this point you don't know what to look for; it just looks like a normal GET request. If you know that there's something malicious in your network that will be doing this, you can try to find it, but if you have twenty thousand endpoints and a lot of stuff is happening in your network, it's very hard to find it. But aside from that, this is not connected to my home. So if I manage to swap a keyboard in your company, it means I had someone who was able to do this, obviously. What I can do: if there is for example a cleaner who's coming every now and then, I can give them this phone; they will be going about their business and not even touch the keyboard, and the keyboards, when they detect there's a Wi-Fi to connect to, just collect the data and just disconnect. Good luck trying to find this collection happening. You can obviously measure Wi-Fi, you can see there's an odd device, but you have to know that there is something there to look for. And it's the same thing with USB 2: this is really funny because it's true, if you can disable USB 2 it's gonna work, because you will eliminate all those problems with Rubber Duckies, with those keyboards, but you cannot disable USB 2, because your company runs on USB 2 like every other company. So many devices out there are still using USB 2 and lower that realistically you cannot do this; if you can, fine, but I bet you won't be able to. But the problem is even bigger, because we like to think that this is only happening in our own bubble, information security, but things like eavesdropping, bugs, not software bugs but listening devices, were around before the war, and if someone is able to swap a keyboard they don't have to just do a keylogger, they can put a bug in there. And this leads to a certain paranoia that you shouldn't be falling into, because you cannot protect yourself against all those things; again, if someone manages to go into your company and do stuff like this, they can do many other things, and building a bigger, taller wall to protect yourself against this is just not going to work.

So the question... I don't like it when a talk is presenting problems and saying "we are all screwed, now let's go home". I like to present a solution. So I don't think we are... the problem is here: we cannot realistically prevent this from happening, but we can do something around this to try to minimize the effectiveness. First of all, attribution is important. I like to sometimes make fun of attribution attempts, because someone is saying for example they have detected a new actor, an APT, and they clearly say what they did to find out that this attack was absolutely that APT; if I'm an attacker, I see what you did. So in the case of devices like this, the first thing I will do, I will try to find out what other people are doing to actually detect someone. But at the same time, this is important because we want this to stop. We are not law enforcement; this is not [inaudible]; we have to defend ourselves somehow, we have to do the work. If you find something like this we have to try to find out where it came from, what it did, and then pass this on to the police and see... this is their job, this is what they should be doing, and you should be helping them. So I think it is very important that we not only find those devices but help law enforcement to try to catch the people who are doing this, because in the end this is what you want to happen: we want those attacks to stop.

And now that brings me to the key point of my talk, what I wanted to speak about, why I wanted to have a reason to talk about this: how do you prevent this keyboard from destroying your company? Everyone knows about this, I hope everyone knows about this, but think about this: this will steal and send out all keystrokes. So if you are not using a password manager, you know your passwords; if you are, there's always some master password, a passphrase that you have to remember. If you have multi-factor, it doesn't matter. It's quite rude to say "let them seek other targets", but we've been talking about multi-factor for a very, very long time. Obviously it's not that easy; you can't just go into a company and say "from tomorrow, multi-factor". It takes time, but this is where we have to go. This will get all passphrases, but it won't matter; if they know that your company is using multi-factor, even for domain passwords, they will not even try to do this, because why? Now obviously the one side of your communications, typing emails, your web searches, everything else will get out, and you can't do much about this.

But there's also the other part of the solution to this problem, because, as you've seen, you can remotely send the payload into the machine and do something with it, which means you can basically own the network; "your network is my network", and so on. So if you don't know about zero trust and BeyondCorp, you should, because I obviously don't have time to talk in great detail about how it works, but what it is, in principle, is that there's no firewall as such; obviously there is a firewall, but not in the way that we've been using the thing for 20 years or more. Being on the network doesn't give you anything, because you have to authenticate yourself with everything else. Think about a corporate network that allows you to go to places, and you have to VPN from outside into your corporate network, and only when you are in the corporate network can you access other stuff. There's no such thing as a corporate network anymore; Starbucks is your corporate network, because it doesn't matter anymore where you are, you still have to authenticate yourself. Which means again, if I can own the network using this keyboard, because I could also make it so that it will actually serve a network connection over USB to their home, so I can get onto the network; obviously the machine is still owned, but only that machine. All the passphrases are gone, but it doesn't matter, because you still have to use the second factor to authenticate yourself. So I suppose it's kind of weak to talk about multi-factor and zero trust when I'm talking about USB attacks, but actually I think this is the point: this device, in such an environment, is completely useless. Again, you will own that one machine it's connected to, but all that stuff's not giving you anything. So please do search, if you don't know how, please do search about zero trust, please read about BeyondCorp by Google; they published their architecture, they have released how they are doing this, and it's actually pretty [inaudible].

The end of my talk is near, so it's time to wake up if you fell asleep. I will try to wrap up what I said today and the important things. Good criminals don't talk; they are not online, they're not on Twitter, I mean they are on Twitter, but good criminals don't talk about what they do, how they work, and if you can't find anything about an attack, about a method, it doesn't mean that no one is doing that; they are just not talking about it. USB 2.0 and lower: they are a mess, but they are here to stay and we have to live with that; you cannot disable it, you cannot remove it from our environments, we just have to manage it somehow, for example with zero trust and multi-factor. You have to filter out the skids; you have to get rid of a Rubber Ducky owning your company, because, again, repeating myself, you should be able to detect it pretty easily. There's always a way in, and this is again an argument against building bigger, taller walls, greater, higher walls: there will always be a way of getting the data out. Like you might have heard, some people were doing experiments of blinking the LEDs on [inaudible] with the data; but why not? If you only need one domain admin password, and if it's not admin it's something else, "your company name and 2019", you can bring that out in Morse code using one of the LEDs somewhere, if you really want to. So how do you stop this? Obviously, you know, blow out the windows or something like that, but there will be another way. You cannot stop it; you have to agree that this exists and move beyond that. Stop relying on the security of your password and stop relying on the security of your network.
Don't buy snake oil. Many vendors will say, especially on the EDR, endpoint detection and response, market, they will say that they will protect your endpoints against USB attacks. What they actually mean is that they will protect your endpoints against USB drive attacks and nothing else, because many people, when they say USB, they mean USB drive, because they are not quite aware that the keyboard is also USB. And what vendors are doing, not all of them but most of them, they just block USB flash drives, and that doesn't solve this; this didn't work. We need more devices like this; that's why I went and spent six weeks of hard work trying to make it happen, even though it's just another HID attack, because we need more of those devices and we need to keep putting the pressure on vendors and on operating system manufacturers, I don't know who exactly, but there are some other people who should be doing this. If we keep the pressure and show that the problem really exists, there is a chance that it will change finally and the problem will go away. Any questions?

[Question from the audience] Oh, I know you, I know you; I'm not paying you back. So have you lost the trust of everyone in your office? Did you hear that?

That's the thing. I can go and talk about paranoia, about getting into this state of mind that you will have to look at every keyboard in your office, every table, under the side of every table; you can't, this is not gonna happen. Because, especially with the miniature devices that you can create nowadays, like listening devices, it can be so small, it can be hidden absolutely anywhere; there's no point in trying to find them, because you will not find them. So, to answer your question to some extent, I'm just accepting the risk. If someone wants to, they will break into my home and swap my keyboard; I'm not checking my keyboard every time I go back home, because this is just ridiculous. All right, so yeah. Thank you.
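The demo shows the host receiving 8-byte boot-protocol keyboard reports (modifier byte, reserved byte, six keycodes from the USB HID usage tables, where "a" is 0x04 and Shift+H is modifier 0x02 with keycode 0x0B), and the talk argues that Rubber Ducky-class injection should be caught by automation because its behaviour is known. The following is an added example, not code from the talk or its device: it decodes a constructed, timestamped report sequence exactly as a host-side USB capture (for instance Linux usbmon) would present it, and flags key-down runs spaced faster than a person could type, such as the "Win+R, calc, Enter" sequence from the demo.

```python
"""Added example (not from the talk): decode USB HID boot-protocol keyboard
reports and flag keystroke bursts that arrive faster than a person can type.
Input is assumed to be a timestamped list of 8-byte reports, as a host-side
USB capture (for instance Linux usbmon) would give; the sample is constructed."""
from dataclasses import dataclass

# Keycodes from the USB HID Usage Tables, keyboard/keypad page (subset).
KEYCODES = {0x04 + i: chr(ord("a") + i) for i in range(26)}        # a..z
KEYCODES.update({0x1E + i: d for i, d in enumerate("1234567890")})  # 1..0
KEYCODES.update({0x28: "\n", 0x2C: " ", 0x2D: "-", 0x36: ",", 0x37: "."})
SHIFT_MASK = 0x02 | 0x20  # left/right Shift bits of the modifier byte
GUI_MASK = 0x08 | 0x80    # left/right GUI (Windows) key bits


@dataclass(frozen=True)
class Report:
    t: float    # capture timestamp, seconds
    raw: bytes  # boot protocol: modifiers, reserved, six keycodes


def key_downs(reports):
    """Yield (time, label) for each keycode that newly appears in a report.
    A keycode present in consecutive reports is one held key, not a repeat."""
    prev = set()
    for r in reports:
        if len(r.raw) != 8:
            raise ValueError("boot keyboard reports are exactly 8 bytes")
        mods = r.raw[0]
        cur = {k for k in r.raw[2:] if k}
        for k in sorted(cur - prev):
            label = KEYCODES.get(k, f"<0x{k:02x}>")
            if mods & SHIFT_MASK and label.isalpha():
                label = label.upper()
            if mods & GUI_MASK:
                label = "GUI+" + label
            yield r.t, label
        prev = cur


def typed_text(reports):
    """Reconstruct what the host saw typed: a keylogger in the keyboard and an
    analyst looking at a capture both see this same report stream."""
    return "".join(label for _, label in key_downs(reports))


def scripted_bursts(reports, max_gap_ms=40.0, min_keys=5):
    """Return (start, end, text) for runs of at least min_keys key-downs whose
    inter-key gap never exceeds max_gap_ms. Sustained gaps under 40 ms are far
    below human typing; keystroke injectors default to much faster."""
    events = list(key_downs(reports))
    bursts = []

    def flush(run):
        if len(run) >= min_keys:
            bursts.append((run[0][0], run[-1][0], "".join(lab for _, lab in run)))

    run = events[:1]
    for prev, cur in zip(events, events[1:]):
        if (cur[0] - prev[0]) * 1000.0 <= max_gap_ms:
            run.append(cur)
        else:
            flush(run)
            run = [cur]
    flush(run)
    return bursts


def press(t, keycode, mods=0):
    """Two reports as a real keyboard sends them: key down, then released."""
    return [Report(t, bytes([mods, 0, keycode, 0, 0, 0, 0, 0])),
            Report(t + 0.002, bytes([mods, 0, 0, 0, 0, 0, 0, 0]))]


def sample_capture():
    """Constructed capture: a person types "Hi" at about 150 ms per key, then an
    injected Win+R, "calc", Enter lands 10 ms apart (the talk's calculator demo)."""
    reports, t = [], 0.0
    for keycode, mods in ((0x0B, 0x02), (0x0C, 0)):  # Shift+h, i
        reports += press(t, keycode, mods)
        t += 0.15
    t += 2.0
    reports += press(t, 0x15, 0x08)                   # GUI+r
    t += 0.01
    for keycode in (0x06, 0x04, 0x0F, 0x06, 0x28):    # c a l c Enter
        reports += press(t, keycode)
        t += 0.01
    return reports


if __name__ == "__main__":
    cap = sample_capture()
    print(repr(typed_text(cap)))
    for start, end, text in scripted_bursts(cap):
        print(f"burst {start:.3f}-{end:.3f}s: {text!r}")
```

The 40 ms threshold is a starting point, not a rule; tune it against real captures from your estate, and remember that a device which replays keystrokes at human pace will not trip this check.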