
appears ready to rock. That's over to you guys. You are going to absolutely love this presentation. It's called Charge!, with an exclamation point; things are always better when you put an exclamation point at the start. Why you shouldn't trust that power bank. So, over to you guys.

Thank you Scott, let me show you my slides. Okay, welcome to our talk, Charge! with an exclamation point, as Scott said, why you shouldn't trust that power bank, by me, Mauro Cáseres, and Luis Angel Mendoza from DC5411. Before we start we would like to make a really brief introduction on ourselves and on what this talk is about. My name is Mauro Cáseres, I'm the founder of BCA and DC5411 and I love public speaking. I spoke at DEF CON, the Texas Cyber Summit, Roadsec Brazil, DragonJAR Colombia and a lot of other events. Our DC is mostly focused on social engineering and hardware hacking, and we really love mixing both of them, even so it might seem a little bit strange or a little bit not too compatible between them. This talk is going to be given by me and my partner Luis, who is going to introduce himself now.

Thank you. Hi, my name is Luis, I am from Colombia. I am an electronics engineer working at Birmingham Cyber Arms, a member of DC5411, speaker at DragonJAR, and a hardware hacking enthusiast.

Okay, and the objective of this talk is to explain BadUSB attacks. I know that you might have heard a lot about this, a lot about USB, and most of the times you probably heard it using a classic approach: the USB stick, the BadUSB memory stick, which is the classical way of doing it, it's the most common way. But we're now tampering with a different kind of hardware. In this particular case we are trying to do a BadUSB attack using a power bank, a portable charger, with obviously a USB interface. So we will show all the process, from the list of materials to how to assemble it and how it works.

We have drafted a plan on how we want to do this. This is the power bank we are using as a base for starting this project. As you may see, this seems like a pretty straightforward, pretty common power bank; it's pretty common off-the-shelf hardware, you can get it at almost any shop for a really cheap price. This looks pretty normal, right? Well, we will explain to you why you shouldn't trust this power bank in particular.

Let's start with the drafting of the plan that I told you about before. We wanted to do three things in particular. We wanted to adulterate an existing, functioning power bank to include a hardware hack that is capable of acting like a remotely managed BadUSB. It should maintain the original appearance of the product at all times, so it should be a perfect counterfeit; it should be able to fool even trained eyes. This final artifact must be able to run a Metasploit payload or a custom payload; we aimed it at first at a generic Meterpreter payload that should give the attacker full access. And we have an additional parameter, just because we like suffering: the product must alert the attacker on success, so whenever the charger was able to find a victim it should reach out to us and say "hey, I found it". This is where the hardware hacking magic comes into play, and my partner Luis is going to explain to you all the blueprints, the materials needed, why we have chosen them and how they interact with each other. So please, Luis, go ahead.
Materials: Arduino Micro (Leonardo), voltage regulator, standard cable and, believe me, the patience is the most important part of all this list. Compared to the original device, all components are cheap and easy to acquire, they add virtually no weight, and in appearance and touch the device reads as original, but it has a piece of interest inside.

Just a comment here: as you may have seen, there's a lot of spare space in this power bank. That's because we have used a big power bank, we stripped its parts, we threw them away and fitted inside a smaller power bank. So it should work, it definitely should work for charging, but you are buying a big one and inside it has parts of another smaller one; that's why we have so much spare space. Now Luis is going to explain to you how this works.

So, when connecting the cell phone to the power bank, it sends an SMS message to the attacker telling him that the device is awaiting for input. The GSM module acts as sender and receiver, having a single phone number whitelisted, the attacker's. Once activated, the Arduino works as a human interface device, triggering the attack mechanics: install the malicious APK, activate it and launch a Meterpreter session.

So basically what you are doing when you are connecting the cell phone, your victim's cell phone, to the BadUSB charger is activating a series of mechanisms that my friend Luis has engineered here, and you're basically connecting an internal cell phone and a keyboard to your own cell phone. So this internal cell phone, this module, the SIM800 GSM, sends the alert SMS that I spoke about before saying "hey, I got a victim", and the attacker says okay. The attacker can either call, just drop in a call, you know, a normal phone call to the SIM, or he can drop a message, an SMS message, so the module will receive them and will parse it for the Arduino Leonardo. This Arduino Leonardo works like a keyboard and then interprets the payload, processes it and says "okay, if you say so, I will do so", and executes whatever payload you have loaded inside.

In the picture we can see a text message indicating that the device is already awaiting for input. In this graphic you can see the configuration code for the power bank, and in this one you can see the code for the download and the malware. In this case we have just hard-coded an internal URL for testing, as you may see, 10.10.10.66/aplicacion.apk (aplicación is application in Spanish), but in a real-world scenario you can obviously use a public IP address of your command and control server or whatever site you have online. As you may see, and I know that the light and the reflection might not be the best in this one, what we wanted to show is the union between the red plastic and the black plastic. As you may see, the device shows no signs of tampering and even trained eyes can be fooled here; there are virtually no aesthetic differences with the original version, and since it is an adulteration and not a counterfeit properly said, it contains proper packaging and serial numbers, and even the "register your device online" functions will still allegedly work for sure.

Let me explain here the difference between adulteration and counterfeit. What we are doing is an adulteration: we are taking an existing hardware, we are taking someone else's hard work, modifying it, we apply some hardware hacking boost inside and then we ship it, we package it and we ship it. But the counterfeit itself is the act of knocking off, of ripping off another person's hard work from scratch, or, on a lesser level, trying to imitate it from scratch. In this case we're already taking a fully done product and changing it for our malicious needs. Aside from its core functionality, which is obviously charging or powering another device, the other secondary functions like the LED display will still work and it will show the corresponding remaining percentage of battery charge, as we can see here, 69 percent. It looks good, it works flawlessly, because there's not so much to do: you only want to charge devices, and it charges. So let's be honest here: only with these pictures, only having these pictures, or only having this item perfectly packaged with the manual and its plastics and everything else, would you be able to detect that this one is a falsification or a counterfeit or an adulteration?

Your package is ready. Let's see the final result. As you may see there's plenty of space: almost 75 percent of the space inside this device is empty, only 25 percent of the space is used for the original purpose of this device, for charging. And you might ask, okay, what can this power bank do, can we play with it? Yes. What you can do with this is to have a remotely activated BadUSB that uses SMS or phone calls for command and control. You can run any bundled payload, obviously Metasploit and Meterpreter are always... so they are compatible.
You can use custom payloads too, as long as they are compatible with Android, since it's our main target. We managed to affect Androids, but not only the common ones, also the modified custom images like MIUI from Xiaomi and some other popular open source ROMs, and we are currently developing a totally different product for iOS with the same objective in mind, but obviously based on many iOS features, not only security features but common features; it's a little bit harder right now. I think that one of the most interesting parts of this is that when you weaponize domestic hardware, you should have in mind the nature of that hardware, what's the main purpose, what you're going to do with that hardware. A portable charger is something that by nature is going to be shared, it's going to be carried to many places, so it's a really good attack vector, since you can compromise a lot of phones in a really short time span. And two fun facts that we came across: our only limit is the available empty space that any device has inside, so if you keep it minimalist you will have a lot of chances of succeeding on almost any domestic hardware, so you can weaponize almost any hardware you have at home with the proper tools and proper space management. Now we'll show you a demo, but before, I would like to make some clarifications.
This is a lab demo and we call it a sleepy demo: all the inputs, absolutely all the inputs and activities, have really high delays due to heavy use of sleeps and delays between commands. This is done on purpose so attendees have a better view and understanding of the process. In real-life scenarios we are facing a problem with this, since it takes only a few seconds to launch everything and it's almost impossible to pause and to keep explaining it, so this is why we did it this way. So don't try this at home, and no actual cell phones were harmed during this demonstration, it wasn't on purpose. Okay, allow me a second to share this video.

This is our initial setup. We have two phones, so you might ask why. The phone on the left is the one set up for the attacker; the attacker will have to interact with the command and control, you remember, via phone calls and SMS, with this phone on the left. The phone in the middle, in the center, is the victim; it is currently connected to the charger, to the infected charger. And the laptop will be our listener for Meterpreter or Metasploit. As you may see we are still waiting for a connection; the charger is still disconnected. Now we are going to connect it. The screen lights up, as you may see, because it is charging, so it works in the expected way: you connect the charger, you expect it to start charging. It will take some time to boot, but whenever that happens we'll receive a message. Right there, right there we have a message from this number. We'll unlock the screen just to see the process. It's still loading; the loading process, the loading screen, is not interrupted. Now we have to call it, and you have to meet two conditions in order to start the payload: the caller should be in a whitelist, so that it's not anyone else calling that number, a telemarketer or anyone else, and you should be sent to the voice message inbox. When you are sent to the voice message inbox you are automatically launching the payload. Right now, as you may see, it has unlocked the phone, it will try to download the malicious APK. As you have seen before in the source code, we are using an internal IP address for an internal command and control fake server. We have downloaded a DC5411 APK, which is in this case a generic malicious Meterpreter payload; it's not something customized or something specifically crafted for this talk. It will take advantage of the already opened Chrome session, will try to reach the downloads folder and execute this application. It should try to parse the permissions menu, where the application asks which permissions you shouldn't be granting it and if you are okay with that, and will automatically accept those permissions and launch the application. This, in a real-case scenario, takes only a few seconds, but in this case we are obviously putting a lot of delays and sleeps in between. It will search in the downloads folder, as I said before, it will start interacting with the phone, the permissions; as you may see it tries to grab all the permissions in the system, and once this is done we will obviously hit our Metasploit handler, our Metasploit session. The point is that we are launching the most generic attack of all, the most well-known attack of all, and you can obviously really customize this or tailor it to your own needs, so you can really take this as a base, as a departing point, on building a more dangerous solution on something that fits in your pocket. This is the end of the demo.
Now give me a second, we'll just relaunch the presentation. Okay. Now, I know what you are going to say, so I have built an appendix for sharing with you some short comments on fake hardware and hardware counterfeiting. We like to play a game every time we present one of our prototypes, it's called Spot the Imposter, and I want to share it with you today. You may say: nice talk, but this seems to be an isolated case or a very particular situation; I'm a person who has, by philosophy, to not trust power banks, so I won't fall for it. Okay, that's acceptable too, but it isn't an isolated case. We are faking hardware just for fun, but there's people that are faking hardware systematically for profit. Adulterated or counterfeit hardware is becoming a trending entry point for organized criminal rings which, aside from falsification itself, engage in other kinds of chained attacks. For example, recently, this last year, counterfeit Cisco switches were discovered deployed in production. I'm going to tell you the story of this Cisco incident in a few slides, but before, let's play the short game that I spoke to you about before, Spot the Imposter. This is one of our prototypes, called Evil Genius. It's a tampered BadUSB keyboard which acts as a remote keylogger, so it sends everything you type on that keyboard via any open Wi-Fi you might find nearby.
This is going to be open source, so take a look at this keyboard. Again, you may see that there's no evidence of tampering, no evidence of external modifications or anything nasty going on. This is the original keyboard from a non-stock picture from an e-commerce site; again, there's virtually no difference. This is another of our prototypes, that's called Sounds Legit. It's a BadUSB speaker, so whenever you connect it it will function as a speaker, you will be able to hear your music, to listen to anything, to podcasts, to whatever, but it will steal all your data behind the scenes. Once you open it you'll find that it comes with certain surprises bundled, as you may see in this picture. This one is the original product from a non-stock picture from an e-commerce site; as you may see there are virtually no differences. And now you may say, okay, that's interesting, but it's domestic hardware, I don't think you will fool an organization with that. And yes, actually you may be right, but again, we are doing it for fun and there are groups doing it for profit. So I'm going to show you some examples of counterfeit hardware for professional use or that are used in critical environments. I will show you this particular and pretty interesting case taken from an investigation led by F-Secure. I will show you three switch boards, and the original one is the one on the left; the other two are knockoffs. Take a look at this.
I will highlight certain differences that I have found, but that nevertheless I would have been fooled by, because I'm not a trained eye. Take a look at the cable quality marked in blue: the first one features a mesh-like cable cover and the others are just like thermo-type tape, something like that. If you take a look at the purple squares, you might see that these pieces are, on the original one, covered, naked, naked; on the second one, covered, naked, covered; and on the third one, covered, covered, covered. If you take a look at the green marked one, you can see a difference in the size, you can see a difference in its layout, its general layout, but you can even see that the original one lacks a screw, as you can see in the screw hole marked with a bronze color here. A really particular detail I found is that the third one, that is a counterfeit one, has Cisco marked there in the red circle, has Cisco laser printed on the board, so they printed the trademark and the logo on the board itself. Now be honest, would you be able to distinguish between them, to tell them apart? It really takes a trained eye to do this.

Now, when this was discovered, a lot of people started sharing their cases, their particular experiences with counterfeit hardware on Reddit and on other forums, and some people ended up tailoring a checklist of how to spot a counterfeit Cisco switch. It turns out to be pretty interesting and pretty funny at the same time, because you might want to see this. First, this one is an original one, sorry for the bad quality, I couldn't get the original picture in a better one; this is the original picture shared in that thread. This is a fake one. Again, the original one, the fake one. In that list, that checklist, you see people telling counterfeits apart from originals by their screws, for example, saying: hey, if you receive a Cisco switch with rounded-up screws, they are fake, they should be more square-like, this is an example. And in this particular model they say, you know how to tell them apart, you have to take a look at the brightness of the port numbers in the front panel, you know, 1, 2, 11, 13, 12, 14, 23, 24, etc. Look at the fake one, this is pretty bright; take a look at the original one, they are more gray-like. So they are just little details that people are digging into, because little failures by the counterfeiter, those little failures, are the only thing that might tell them apart, which makes this trend actually pretty dangerous, for both little organizations and big ones. So really take care.

Hey, time to close this talk, share our conclusions and obviously receive your questions. Conclusions are pretty simple. Like with any BadUSB case, always be wary of any new device, whether it's USB or not. And as you have seen before, anyone could be a victim, even a senior network engineer who buys a Cisco switch from an authorized reseller or from a really trusted source, and then when trying to connect this Cisco switch, this appliance, to his infrastructure finds out it's a fake one. Anyone could be a victim; not everyone is an experienced hardware engineer, and with a few dollars, really with a really few dollars, at a really cheap price, anyone could build or even buy a product of this type. We haven't really invested a big number in this charger; again, we are doing this for fun, so if someone really wants to tackle this thing in a professional way and with a good budget it can turn out to be really, really interesting. Whenever possible, use preventive measures. Again, beware of the USB, don't trust that power bank, don't trust that speaker and forget about trusting that keyboard; you really shouldn't trust anything. You can follow us on Twitter and GitHub. We are open sourcing at a really slow pace, actually, but we are trying to open source all of these little investigations; for the moment we are sharing them on the slides, and once we are keeping versions that do not blow up our house, we're probably going to open source them. Follow us on GitHub or Twitter, and our DC and GitHub tools, so feel free to drop in; we always love to share and talk about any topics, mostly hardware hacking, open source intelligence, social engineering, but we are open to discussing any crazy idea you may have or you might want to suggest. If you have any question, feel free to reach us now, here, or via Twitter or GitHub.

Oh, thanks for that, and I hope you have liked our talk.
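Added here as a defender-side example, not code from the talk or from DC5411: a small USB allowlist check in the spirit of USBGuard that blocks any unlisted device enumerating a keyboard-capable HID interface, which is exactly the shape the hidden Arduino Leonardo takes, while a genuine charger enumerates no interfaces at all. The device records and the allowlist are constructed sample data; the HID usage values come from the USB HID usage tables, and the tampered record uses the VID:PID an Arduino Leonardo announces.

```python
"""Allowlist check for USB devices that can type (defender-side, constructed sample data).

Mirrors the USBGuard approach: a device that enumerates a HID interface whose report
descriptor declares a keyboard usage must be explicitly allowed. A genuine charger
enumerates no interfaces at all, which is the only "power bank" shape we accept.
"""
from dataclasses import dataclass, field

HID_CLASS = 0x03
CDC_CLASS = 0x02               # serial port, sits next to HID on Arduino-class boards
KEYBOARD_USAGE = (0x01, 0x06)  # Generic Desktop page, Keyboard usage (HID usage tables)


@dataclass
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: list = field(default_factory=list)  # bInterfaceClass per interface
    hid_usages: list = field(default_factory=list)  # top-level (page, usage) per HID report


def can_type(dev: UsbDevice) -> bool:
    """True if a HID report declares a keyboard, or a HID interface has no parsed usage
    (an unparsed report descriptor is treated as typing-capable, not trusted)."""
    if KEYBOARD_USAGE in dev.hid_usages:
        return True
    return HID_CLASS in dev.interfaces and not dev.hid_usages


def assess_device(dev: UsbDevice, allowlist: set) -> tuple:
    """Return (verdict, reasons) with verdict in {'allow', 'block', 'review'}."""
    if not dev.interfaces:
        return "allow", ["no interfaces enumerated: charge-only or unpowered device"]
    if (dev.vid, dev.pid) in allowlist:
        return "allow", ["vid:pid on the allowlist"]
    if can_type(dev):
        reasons = ["unlisted device exposes a keyboard-capable HID interface"]
        if CDC_CLASS in dev.interfaces:
            reasons.append("keyboard plus serial port is the shape of an Arduino-class HID board")
        return "block", reasons
    return "review", ["unlisted device without typing capability; needs manual approval"]


# Constructed sample data. The allowlist holds one known keyboard with placeholder ids.
ALLOWLIST = {(0xAAAA, 0x0001)}
TRUSTED_KEYBOARD = UsbDevice(0xAAAA, 0x0001, "office keyboard (constructed)",
                             [HID_CLASS], [KEYBOARD_USAGE])
CHARGE_ONLY_POWER_BANK = UsbDevice(0, 0, "plain power bank (constructed)")
# The talk's device: an Arduino Leonardo (the VID:PID it really announces) hidden in the
# power bank, enumerating CDC control + CDC data (0x0A) + HID keyboard.
TAMPERED_POWER_BANK = UsbDevice(0x2341, 0x8036, "power bank with Arduino Leonardo (constructed)",
                                [CDC_CLASS, 0x0A, HID_CLASS], [KEYBOARD_USAGE])


def run_inventory(devices=(TRUSTED_KEYBOARD, CHARGE_ONLY_POWER_BANK, TAMPERED_POWER_BANK),
                  allowlist=ALLOWLIST) -> dict:
    """Map product name to verdict; 'block' is what a host agent would act on."""
    return {d.product: assess_device(d, allowlist)[0] for d in devices}


if __name__ == "__main__":
    for product, verdict in run_inventory().items():
        print(f"{verdict:6} {product}")
```

On a real host the records would be filled from the kernel's enumeration data (vendor, product, interface classes and parsed report descriptors) rather than constructed inline.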