Bit Scrubber — USB Sanitization Kiosk

Jake Smith
5 min read · Dec 5, 2017


Problem and Idea:

In 2015, researchers from the University of Illinois, the University of Michigan, and Google asked a question: how many people will pick up random flash drives off the ground and plug them in?

As it turns out, just about all of them.

Of the 300 flash drives they dropped, they found that 98% of them were plugged into a computer. Furthermore, in nearly half of the cases (45%), the unsuspecting users not only picked up the flash drive, but also opened files on the device. Finally, if that’s not bad enough, over half of the flash drives were connected in just 7 hours or less.

Now, think of the implications of this at a Fortune 100 company protecting sensitive data or in an “air-gapped” industrial environment. If even a small fraction of those users (far fewer than the 98% above) took the bait and plugged in a device dropped by a malicious actor, you would suddenly have dozens of new infections across a supposedly “locked down” network. If we can’t even stop users from plugging in a flash drive, how can we expect to stop dedicated nation-states?

Enter the Bit Scrubber: a scalable, low-cost, kiosk-style USB sanitization device designed to be deployed in a corporate environment. Ideally, you’d put them all over the business/factory and create a policy that any USB drive has to be scanned before it can be used. Additionally, from a visibility perspective, the scans give the security department a nice audit trail of files and USB info which can be used to track down infections.

USB + Sanitizer = Happy Security Department

Physical Device:

Hardware (~$150 at retail price):

Putting all these together, you essentially have a mini touchscreen “kiosk” device that can now be easily deployed at, for example, the office breakroom.

Software ($0ish):

This is where the always amazing Resin.io comes in. Asset/Fleet Management can be a pretty hard problem, but thankfully the Resin platform takes care of all the hard stuff for you as well as provides a nice dashboard to handle everything. Basically, the process works as follows:

  1. Download and install their supervisor OS on your SD card for the Pi. Once you plug in the SD card and power on the Pi, the supervisor constantly checks for new updates.
  2. Create your repository on GitHub and connect it with Resin.io (they have instructions on how to do this on their site; it’s a pretty simple process).
  3. Every time you run git push resin master from your repo, Resin’s servers automatically build the latest version of your Docker container and instantly deploy the update to every connected device around the world. It’s really that simple!

I have put together a sample Dockerfile.template and README to get you started with deploying a GUI app over Resin to a Raspberry Pi touchscreen here: https://github.com/ION28/rpi3-debian-desktop

For the display, using Python and Tkinter, I built a simple GUI interface for the device that lets the users either just scan and remove specific, identified malware on the USB or wipe the drive completely.

With Laikaboss and YARA, I can quickly scan the USBs for any malware or suspicious looking files without taking too much time. Laikaboss handles the scanning (and can even do cool things like explode and search .zips!) while applying the pre-written YARA signatures. YARA is already a pretty popular approach to fingerprinting/identifying malware, so there are plenty of great rulesets/detections out there for popular malware. Additionally, you can, of course, write your own rules.

Web Platform:

From a business case, you’d probably end up having this device report directly into your ELK Stack or Splunk instance, but for this project, I built a small dashboard to visualize scans and control the devices. It’s a simple web site located at https://ion28.me if you want to check it out.

Basically, after each scan, the devices POST the scan data (containing scan metadata, results, and the malicious files) back up to the server. Then, analysts can search, look at specific scans, and more to analyze the collected data.

Results:

Below is a collection of scans/gifs/pictures/etc of the final results of the project.

Scan and Results:

Scanning and removing any malware from a USB

Below is the JSON for a single entry in a scan file. Notice the flags key, which contains a list of all the rules that were triggered by this specific file. We also get several potentially useful properties such as hash, size, and file name. In addition, Laikaboss can provide several more properties, so you could tailor the program to collect exactly what you need or are able to store.

{
  "flags": [
    "yr:EquationGroup_Toolset_Apr17_GetAdmin_LSADUMP_ModifyPrivilege_Implant",
    "yr:apt_equation_exploitlib_mutexes"
  ],
  "objectHash": "997ba8c988340a1c644cf9a5f67e4177",
  "contentType": [],
  "fileType": [
    "pe"
  ],
  "buffer": null,
  "objectSize": 26624,
  "filename": "/media/usb0/EquationGroupLeak-master/equation_drug/DuplicateToken_Implant.dll",
  "ephID": "",
  "uniqID": "",
  "parent": "",
  "parent_order": -1,
  "sourceModule": "",
  "source": "CLI",
  "depth": 0,
  "order": 0,
  "rootUID": "2d9791e5-ad38-4eb4-b855-dc221bf64fcf",
  "origRootUID": "",
  "Level": null
}

Full scan example here: https://ion28.me/api/scans/CfUhpGRUggDJoqKns97x4VLMDPIIQKvs.json

In addition, since the devices are authenticated to the web server, we also can retrieve other metadata about the scan such as:

{
  "scanTime": "2017-06-01 00:40:04",
  "boxName": "Floor 3 - Marketing",
  "siteName": "The Byte Factory",
  "siteAddress": "600 Arch St, Philadelphia, PA 19106, USA",
  "usbInfo": {
    "volumeLabel": "IAmTotallySafe",
    "vendor": "ADATA",
    "serial": "25B1530020170346",
    "size": "14.45 GB",
    "formatType": "vfat"
  }
}
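To show how a kiosk or the dashboard would consume the per-object entries above together with the scan metadata, here is an added Python example (not code from the Bit Scrubber project). It parses a constructed scan file in the same shape, keeps only the YARA-derived flags (the yr: prefix), summarizes which rules fired on which hashes, and resolves a flagged object that Laikaboss extracted from an archive back to the top-level file that actually sits on the drive, since that is the path a "scan and remove" action has to delete. The sample hashes, paths and rule names are invented, and the example assumes that the parent field holds the objectHash of the containing object; the real Laikaboss schema may link parents differently.

```python
import json
from collections import defaultdict

# Constructed sample scan file: one entry per object Laikaboss examined,
# in the same shape as the entry shown in the post. Hashes, paths and rule
# names are invented. Assumption for this example: "parent" holds the
# objectHash of the containing object (empty for files directly on the drive).
SAMPLE_SCAN = json.dumps([
    {"flags": ["yr:example_suspicious_pe", "yr:example_known_mutex"],
     "objectHash": "aaaa0001", "fileType": ["pe"], "objectSize": 26624,
     "filename": "/media/usb0/tools/implant.dll", "parent": "", "depth": 0},
    {"flags": [], "objectHash": "aaaa0002", "fileType": ["zip"],
     "objectSize": 4096, "filename": "/media/usb0/docs/archive.zip",
     "parent": "", "depth": 0},
    # Object exploded out of the zip above: its filename is not a drive path.
    {"flags": ["yr:example_suspicious_pe"], "objectHash": "aaaa0003",
     "fileType": ["pe"], "objectSize": 1024, "filename": "dropper.exe",
     "parent": "aaaa0002", "depth": 1},
    # A non-YARA flag set by some other module; not a malware verdict.
    {"flags": ["misc:large_file"], "objectHash": "aaaa0004",
     "fileType": ["pdf"], "objectSize": 9000000,
     "filename": "/media/usb0/docs/report.pdf", "parent": "", "depth": 0},
    {"flags": [], "objectHash": "aaaa0005", "fileType": ["txt"],
     "objectSize": 12, "filename": "/media/usb0/notes.txt",
     "parent": "", "depth": 0},
])

# Constructed metadata record in the shape the post shows (placeholder values).
SAMPLE_META = {
    "scanTime": "2017-06-01 00:40:04",
    "boxName": "Floor 3 - Marketing",
    "usbInfo": {"vendor": "ExampleVendor", "serial": "SERIAL-PLACEHOLDER"},
}

YARA_PREFIX = "yr:"


def load_scan(text):
    """Parse a scan file (a JSON list of per-object entries)."""
    return json.loads(text)


def yara_flags(entry):
    """Return only the YARA-derived flags; other modules may set other flags."""
    return [f for f in entry.get("flags", []) if f.startswith(YARA_PREFIX)]


def flagged_objects(entries):
    """Entries on which at least one YARA rule fired."""
    return [e for e in entries if yara_flags(e)]


def rule_hits(entries):
    """Map rule name (without the yr: prefix) to the sorted hashes it fired on."""
    hits = defaultdict(set)
    for e in entries:
        for f in yara_flags(e):
            hits[f[len(YARA_PREFIX):]].add(e["objectHash"])
    return {rule: sorted(hashes) for rule, hashes in hits.items()}


def root_object(entry, by_hash):
    """Follow parent links up to the depth-0 object that sits on the drive."""
    seen = set()
    while entry.get("parent"):
        if entry["objectHash"] in seen:  # defensive: stop on a malformed cycle
            break
        seen.add(entry["objectHash"])
        parent = by_hash.get(entry["parent"])
        if parent is None:  # parent missing from the file; keep what we have
            break
        entry = parent
    return entry


def files_to_remove(entries):
    """Top-level paths that must be deleted to clean the drive.

    A flagged object extracted from an archive maps to the archive itself,
    because the child's filename is not a path on the USB.
    """
    by_hash = {e["objectHash"]: e for e in entries}
    return sorted({root_object(e, by_hash)["filename"]
                   for e in flagged_objects(entries)})


def build_report(scan_text, metadata):
    """Combine scan entries and kiosk metadata into one summary record."""
    entries = load_scan(scan_text)
    flagged = flagged_objects(entries)
    return {
        "scanTime": metadata["scanTime"],
        "boxName": metadata["boxName"],
        "usbSerial": metadata["usbInfo"]["serial"],
        "objectsScanned": len(entries),
        "objectsFlagged": len(flagged),
        "rules": rule_hits(entries),
        "removed": files_to_remove(entries),
        "flaggedHashes": sorted(e["objectHash"] for e in flagged),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_SCAN, SAMPLE_META), indent=2))
```

Keeping the flaggedHashes list alongside the removed paths is what lets a dashboard later search across kiosks by hash, as the post describes, while the removed list is what the kiosk itself acts on.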

Overview of the Web Platform:

From the web site, users can:

  • Search and download previous scans’ JSON
  • View scan information and download copies of the detected malware
  • View, configure, and control deployed Bit Scrubbers (i.e. finding their IP address or rebooting the device)
  • Upload new YARA signatures

Demonstration of the Bit Scrubber Web Platform

And finally, below is my final project poster detailing various parts of the devices as well as the next steps for me personally.

Final Project Poster

At this point, I am not currently open-sourcing the full project code, but if you are interested in taking a look at/using the actual source code, please email me at ion28 [at] metactf [dot] com. Feel free to comment or email me with any thoughts or suggestions!
