What is a USB drop attack?
In this attack, we use a program or dedicated hardware to make a computer think that is connected to a standard keyboard but in reality, it is connected to an automated system that sends predetermined keystrokes to the computer. The payload containing the keystrokes at times access the computer’s terminal and do things that may be catastrophic.
The attack is performed by dropping multiple pen-drive with keystroke generating software or a pen-drive shaped dedicated hardware device in the vicinity of your target organization or individual. Humans are inherently curious. This curiosity leads the victim to plug in the pen drive and the hacker gets access to the machine.
To perform a USB drop attack, we need to successfully do the following:
- Connect to the host physically which mostly depends on the curiosity of the victim and the location at which the device was dropped
- Perform USB enumeration to identify the device as a keyboard.
- Send in key-strokes to open command prompt/terminal and then type in more commands to manipulate the computer
How does a USB HID Keyboard work?
Some USB terminology that we need to understand before we proceed
- Universal Serial Bus (USB): A pretty complex serial communication protocol that is supported by modern devices. USB uses 4 wires namely +5V, GND, D+ & D- for transferring data and power
- Human Interface Device (HID): One of the many classes defined by the USB specification. USB keyboards both wired and wireless fall under the HID class.
- USB enumeration: The initial communication that happens when you plug in a device using USB. This communication sets up the correct way to use the device over USB
- Scan codes: A unique hex-decimal number associated with each key on the keyboard. The scan codes for any HID class USB device can be found in the HID Usage Tables
- Modifiers: Non-printable keys that modify the behaviour of other keys. For instance, SHIFT for capitalizing alphabet keys or using special symbols on number keys.
Fun fact: The early USB specifications required a USB cable to be white. No other colours were mentioned.
In my opinion, white cables look dirty after a while. What do you think? Comment you thoughts on this matter below
The USB enumeration process occurs when you connect a keyboard to the computer. During the process, the keyboard identifies itself as an HID class device and informs the computer what data it sends and how it sends the data. When you press a button on the keyboard, a controller in the keyboard detects which key was pressed when you press a button and then sends the appropriate scan code along with a modifier in case a modifier key was pressed as well. In the case of a USB drop attack device, we send a bunch of scan codes to the computer directly.
How do we go about building dedicated hardware?
To build the hardware we require a microcontroller with USB peripheral and work at 5V to avoid regulator circuitry. There are plenty of microcontrollers that satisfy the requirements with Arduino Pro Micro being a potential candidate but I wanted to be a bit adventurous and enter the electronics realm outside of Arduino.
I decided to use a PIC18F2550 after reviewing multiple microcontrollers and designed a schematic for a minimal setup for the PIC18F2550 with 3 LEDs, a test button and pin sockets for connecting an NRF24L01 just in case I wanted to do perform sniffing in the 2.400 to 2.525 GHz part of the electromagnetic spectrum. After completing the schematic, I routed a pen-drive shaped PCB.
The show stopper: SMD components! I do not have the equipment to solder SMD components, therefore I decided to route and use a rectangular PCB with through-hole components instead of my early pen-drive shaped PCB. A pen-drive shaped PCB in an enclosure is bound to attract the victim without suspicion.
Assembling the hardware was an easy task, all I had to do was to wait for the PCB fabrication house to mail me my PCBs, gather all the electronic components, solder them on the PCB and program the PIC18F2550 using a universal programmer.
After building the device, the only thing that remains is to connect to a target computer. Once the device is connected to the computer and the computer completes the USB enumeration process, the payload (a sequence of keystrokes) is sent to the computer to gain access to the terminal and manipulate the computer.
For the purpose of demonstration, the firmware currently types ‘INGAME’ every 2 seconds. INGAME stands for ‘I Now Get A Magnificent Entry’. I hope you liked the acronym 😊. I have also designed a payload that shows Guy Fawkes’ ASCII art on the terminal. This is where I will stop developing the project since moving forward will lead to the generation of a tool of destruction which I definitely do not want to build.
Feel free to get all the files related to this project from GitHub.
I hope you perform a USB Drop Attack on Area 51 someday 😉