[Question] Defences Against the Ducky?


It's kinda funny to think about defenses when we're talking about physical access to something.

I mean once you have physical access to a computer...GAME OVER. Sure it's nice that ducky can do things super fast, but in a couple minutes anything can be done to a computer.

So just put your computer in a giant safe and lock it before you leave ;)

of course if someone can open the safe...


I've given it a lot of thought and the best I can figure is that modern operating systems need to fundamentally change the way they deal with USB devices, HIDs in particular. An OS should never trust a keyboard, mouse, hell even a joystick (what if someone ducky'd your flight sim and made you do a barrel roll into a mountain?!?!?!)

The way I see it the best an OS can do to combat this vector of attack is to implement a CAPTCHA. Insert an untrusted keyboard? No problem. Let's just sandbox that sucker until we get some validation. Pop up a window with 4 characters and a soft keyboard and ask the user to use the mouse to validate. Of course this isn't without its own set of problems (how do you validate the mouse, and which came first - the chicken or the egg?)

Vendor and device ID is easily spoofed so securely pairing a host and input device is hopeless. Even if MAC level identification was implemented we've seen how trivial that has been to overcome in the WiFi world.

I don't think there is a perfect solution and truthfully I believe the I/O attack vector will be with us for quite some time...until ultimately the concept of a PC is redefined.


  • 8 months later...

I realize this is an old post, but couldn't we avoid the issues of spoofing, etc. altogether? Spoofing occurs upon insertion. It's impossible to insert a malicious device if there's no port to plug it into, right?

1. Set up your system the way you want it, including USB configuration.

2. Fill all unused ports with tiny flash drives. You can find them at office supply stores for a few dollars.

[image: lacie-moskeyto-flash-drive.jpg]

3. Configure the system so that if any device is removed, (i) a flag is set that will notify the user that a device was removed (ideally forcing a call to IT security), and (ii) adding additional devices is disabled entirely until the user authenticates or whatever other process is necessary to verify only trusted devices are attached.

To verify that the flash drives haven't been swapped out for malicious devices, you could store an encrypted file on the drive that the user can decrypt to verify it's the right drive. I suppose you could add a malicious device by tapping it into the keyboard cable while it's plugged in or something. That's a hell of a lot harder than plugging into an open USB port or swapping a device out, though; plus it would leave visible evidence of the attack. (And you might be able to defeat it by monitoring the real-time current draw on the USB port, anyway.) The attacker could reboot and possibly boot from USB, but if full-disk encryption is used it wouldn't matter. With Linux you can keep /boot on a flash drive and have the box's internal drive have no MBR, so Evil Maid attacks are impossible.

Is there something else I'm missing or is this a simple solution to this problem that doesn't require epoxying or otherwise destroying unused ports?

Edited by OccamIsTheMan

  • 8 months later...

The best full-length description of defences is from Iron Geek's Plug and Prey paper, which covers Windows 7+ Group Policy and Linux udev:

http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices

There is currently no method of preventing this on OSX except Device Control Software, which is easily bypassed.

Edited by midnitesnake

The best way to protect the company as a whole is by promoting a culture of safe practice. The organisation should produce an IT Security Policy with which users of its network must comply. The policy should set standards for proper password usage, management of confidential data, prohibition of personal, unauthorised software and various other restrictions and guidelines, including the need to lock computers when they're not in use and log out of systems whenever possible.

Staff should be trained in Social Engineering Awareness. They should be shown, first hand, the power of the USB-RD and the havoc they can cause, even if you leave your screen unlocked for ten seconds while you get the printout from the printer 10ft away. CLAiT users of computers are the most vulnerable. Fast typers, yes, but not very often fast thinkers when it comes to their own, and by proxy, the company's information security.

The policy should be enforceable by the standard disciplinary procedures of the organisation and it should be made aware that a breach of the policy will be considered as gross misconduct, with possible legal repercussions for serious breaches. Information security should become a culture of safety and security within the workplace and should be built in to the organisation’s behavioural safety policy. The policy should be part and parcel of the everyday life of employees and customers and should become second nature. Information Security is not just a way of securing data and protecting the organisation from attack; it is also a method for keeping the organisation, the workplace, its employees and customers safe.

The Health & Safety officer and Head of Security should, at the very least, be able to pass information on to the relevant IT staff if a breach is suspected. Staff should feel comfortable talking to either of these people, as well as the IT staff if they think their computer has been compromised. The computer should be isolated (I've often thought of having a switch on network ports so you can turn the network access off without unplugging the cable), and should be re-imaged as soon as possible.

Deterrence is one way of dealing with things, but sticking USB pens in spare slots or epoxying the ports is a short-term and drastic approach, when a similar investment will protect the company in a much broader and long-term sense.


For more technical policies, you may wish to consider:

  • Windows SteadyState, or a relevant alternative, will protect against backdoor attacks like StickyKeys, Magnifier, UtilMan.
  • Screensavers set to 1 minute that they need to reauthenticate to carry on.
  • Wired Ethernet access to the network should be controlled via a proxy server, so if a rogue device is plugged in, they won't have internet or intranet access.
  • The intranet is usually the most vulnerable node. The internet will have proxies, firewalls and various other monitors that will protect against the vast majority of attacks. Consider the intranet and the extranet as extensions of the internet and protect them thusly.
  • Whilst group policies will protect a vast range of attacks, individual policies should be included as well. Too many times I've seen an AD with purely group policies employed. It can take a while in this case to lock down individual users.
  • Much like defensive programming, assume all data is unsafe and corrupt. Assume all third party sources are attacks and assume all users are vulnerable.

Other generic advice:

  • Don't bombard your staff or restrict them too greatly as this will lead to them resenting the restrictions and finding ways around them.
  • Personal devices should be logged with IT staff and whitelisted on the MAC table before they are connected to the network. This includes charging mobile phones from USB ports.

More drastic advice:

  • THIS IS NOT RECOMMENDED: The fastest way to effectively lock down a Windows PC is to infect it with malware then cut its connection to the network. You can actually use this technique to vaccinate computers by placing malware on the network with no harmful payload. This will restrict access to the registry, stop the task manager, command prompt, and various other restrictions without doing anything actually harmful to the computer. White Hat "malware" is available which helps reinforce Group Policies on a per machine basis. Software such as Windows SteadyState will re-image the computer and wipe the malware as soon as it is rebooted.
Edited by ApacheTech

  • 2 months later...
  • 4 months later...


And this is the problem. Some policies, although they sound fine and good, aren't workable. Like the 1 minute screen saver madness. We tried this, which I've never agreed with, and it's unworkable. People do sit and read at times on their screen, or compare figures on screen to print outs. The screen saver kicking in every 1 min was driving people nuts and just isn't productive. Same with draconian group policies which even prevent us, the IT staff, from fixing a problem in 5 mins, having to spend 20 mins instead fighting with group policy.

I don't have a ducky to test, but I wonder if Lumension would work to block this. It's what we use to restrict access to USB ports. You can plug a USB stick in, but it won't let you write to it because Lumension requires it be encrypted first with the Lumension encryption.


Agree with you on the 1 minute screensaver issue.

Lumension is ok, it can block the Ducky in its default setting.

But the Ducky has a secret (not so secret) weapon to bypass DLP solutions like Lumension :) I know they panicked and re-wrote some of their software just over a year ago. I haven't had a chance to assess all their solutions / new products / new versions, so it may come down to configuration.

So I just want to take this opportunity to say "Hi Lumension, McAfee, Sophos, Symantec! I know you're watching me ..... I'm still waiting for that second date!"


  • 4 months later...

Depending on the company where you work or home etc.

1. Disabling all unused USB ports.

2. Logging off whenever you are not at the PC.

3. Some USB filtering could be managed, though I don't think it exists atm: some app could check if there are two HIDs connected and refuse any further HID connection, not recognise it, etc.

BUT, if someone has physical access for a longer time he doesn't need a ducky and there is no protection that could stop him. Besides, for everyone that has a company and reads this, there is no 100% protection; even a locked computer in the basement can be hacked. The biggest security that a company can implement is by educating its employees; security hardens technically but weakens socially, and social engineering becomes the biggest threat in different segments ofc.


  • 6 months later...

The best way I can think of to defend against a ducky attack would be to have a piece of software constantly monitoring what devices are plugged into the computer. The idea is that you effectively create a filtering program that detects the devices and checks for a unique address. Kind of like MAC Address filtering on wireless routers etc.

As well as this, you could possibly deny any devices plugged into a USB port before they can be mounted onto the computer as a hard disk, keyboard etc.

I know that ages ago there was a leak of Microsoft COFEE and that some developers created an application called DECAF, which looked for traces on USBs, CDs etc. for the trace signatures of COFEE. My idea is that you could create something like this which speculates against all USB devices, and unless you enter in the correct password, you can't use a USB device. Let me know what you think.

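A small host-side policy simulator for the defences floated in this thread (OccamIsTheMan's lock-out when a filler device is pulled, the "two HIDs connected" check, and the filter-by-identity idea in the post above), added here as an example and not code from any poster. Device paths, identities and the event sequence are constructed sample data, and the "hid-keyboard" / "mass-storage" kind labels are assumed names; it shows why the host-observed port and HID count matter when the reported vendor/product/serial can be spoofed.

```python
# Hotplug policy simulator for the defences proposed in this thread (all data constructed):
# lockout after a trusted device is pulled, refusal of a second keyboard-class HID, allowlist.
from dataclasses import dataclass
@dataclass(frozen=True)
class Device:
    path: str   # port path observed by the host; not chosen by the device
    kind: str   # "hid-keyboard", "hid-mouse", "mass-storage", ... (assumed labels)
    ident: str  # vendor:product:serial as reported by the device (spoofable)

class UsbPolicy:
    def __init__(self, trusted_idents, attached):
        self.trusted = set(trusted_idents)             # allowlist of reported identities
        self.present = {d.path: d for d in attached}   # what is plugged in right now
        self.locked = False                            # set when a trusted device is pulled
        self.alerts = []

    def authenticate(self):
        self.locked = False   # a verified user confirmed the attached devices

    def on_event(self, action, dev):
        """Apply the policy to one hotplug event; returns 'allow' or 'deny'."""
        if action == "remove":
            self.present.pop(dev.path, None)
            if dev.ident in self.trusted:
                self.alerts.append(f"baseline device removed: {dev.path}")
                self.locked = True   # a port was freed: no additions until authenticate()
            return "allow"
        if self.locked:
            self.alerts.append(f"add refused while locked: {dev.ident} on {dev.path}")
            return "deny"
        if dev.kind == "hid-keyboard" and any(d.kind == "hid-keyboard" for d in self.present.values()):
            self.alerts.append(f"second keyboard refused: {dev.ident} on {dev.path}")
            return "deny"
        if dev.ident not in self.trusted:
            self.alerts.append(f"unknown device refused: {dev.ident} on {dev.path}")
            return "deny"
        self.present[dev.path] = dev
        return "allow"

def run_scenario():
    """Constructed events: keyboard impersonator on a free port, swap after the filler is pulled, genuine filler back after auth."""
    kb = Device("1-1", "hid-keyboard", "1234:0001:KB-SERIAL")
    filler = Device("1-2", "mass-storage", "1234:0002:FILLER-SERIAL")
    policy = UsbPolicy({kb.ident, filler.ident}, [kb, filler])
    results = [policy.on_event("add", Device("1-3", "hid-keyboard", kb.ident))]
    policy.on_event("remove", filler)
    results.append(policy.on_event("add", Device("1-2", "mass-storage", filler.ident)))
    policy.authenticate()
    results.append(policy.on_event("add", filler))
    return results, policy.alerts   # (['deny', 'deny', 'allow'], 3 alerts)
```

Note that the impersonator in the first event copies the trusted keyboard's reported identity exactly and is still refused, because a keyboard is already attached on a different port.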
