
[Question] Defences Against the Ducky?


35 replies to this topic

#21 moonlit

moonlit

    Hak5 Junkie

  • Active Members
  • 4,207 posts
  • Gender:Male
  • Location:irc://England:6667

Posted 16 April 2010 - 11:55 AM

QUOTE (jdogherman @ Fri, 16 Apr 2010 13:31:18 +0000) <{POST_SNAPBACK}>
There should be a way to limit HID devices save for approved devices.

That is really what we are exploiting: the inherent trust provided to HID devices by the system.
If this takes off (like U3 options) I'm sure there will be a fix for it.


If I was any better at coding, I'd have an answer to that by now. I know it's possible to write a HID blacklist/whitelist but since I don't know enough about it I'm finding it a little tricky.

#22 Paul Stoffregen

Paul Stoffregen

    Hak5 Fan ++

  • Active Members
  • 74 posts
  • Location:Oregon, USA

Posted 16 April 2010 - 01:22 PM

QUOTE (moonlit @ Fri, 16 Apr 2010 09:55:03 +0000) <{POST_SNAPBACK}>
I know it's possible to write a HID blacklist/whitelist but since I don't know enough about it I'm finding it a little tricky.


It may be possible (eg, udev rules on modern linux), but that won't be very effective.

Everything the host (PC, Mac, etc) can know about the USB device is under the device's control. In Teensy (and virtually all microcontrollers with USB), code produces all that data. For example, if you use Arduino/Teensyduino, this code is automatically built into the executable image:

CODE
#include <stdint.h>
#include <avr/pgmspace.h>

#define VENDOR_ID 0x16C0
#define PRODUCT_ID 0x0482
#define ENDPOINT0_SIZE 32          // control endpoint packet size (32 in the Teensy keyboard example)
#define LSB(n) ((n) & 255)         // little-endian split of the 16-bit ID fields
#define MSB(n) (((n) >> 8) & 255)

// Standard 18-byte USB device descriptor. Every byte is plain data chosen by
// the firmware; nothing here is burned into the chip.
static const uint8_t PROGMEM device_descriptor[] = {
18, // bLength
1, // bDescriptorType (DEVICE)
0x00, 0x02, // bcdUSB (2.00)
0, // bDeviceClass
0, // bDeviceSubClass
0, // bDeviceProtocol
ENDPOINT0_SIZE, // bMaxPacketSize0
LSB(VENDOR_ID), MSB(VENDOR_ID), // idVendor
LSB(PRODUCT_ID), MSB(PRODUCT_ID), // idProduct
0x00, 0x01, // bcdDevice
// remaining standard fields, completed here as in the stock Teensy file
1, // iManufacturer (string descriptor index)
2, // iProduct
0, // iSerialNumber (0 = no serial number string)
1 // bNumConfigurations
};


It's pretty trivial, even if you have no programming skill, to just find these files, named "usb.c" and "usb_private.h" and edit the USB descriptor data to anything you want.

Less trivial, but not very difficult if you know C, would be changing the code which transmits this data. Instead of reading it from a static array in memory, certain numbers like vendor id, product id, bcdDevice could be created at random, or tried from a list of known common keyboards, or any other algorithm you can craft.

Also possible, but definitely not trivial, would be making use of the detach capability. Most USB devices have a resistor soldered to one of the data lines, which is how the PC knows the device is present. There isn't a physical switch in the connector; it's that resistor which signals a device is plugged in. In the AVR USB chip on Teensy, that resistor is under software control. In fact, every time you reprogram Teensy, that resistor is disconnected and then reconnected, which to your PC looks like the old device was physically unplugged, and then moments later a completely new device (implementing the ability to download your new code) gets connected. After your code download, the same thing happens again. That's how you can so easily try new USB devices with Teensy.... every time you reboot your code, your machine believes the device was physically unplugged and then a new device gets plugged in.

With the detach capability under your code's control, if you don't get the desired results, you could just detach and try again (maybe much later... the PC can't tell you're still physically present), perhaps with new randomly generated ID numbers or some other strategy.

A whitelist/blacklist defense just doesn't have any trustable data available.

Ultimately, blind trust in HID keyboards is the weakness. Perhaps a solution might involve a one-time authorization process for a new keyboard? But who do you trust for user input to authorize a new keyboard? The USB HID mouse?!?

And if an attacker has physical access, what's to stop them from momentarily unplugging the trusted keyboard and using another machine to capture all its USB descriptors? For example, my "ID 05AC:0220 Apple, Inc. Aluminum Keyboard" returns an empty field for the optional USB serial number. Even if it did have a serial number, it's right there to read and copy.

USB HID doesn't have any challenge/response authentication, so all trusted data could be easily captured. Perhaps public key signature capability to prove a device's unique identity would give you something useful to trust the device hasn't been copied. It seems pretty unlikely keyboards will get that class of hardware any day soon!


Security is difficult.... much harder than just designing working USB devices.

Edited by Paul Stoffregen, 16 April 2010 - 01:27 PM.


#23 1n5aN1aC

1n5aN1aC

    Hak5 Fan +

  • Active Members
  • 42 posts
  • Gender:Male
  • Location:OR

Posted 16 April 2010 - 02:34 PM

QUOTE
Security is difficult.... much harder than just designing working USB devices.


Ain't that the truth!

And really, if you design a system where you have to allow each device manually, who cares? You just click "Allow". Besides, most users are still clueless.
Games don't make people violent, lag does!
I don't suffer from insanity. I enjoy every minute of it!
Capt'n! Teh spelcheckr kinna taake tis abuse!
"Daddy, what does FORMATTING DRIVE C mean?"

#24 moonlit

moonlit

    Hak5 Junkie

  • Active Members
  • 4,207 posts
  • Gender:Male
  • Location:irc://England:6667

Posted 16 April 2010 - 03:55 PM

http://www.hak5.org/...showtopic=16255

#25 1n5aN1aC

1n5aN1aC

    Hak5 Fan +

  • Active Members
  • 42 posts
  • Gender:Male
  • Location:OR

Posted 16 April 2010 - 07:05 PM

In my opinion, the question ultimately becomes: is there any identifying factor that the Teensy shows/gives off/whatever that we can see as the operating system? If there are no identifying factors (under hardware details, for example) then there is no real defense that is not very VERY inconvenient to the end user.

#26 shadowpwner

shadowpwner

    Hak5 Fan

  • Active Members
  • 25 posts

Posted 17 April 2010 - 07:34 PM

QUOTE (will-wtf @ Fri, 16 Apr 2010 06:43:54 +0000) <{POST_SNAPBACK}>

This would definitely work! At college all the USB ports are disabled to prevent some crap about virii..
Don't know whether anyone here has a clue how they managed it?


BIOS.
http://www.geekinter...-usb-ports.html

#27 GrilledTuna

GrilledTuna

    Newbie

  • Members
  • 1 posts

Posted 29 September 2011 - 01:35 AM

It's kinda funny to think about defenses when we're talking about physical access to something.

I mean once you have physical access to a computer... GAME OVER. Sure, it's nice that the Ducky can do things super fast, but in a couple of minutes anything can be done to a computer.

So just put your computer in a giant safe and lock it before you leave ;)
of course if someone can open the safe...

#28 Darren Kitchen

Darren Kitchen

    Hak5 Junkie

  • Root Admin
  • 3,808 posts
  • Gender:Male
  • Location:San Francisco, CA

Posted 29 September 2011 - 01:54 AM

I've given it a lot of thought and the best I can figure is that modern operating systems need to fundamentally change the way they deal with USB devices, HIDs in particular. An OS should never trust a keyboard, mouse, hell even a joystick (what if someone ducky'd your flight sim and made you do a barrel roll into a mountain?!?!?!)

The way I see it the best an OS can do to combat this vector of attack is to implement a CAPTCHA. Insert an untrusted keyboard? No problem. Let's just sandbox that sucker until we get some validation. Pop up a window with 4 characters and a soft keyboard and ask the user to use the mouse to validate. Of course this isn't without its own set of problems (how do you validate the mouse, and which came first - the chicken or the egg?)

Vendor and device ID is easily spoofed so securely pairing a host and input device is hopeless. Even if MAC level identification was implemented we've seen how trivial that has been to overcome in the WiFi world.

I don't think there is a perfect solution and truthfully I believe the I/O attack vector will be with us for quite some time...until ultimately the concept of a PC is redefined.
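Both the udev-style allowlist Paul dismisses above (post #22) and the quarantine-plus-CAPTCHA idea in the post just above come down to the same host-side mechanism: leave a new USB device deauthorized and decide later. The following is an added Python model of that policy, not code from the thread, from Teensy or from Hak5. The only descriptor values taken from the thread are the Teensy default 16C0:0482 and the Apple keyboard 05AC:0220 with its empty serial; the udev rule in the comment, the hook path, the udev variable names and the descriptor 1234:5678 are assumptions. On Linux the sysfs attributes `authorized` (per device) and `authorized_default` (per hub) are real; everything else is a model.

```python
#!/usr/bin/env python3
"""Quarantine policy for newly attached USB input devices (added example).

Every new device stays deauthorized. An allowlist hit on (idVendor, idProduct,
serial) authorizes it at once, which is all a udev rule can do, and is exactly
what a cloned descriptor walks through. Anything else stays dead until a
challenge shown on screen is answered through an input path the host already
trusts (the soft-keyboard CAPTCHA). Assumed udev rule wiring main() in
(file name and hook path are assumptions, untested here):
  ACTION=="add", SUBSYSTEM=="usb", ATTR{authorized_default}=="1", ATTR{authorized_default}="0"
  ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/hid-quarantine.py"
"""
import os
import secrets
import string
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

Descriptor = Tuple[str, str, str]   # (idVendor, idProduct, serial); hex fields lower-case

TEENSY_DEFAULT: Descriptor = ("16c0", "0482", "")   # IDs from the Teensyduino snippet above
APPLE_KEYBOARD: Descriptor = ("05ac", "0220", "")   # Paul's lsusb line; empty serial string


def udev_env_descriptor(env: Dict[str, str]) -> Descriptor:
    """Descriptor from the variables udev hands a RUN program (names assumed)."""
    return (env.get("ID_VENDOR_ID", "").lower(),
            env.get("ID_MODEL_ID", "").lower(),
            env.get("ID_SERIAL_SHORT", ""))


def random_challenge(length: int) -> str:
    alphabet = string.ascii_uppercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Quarantine:
    allowlist: Set[Descriptor]
    challenge_source: Callable[[int], str] = random_challenge   # injectable for tests
    challenge_len: int = 4
    authorized: Dict[str, bool] = field(default_factory=dict)    # port -> usable?
    pending: Dict[str, str] = field(default_factory=dict)        # port -> challenge text

    def attach(self, port: str, desc: Descriptor) -> str:
        """Handle an 'add' event; returns 'authorized' or 'pending'."""
        if desc in self.allowlist:
            self.authorized[port] = True
            return "authorized"
        self.authorized[port] = False            # deauthorized: its HID reports never reach the OS
        self.pending[port] = self.challenge_source(self.challenge_len)
        return "pending"

    def answer(self, port: str, typed: str, via_trusted_input: bool) -> bool:
        """Only an already-trusted input path may answer. The quarantined device
        cannot answer for itself: the host does not read it while deauthorized."""
        expected = self.pending.get(port)
        if not via_trusted_input or expected is None:
            return False
        if not secrets.compare_digest(expected, typed.strip().upper()):
            return False
        del self.pending[port]
        self.authorized[port] = True
        return True

    def detach(self, port: str) -> None:
        self.authorized.pop(port, None)
        self.pending.pop(port, None)


def spoof_until_accepted(q: Quarantine, port: str,
                         candidates: Iterable[Descriptor]) -> Optional[Descriptor]:
    """Paul's detach-and-retry loop as the host sees it: the firmware presents
    one descriptor after another (software pull-up = 'unplug') until the
    allowlist accepts one. Returns the descriptor that got through, or None."""
    for desc in candidates:
        if q.attach(port, desc) == "authorized":
            return desc
        q.detach(port)
    return None


def apply_to_sysfs(devpath: str, allowed: bool) -> Optional[str]:
    """Write the decision to /sys/<DEVPATH>/authorized if present; returns the path written."""
    p = Path("/sys") / devpath.lstrip("/") / "authorized"
    if not p.exists():
        return None
    p.write_text("1" if allowed else "0")
    return str(p)


def main() -> None:
    # A short-lived udev hook can only do the allowlist half; the challenge
    # half needs a session daemon that owns the screen and the trusted mouse.
    desc = udev_env_descriptor(os.environ)
    allowed = desc in {APPLE_KEYBOARD}
    apply_to_sysfs(os.environ.get("DEVPATH", ""), allowed)
    print(f"{desc} -> {'authorized' if allowed else 'left deauthorized'}")


if __name__ == "__main__":
    main()
```

The model makes Paul's objection concrete: `spoof_until_accepted` gets through the allowlist with nothing more than the copied Apple descriptor, while the challenge path holds because the answer has to come from a device that was trusted before the new one arrived. The chicken-and-egg remains: the first trusted input device still has to be trusted by fiat.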

#29 OccamIsTheMan

OccamIsTheMan

    Newbie

  • Members
  • 2 posts

Posted 03 June 2012 - 01:53 PM

I realize this is an old post, but couldn't we avoid the issues of spoofing, etc. altogether? Spoofing occurs upon insertion. It's impossible to insert a malicious device if there's no port to plug it into, right?

1. Set up your system the way you want it, including USB configuration.
2. Fill all unused ports with tiny flash drives. You can find them at office supply stores for a few dollars.
3. Configure the system so that if any device is removed, (i) a flag is set that will notify the user that device was removed (ideally forcing a call to IT security), and (ii) adding additional devices is disabled entirely until the user authenticates or whatever other process is necessary to verify only trusted devices are attached.

To verify that the flash drives haven't been swapped out for malicious devices, you could store an encrypted file on the drive that the user can decrypt to verify it's the right drive. I suppose you could add a malicious device by tapping it into the keyboard cable while it's plugged in or something. That's a hell of a lot harder than plugging into an open USB port or swapping a device out, though; plus it would leave visible evidence of the attack. (And you might be able to defeat it by monitoring the real-time current draw on the USB port, anyway.) The attacker could reboot and possibly boot from USB, but if full-disk encryption is used it wouldn't matter. With Linux you can keep /boot on a flash drive and have the box's internal drive have no MBR, so Evil Maid attacks are impossible.

Is there something else I'm missing or is this a simple solution to this problem that doesn't require epoxying or otherwise destroying unused ports?

Edited by OccamIsTheMan, 03 June 2012 - 02:17 PM.
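The three steps above (baseline the filled ports, watch for any removal, refuse new devices until someone clears the flag) and the "encrypted file on the filler drive" check, as one added Python example. It is not code from the thread or from any product; the sysfs layout `/sys/bus/usb/devices/<bus>-<port>/{idVendor,idProduct,serial}` is real on Linux, while every descriptor value, the port names and the host key are constructed. The drive check is done as a keyed MAC over port and descriptor rather than an encrypted file, which is the same idea with less to get wrong.

```python
#!/usr/bin/env python3
"""Port-inventory guard (added example, not from the thread).

Steps 1-2: record which device sits on which physical USB port once the box
is set up. Step 3: on every poll compare the live inventory with that
baseline; any removal, swap or addition sets a sticky lock that refuses new
devices until clear() is called after an out-of-band check.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Tuple

Descriptor = Tuple[str, str, str]       # (idVendor, idProduct, serial)
Inventory = Dict[str, Descriptor]       # port path such as "1-1.2" -> descriptor

_DEVICE_DIR = re.compile(r"^\d+-[\d.]+$")   # "1-1.2" is a device; "1-1.2:1.0" is an interface


def _read(p: Path) -> str:
    try:
        return p.read_text().strip().lower()
    except OSError:
        return ""


def snapshot_sysfs(root: str = "/sys/bus/usb/devices") -> Inventory:
    """Live inventory from sysfs; empty where there is no sysfs (tests, non-Linux)."""
    inv: Inventory = {}
    base = Path(root)
    if not base.is_dir():
        return inv
    for d in base.iterdir():
        if _DEVICE_DIR.match(d.name):
            inv[d.name] = (_read(d / "idVendor"), _read(d / "idProduct"), _read(d / "serial"))
    return inv


def diff_inventory(baseline: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Ports that vanished, ports now holding a different device, ports that appeared."""
    removed = sorted(p for p in baseline if p not in current)
    swapped = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    return {"removed": removed, "swapped": swapped, "added": added}


@dataclass
class PortGuard:
    baseline: Inventory
    locked: bool = False
    log: List[str] = field(default_factory=list)

    def poll(self, current: Inventory) -> bool:
        """Compare against the baseline; returns True if the box is still clean."""
        d = diff_inventory(self.baseline, current)
        for kind in ("removed", "swapped", "added"):
            for port in d[kind]:
                self.log.append(f"{kind} {port}")
                self.locked = True                 # sticky until clear()
        return not any(d.values())

    def authorize_new(self, port: str, desc: Descriptor) -> bool:
        """Step 3(ii): nothing new is accepted while the lock is set."""
        if self.locked:
            self.log.append(f"blocked {port} {desc}")
            return False
        return True

    def clear(self, new_baseline: Inventory) -> None:
        """Only after the out-of-band check (assumption: IT security signed off)."""
        self.baseline = dict(new_baseline)
        self.locked = False


def make_marker(host_key: bytes, port: str, desc: Descriptor) -> bytes:
    """Marker to store on each filler drive: keyed MAC over where it sits and what it is."""
    msg = "|".join((port,) + desc).encode()
    return hmac.new(host_key, msg, hashlib.sha256).digest()


def check_marker(host_key: bytes, port: str, desc: Descriptor, marker: bytes) -> bool:
    """A swapped-in drive fails even with a copied serial unless it also carries the MAC."""
    return hmac.compare_digest(make_marker(host_key, port, desc), marker)


# Constructed sample inventory for a stand-alone run (not real hardware IDs).
BASELINE: Inventory = {
    "1-1": ("05ac", "0220", ""),          # the trusted keyboard
    "1-2": ("abcd", "0001", "STICK-A"),   # filler flash drives in the otherwise unused ports
    "1-3": ("abcd", "0001", "STICK-B"),
}

if __name__ == "__main__":
    g = PortGuard(BASELINE)
    live = dict(BASELINE)
    del live["1-3"]                       # someone pulled a filler stick
    print("clean:", g.poll(live), "locked:", g.locked, g.log)
    print("new device accepted:", g.authorize_new("1-3", ("16c0", "0482", "")))
```

`snapshot_sysfs()` is what a polling daemon would feed into `poll()`; on a real box a udev event for the port is a better trigger than a timer. The guard lives inside the running OS, so, as the post says, it does nothing against a reboot: full-disk encryption and a locked boot path have to cover that case.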


#30 midnitesnake

midnitesnake

    Hak5 Ninja

  • Ducky Moderators
  • 814 posts
  • Gender:Male
  • Location:Earth
  • Interests:Ducky, Pineapple

Posted 16 February 2013 - 02:09 PM

The best full-length description of defences is from Iron Geek's Plug and Prey paper, which covers Windows 7+ Group Policy and Linux udev:

http://www.irongeek....ous-usb-devices

There is currently no method of preventing this on OSX except Device Control software, which is easily bypassed.


Edited by midnitesnake, 16 February 2013 - 02:14 PM.

DuckyDecode: http://code.google.c.../ducky-decode/

Ducky Definitive Guide: http://goo.gl/XGIw1k


#31 ApacheTech Consultancy

ApacheTech Consultancy

    Hak5 Zombie

  • Active Members
  • 131 posts
  • Gender:Male
  • Location:Chester, Cheshire, UK.
  • Interests:Web Development & SEO, Programming, Electrical Engineering, Social Engineering, Prototyping, Cryptography, Black Hat Exploitation, White Hat Ethical Hacking.

Posted 16 February 2013 - 04:12 PM

The best way to protect the company as a whole is by promoting a culture of safe practice. The organisation should produce an IT Security Policy with which users of its network must comply. The policy should set standards for proper password usage, management of confidential data, prohibition of personal, unauthorised software and various other restrictions and guidelines; including the need to lock computers when they're not in use and log out of systems whenever possible.

Staff should be trained in Social Engineering Awareness. They should be shown, first hand, the power of the USB-RD and the havoc they can cause, even if you leave your screen unlocked for ten seconds while you get the printout from the printer 10ft away. CLAiT users of computers are the most vulnerable. Fast typers, yes, but not very often fast thinkers when it comes to their own, and by proxy, the company's information security.

The policy should be enforceable by the standard disciplinary procedures of the organisation and it should be made clear that a breach of the policy will be considered gross misconduct, with possible legal repercussions for serious breaches. Information security should become a culture of safety and security within the workplace and should be built in to the organisation's behavioural safety policy. The policy should be part and parcel of the everyday life of employees and customers and should become second nature. Information Security is not just a way of securing data and protecting the organisation from attack; it is also a method for keeping the organisation, the workplace, its employees and customers safe.

The Health & Safety officer and Head of Security should, at the very least, be able to pass information on to the relevant IT staff if a breach is suspected. Staff should feel comfortable talking to either of these people, as well as the IT staff if they think their computer has been compromised. The computer should be isolated (I've often thought of having a switch on network ports so you can turn the network access off without unplugging the cable), and should be re-imaged as soon as possible.

Deterrence is one way of dealing with things, but sticking USB pens in spare slots or epoxying the ports is a short-term and drastic approach, when a similar investment will protect the company in a much broader and long-term sense.


usb-rd.gif | lan-tap.gif | uk-tour.gif

"Oh Bother!", said Pooh, and shakily lowered the bloodied axe. Piglet lay spatchcock on the bed; his cold, glazed eyes staring lifelessly at his own blood on the ceiling.

#32 ApacheTech Consultancy

ApacheTech Consultancy

    Hak5 Zombie

  • Active Members
  • 131 posts
  • Gender:Male
  • Location:Chester, Cheshire, UK.
  • Interests:Web Development & SEO, Programming, Electrical Engineering, Social Engineering, Prototyping, Cryptography, Black Hat Exploitation, White Hat Ethical Hacking.

Posted 16 February 2013 - 04:43 PM

For more technical policies, you may wish to consider:

  • Windows SteadyState, or a relevant alternative, will protect against backdoor attacks like StickyKeys, Magnifier, UtilMan.
  • Screensavers set to 1 minute that they need to reauthenticate to carry on.
  • Wired Ethernet access to the network should be controlled via a proxy server, so if a rogue device is plugged in, they won't have internet or intranet access.
  • The intranet is usually the most vulnerable node. The internet will have proxies, firewalls and various other monitors that will protect against the vast majority of attacks. Consider the intranet and the extranet as extensions of the internet and protect them thusly.
  • Whilst group policies will protect against a vast range of attacks, individual policies should be included as well. Too many times I've seen an AD with purely group policies employed. It can take a while in this case to lock down individual users.
  • Much like defensive programming, assume all data is unsafe and corrupt. Assume all third party sources are attacks and assume all users are vulnerable.

Other generic advice:

  • Don't bombard your staff or restrict them too greatly as this will lead to them resenting the restrictions and finding ways around them.
  • Personal devices should be logged with IT staff and whitelisted on the MAC table before they are connected to the network. This includes charging mobile phones from USB ports.

More drastic advice:

  • THIS IS NOT RECOMMENDED: The fastest way to effectively lock down a Windows PC is to infect it with malware then cut its connection to the network. You can actually use this technique to vaccinate computers by placing malware on the network with no harmful payload. This will restrict access to the registry, stop the task manager, command prompt, and various other restrictions without doing anything actually harmful to the computer. White Hat "malware" is available which helps reinforce Group Policies on a per machine basis. Software such as Windows SteadyState will re-image the computer and wipe the malware as soon as it is rebooted.


Edited by ApacheTech, 16 February 2013 - 04:52 PM.


#33 fmotta

fmotta

    Newbie

  • Members
  • 1 posts

Posted 06 May 2013 - 04:27 PM

Defense against the Duck arts can be tough!!!

Ok - I had to say that - now I will read the post more :)



#34 Stevie

Stevie

    Hak5 Fan +

  • Active Members
  • 55 posts

Posted 09 September 2013 - 04:05 PM

QUOTE (ApacheTech Consultancy @ 16 February 2013 - 04:43 PM) <{POST_SNAPBACK}>
For more technical policies, you may wish to consider:

  • Windows SteadyState, or a relevant alternative, will protect against backdoor attacks like StickyKeys, Magnifier, UtilMan.
  • Screensavers set to 1 minute that they need to reauthenticate to carry on.
  • Wired Ethernet access to the network should be controlled via a proxy server, so if a rogue device is plugged in, they won't have internet or intranet access.
  • The intranet is usually the most vulnerable node. The internet will have proxies, firewalls and various other monitors that will protect against the vast majority of attacks. Consider the intranet and the extranet as extensions of the internet and protect them thusly.
  • Whilst group policies will protect against a vast range of attacks, individual policies should be included as well. Too many times I've seen an AD with purely group policies employed. It can take a while in this case to lock down individual users.
  • Much like defensive programming, assume all data is unsafe and corrupt. Assume all third party sources are attacks and assume all users are vulnerable.

Other generic advice:

  • Don't bombard your staff or restrict them too greatly as this will lead to them resenting the restrictions and finding ways around them.
  • Personal devices should be logged with IT staff and whitelisted on the MAC table before they are connected to the network. This includes charging mobile phones from USB ports.

More drastic advice:

  • THIS IS NOT RECOMMENDED: The fastest way to effectively lock down a Windows PC is to infect it with malware then cut its connection to the network. You can actually use this technique to vaccinate computers by placing malware on the network with no harmful payload. This will restrict access to the registry, stop the task manager, command prompt, and various other restrictions without doing anything actually harmful to the computer. White Hat "malware" is available which helps reinforce Group Policies on a per machine basis. Software such as Windows SteadyState will re-image the computer and wipe the malware as soon as it is rebooted.


And this is the problem. Some policies, although they sound fine and good, aren't workable. Like the 1 minute screen saver madness. We tried this, which I've never agreed with, and it's unworkable. People do sit and read at times on their screen, or compare figures on screen to print outs. The screen saver kicking in every 1 min was driving people nuts and just isn't productive. Same with draconian group policies which even prevent us, the IT staff, from fixing a problem in 5 mins, having to spend 20 mins instead fighting with group policy.

I don't have a Ducky to test, but I wonder if Lumension would work to block this. It's what we use to restrict access to USB ports. You can plug a USB stick in, but it won't let you write to it because Lumension requires it be encrypted first with the Lumension encryption.



#35 midnitesnake

midnitesnake

    Hak5 Ninja

  • Ducky Moderators
  • 814 posts
  • Gender:Male
  • Location:Earth
  • Interests:Ducky, Pineapple

Posted 09 September 2013 - 04:22 PM

QUOTE (Stevie @ 09 September 2013 - 04:05 PM) <{POST_SNAPBACK}>
And this is the problem. Some policies, although they sound fine and good, aren't workable. Like the 1 minute screen saver madness. We tried this, which I've never agreed with, and it's unworkable. People do sit and read at times on their screen, or compare figures on screen to print outs. The screen saver kicking in every 1 min was driving people nuts and just isn't productive. Same with draconian group policies which even prevent us, the IT staff, from fixing a problem in 5 mins, having to spend 20 mins instead fighting with group policy.

I don't have a Ducky to test, but I wonder if Lumension would work to block this. It's what we use to restrict access to USB ports. You can plug a USB stick in, but it won't let you write to it because Lumension requires it be encrypted first with the Lumension encryption.


Agree with you on the 1 minute screensaver issue.

Lumension is ok, it can block the Ducky in its default setting.

But the Ducky has a secret (not so secret) weapon to bypass DLP solutions like Lumension :) I know they panicked and re-wrote some of their software just over a year ago. I haven't had a chance to assess all their solutions / new products / new versions, so it may come down to configuration.

So I just want to take this opportunity to say "Hi Lumension, McAfee, Sophos, Symantec! I know you're watching me ..... I'm still waiting for that second date!"




#36 c0dered

c0dered

    Newbie

  • Members
  • 2 posts

Posted 09 February 2014 - 04:01 AM

Depending on the company where you work, or home, etc.:

1. Disabling all unused USB ports.

2. Logging off whenever you are not at the PC.
3. There could be some managed USB filtering, though I don't think it exists at the moment: some app could check if there are two HIDs connected and refuse any further HID connection, not recognise it, etc.

BUT, if someone has physical access for a longer time he doesn't need the Ducky and there is no protection that could stop him. Besides, for everyone that has a company and reads this, there is no 100% protection; even a locked computer in the basement can be hacked. The biggest security that a company can implement is by educating its employees; security hardens technically but weakens socially, and social engineering becomes the biggest threat in different segments, of course.





