Jump to content

Securing Your Fortress From Infiltration By Rubber Ducks.


redxine
 Share

Recommended Posts

Haven't seen too many threads about protecting against rogue USB devices, or anything about testing to see if an USB device is "safe", as mentioned in the letter in episode 1023.

I got thinking of protecting against evil rubber duckies and realised that mass storage isn’t the problem. While it’s relatively simple to prevent FUSE from mounting mass storage automatically, the thing we want is to prevent the “mass storage device” from sending HID events.

Perhaps setting up a cheap and old box (or perhaps even a little RaspberryPi) with the usbhid module blacklisted (sudo modprobe -r usbhid) to plug a device to check into. A wireshark/usb dump can be done over ssh, et al to inspect the true intentions of the device. It’s a simple way to check for vendor ID, etc. and since it only requires runlevel 3, mouse and keyboard events/attacks can be rendered useless with a repurposed getty input (perhaps just an inkey program that redirects to a file to figure out what said evil rubberducky is up to).

I smell some utilities for testing for rubber ducks for *nix boxes in the future :P

I might test some of these concepts later, but I'll need to get my paws on a duck first.

Link to comment
Share on other sites

You should also check out int0x80's talk on Anti-Forensics. He sets up some scripts to automatically delete the usb drives when they show up. There might be something in his checksum that would prevent the driver from firing if it's not in the whitelist.

Link to comment
Share on other sites

Super Glue in the USB ports would work lol.

Damn it, i was going to say that lol.

or just break the ones your not useing and glue in the keyboard and mouse.

If your really strict on the security (for a buisness or w/e) dont have them mounted to the case, and have the keyboard and mouse attached internally. All depends on your setup and what your employee's need. I like a physical security approach over a software approach. A guy using a flash drive is alot less suspicious than a guy with bolt cutters, or digging around behind his computer.

Link to comment
Share on other sites

Damn it, i was going to say that lol.

or just break the ones your not useing and glue in the keyboard and mouse.

If your really strict on the security (for a buisness or w/e) dont have them mounted to the case, and have the keyboard and mouse attached internally. All depends on your setup and what your employee's need. I like a physical security approach over a software approach. A guy using a flash drive is alot less suspicious than a guy with bolt cutters, or digging around behind his computer.

True, but there's many instances when controlled media is a necessity, keyboards and mice break, etc.

Link to comment
Share on other sites

Well, there are dongles for USB to PS2 devices, so technically, you could go in over the older mouse and usb ports. I haven't actually tried this, but I have a feeling it would work. I have a few dongles around the house somewhere and picked up a ducky from Darren at Derbycon last year. If I can find the damn things I will give it a shot and post back, but feel free to try it yourself, see if it works.

By the way, they look like this: http://www.google.com/products/catalog?hl=en&newwindow=1&safe=off&q=usb+to+ps2+adapter&gs_sm=e&gs_upl=701l3885l0l5263l12l12l1l0l0l0l71l673l11l11l0&um=1&ie=UTF-8&tbm=shop&cid=11507205293035878945&sa=X&ei=004yT_fPAejZ0QG-u5GLCA&ved=0CIABEPICMAQ and come with some mice when you by them.

Link to comment
Share on other sites

That relies on the actual hardware - the controller in USB keyboards and mice can sense the PS/2 handshake and adjust the protocol. So it'd have to be a burned-in feature of the duck's hardware or of a Teensy.

Pretty sure IronGeek's version on the Teensy, has the ability to mimic different hardware, change vendor ID's if needed, and make it look like different types of devices. I'm not sure if it works over PS/2 though, but his is a bit more programmable than the Ducky and might be able to do it.

Link to comment
Share on other sites

There are third party software that you could use to disable the USB ports, as well as you could modify the following registry key.

"Warning : Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk. If a USB storage device is already installed on the computer"

set the Start value in the following registry key to 4:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

When you do so, the USB storage device does not work when the user connects the device to the computer.

To set the Start value, follow these

steps:1. Click Start, and then click Run.

2. In the Open box, type regedit, and then click OK.

3. Locate, and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

4. In the right pane, double-click Start.

5. In the Value data box, type 4, click Hexadecimal (if it is not already

selected), and then click OK.

6. Quit Registry Editor and restart the system.

Link to comment
Share on other sites

But USB mass storage isn't the problem (unless it's a windows box with autorun, a vulnerability in explorer, etc.) - it's emulated HID. However since USB keyboards and mice are so commonplace today this is a difficult vector to defend. Perhaps having a whitelist for certain manufacturers of keyboards/mice (although this could probably be annoying for end users, so would the banning of USB devices entirely). You could put this off to physical security, which is really what it comes down to, but it wouldn't hurt to hinder the exploit with even a little bit of work.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...