
How to audit USB attached device doesn't contain malware


ice-d


I bought a couple of the "Malicious Cable Detector by O.MG" connectors, and would also like to know what a good process could be (if possible) to validate that a USB-attached device, such as a keyboard, mouse or WiFi adapter, doesn't contain malware of some kind or an exploit.

Sorry if this is a repeat question on an existing topic. My current hypothesis is that I may need to set up a test bench of some kind and run X, Y and Z tools... help please?


Keyboards, mice, and WiFi adapters don't contain the logic necessary to store malware. Yes, it's possible to make such devices, but simply don't plug in unknown USB devices and disable USB mass storage, as is commonly recommended. Disabling USB ports in firmware completely and only using Bluetooth would be even better.


Just to point out the obvious: the Malicious Cable Detector is for auditing cables.

As for auditing a random electronic device, there is no easy answer there. People have entire careers doing this. Comparing against a known good version is generally the easiest starting point.


Thank you for the very helpful information. This relieves a lot of anxiety about this particular area of security. I appreciate you guys taking the time to answer my question.
My worry was that a USB keyboard acquired on Amazon could potentially log keystrokes and then send this to a remote attacker.

I was leaning in the direction of a test bench of some kind, and using usbcap or something to capture traffic from the questionable device.

My hypothesis is that the piece that would make this challenging is that the malicious activity would only happen if it were triggered in some way, remotely or by local activity, not just naively running some code when powered on. Hence why people have a full career in the subject, likely.


Yeah, it's tricky. Monitoring the data lines will work for some of the less stealthy devices. But with O.MG Cables, you wouldn't see anything on the data lines. That's because the implant doesn't touch the data lines until a payload is initiated.

Even when the O.MG is doing keylogging, it's doing completely passive sniffing, so you won't see anything on the data lines to indicate a problem. Whereas most keyloggers act as a proxy, which means they become active USB devices and are very easy to see on the data lines.

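Two replies in this thread point the same way: "compare against a known good version" and "proxy keyloggers become active USB devices". The script below is an added example, not code from the thread or from O.MG, that puts both into a defender's check on Linux: it reads each device's VID:PID and interface class codes from sysfs and diffs them against a baseline recorded from a trusted unit, so a "keyboard" that also enumerates a mass-storage, serial or extra HID interface is flagged. It will not see passive sniffers of the kind described in the last reply. The sysfs layout is real; the VID:PID `1234:0001`, the baseline and the temporary tree it audits are constructed.

```python
import tempfile
from pathlib import Path

# USB-IF interface class codes as sysfs prints them (two lowercase hex digits)
CLASS_NAMES = {"03": "HID", "08": "Mass Storage", "02": "CDC-Control", "0a": "CDC-Data", "e0": "Wireless", "ff": "Vendor-specific"}

def enumerate_usb(sysfs_root="/sys/bus/usb/devices"):
    """Map each sysfs device name (e.g. '1-2') to (vid:pid, sorted interface class codes)."""
    root, devices = Path(sysfs_root), {}
    read = lambda p: p.read_text().strip()
    for dev in root.iterdir():
        if not (dev / "idVendor").is_file():      # interface entries ('1-2:1.0') have no idVendor
            continue
        vidpid = f"{read(dev / 'idVendor')}:{read(dev / 'idProduct')}"
        classes = [read(i / "bInterfaceClass") for i in root.glob(f"{dev.name}:*")
                   if (i / "bInterfaceClass").is_file()]
        devices[dev.name] = (vidpid, sorted(classes))
    return devices

def audit(devices, baseline):
    """Flag devices absent from the known-good baseline or exposing interface classes it lacks."""
    findings = []
    for name, (vidpid, classes) in sorted(devices.items()):
        if vidpid not in baseline:
            findings.append(f"{name} {vidpid}: not in baseline, classes {classes}")
            continue
        extra = sorted(set(classes) - set(baseline[vidpid]))
        if extra:
            labels = ", ".join(CLASS_NAMES.get(c, c) for c in extra)
            findings.append(f"{name} {vidpid}: unexpected interface(s): {labels}")
    return findings

def build_sample_sysfs(root):
    """Constructed tree: 1-1 is a plain keyboard; 1-2 shares its VID:PID but adds mass storage."""
    spec = {"1-1": ("1234", "0001", ["03"]), "1-2": ("1234", "0001", ["03", "08"])}
    for name, (vid, pid, classes) in spec.items():
        (Path(root) / name).mkdir()
        (Path(root) / name / "idVendor").write_text(vid + "\n")
        (Path(root) / name / "idProduct").write_text(pid + "\n")
        for n, cls in enumerate(classes):
            (Path(root) / f"{name}:1.{n}").mkdir()
            (Path(root) / f"{name}:1.{n}" / "bInterfaceClass").write_text(cls + "\n")

def run_demo():
    """Audit the constructed tree against a baseline captured from a trusted keyboard."""
    baseline = {"1234:0001": ["03"]}          # constructed placeholder VID:PID, HID only
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysfs(tmp)
        return audit(enumerate_usb(tmp), baseline)
```

On a real host, record the baseline with `enumerate_usb()` while the trusted device is attached, then rerun `audit()` against it whenever a replacement unit is plugged in.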
