Full Report
Last Saturday, at Defcon 24, we gave a talk entitled “Universal Serial aBUSe: Remote Physical Access Attacks” about some research we had performed into USB attacks. The talk was part of a research theme we’ve been pursuing around hardware bypasses of software security. We decided to look into these sorts of attacks after noting their use in real-world incidents. At one end of the scale you have “apex predators” such as the NSA, with its extensive use of sophisticated hardware implants, most notably for this work the COTTONMOUTH devices. At the other end, we noticed real-world criminals in the UK and ZA making use of unsophisticated hardware devices, such as hardware keyloggers, drive imagers and physical VPN devices, and successfully making off with millions. This led us to hypothesise that there is probably a large range of possible attacks between these two extremes. We also noted that there are not many decent defences against these sorts of attacks: it’s 2016, and the only decent defence against a good hardware keylogger is still to “manually inspect all USB ports” (assuming this stuff is even visible).
Analysis Summary
# Tool/Technique: Universal Serial aBUSe (USaBUSe)
## Overview
USaBUSe is a research project and associated hardware/software framework that extends the capabilities of traditional "Rubber Ducky" style HID attacks by establishing a **bi-directional, remote binary channel over a dedicated WiFi network**, independent of the host system's network. This allows for remote trigger capability, stealthier communication (avoiding host network monitoring), and reduced payload fragility by shifting heavy lifting to the hardware.
## Technical Details
- Type: Tool / Framework (Hardware implantation leveraging HID emulation)
- Platform: Primarily demonstrated against **Windows**. Linux and OS X are noted as limited targets because an unprivileged user on those platforms cannot open the generic HID interface that the binary channel relies on.
- Capabilities: Acts as a malicious USB device (HID), executes initial payload via keystrokes, establishes a remote WiFi channel using an integrated ESP8266, performs remote actions, and includes anti-forensics features like a mouse jiggler.
- First Seen: Research presented at Defcon 24 (August 2016).
## MITRE ATT&CK Mapping
The core mechanism is a physical USB device that presents as a keyboard, types an initial payload, and then carries command and control over its own WiFi link rather than the host's network. The mapping follows from that behaviour:
- **TA0001 - Initial Access**
- **T1200 - Hardware Additions** (a malicious device attached to a USB port on the target)
- **TA0002 - Execution**
- **T1059.001 - Command and Scripting Interpreter: PowerShell** (the typed first stage launches PowerShell; see Keyboard Layout Handling below)
- **TA0011 - Command and Control** / **TA0010 - Exfiltration**
- **T1011 - Exfiltration Over Other Network Medium** (the ESP8266 provides a WiFi link that never touches the host's network stack; the same link carries the C2 traffic, for which ATT&CK has no technique more specific than the tactic)
- **TA0005 - Defense Evasion**
- **T1564.003 - Hide Artifacts: Hidden Window** (the typed PowerShell window is hidden within about 12 seconds of appearing)
- The mouse jiggler keeps the session from locking or blanking; ATT&CK has no technique for suppressing screen lock, so it is described under Functionality rather than mapped.
*Note: the device injects keystrokes and mouse movement rather than recording them, so Input Capture (T1056.001 Keylogging) does not apply. Nor does T1090 Proxy: the implant carries its own traffic out of band and does not relay the host's. The initial stage relies on the host accepting a standard HID keyboard, not on firmware modification (T1542.003 Bootkit) or on exploiting a vulnerability in USB handling or a network-facing service (T1190), which is why it is Hardware Additions rather than an exploitation technique.*
## Functionality
### Core Capabilities
- **HID Emulation:** Mimics a standard keyboard/mouse to automatically type malicious payloads upon connection/trigger.
- **Remote Triggering:** Allows the operator to initiate the attack execution remotely via WiFi, removing the need for physical presence after deployment.
- **Bi-directional Binary Channel:** Establishes a dedicated wireless communications path independent of the host network for robust remote access and exfiltration.
- **Payload Optimization:** Delivers the typed payload quickly (visible for under 4 seconds, hidden within 12 seconds).
### Advanced Features
- **Stealthy C2:** Communication never enters the host's network stack, so host-based network monitoring, and any NIDS watching the host's network, sees nothing.
- **Device Disguise:** Presents to the host only as an innocuous HID device; the WiFi link is on the implant's own radio, so no new network adapter ever appears on the host for standard checks to find.
- **Mouse Jiggler:** Prevents screensavers and screen lock from activating by injecting background mouse movement too small for the user to notice.
- **Keyboard Layout Handling:** Builds the typed PowerShell stage with `char[]` arrays and `.Replace()` calls so that characters whose key position differs between international keyboard layouts are not typed literally, and the command still runs correctly on a host with a non-US layout.
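The layout problem above is easier to see with the encoding written out. The following is an added example, not USaBUSe's own code: it turns a string into USB HID keyboard reports, shows what a host with a different layout types when it receives them, and rewrites a PowerShell statement so that only layout-agnostic characters are ever typed. The key tables are deliberately small (only the keys the example needs, from the USB HID Usage Tables keyboard page) and the `iex(-join [char[]](...))` rewrite is an illustration of the `char[]` approach, not the project's actual generator.

```python
# Added example, not USaBUSe's own code: how keystroke-injection payloads become USB HID
# keyboard reports, and why the host's keyboard layout can mangle them.
#
# A HID keyboard sends 8-byte reports (modifier bitmask, reserved byte, up to six key
# usage IDs), not characters. The host turns usage IDs into characters using ITS layout,
# so a report meaning '"' on a US host means '@' on a UK host. The tables cover only the
# keys this example needs (USB HID Usage Tables, Keyboard/Keypad page); the layout-safe
# rewrite at the end illustrates the char[] approach and is not the project's generator.

LSHIFT = 0x02  # Left Shift bit in the report's modifier byte

# Punctuation whose key (and therefore usage ID) is the same on US and UK keyboards.
COMMON = {' ': (0, 0x2C), '-': (0, 0x2D), '[': (0, 0x2F), ']': (0, 0x30),
          ',': (0, 0x36), "'": (0, 0x34), '(': (LSHIFT, 0x26), ')': (LSHIFT, 0x27)}
# Punctuation that moves between the two layouts.
US_LAYOUT = {**COMMON, '"': (LSHIFT, 0x34), '@': (LSHIFT, 0x1F), '\\': (0, 0x31)}
UK_LAYOUT = {**COMMON, '"': (LSHIFT, 0x1F), '@': (LSHIFT, 0x34), '\\': (0, 0x64)}


def char_to_key(ch, layout):
    """(modifier, usage_id) for one printable character under `layout`."""
    if ch.isascii() and ch.isalpha():
        return (LSHIFT if ch.isupper() else 0, 0x04 + ord(ch.lower()) - ord('a'))
    if '0' <= ch <= '9':
        return (0, 0x27 if ch == '0' else 0x1E + int(ch) - 1)   # '1'..'9' -> 0x1E..0x26
    return layout[ch]


def encode(text, layout):
    """Keystroke sequence for `text`: a key-down report and an all-up report per character."""
    reports = []
    for ch in text:
        mod, usage = char_to_key(ch, layout)
        reports.append(bytes([mod, 0, usage, 0, 0, 0, 0, 0]))
        reports.append(bytes(8))
    return reports


def decode(reports, layout):
    """What a host configured with `layout` types on receiving `reports`."""
    inverse = {key: ch for ch, key in layout.items()}
    typed = []
    for rep in reports:
        mod, usage = rep[0], rep[2]
        if usage == 0:
            continue                                   # key-release report
        if (mod, usage) in inverse:
            typed.append(inverse[(mod, usage)])
        elif 0x04 <= usage <= 0x1D:
            ch = chr(ord('a') + usage - 0x04)
            typed.append(ch.upper() if mod & LSHIFT else ch)
        elif mod == 0 and 0x1E <= usage <= 0x27:
            typed.append('0' if usage == 0x27 else str(usage - 0x1E + 1))
        else:
            typed.append('?')                          # key not in this layout table
    return ''.join(typed)


def sensitive_chars(text, layouts=(US_LAYOUT, UK_LAYOUT)):
    """Characters of `text` that would type differently on at least one of `layouts`."""
    return sorted({c for c in text if len({char_to_key(c, l) for l in layouts}) > 1})


def layout_safe(script):
    """Rewrite a PowerShell statement so the typed text uses only letters, digits and
    punctuation shared by US_LAYOUT and UK_LAYOUT: the statement travels as decimal
    char codes and PowerShell rebuilds it with [char[]] (iex = Invoke-Expression)."""
    codes = ','.join(str(ord(c)) for c in script)
    return f'iex(-join [char[]]({codes}))'


if __name__ == '__main__':
    payload = 'powershell -w hidden -c "whoami"'
    print(decode(encode(payload, US_LAYOUT), UK_LAYOUT))   # powershell -w hidden -c @whoami@
    print(sensitive_chars(payload))                        # ['"']
    safe = layout_safe(payload)
    print(safe)
    print(decode(encode(safe, US_LAYOUT), UK_LAYOUT) == safe)   # True
```

The rewritten statement is longer and slower to type, which is the trade-off the talk's timing figures are working against; in practice one would confine the rewrite to the few characters `sensitive_chars` reports rather than the whole script.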
## Indicators of Compromise
The provided text focuses on the *tool's mechanism* rather than a specific instance's IOCs for a deployed infection.
- File Hashes: N/A (The core attack relies on pre-compiled hardware firmware).
- File Names: N/A (Focus is on hardware functionality, not persistent host files).
- Registry Keys: N/A (The `\\??\` vs `\\?\` prefix difference noted in the source concerns the device path used to open the HID interface on different Windows versions; it is not a registry artefact and not an IOC).
- Network Indicators: N/A (The network channel is established dynamically via the integrated ESP8266 over WiFi; C2 IPs/domains are determined by the operator).
- Behavioral Indicators:
- Appearance of an unexpected HID device immediately followed by rapid, automated keystroke activity.
- Injections of imperceptible mouse movement events when the system should be idle.
- An unfamiliar WiFi network or client (the implant's ESP8266) visible to a wireless survey near the host; the traffic never traverses the host's own network stack, so it can only be found over the air.
## Associated Threat Actors
None. USaBUSe is a research project by **SensePost** (Rogan Dawes and Dominic White), presented at Defcon 24. The write-up cites two ends of the real-world spectrum as motivation, not as users of the tool:
- Sophisticated hardware implants: **NSA** (e.g., COTTONMOUTH).
- Unsophisticated hardware (keyloggers, drive imagers, physical VPN devices): **criminals operating in the UK and ZA**.
## Detection Methods
The article highlights the difficulty of detection: the implant's logic lives in firmware and its network link bypasses the host, so only the typed first stage and its side effects are visible from the host.
- Signature-based detection: Ineffective against the firmware itself, which never touches disk. The typed PowerShell stage does execute on the host, where PowerShell script block logging and AMSI-integrated AV can see it.
- Behavioral detection: A new HID device immediately followed by a shell spawned from the interactive desktop, and a session that never locks although nobody is at the keyboard, are the key signals.
- YARA rules: N/A for the device; a rule would have to target the typed PowerShell stage rather than any file dropped by the firmware.
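The behavioural signal above, new HID device then a shell launched from the interactive desktop, is simple to express as a correlation rule. The following is an added example, not code from the original post: it runs that rule over constructed sample telemetry in a simplified, assumed schema (on a real host the sources would be device-arrival events such as Kernel-PnP and process-creation events such as Sysmon event 1 or Security 4688), and the 30 second window and shell list are assumptions to tune per environment.

```python
# Added example, not from the original post: correlating the arrival of a new HID
# device with a shell launched from the interactive desktop a few seconds later.
# The records are constructed sample telemetry in a simplified, assumed schema; on a
# real host the sources would be device-arrival events (e.g. Kernel-PnP) and process-
# creation events (Sysmon event 1 or Security 4688). The window and shell list are
# assumptions to tune per environment.

from datetime import datetime, timedelta

SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
WINDOW = timedelta(seconds=30)   # assumed: a typed stage lands seconds after enumeration

# Constructed sample events from one host, in time order.
EVENTS = [
    {"ts": "2016-08-06T10:00:00", "type": "device", "class": "HIDClass",
     "desc": "USB Input Device"},
    {"ts": "2016-08-06T10:00:03", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -w hidden -c whoami"},
    {"ts": "2016-08-06T10:05:00", "type": "device", "class": "DiskDrive",
     "desc": "USB Mass Storage Device"},
    {"ts": "2016-08-06T10:05:10", "type": "process",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Editor\editor.exe",
     "cmdline": "cmd.exe /c build.bat"},
    {"ts": "2016-08-06T10:20:00", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hid_then_shell(events, window=WINDOW):
    """Return (device_event, process_event) pairs where a HID-class device arrival is
    followed within `window` by a shell whose parent is explorer.exe. A typed payload
    (Run dialog, Start menu) lands under explorer.exe; shells spawned by other programs,
    and shells with no recent HID arrival, are left alone to keep the rule quiet."""
    alerts = []
    recent_hid = []                      # (timestamp, event) for arrivals still in window
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "device":
            if ev["class"] == "HIDClass":
                recent_hid.append((ts, ev))
            continue
        if ev["type"] != "process":
            continue
        recent_hid = [(t, d) for t, d in recent_hid if ts - t <= window]
        if recent_hid and basename(ev["image"]) in SHELLS \
                and basename(ev["parent"]) == "explorer.exe":
            alerts.append((recent_hid[-1][1], ev))
    return alerts


if __name__ == "__main__":
    for dev, proc in hid_then_shell(EVENTS):
        print(f'ALERT {proc["ts"]}: {basename(proc["image"])} {proc["cmdline"]!r} spawned '
              f'by explorer.exe, {dev["desc"]!r} (HIDClass) enumerated at {dev["ts"]}')
```

On the sample data only the 10:00:03 PowerShell fires: the cmd.exe at 10:05:10 has a non-interactive parent and the PowerShell at 10:20:00 has no HID arrival within the window. A legitimate user plugging in a keyboard and opening a shell within 30 seconds will also match, so in practice the rule is best paired with the device's vendor/product ID and with the command line (a hidden window or encoded command raises the confidence).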
## Mitigation Strategies
Mitigation focuses heavily on physical security and advanced hardware inspection, acknowledging the gap in software defenses.
- **Physical Inspection:** Manually inspecting all USB ports for unauthorized or unfamiliar devices (noted in the article as still the *only decent defence* against hardware keyloggers, and only if the device is visible at all).
- **Port Control:** Restricting or disabling unused USB ports where feasible. Because the implant enumerates as a keyboard, controls that only block removable storage (USBSTOR) do not stop it; device installation policies have to whitelist input devices by hardware ID.
- **Supply Chain Security:** Rigorous vetting of hardware components introduced into sensitive environments.
- **Host Monitoring:** Monitoring for process behaviors associated with rapid shell command execution immediately following a new USB device attachment.
## Related Tools/Techniques
The tool builds upon and contrasts with several prior and contemporary projects:
- **Rubber Ducky** (Hak5)
- **PHUKD** (Adrian Crenshaw)
- **TURNIPSCHOOL** (NSA Playset)
- **USBDriveBy** (Samy Kamkar)
- **Kautilya** (Nikhil Mittal)
- **Iron-HID** (Seunghun Han)