Hacker Carpet Bomb, or Never Turn Your Back On A Bad USB

If you haven’t figured it out by now, I think that J.D. is a total rock star.  I know I married him, so I might be a little biased in my assessment of how great he is, but I also have evidence to back it up.  Earlier this month, J.D. gave a presentation at the Triangle ISSA meeting, and did a great job.  The topic?  A “Hacker Carpet Bomb.”  What’s that, you ask?  Pardon me if I can’t help grinning as I tell you about the fun.

Triangle ISSA

For starters, the Triangle ISSA is our local chapter of the Information Systems Security Association.  They meet once a month and provide an avenue for cyber security professionals to get together, interact, and learn from one another.  And when I say “cyber security professionals,” I mean we have representatives from across industries.  We have nerds that protect information in healthcare, communications, finance, government entities, and more!  The common thread is that everyone in the room has a passion to keep their organization (and customers) safe from online threats.  It’s a great organization to check out, even if you’re a casual techie like me.

If you can’t make out his shirt, he Loves Strong Passwords.

Hacker Carpet Bomb

The meat of J.D.’s presentation was all about physical access.  If someone has physical access to your computer, what kind of tricks could they pull, and how long would it take them to do it?

Imagine that someone walks into your office and distracts the receptionist.  While she's running to the back room to find the right paperwork or a drink, the attacker can use one of these tools to get onto the network and into files, all in a matter of seconds.  And it's not just one thing.  There are a variety of toys to choose from!

USB Rubber Ducky

It may look like a regular flash drive, but it's built to act like a keyboard.  The computer recognizes the USB device as a keyboard and accepts whatever preprogrammed keystrokes the tool sends, with no driver prompt and no permission check, because keyboards are trusted by default.  That lets the attacker run scripts, brute-force PIN codes, and drop a payload quickly and efficiently.  For demonstration purposes, J.D.'s script downloaded a "You've Been Hacked" picture from the internet and set it as the victim computer's background.

Bad USB

A "Bad USB" is similar to the Rubber Ducky, but much smaller and cheaper.  It performs very similar operations, in smaller chunks, like opening Notepad and typing "Hack The Planet" in a loop.  You can find the device to program into your BadUSB here.
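Both the Rubber Ducky and the Bad USB work the same way: a payload is just a list of keystrokes the device types into whatever machine it's plugged into.  Here is an added example (not J.D.'s script, and not Hak5's code) that turns a Ducky Script payload, the Rubber Ducky's payload language, into the raw USB HID keyboard reports the device sends, and adds up how long the whole injection takes, which is the "how long would it take them?" question from the talk.  The script it compiles is constructed for this example (the Notepad demo above, written for Windows), and the per-keystroke timing is an assumption, not a measurement.

```python
"""Compile a Ducky Script payload into USB HID keyboard reports.

Added illustration, not J.D.'s script and not Hak5 code.  It models what a
Rubber Ducky does with a payload: every STRING character becomes one HID
report (modifier byte + key usage), named keys and modifier combos become
single reports, and DELAY lines add wall-clock time.  DEMO_SCRIPT below is
constructed for this example (the Notepad demo, targeting Windows); KEY_MS
is an assumed per-keystroke cost, not a measured one.
"""
from dataclasses import dataclass

# Usage IDs from the USB HID Usage Tables, keyboard/keypad page (0x07).
_USAGE = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_USAGE.update({c: 0x1E + i for i, c in enumerate("123456789")})
_USAGE.update({"0": 0x27, "\n": 0x28, " ": 0x2C, "-": 0x2D, "=": 0x2E,
               "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34,
               "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
# Characters produced by holding Shift on a US layout, mapped to the base key.
_SHIFTED = dict(zip('!@#$%^&*()_+{}|:"~<>?', "1234567890-=[]\\;'`,./"))
_SHIFTED.update({c.upper(): c for c in "abcdefghijklmnopqrstuvwxyz"})

MODIFIER = {"CTRL": 0x01, "CONTROL": 0x01, "SHIFT": 0x02, "ALT": 0x04,
            "GUI": 0x08, "WINDOWS": 0x08, "COMMAND": 0x08}
NAMED_KEY = {"ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "BACKSPACE": 0x2A,
             "TAB": 0x2B, "SPACE": 0x2C, "DELETE": 0x4C, "RIGHT": 0x4F,
             "LEFT": 0x50, "DOWN": 0x51, "UP": 0x52}
KEY_MS = 10  # assumed press+release time per report; real hardware varies


@dataclass(frozen=True)
class Report:
    """One boot-protocol keyboard report: modifier bits and a single key."""
    modifiers: int
    keycode: int

    def to_bytes(self) -> bytes:
        # 8 bytes on the wire: modifiers, reserved, six key slots (we use one).
        return bytes([self.modifiers, 0, self.keycode, 0, 0, 0, 0, 0])


def char_to_report(ch: str) -> Report:
    """Map one printable character to the report that types it (US layout)."""
    if ch in _USAGE:
        return Report(0, _USAGE[ch])
    if ch in _SHIFTED:
        return Report(MODIFIER["SHIFT"], _USAGE[_SHIFTED[ch]])
    raise ValueError(f"no HID mapping for {ch!r}")


def compile_ducky(script: str) -> tuple[list[Report], int]:
    """Return (reports, total_ms) for the REM/DELAY/STRING/key-combo subset."""
    reports: list[Report] = []
    delay_ms = 0
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            delay_ms += int(arg)
        elif cmd == "STRING":
            reports.extend(char_to_report(ch) for ch in arg)
        else:
            # A named key with optional modifiers, e.g. "GUI r", "CTRL ALT DELETE".
            mods, key = 0, 0
            for tok in line.split():
                if tok.upper() in MODIFIER:
                    mods |= MODIFIER[tok.upper()]
                elif tok.upper() in NAMED_KEY:
                    key = NAMED_KEY[tok.upper()]
                elif len(tok) == 1:
                    key = char_to_report(tok.lower()).keycode
                else:
                    raise ValueError(f"unsupported Ducky command: {line!r}")
            reports.append(Report(mods, key))
    return reports, delay_ms + len(reports) * KEY_MS


DEMO_SCRIPT = """\
REM Constructed demo payload: open Notepad on Windows and type a message
DELAY 1000
GUI r
DELAY 500
STRING notepad
ENTER
DELAY 1000
STRING Hack The Planet
ENTER
"""

if __name__ == "__main__":
    reports, total_ms = compile_ducky(DEMO_SCRIPT)
    print(f"{len(reports)} reports, about {total_ms / 1000:.2f} s of keyboard time")
    for r in reports[:3]:
        print(r.to_bytes().hex())
```

The point to take away is that nothing here is exotic: the device never "hacks" anything, it only types, and the DELAY lines (waiting for the Run box and for Notepad to open) are most of the 2.75 seconds the demo payload needs.  Any keyboard-blocking control, such as an allowlist of known keyboards or a prompt before a new keyboard is trusted, cuts this off before the first report lands.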

Bash Bunny

A Bash Bunny is another USB device similar to the Rubber Ducky and the Bad USB.  However, a Bash Bunny can carry multiple payloads on what is really a tiny Linux computer, and it can pose as a keyboard, a USB network adapter, or a storage drive (or several of those at once).  You can download "Bunny Scripts" from an open source payload library (or, of course, write your own).  J.D. used simple scripts in his presentation, launching a website with one and extracting saved WiFi passwords with another.

USB Killer

Perhaps the most visually impressive attack in the carpet bomb, a USB Killer doesn't run any code at all.  It charges itself from the port's own 5 V supply and then dumps a high-voltage pulse back down the data lines, over and over.  If the computer (or any other device with a USB port) has no surge protection on those lines, that fries the USB controller and often the motherboard behind it, leaving the machine essentially brain dead.  For the purposes of his presentation, J.D. plugs this bad boy into a power pack and, with the help of a couple of wires, demonstrates an impressive shower of sparks.  (The funny thing is, though he's done this presentation more than once, he always jumps when the sparks fly.  Even though he knows what's coming.)

WiFi Pineapple

It sounds delicious, but probably not as much fun as you'd think (unless you like digital-flavored fruit).  This little baby is a WiFi auditing tool that impersonates legitimate networks.

For the presentation, J.D.'s pineapple "learned" the names of the WiFi networks he had connected to previously and re-broadcast them as open networks.  It can do that because many phones and laptops send out probes for the networks they remember, and the pineapple simply answers to every one of them.  With a WiFi Pineapple you may think you're connecting to a legitimate network, but you're not.  Within seconds, he could see who had connected to the pineapple and monitor their web traffic.

To protect yourself, don't connect to networks you don't recognize, tell your devices to forget open networks you no longer use, and turn off auto-join for public hotspots, so your devices stop asking for them.  Always encrypt your home network with WPA2 or WPA3, using a passphrase better than "password" or "12345"; make it long enough that outsiders can't crack it on the first try.  Encryption on the WiFi link protects your traffic from anyone sniffing nearby, and for everything else stick to HTTPS sites (or a VPN), so that even on someone else's network, people like J.D. can't read what you're doing.
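There are two tells you can look for in a WiFi scan when a pineapple is around: a network you saved as encrypted suddenly showing up as open, and one radio advertising a whole pile of unrelated network names.  Here is an added example (not from J.D.'s talk and not Hak5's code) that runs both checks and also lists the saved open networks worth forgetting.  The scan results and the saved-profile table are constructed for the example; in real use you would fill them from `iw dev wlan0 scan` or your platform's scan API and from the operating system's saved profiles.

```python
"""Spot Pineapple-style impersonation in a Wi-Fi scan.

Added illustration, not part of the original post and not Hak5 code.  The
scan list and the saved-profile table are constructed for the example; in
practice you would fill them from `iw dev wlan0 scan` (or your platform's
scan API) and from the OS's saved network profiles.  Two checks:
  1. a remembered network we know as WPA2/WPA3 now showing up as OPEN;
  2. one BSSID advertising several different SSIDs (a real AP uses one
     BSSID per SSID; a radio answering for everything does not).
It also lists saved open profiles, which are the ones worth forgetting.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str
    bssid: str
    security: str  # "OPEN", "WEP", "WPA2" or "WPA3"


# Constructed: what this laptop remembers, and how each network was secured.
KNOWN_PROFILES = {"HomeNet": "WPA2", "CoffeeCo": "WPA2", "AirportFree": "OPEN"}

# Constructed scan: the real home AP, the real cafe AP, and one radio
# (00:13:37:aa:bb:01) beaconing every remembered name as an open network.
SCAN = [
    Network("HomeNet", "a4:2b:8c:11:22:33", "WPA2"),
    Network("HomeNet", "00:13:37:aa:bb:01", "OPEN"),
    Network("CoffeeCo", "00:13:37:aa:bb:01", "OPEN"),
    Network("AirportFree", "00:13:37:aa:bb:01", "OPEN"),
    Network("xfinitywifi", "00:13:37:aa:bb:01", "OPEN"),
    Network("CoffeeCo", "f0:9f:c2:44:55:66", "WPA2"),
]

ENCRYPTED = {"WEP", "WPA2", "WPA3"}


def security_downgrades(scan, profiles):
    """(ssid, bssid) pairs where a network we saved as encrypted is seen open."""
    return [(n.ssid, n.bssid) for n in scan
            if profiles.get(n.ssid) in ENCRYPTED and n.security == "OPEN"]


def multi_ssid_radios(scan, min_ssids=2):
    """BSSIDs advertising at least `min_ssids` distinct SSIDs -> {bssid: count}."""
    seen = defaultdict(set)
    for n in scan:
        seen[n.bssid].add(n.ssid)
    return {bssid: len(ssids) for bssid, ssids in seen.items() if len(ssids) >= min_ssids}


def open_profiles(profiles):
    """Saved networks with no encryption: the ones a Pineapple can answer for freely."""
    return sorted(ssid for ssid, sec in profiles.items() if sec == "OPEN")


def assess(scan, profiles):
    """Combine the checks into one report for the current scan."""
    downgrades = security_downgrades(scan, profiles)
    suspect = multi_ssid_radios(scan)
    # Anything beaconed by a suspect radio, or seen downgraded, is not safe to auto-join.
    unsafe = {ssid for ssid, _ in downgrades} | {n.ssid for n in scan if n.bssid in suspect}
    return {
        "downgrades": downgrades,
        "suspect_bssids": suspect,
        "open_profiles": open_profiles(profiles),
        "unsafe_ssids": sorted(unsafe),
    }


if __name__ == "__main__":
    result = assess(SCAN, KNOWN_PROFILES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Note that "AirportFree" never shows up as a downgrade, because it was open to begin with; that is exactly why a saved open network is the easiest one for a pineapple to answer for, and why the script lists it under profiles to forget.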

BarcOwned

We actually saw the guys who researched this concept present on this topic at DEF CON, and it was awesome.

The idea is to craft barcodes that carry malicious payloads, which get typed into a computer through an ordinary barcode scanner (like the one in your grocery store, or a warehouse).  That works because most scanners are "keyboard wedges": to the computer they are just another keyboard, and they type out whatever the barcode decodes to, including special characters that many scanners turn into key presses such as Enter or Ctrl combinations.  J.D. scanned a barcode that had been crafted to open the calculator app on his laptop, but the trick can be used for other purposes.  In the talk at DEF CON, the barcodes launched a reverse shell, which gave a backdoor into the computer connected to the barcode scanner (while, from the user's point of view, it looked like nothing happened).  The attacker sneakily acquired full access to a computer, and no one was the wiser.

A lot of these products are sold by Hak5, and are used during penetration tests to determine just how secure organizations are and where they can improve their security.  However, nothing prevents individuals from owning these tools and playing around with them.

At both presentations, he has a list of disclaimers. Because sometimes, gremlins get into the system.

Of course, if you’re really interested in seeing these tools in action (along with a few more surprises), J.D. also gave this same presentation at BSides Cincinnati.  You can check out his technological witchcraft and wizardry on YouTube.

As always, the Wordsmith does not get paid for any mentions or shout-outs we give in this post. If you like what you read, please subscribe to our e-mail list (we’ll send you an e-mail every time a new post is published). You can also follow us on Facebook and Twitter.