USB Attack Vectors Move Beyond Flash Drives

Wednesday, January 05, 2011

Dan Dieterle


You have all heard about the dangers that USB drives can pose. In 2008, the US Military suspended the use of USB drives after a large worm attack hit military systems.

Iran’s nuclear power plant was hit with Stuxnet, supposedly from a USB drive. And following the recent WikiLeaks disaster, the military is banning all removable devices from systems connected to SIPRNET, the government’s secret network:

Maj. Gen. Richard Webber, commander of Air Force Network Operations, issued the Dec. 3 “Cyber Control Order” — obtained by Danger Room — which directs airmen to “immediately cease use of removable media on all systems, servers, and stand alone machines residing on SIPRNET,” the Defense Department’s secret network. Similar directives have gone out to the military’s other branches.

So no more CDs, DVDs or thumb drives will be allowed near these machines.

Then there is always the threat of malicious hardware. For years the government has been worried about counterfeit electronic hardware, mainly from Chinese manufacturers, that has built-in backdoors.

Earlier this year, millions of dollars' worth of counterfeit Cisco equipment that was to be sold to Marines in Iraq was confiscated:

Ashoor purchased counterfeit Cisco Gigabit Interface Converters (GBICs) from an online vendor in China with the intention of selling them to the U.S. Department of Defense for use by Marine Corps personnel operating in Iraq, the DOJ said. The computer network for which the GBICs were intended is used by the Marine Corps to transmit troop movements, relay intelligence and maintain security for a military base west of Fallujah, Iraq, the DOJ said.

So security experts have been on the lookout for USB drives and even counterfeit routers, but what about an innocent-looking USB keyboard or mouse? How much attention would that garner?

Adrian Crenshaw (Security Specialist and Speaker) has shown from his recent work with the Arduino “Teensy” programmable keystroke device that almost any USB device, including keyboards, mice, and even an innocent desktop toy, could be used as an attack vector.

Adrian (also known as “Irongeek”) created the tool for professional security pen testers, but it has really shown how USB attacks can and will move way beyond “Autorun.inf” infectors.


The Teensy programmable keystroke device is made from PJRC’s Teensy USB Development Board.

The computer does not see the Teensy device as a USB drive or another accessory, but as a human interface device (a keyboard). The Teensy circuit board can be inserted inside a keyboard or mouse and can be set to activate when a certain key is pressed or a certain condition is met.

So, for example, if the “Scroll Lock” or “Caps Lock” key is pressed, the Teensy could send the commands to copy all the data from a certain directory.

The Teensy can also be set to activate via timer or whatever the pentester desires. And antivirus would not detect it as it would seem to be just standard keyboard input.

Also, the inside of the mouse or keyboard leaves ample room for the miniature Teensy and whatever else the pentester may want to use. Inside a standard mouse case, Adrian was able to insert a Teensy device, a USB hub and flash memory.

With this type of setup, he could have the Teensy device issue commands to run a script from the flash drive or even copy data from the system to flash storage. (View Adrian’s video on YouTube)
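From the defender's side, the modified mouse described above is visible at enumeration time: a port that should hold a mouse suddenly exposes a hub, a keyboard and storage. The following is an added example (not from the original post or from Adrian's work) that audits USB enumeration records against a per-port inventory. The port paths, IDs and inventory are constructed, and vendor/product IDs are deliberately ignored because a programmable board can report whatever IDs its firmware declares.

```python
# Added example: audit USB enumeration records for unexpected keyboard interfaces.
# All records, IDs and port paths below are constructed sample data.
from collections import defaultdict

HID, MASS_STORAGE, HUB = 0x03, 0x08, 0x09   # USB-IF base class codes
KEYBOARD, MOUSE = 1, 2                      # HID boot-interface protocol codes

# Hypothetical inventory: what each physical port is expected to hold.
EXPECTED = {"1-1": {(HID, KEYBOARD)}, "1-2": {(HID, MOUSE)}}

# (port path, vendor id, product id, interface class, interface protocol)
SAMPLE_EVENTS = [
    ("1-1",   0x1111, 0x0001, HID, KEYBOARD),       # the desk keyboard
    ("1-2",   0x2222, 0x0010, HUB, 0),              # "mouse" enumerates a hub
    ("1-2.1", 0x3333, 0x0020, HID, MOUSE),
    ("1-2.2", 0x4444, 0x0030, HID, KEYBOARD),       # extra keyboard inside
    ("1-2.3", 0x5555, 0x0040, MASS_STORAGE, 0x50),  # flash memory inside
]

def root_port(path):
    """Map a downstream path such as '1-2.3' to its physical port '1-2'."""
    return path.split(".")[0]

def audit(events, expected=EXPECTED):
    """Return {port: [findings]} for ports exposing more than the inventory allows."""
    seen = defaultdict(set)
    for path, _vid, _pid, cls, proto in events:
        # IDs are not trusted; protocol only matters for HID, so zero it elsewhere.
        seen[root_port(path)].add((cls, proto if cls == HID else 0))
    findings = {}
    for port, functions in seen.items():
        notes = []
        extra = functions - expected.get(port, set())
        if (HID, KEYBOARD) in extra:
            notes.append("unexpected keyboard interface")
        if (MASS_STORAGE, 0) in extra:
            notes.append("unexpected mass storage")
        if (HUB, 0) in extra:
            notes.append("hidden hub")
        if notes:
            findings[port] = notes
    return findings

if __name__ == "__main__":
    for port, notes in audit(SAMPLE_EVENTS).items():
        print(port, "->", ", ".join(notes))
```

A Teensy wired directly to the keyboard's own port would still enumerate as a single expected keyboard, so this check covers the hub-in-a-mouse arrangement, not every implant.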

I believe that with the Teensy programmable keystroke device, we are really looking at a new generation of intelligent malicious hardware that will be limited only by the imagination of the attacker.

Cross-posted from Cyber Arms

shawn merdinger For more info on the counterfeit Cisco gear issue, please see:

"Chisco: Welcome to the Hunan Network"
Dan Dieterle Shawn, thanks for the link, great information!
Keith Howell You can actually do far more than emulate a HID device.

Take a look at the 'LUFA' library at the following URL:
Dan Dieterle Keith, I checked out the LUFA site. Trying to wrap my head around the information there.

If I am reading it right, does it mean that you could create a device that could emulate a joystick, Midi, audio, printer host, etc?
Pete Herzog Thanks for posting this! A few years ago I helped a company lock down Win XP against all such unknowns by whitelisting apps, resources, and what they could do. Now I can see it was still crude and more elegant solutions exist now but it was effective against any outside command via USB, drive, and even wireless keyboard so it no doubt could be done against these hardware hacks as well. Now I do it for family computers so I don't have to worry much about their propensity to download and share via different medium. Unfortunately, we couldn't get it to work on Vista or 7 so the client didn't upgrade and stayed with XP. Once driver support runs out for XP we'll have a problem though. So will others. I'm posting hoping that others see we need good, elegant solutions to whitelist and least-privilege apps, services, processes, and all the ways they can interact and where for Win 7 and beyond.
Dan Dieterle Peter, thanks so much for the info. It would seem that home systems are targeted, so locking them down is a very good idea indeed.

I wholeheartedly agree. There are some very talented white hat programmers in the community. Creating a GUI whitelist/least-privilege security app would be great!
