AusCERT 2017 - You are the universal attack vector
- 30 May, 2017 10:39
Photo by: Rhea Naidoo
That was the premise of Darren Kitchen and Shannon Morse’s opening keynote at this year’s AusCERT conference. Attended by over 700 delegates from nine countries, they held the audience in their thrall as they discussed how the intersection of convenience and trust has enabled threat actors to break into systems and access data.
Morse and Kitchen are the co-hosts of Hak5, which they say is the world’s longest running infosec podcast.
“Everybody loves trust,” said Morse. “And the other thing everybody loves and wants to take advantage of is convenience”.
Morse and Kitchen decided to take advantage of this at the recent RSA Conference held in San Francisco. This is one of the largest security events in the world with over 45,000 attendees and hundreds of vendors. They did a sneaky USB drop, placing 100 of Hak5’s Rubber Ducky USB devices.
The Rubber Ducky is a USB device developed by Kitchen that demonstrates how trust and convenience are the tools of the hacker trade. Although it looks like a normal USB thumb-drive, the Rubber Ducky pretends to be a keyboard when connected to a computer. It emulates the Human Interface Device profile for USB devices. That means is can be programmed to type commands when connected to a computer.
In a video demonstration, Kitchen showed how, in just 15 seconds, it was possible to connect a Rubber Ducky into an unlocked computer in a bank and transfer funds completely undetected.
To the operating system, which is hard coded to automatically trust keyboards, it looks like someone has plugged in a keyboard and is typing. But the Rubber Ducky is executing commands programmed by its owner.
And with USB drives being so convenient, it plays on the user’s desire to use a device that works easily.
Morse walked through the RSA Conference, depositing Rubber Duckys in attendee swag bags, at booths giving away thumb drives and other drops. The stats on how many devices were plugged in were staggering – and remember, this was at a conference filled with infosec professionals.
Of the 100 drives they deposited, there were 162 executions from 62 unique IP addresses. Drives were plugged in from five different countries over a 65-day period. The payload on the devices was not damaging – it simply directed people to a website with some advice on safe USB flash drive use.
When I spoke with Kitchen after the keynote address, he mentioned his revelation of this USB drop, during his AusCERT keynote, was the first the conference organisers knew of the prank.
This lead Morse and Kitchen to what they called the “danger of ubiquity”. As flash drives have fallen in price and become more reliable, they are still an ideal threat vector.
Despite warnings and “best practice” guides that instruct users to encrypt drives, not plug in strange devices and to treat these devices with a low level of trust, they continue to be a major weapon for cyber-criminals.
Of course, machine-to-machine trust isn’t the hacker’s only weapon. Social engineering, where human trust relationships are exploited, is also part of the threat actor’s arsenal.
Kitchen said “We learned this as kids, to manipulate our parents. It’s like a hard-coded human attack”.
It isn’t a question of intelligence added Morse. It’s that we are conditioned to behave in specific ways and it’s possible for those conditioned responses to be used against us.
“It means we need to change the way we think,” added Morse.
One of the challenges is that any of the systems we use, particularly on smartphones and tablets, are locked down and we have been trained to think they know best. And because humans rely on these devices and trust them, they can be manipulated through the trust and convenience we expect from technology today.
“It’s about telling the right lie,” said Kitchen.
Kitchen and Hak5 have not rested on his laurels. Following the success of the Rubber Ducky, he has expanded his product portfolio with the Bash Bunny (https://wiki.bashbunny.com/#!index.md). Unlike the Rubber Ducky, which lies through using the HID interface to a computer, the Bash Bunny can emulate other interfaces such as wireless networks, gigabit Ethernet, serial and flash storage.
In other words, it’s better at lying and exploiting the bridge between trust and convenience.