USBKill turns thumb drives into computer kill switches

original article 

A coder that goes by the online handle “Hephaestos” has shared with the world a Python script that, when put on an USB thumb drive, turns the device in an effective kill switch for the computer in which it’s plugged in.

USBkill, as the programmer dubbed it, “waits for a change on your USB ports, then immediately kills your computer.”

The device would be useful “in case the police comes busting in, or steals your laptop from you when you are at a public library (as with Ross [Ulbricht]),” Hephaestos explained. 

Using a cord to attach the USB key to one’s wrist will assure that the USB is removed instantly with a quick tug upon the arrest of the user or the seizure of the computer. 

Of course, if the user doesn’t use full disk encryption in the first place, the device becomes useless.

Hephaestos says that USBkill is still in the early stages, but that it works, and works well.


Hacking 4G USB modems and SIM Card via SMS


A group of experts managed to uncover USB modem vulnerabilities that allow a potential attacker to gain full control of the connected system.

A team of researchers at Positive Technologies conducted a study on how to compromise USB modems and attack SIM cards via SMS over 4G networks at the PacSec and Chaos Computer Club conferences in Tokyo and Hamburg.

The team consisting of Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov.

The experts discovered that 4G USB modems are affected by vulnerabilities that could be exploited by threat actors to gain full control of the machines to which the devices are connected.

The researchers also demonstrated that exploiting the flaws they were able to access subscriber accounts on carrier portals, simply by sending a binary SMS, they are able to lock SIM cards and sniff and decrypt device traffic.

The researchers analyzed six USB modems running 30 separate firmware and discovered that just 10% of the software tested was resilient to the attacks.

“First, we identified the gear. The documentation and search engines helped us with that. In some cases Google was even more useful: it gave us the password for Telnet access. However, for external communications we need http, not Telnet. Just connect the modem to a computer and manage it as a separate network node with web applications. It gives you the opportunity to launch an attack via a browser (CSRF, XSS, RCE). This way you will force the modem to give out a lot of useful information about itself.” states the blog post published by the researchers.


The team used Google to find publicly available telnet access credentials via Google, but they needed http access in order to sniff communications.

The attack technique was very ingenious, once connected the 4g USB modems to their computers, the researchers were able to run several browser-based attacks, including cross-site request forgery, cross-site scripting and remote code execution attacks. The attacks allowed researchers to retrieve several information like the international mobile subscriber identities, the interface types, firmware versions, the universal integrated circuit cards, international mobile station equipment identities and software versions, device names, WI-Fi statuses and more.


In a more scaring attack scenario the researchers installed a bootkit on the targeted device, to do this they installed a USB keyboard driver, which causes the computer to identify the modem as an input device. At this point using a pseudo keyboard to issue the command the attacker were able to reboot the system from an external disk or the from the modem itself. Then they served and installed a bootkit that allows them to remotely control the device as showed in the following video PoC.

[an error occurred while processing this directive]

The experts highlighted the dangerous impact of the vulnerabilities in 4g USB modem on the industrial sector, for example, in all those processes that are using machine-to-machine (M2M) communications. SCADA and ATM are just a few samples of systems that use the technology.

M2M applications are very common in several critical infrastructure installations, including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.

” It is not only the matter of security for trendy smartphones that we use to read news feed in social networks. Multiple critical infrastructures including industrial control systems (SCADA) also implement digital mobile communication based on the GSM standard. Another example from everyday life is having your money stolen from bank accounts. No one would like to become a victim of that. Yet you might have seen small antenna on ATMs. Yes, it is also GSM.” continues the post.

The researchers also run SIM attacks that was slightly less effective, they succeeded to exploit nearly the 20 percent of the 100 SIM cards they used. The success rate depends on the capability to brute-force the data encryption standard (DES) keys protecting the SIMs.

“To brute-force DES keys, we use a set of field-programmable gate arrays (FPGA), which became trendy for Bitcoin mining a couple of years ago and got cheaper after the hype was over,” states the post. “The speed of our 8 modules *ZTEX 1.15y board with the price tag of 2,000 Euro is 245.760 Mcrypt/sec. It is enough to obtain the key within 3 days.”


To run brute-force attack on partially known 3DES key they spent nearly 10 days, once the DES or 3DES is broken, the experts were able to issue commands to toolkit applications (TAR).

“Then we may easily issue commands to well-known TARs and manage them; e.g. Card Manager allows installing a Java application to the SIM.

Another curious TAR is a file system that stores TMSI (Temporary Mobile Subscriber Identity) and Kc (Ciphering Key). We may perform the following actions via a binary SMS:

decrypt subscriber traffic without using brute force attacks on DES,
spoof a subscriber’s identity (receive his/her calls and SMS),
track a subscriber’s whereabouts, cause DOS by entering 3 wrong PIN codes and 10 wrong PUK codes in a row if PIN code is enabled for file system protection.


Transforming USB sticks into undetectable malicious devices

Original Article


Two researchers Brandon Wilson and Adam Caudill released their attack code to reprogram USB sticks and use them as an undetectable hacking instrument.
Recently, two independent researchers, Brandon Wilson and Adam Caudill, have released the code which can reprogram, benign USB devices turning them in malicious components.

The experts published the code on the Github raising the question related to the real level of security of USB devices, the BadUSB research was approached in detail during the Black Hat conference when security experts demonstrated the risks related to an undetectable menace carried via USB.

Security experts explained that USB devices can be used to compromise personal computers in a potential new type of attacks that could not be detected with all actual security protections.

Karsten Nohl, chief scientist with Berlin’s SR Labs, discovered that bad actors could exploit this new class of attacks loading malicious software low-cost computer chips that control the functions of USB devices.

The researchers from SR Labs, which presented the attack scheme during the Black Hat conference this summer, point a series of flaws in the software used to run a tiny electronic components, these components are usually designed without protections against tampering with their code.

Hackers can uncover such flaws and exploit them creating serious problems to the targeted architecture.

“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl.

Nohl explained that his team has written malicious code and deployed it into USBcontrol chips used in thumb drives and smartphones, at this point it is sufficient that victims connect the USB device to a computer to trigger the execution of malicious software.

Nohl and Lell’s BadUSB demonstrations during Black Hat illustrated how their code could overwrite USB firmware and turn a USB device into anything. A flash drive plugged into a PC, could for example, emulate a keyboard and issue commands that steal data from the machine, spoof a computer’s network interface and redirect traffic by altering DNS settings, or could load malware from a hidden partition on the drive.

Antivirus software are not able to detect malicious firmware that controls USB devices, the code inserted with this method can be used for many purposes, including spy on communications, data tampering and log keystrokes.

But while Karsten Nohl decided to not disclose the attack code, Brandon Wilson and Adam Caudill made public their source code to solicit the IT industry to adopt necessary measures for securing USB firmware from malicious manipulation.

“The security of these devices is completely compromised.” “The security of these devices is completely compromised,” Wilson said. “You can’t trust anything you plug into your computer any longer, not even something as simple as a flash drive.”
“We’re just taking advantage of the USB protocol,” Wilson said. “This drive is a reprogrammable computer that allows you to do all sorts of things. It allows you to be any device, and up until now, most developers had hard-coded them to behave in specific ways. The firmware on a flash drive makes it behave like a flash drive.”

After Black Hat, Wilson said he bought numerous drives and tested them and were able to take advantage of existing tools used to update firmware to get their code to overwrite the firmware on the Phison device. At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC.

“It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”

This kind of attack is very insidious, it is necessary that the device manufacturers will improve the level of security for their devices, avoiding for example the unauthorized firmware overwriting using digitally signed code for the USB device firmware.

“The fact that we were so easily able to change the firmware is an easy fix. The manufacturers could implement code-signing, but they don’t do that at all” Wilson said. “That needs to change. And even if they do add code-signing, you still have the other aspect which is that the computer cannot trust what you’re plugging into it. To truly fix the problem, it has to be fixed on the host.” “When you have a firmware image, you want to protect it in some way. You want a checksum, or something that the drive uses to validate that something is coming across correctly,” Wilson added. “There’s nothing like that. There needs to be something. Code signing is one approach to take for now. But to really shut it down long term, the host needs to be aware that when you plug in a device you don’t trust, it has to be given an option not to trust it. Because once you plug it in, it’s done.”

Resuming, threat actors could exploit USB as an attack vector simply by reprogramming USB peripherals, so it is crucial to implement protection from such malicious reprogramming.


Once reprogrammed, any USB devices could be used for various malicious purposes, including:

emulates a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
spoofs a network card and change the computer’s DNS setting to redirect traffic.
A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
Unfortunately, no effective defenses from USB attacks are possible in this moment, antivirus cannot access the firmware running on USB devices and behavioral detection very hard to implement.

Pierluigi Paganini

(Security Affairs – hacking, USB)

Criminals Control, Cash Out Bank’s ATM Machines

Kelly Jackson Higgins February 13, 2014

New, sophisticated ATM heist used a malware-laden USB stick to hijack the machine — one arrest is made

In what could be a sign of what’s ahead in ATM fraud, a highly sophisticated and well-funded criminal gang targeted an overseas bank and commandeered at least four of its ATM machines with malware-rigged USB sticks in order to empty them of cash.
Tillmann Werner, a researcher for CrowdStrike, says the organized crime group cracked open the ATM machines and plugged in the USB stick containing a DLL exploit payload. The payload reconfigured the ATM system such that the attackers control it and allowed money mules to steal all of the cash stored in those machines. There has been a single arrest so far — a money mule — and the attacks may possibly have incurred millions of dollars in losses. These attacks are expected against other banks as well, he says.

“They crack the ATM open and plug in the USB drive. It’s risky, but nevertheless, it works,” Werner says.
Werner declined to name the victim bank or the brand of ATM machines it runs. The attacks still appear to be under way, he says. “The fact that such a sophisticated group is operating right now is the most important fact. Another thing that’s interesting is banks in Germany potentially have the same issue, although we haven’t seen an attack like that in Germany so far,” Werner says.

The attackers physically took apart the ATM machines and inserted a USB stick with a malicious DLL installer into the printer port, giving them control of the ATM’s Windows XP-based operating system. When a network connection is interrupted to the ATM, it automatically reboots, doing so from the malicious USB. The installer program collects information from the ATM system and also contains a log file for the attackers.
“It’s a DLL injection file attack into the running process [of the ATM], and then you have code running in that process, and they can do what they want,” Werner says.

One member of the gang in the heist was caught when he went to one of the ATMs to cash out. The cash-out works like this: An attacker types in a 12-digit code that then displays the malicious menu on the ATM screen. He answers a challenge question, and then calls one of his accomplices for a response code, which he inputs to dispense the cash from the ATM. The entire transaction of emptying the ATM takes a few short minutes.
Unlike the ATM Ploutus malware that was discovered last year that targeted bank customers during their ATM transactions, this attack goes after the bank’s cash in the ATMs. “It’s not related to Ploutus,” he says, which is “child’s play” compared with this new, more advanced method that steals from the bank itself.

“Attacks against ATMs mostly have been skimming attacks,” he says. “With this attack, you can empty a whole ATM and make a lot of money … It definitely takes a mafia-like organization to pull off such an attack.”
The victim bank discovered the heist when its ATMs prematurely went empty of cash. “It doesn’t leave any [other] traces,” Werner says. The only clue is that the balance in the machine declines — the theft transaction isn’t detected.

There are ways to prevent such an attack, but with ATMs not built with software security in mind, it’s tough to defend against it today. “You have to secure the PC, but that’s easier said than done,” Werner says. The best bet is to add a boot password to the system, which would prevent this attack, or to encrypt the ATM’s hard drive.
The attack could work on banks in the U.S. as well, he says. The attackers have different versions of the malware for different banks, he says. “It has nothing to do with the banking system. They’re going after the machine that spits out the money,” he says. “Maybe they’re not attacking U.S. ATMs because they use less cash in their ATMs.”