The Evolution of Evil: Changes in the Use of USB Devices as Delivery Mechanisms for Malicious Code

Date: Oct 7, 2010. By Brad Bowers.
The use of USB devices as a delivery mechanism for malicious code has grown significantly over the years, and a new evolution of USB attacks is now emerging. Microcontrollers and carefully crafted code are replacing simple USB flash drives. USB microcontrollers are small, capable of circumventing most malware detection software, and can deliver devastating payloads. Brad Bowers takes a closer look at this new attack vector and reveals some of the challenges IT security professionals face as the use of microcontrollers as an attack platform matures.

There is little doubt that the number and complexity of client-side attacks have steadily increased over the last few years. We have seen the rise of truly imaginative attacks blending sophisticated exploits with social engineering and creative methods of deployment.

Arguably one of the most progressive attack platforms has been the use of USB media devices and drives as a launching point for attacks. While the use of USB drives as a medium for delivering malicious code is nothing new, we now see the emergence of a new spin to this tried-and-tested method.

In the Beginning: Attacks were Without Form

USB drives have become ubiquitous with daily computer use. They have become so inexpensive and commonplace that they are commonly handed out by vendors or included "free" as enticement when purchasing products.

As the use of USB drives became more common, so has their role in the transmission of malicious code.

Originally the attack was simply to put infected files on a USB storage device and hope that an unwary user would click one to initiate the malicious code.

This type of attack quickly morphed into more sophisticated methods as drive enhancements came out with embedded firmware to emulate CD-ROM drives.

While several types of these drives exist, the most widely known is the U3 drive. U3 drives have a small portion of the drive as firmware that emulates an ISO 9660 CD-ROM drive. The business purpose for this functionality was to take advantage of the Microsoft Windows Autorun functionality that automatically executed commands stored in the autorun.inf file typically found on the root directory of CD-ROMs.

Patterns Begin to Form

Attackers quickly discovered that they could use the Autorun functionality to their advantage, and an assortment of custom firmware and attack strategies were developed for certain USB drives. These types of modified drives, which are commonly known as "USB switchblades" or "USB Hacksaws," are easily made.

Because Microsoft operating systems prior to Vista and XP Service Pack 3 would automatically execute commands in the autorun.inf file, an attacker could potentially compromise a system simply by having the USB drive inserted into a target system. Attackers could use social engineering or surreptitious physical access to get the USB drive into a target machine.

This type of attack has enjoyed several years of success and is still a viable method today. Many different variations and methods of this attack are possible and have been widely documented. As the severity and potential impact from this type of attack became more widely known, security vendors started making tools that would detect USB hacksaw attacks. While this attack can still slip under some security monitoring tools, most modern versions of the Microsoft operating system have been patched against this type of attack and there is significant awareness of it.

Evil Has a New Face

A new evolution to the USB attack arsenal is emerging. While the USB Hacksaw attacks are easily detected by most antivirus software and primarily work only against systems running the Windows operating system, the new evolution is cross-platform and significantly more difficult to detect. Enter the "Teensy"!

So what is a Teensy? The Teensy is a small USB microcontroller development board based on the wildly popular Arduino family. These microcontrollers are small, measuring approximately ¾" wide by 1-¼" long and less than ¼" thick. The devices are easily programmed in a derivative language of C++, cost less than $20, and can easily be connected to computers via USB ports. What makes microcontrollers such as the Teensy so effective as a platform for delivering malicious code isn't just their small size and low cost; it's also the ease with which custom attacks can be developed and their capability to work on virtually all operating systems and platforms.

Many attacks are possible with the Teensy, but one specific method stands out and has gotten the attention of a growing number of security researchers. Adrian Crenshaw, an IT security expert known as "IronGeek" in the IT Security community, has created a custom code library for the Teensy device that enables it to replicate the functionality of a typical Human Interface Device (HID) such as a keyboard or mouse. Adrian calls these the "PhukD" libraries and makes them available free on his site. Adrian developed these libraries to help draw attention to the potential and risks associated with connecting microcontrollers to a computer posing as a legitimate USB device.

The use of a Teensy microcontroller to emulate a HID device may seem benign on the surface until you consider it from an attacker's point of view.

The Teensy device gives an attacker a number of advantages over normal USB drives:

  • No user intervention is required. A maliciously programmed Teensy does not require any form of user intervention once it is plugged in to a target system. While most USB attacks rely on autorun.inf being executed or the user being duped into executing a malicious program, the Teensy has no such limitations. Once connected to a system, the Teensy will run its code instantly or wait until a certain condition is met.
  • It is multi-platform. Because the Teensy can be configured to emulate a keyboard and does not require the installation of special software to function, it is operating-system-independent and easily adapted to work on Macintosh, Linux, and most other operating systems with the same degree of effectiveness. The Teensy can be configured to look for characteristics of the system it is plugged into, such as the Apple key on a Mac or pressing Ctrl+Alt+Del on a Windows machine, and adapt accordingly.
  • There are several components to the Teensy attack that make it difficult to detect. First off, when a Teensy device is connected to a system, the computer simply sees it as a keyboard. Because most systems will allow one or multiple keyboards to be connected, the actions and commands run from the Teensy are simply interpreted as the user typing commands. As such, the commands are executed with the same privileges as the logged-on user. This also makes attacks from a Teensy device difficult to detect from a forensic or repudiation standpoint.
  • Because file access, executed commands, and all activity are running under the permissions of the logged-in user, it is difficult for a reviewer of the system to conclude anything other than that the inappropriate activity was performed by the logged-in user. Even a forensic analysis of the system would point back to the logged-in user as the culprit of any illicit activity. As an example, let's say that a Teensy device is temporarily connected to Mr. Bob's workstation and is configured to craft emails to an external Gmail account and attach sensitive spreadsheet documents. The emails, file access, activity, and logs would all indicate that the actions were performed by Mr. Bob. A forensic review of the box would also conclude the activity was Mr. Bob's unless the analyst knew to look for a Teensy or similar HID type of attack.
  • Another element that makes a Teensy device attack difficult to detect is the fact that it doesn't fit the mold that most antivirus and malware detection software follow to detect malicious code. The Teensy does not typically store any executable code; instead it relies on sophisticated collections of command lines to perform the intended actions. Because the Teensy is not registered as a drive when connected to a USB port, antivirus software does not attempt to perform a scan of it or its code.
  • It is highly customizable. The Teensy can be configured to target a wide range of systems and users, or be customized for a specific purpose. When a Teensy device is used in conjunction with other forms of penetration techniques, there is a virtually unlimited number of uses it can be put to.

Redemption: Saved from Evil

So with all the new security headaches that the Teensy and similar devices will bring to security professionals and the organizations they protect, there is still light at the end of the tunnel. There are some proactive mitigation steps that can be taken to limit the impact from this form of attack.

The Teensy's inherent capability to skirt under the radar of most antivirus and detection software is also its greatest weakness. The Teensy typically does not contain any storage on the device that is system accessible, nor does it register as a drive. While this makes it difficult to detect, it also makes it dependent on the logged-in user having access rights to execute the files the Teensy microcontroller needs to run.

Currently, the Teensy requires files such as cmd.exe and iexplore.exe to be on the system and executable. In a corporate environment, the use of GPOs can be an effective method for limiting access to these files and assist in mitigating the risks from a Teensy-based attack.

Another mitigating control is to lock down or disable the USB ports to only known good devices. While this is relatively easy, there are some caveats that need to be considered. Many applications and Windows registry hacks enable system administrators to disable the "UsbStor" registry settings under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\". This prevents USB storage devices from functioning when connected to the system, but does not protect against a Teensy microcontroller attack, because the Teensy presents itself as a keyboard rather than a storage device. The proper way to mitigate the risk is to enumerate the specific devices needed by the system in a "whitelist" policy and use the list to create a custom GPO allowing only those whitelisted devices.

While this can become an administrative burden in a larger organization, it is a fairly effective method for limiting the exposure to these types of attack. An excellent write-up on how to configure custom GPOs to mitigate Teensy types of attacks can be found on Adrian Crenshaw's IronGeek website.
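The following PowerShell audit script is an added example, not code from the article or from the IronGeek write-up. It checks the two controls discussed above on a Windows workstation: whether the USBSTOR driver has been disabled (which stops flash drives but not a keyboard-class device), whether a default-deny device installation policy with a whitelist is in place, and which keyboard-class devices are currently present and not on that whitelist. It assumes a Windows version with the PnpDevice module (Windows 8 / Server 2012 or later) and is run from an elevated prompt; the registry value and key names are the standard Device Installation Restrictions policy names.

```powershell
# Added audit example (not part of the original article). Run elevated.
$usbStor  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$restrict = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# 1. USBSTOR Start=4 disables the USB mass-storage driver. That blocks flash
#    drives, but a HID-only device like the Teensy never loads this driver.
$start = (Get-ItemProperty -Path $usbStor -Name Start -ErrorAction SilentlyContinue).Start
if ($start -eq 4) {
    "USB storage driver disabled (Start=4): flash drives blocked, keyboard-class devices are NOT"
} else {
    "USB storage driver enabled (Start=$start)"
}

# 2. Device Installation Restrictions: DenyUnspecified=1 plus an AllowDeviceIDs
#    list is the 'default deny, whitelist known-good devices' GPO approach.
$deny = (Get-ItemProperty -Path $restrict -Name DenyUnspecified -ErrorAction SilentlyContinue).DenyUnspecified
$allowed = @()
if (Test-Path "$restrict\AllowDeviceIDs") {
    # Whitelist entries are stored as values named 1, 2, 3, ... holding hardware IDs
    $allowed = @((Get-ItemProperty "$restrict\AllowDeviceIDs").PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}
if ($deny -eq 1) {
    "Device installation default-deny is ON; $($allowed.Count) whitelisted hardware IDs"
} else {
    "No default-deny policy: any new keyboard-class device will install and work"
}

# 3. Enumerate keyboard-class devices that are currently present and flag any
#    whose hardware IDs are not whitelisted. A second keyboard on a desktop is
#    itself worth a look, since a HID attack device shows up exactly this way.
$keyboards = @(Get-PnpDevice -Class Keyboard -Status OK)
foreach ($k in $keyboards) {
    $hwids = @((Get-PnpDeviceProperty -InstanceId $k.InstanceId `
                -KeyName 'DEVPKEY_Device_HardwareIds').Data)
    $ok = $false
    foreach ($h in $hwids) { if ($allowed -contains $h) { $ok = $true } }
    $flag = if ($ok) { 'whitelisted' } else { 'NOT whitelisted' }
    "{0,-16} {1}  [{2}]" -f $flag, $k.FriendlyName, ($hwids -join ', ')
}
if ($keyboards.Count -gt 1) {
    "Warning: $($keyboards.Count) keyboard-class devices present on this system"
}
```

The whitelist comparison is an exact hardware-ID match; if the policy uses compatible IDs or class GUIDs instead, extend the check to `DEVPKEY_Device_CompatibleIds` and the `AllowDeviceClasses` key.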

What the Future Holds: Purgatory??

So what does the future hold? The use of microcontrollers and devices like the Teensy represents the next evolution in the race between IT security and the tools that attempt to circumvent it. It seems clear that the use of microcontrollers such as the Teensy as attack platforms is just in its infancy, and we will see significant growth and changes in this area in the coming years.

I read once that "In order to defend against a threat, we must first understand it." This next evolution of USB-based attacks will challenge IT security professionals to better understand the inner workings of USB attacks and develop crafty solutions for mitigating the threats.