Interesting security stuff: Why Adam Savage Won't Trust USB Keys
Yesterday I found and watched the YouTube video Why Adam Savage Won't Trust USB Keys and thought it was fascinating. Remembering some
microcontroller stuff I once tinkered with, I thought I might try to mimic the USB stick behavior with a microcontroller I had lying about. And lo and behold, I got it working:
plugging it in starts a PowerShell session in Admin mode and executes a script, and it didn't take me long to do so.
I knew about HID and that a microcontroller could mimic a HID device, so I searched for that and found that CircuitPython would be the easiest way,
because it has a HID library. So I downloaded the latest CircuitPython .uf2 image for the microcontroller and the HID library from the library bundle.
I only copied the adafruit_hid library onto the microcontroller. I used Thonny as IDE.
I looked at some samples and in the end I came up with the following sample script as code.py:
import time
import usb_hid
from adafruit_hid.keyboard import Keyboard
from adafruit_hid.keycode import Keycode
from adafruit_hid.keyboard_layout_us import KeyboardLayoutUS
kbd = Keyboard(usb_hid.devices)  # the board presents itself to the host as a USB keyboard
layout = KeyboardLayoutUS(kbd)   # translates strings into US-layout key presses
time.sleep(2.0)  # give Windows time to enumerate the device before typing
kbd.send(Keycode.WINDOWS, Keycode.R)  # open the Run dialog
time.sleep(0.1)
layout.write('powershell -command "Start-Process PowerShell -Verb RunAs" \n')  # request an elevated PowerShell
time.sleep(1.5)
kbd.send(Keycode.LEFT_ARROW)  # select the allow button on the UAC popup (harmless if no popup appears)
time.sleep(0.1)
kbd.send(Keycode.ENTER)
time.sleep(1.5)
layout.write('Write-Host "You have been hacked" \n')  # the proof-of-concept payload
time.sleep(0.5)
I did do some more PowerShell scripting at first, like the zipping of files they showed in the demo. But just as in the demo, I also got some red PowerShell errors in my script. I noticed
that when I watched the video, which was funny to see, but I guess you need to know PowerShell to notice it.
To have more access, I added starting PowerShell in admin mode, but then I got a popup asking
whether I would allow changes to my system. With keys I could allow this by selecting the allow button with the left arrow and then pressing Enter, so I added that to the script. Also, if you don't
get a popup, left arrow and Enter actions in a PowerShell window will not interfere with what follows, and that is important.
I added some sleep time between actions to smooth the operation. I also got strange behavior when I tested without having Thonny open, when starting clean. I figured out that this was because CircuitPython
by default exposes its file system as a USB drive; Windows then shows a popup about this, which removes the focus from the PowerShell window. This also happened because I hadn't
added the initial sleep action to the script yet. To solve this I added a boot.py file with the following instruction:
import storage
storage.disable_usb_drive()
I chose to only add a Write-Host script in the end, as it is only a proof of concept. But it is clear that such a method could potentially do any action a user can do on their computer.
There are limitations however (assuming no vulnerabilities can be used): key strokes are typed into the active window that has focus, so removing focus from the window intended to be written to will
mess things up. Everything must go as expected or there could be failure. Also there is no feedback, only one-way traffic of key strokes; you could think of using wifi or bluetooth to control when and what actions are typed (or mouse actions),
but the attacker must then be able to see the screen. So I guess this method is quite error prone, but it can still be a viable way in. I really think it is a great way of selling security,
as it is impressive to see this in action.
So what about some mitigation? I didn't like that the script could open an admin PowerShell, so I found that there is a setting for that. This is in the
User Account Control settings.
I hadn't disabled it, being my own admin, but the current level isn't enough to stop this kind of attack. You need a security policy so that even an admin needs to "Prompt for credentials". So
I set the registry setting ConsentPromptBehaviorAdmin to 1 and now the admin mode attack is stopped. But this setting is for my situation; your situation could be different, and an attack can still focus on the non-admin PowerShell,
as that has a better chance of not getting unexpected popup behavior. The following could be used to set this in the registry, although there are multiple ways of making these settings. But I must say, it is a pretty annoying popup,
more so than the previous consent popup.
# Get the current value
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name ConsentPromptBehaviorAdmin
# Set the value (be sure to check the official documentation, don't just execute these kind of set commands ;-)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name ConsentPromptBehaviorAdmin -Value 1
To stop Windows key + R there are possibilities to disable all shortcuts or specific ones using policies. I added some PowerShell commands below and this worked fine for me (after reboot): no more
Windows key + R, but Run is still available as a right click on the Windows menu icon in the task bar. No guarantee that this makes it fully secure, as such a rogue device might find other ways
to do things; remember the device can type and move the mouse as the user can, this is just blocking the easy way in.
# Get the current value if it exists
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name DisabledHotkeys
# If there is a current value, add R to this value and use that instead of R in the underlying command. Again, don't just execute these kind of set commands ;-)
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" -Name DisabledHotkeys -Value R
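To make the two mitigations above repeatable, here is an added audit-and-harden script (my own example, not part of the original post). It reads the current ConsentPromptBehaviorAdmin level and the DisabledHotkeys string, and only when run with -Apply sets the UAC level to 1 and merges R into any letters that are already disabled, instead of overwriting them. The table of UAC level meanings is Microsoft's documented one; the function names are my own.

```powershell
# Added example: audit the two registry mitigations discussed in the post.
# Run in an elevated PowerShell; nothing is changed unless -Apply is given.
param([switch]$Apply)

$uacPath    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$hotkeyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Documented meanings of ConsentPromptBehaviorAdmin (UAC admin approval mode).
$uacMeaning = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}

function Get-UacAdminBehavior {
    $v = (Get-ItemProperty -Path $uacPath -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue).ConsentPromptBehaviorAdmin
    if ($null -eq $v) { $v = 5 }   # an absent value means the default behaviour
    [pscustomobject]@{
        Value                = [int]$v
        Meaning              = $uacMeaning[[int]$v]
        PromptsForCredential = ([int]$v -in 1, 3)   # a typed left-arrow + Enter cannot satisfy these
    }
}

function Get-DisabledHotkeys {
    # DisabledHotkeys is a string of letters; each letter disables Win+<letter>. Missing value = none disabled.
    $v = (Get-ItemProperty -Path $hotkeyPath -Name DisabledHotkeys -ErrorAction SilentlyContinue).DisabledHotkeys
    if ($null -eq $v) { '' } else { [string]$v }
}

function Add-DisabledHotkey([string]$Letter) {
    # Merge with the existing letters, as the comment in the post warns, rather than overwrite them.
    $current = (Get-DisabledHotkeys).ToUpper()
    if ($current.Contains($Letter.ToUpper())) { return $current }
    $merged = $current + $Letter.ToUpper()
    Set-ItemProperty -Path $hotkeyPath -Name DisabledHotkeys -Value $merged
    return $merged
}

$uac = Get-UacAdminBehavior
Write-Host ("ConsentPromptBehaviorAdmin = {0} ({1}); prompts for credentials: {2}" -f $uac.Value, $uac.Meaning, $uac.PromptsForCredential)
Write-Host ("DisabledHotkeys = '{0}'; Win+R disabled: {1}" -f (Get-DisabledHotkeys), (Get-DisabledHotkeys).ToUpper().Contains('R'))

if ($Apply) {
    Set-ItemProperty -Path $uacPath -Name ConsentPromptBehaviorAdmin -Value 1
    $null = Add-DisabledHotkey 'R'
    Write-Host 'Applied. The hotkey change takes effect after sign-out or reboot, as noted above.'
}
```

Run it once without -Apply to see where a machine stands, and again with -Apply to set both values; Get-DisabledHotkeys afterwards shows the merged letter string so you can confirm nothing that was already disabled got dropped.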
Have fun playing around with this... and I hope you learned something, I know I did.
Just a side note: from the comments on the YouTube video I found that the device used is called USB Rubber Ducky, so search for that if you want to find out more.
I guess the usage of such a stick can be quite different from what is shown in the video, as a hacker can also use their own scripts with such a tool, and they can run these even if USB storage is blocked.
So remember that I only focused on the usage behavior they showed in the video. Also the Rubber Ducky seems to be much faster at typing than this Python library.
And another side note: if you think this is scary, what about a rogue AI agent that can type, does get feedback and can change behavior accordingly?