Computers of all major brands blindly trust the devices connected to the USB ports.
If a device announce itself as a keyboard or a USB mouse, the computer believes him and accepts all commands.
This simple trick is used used by the researcher Samy Kankar, that send the keystrokes and mouse clicks to install a backdoor.
The demo is realized on a Mac, but the method can be modified to run on Windows and Linux systems:
Specifically, when you normally plug in a mouse or keyboard into a machine, no authorization is required to begin using them. The devices can simply begin typing and clicking. We exploit this fact by sending arbitrary keystrokes meant to launch specific applications (via Spotlight/Alfred/Quicksilver), permanently evade a local firewall (Little Snitch), install a reverse shell in crontab, and even modify DNS settings without any additional permissions. While this example is on OS X, it is easily extendable to Windows and *nix.
How to protect yourself?
As for the USBdriveby hack, you can actually pretty easily protect yourself just by locking your computer, but it’s not so much USBdriveby that’s scary as it is all the other things out there that are like it but better. Hacks designed by thieves and cybercriminals that don’t share their plans in YouTube or wear microcontrollers around their necks (cool hack but that’s nerdy as shit, bro). It’s a scary world out there, so just be careful where you leave that laptop and what you plug into it.
Never leave your computer alone! ;-)
- OpenSSL Security Advisory, 3rd May 2016: Patch, Patch ASAP!
- Tor in a company network: how to detect and block it?
- Mazar BOT campaign in Denmark and Italy
- BadLock: let's take stock of situation!
- The Panama Papers Leak – What You Need To Know
- Frederike Kaltheuner @ #IJF16: understanding predictive privacy harms