Categories: HackingSecurity

29C3 Chaos Communication Congress.What do USB memory sticks say?

The Chaos Communication Congress is an annual meeting of international hackers organized by the Chaos Computer Club (CCC), one of the world’s biggest hackers organizations.

The CCC group, that describes itself as

“a galactic community of life forms, independent of age, sex, race or societal orientation, which strives across borders for freedom of information….”,

is known for its effort in the fight for transparency in government operate, freedom of information, and the human right to communication, recognizing a free access to computers and technological infrastructure all over the world.

The congress is always an interesting event, the occasion to meet in person the most eclectic and talented hackers that discuss on technical and political issues.

After this brief introduction, let’s dive into the fray, during this year edition of the congress 29C3, the 29th, the hacker Travis Goodspeed has demonstrated how much powerful could be USB memory sticks, wrongly considered passive devices harmless and dangerous only as a vehicle of infection for malware. Travis is a well know hacker, at last Black Hat information security conference in Las Vegas he won one of the Pwnie Awards, the equivalent of the Oscars for security sector.

Many experts consider these devices simple storage media and are convinced to know everything on their real capabilities, but Travis Goodspeed has demonstrated the contrary.

The hacker explained that USB devices represent an open door in our systems and if opportunely managed they could allow a huge quantity of applications to access to the principal functions of any device, for example it is possible to access to file stored in the host drives while the USB stick is connected.

“We think of USB memory sticks as block devices, but in reality they are computers that use a network to talk to a host”, “These devices can send any data they want.” Goodspeed said.

Goodspeed has designed a development board dubbed Facedancer11 that can be used to emulate any USB device, the author provided the following description:

“The Facedancer11 is the fifteenth hardware revision of the GoodFET, owing its heritage to the GoodFET41 and Facedancer10. Unlike the general-purpose GoodFET boards, the only purpose of this board is to allow USB devices to be written in host-side Python, so that one workstation can fuzz-test the USB device drivers of another host. The board is functionally identical to the Facedancer10, correcting only minor errata.”

An USB memory stick can be used for fingerprinting purpose discovering the category of device is connected and exploiting related vulnerabilities, the researcher reminds that various OSs access with different mode to the USB memory stick’s MBR. An USB memory sticks can be instructed to analyze this way to access to the MBR providing information on OS version to the attacker.

“When the MBR is read nine times [typical behavior for Windows OSs], it’s probably not my laptop”, said Goodspeed.

The board is a precious tool to examine a computer’s communications on USB, an attacker can then build USB devices that target specific vulnerabilities in the host computer.

With the necessary programming, a USB memory stick can, therefore, return different content to a Windows PC than it does to a Linux computer. A further evolution is to program the USB to return different content depending on the OS of host machine, a possibility very useful in hacking context. Let’s image to an USB device that is able to recognize our machine in a meeting and when is passed to another individual’s pc it could retrieve a malware that exploit a zero day vulnerability … cool!

Goodspeed also added that it is able to understand “user’s intention” during the USB connection, the hacker explained that when detecting a USB memory stick, Windows OSs write the access date to the storage device by default. If the PC doesn’t write the access date, it is possible that user’s is trying to duplicate USB memory for forensics purposes, in this cases in fact it’s crucial to leave unmodified the devices storage.

In this specific case, according Goodspeed, it is possible to program an USB memory stick in such a way that it will self-destruct when someone tries to copy it for forensic purposes.

“As long as a forensics expert doesn’t know that he’s dealing with a special USB memory stick, you’ve won”

I’ve found very interesting the observation of the hackers, every object that surround us has infinite potentiality that could be explored and that could be used to discover or to adapt their behaviours in various circumstances.
That’s why I always remind the importance of hacker‘s role in today private business and cyber warfare contexts.

Pierluigi Paganini

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

New Atrium Health data breach impacts 585,000 individuals

Atrium Health disclosed a data breach affecting 585,000 individuals to the HHS, potentially linked to…

2 hours ago

U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog.…

11 hours ago

Hundred of CISCO switches impacted by bootloader flaw

A bootloader vulnerability in Cisco NX-OS affects 100+ switches, allowing attackers to bypass image signature…

22 hours ago

Burnout in SOCs: How AI Can Help Analysts Focus on High-Value Tasks<gwmw style="display:none;"></gwmw>

SOC analysts, vital to cybersecurity, face burnout due to exhausting workloads, risking their well-being and…

1 day ago

Operation Destabilise dismantled Russian money laundering networks

Operation Destabilise: The U.K. National Crime Agency disrupted Russian money laundering networks tied to organized…

1 day ago

Russia-linked APT Secret Blizzard spotted using infrastructure of other threat actors

Russia-linked APT group Secret Blizzard has used the tools and infrastructure of at least 6…

2 days ago

This website uses cookies.