#BHUSA2016 – Researcher explained how to hack any PC with a found USB drive

Pierluigi Paganini August 04, 2016

At Black Hat USA, the security researcher Elie Bursztein demonstrated the dangers of found USB drive and how to create a realistic one.

Giving a look at the titles of the presentations in the agenda of the Black Hat USA Conference 2016 I noticed an interesting topic proofed by the security expert Elie Bursztein, the dangers related to a found USB drive.

We all know that a found USB drive in a parking work could be a privileged vector of serious threats for any user, but the number of victims is still high due to the lack of awareness.

I reached Elie Bursztein, who gave me a preview of his interesting study on the subject. The expert  dropped 297 USB drives on the University of Illinois Urbana-Champaign campus in six different locations, the devices are able to take over the PC of the unaware user that will find the key.

“Despite the dangers of hackers, viruses and other bad things, almost half of those who found one of our flash drives plugged it into a computer,” explained Bursztein.

Bursztein demonstrated that a smart attacker can camouflage a malicious USB drive outfitted with a Teensy development board that could be used to hack a target’s computer in a few seconds.

48 percent of USB drives were picked up by passers and plugged into a computer, and the unaware users also tried to open the file within.

Bursztein used an HTML file (a document titled “final exam” or “spring break pictures,”) with phone-home capabilities, but he did not use remote access tools or any other spyware.

Double-clicking the HTML file users were connected to an email survey.

68 percent of survey recipients explained that they have opened the document to find the owner of the USB drive and return the device, meanwhile 18 percent confessed to have opened the content due to their curiosity.

Bursztein illustrated the dangers of the attacks leveraging of USB drives, he explained how to create a malicious device to use in such kind of attacks

At the Black Hat he demonstrated how to create a malicious USB drive with HID (human interface device) that would allow an attacker to control his PC or Mac.

The overall cost of the malicious USB drive is $40, its main components are a Teensy 3.2 board and a USB connector. The malicious code used by the researcher is a reverse TCP shell that connects back to a server chosen by the attacker.

What are malicious USB keys and how to create a realistic one?

“HID spoofing keys use specialized hardware to fool a computer into believing that the USB key is a keyboard. This fake keyboard injects keystrokes as soon as the device is plugged into the computer. The keystrokes are a set of commands that compromise the victim’s computer.

As we will see later in the post (spoiler alert!), with a bit of work and ingenuity, we will create a HID device that spawns a reverse TCP shell that will give us full remote control over the victim’s computer.” wrote Bursztein.

“0-day: Those rumored keys are likely to use custom hardware that exploits a vulnerability in a USB driver to get direct control of a computer as soon as it is plugged in. AFAIK, none of those have been publicly discussed.”

FOUND USB drive

The USB drive used by the researcher was able to work even when the victim’s PC is not connected to the Internet and makes use of a scripting language to avoid detection.

“Similarly, the payload needs to account for the fact that the victim’s computer might not be connected to the Internet when the key is plugged in. This forces us to not rely on downloading anything and ensuring our payload retries to connect periodically. Finally, we don’t know what AV or firewall the computer is running, which makes relying on a scripting language to establish the outbound connection our best option to avoid detection” added Bursztein. 

The attack chain is composed of the following steps:

  • The key is recognized by the target OS and the USB driver loaded.
  • The payload performs an OS fingerprinting to determine the target platform and execute the proper commands.
  • The reverse shell is executed on the target machine.

Bursztein highlighted that the biggest problem when creating this kind of USB drive is to fit the necessary code on the Teensy device.

Bursztein confirmed that his study is a working progress work, in the future versions, he will add a GSM/Wifi module and fake storage space to improve exfiltration capabilities. 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – found USB stick, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment