AirGap Hacking - Malware infiltration via USB HID driver and data exfiltration via near ultrasound

This is my favourite piece of work that I published and presented at a conference a few years ago. Here is the original demo video from my YouTube channel -

https://www.youtube.com/watch?v=a0kpUNOfoQM&t=5s (with subtitles, no audio)

Or you may watch my interview with an online media outlet, in which I briefly explained how it works -

https://www.youtube.com/watch?v=pZwwuHwmyhM&feature=youtu.be

In this demonstration, the computer on the left is the victim's machine with no network connectivity; here we refer to it as an air-gapped computer. Moreover, USB storage is disabled and our best friend, antivirus, is enabled on this locked-down machine. It is a common setup in certain environments, such as OT networks and highly secure financial trading systems, built on the assumption that the isolated machine cannot be hacked. However, there have been high-profile malware attacks on such environments, including utility plants and closed financial networks. In real-life scenarios the targeted machine may not even be securely locked down. Our objective is to steal data from this computer over an air-gap covert channel. The computer on the right is attacker-controlled: it can be the attacker's own machine, any computer infected with malware, or any device built for this purpose, such as a fake sensor or a spy gadget.

To plant our malware onto the victim's machine, we use a USB development board and program it as a USB keyboard. Teensy is one of the inexpensive options that can be used. I have tried out Teensy 2.0 and 3.2 and find that v3.2 is much easier, owing to the fact that v2.0 has very limited RAM, which poses a serious challenge even for a light payload: even if you manage to fit the payload into the flash, it is still tricky to "steal" space from the flash memory to load your payload piece by piece into the RAM (I have another video showing how to do so). Teensy also provides an Arduino plugin to ease programming and development work, which is much more user friendly than using a Makefile. Newer versions are released continuously and you may add external storage; just check out the official website.

Once the device is plugged in, it opens a command-line window and types out a PowerShell payload containing the hexadecimal representation (Base64 encoding may be used instead to reduce the size) of a zip file that holds our malware. Because the board talks to the host through the USB HID (keyboard) driver, it is not blocked by a USB storage blocking policy. Note that you may need to break the payload up into multiple pieces and join the strings back together as a workaround, just as I did in the video, if you find that your string is too long to be typed out. The PowerShell script is then executed to create the binary file, extract its content, and execute the malware.

The malicious code I created is a keylogger, which modulates the captured data onto a near-ultrasound wave and broadcasts it using the built-in computer speaker. A computer or device nearby can then pick up the sound wave using a standard microphone and demodulate it back into digital data. I have tested on multiple computers and devices with built-in speakers and microphones, and found that most commodity hardware is capable of producing and capturing very high frequencies. To find a lower frequency that is still inaudible to most people, I started from 20 kHz and worked back down to the lower frequency that I used in the video; even at that lower frequency, most people would not suspect a problem, given the low awareness of this kind of attack. However, this kind of attack has limitations, including limited transmission range and a high error rate, and robust error-correcting codes may significantly increase the size of the payload.
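As an added example (not code from the original post or the author's tools), here is a defender-side monitor that flags audio frames whose energy is concentrated above 17 kHz, the band the post says most people cannot hear. The 44.1 kHz sample rate, the 17 kHz band edge and the 5 % alert threshold are assumptions, and the input is a constructed two-tone signal standing in for a real microphone capture.

```python
import math

SAMPLE_RATE = 44_100         # Hz; common sound-card default (assumed)
FRAME = 2_205                # 50 ms window at 44.1 kHz -> 20 Hz bin spacing
NEAR_ULTRASOUND_HZ = 17_000  # assumed lower edge of the band most adults cannot hear
ALERT_FRACTION = 0.05        # assumed: >5 % of a frame's energy above 17 kHz is suspicious


def goertzel_power(samples, k):
    """|X[k]|^2 for one DFT bin k via the Goertzel recurrence (pure Python, no numpy)."""
    n = len(samples)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def near_ultrasound_fraction(samples, fs=SAMPLE_RATE, low_hz=NEAR_ULTRASOUND_HZ):
    """Share (0.0..1.0) of the frame's energy between low_hz and Nyquist. Parseval:
    sum(x^2) = (1/N) * sum(|X[k]|^2) over N bins; real spectra are mirror-symmetric,
    so each bin below Nyquist counts twice."""
    n = len(samples)
    total = sum(x * x for x in samples)
    if total == 0.0:
        return 0.0
    band = 0.0
    for k in range(math.ceil(low_hz * n / fs), n // 2 + 1):
        weight = 1.0 if (n % 2 == 0 and k == n // 2) else 2.0
        band += weight * goertzel_power(samples, k)
    return min(band / (n * total), 1.0)


def scan_frames(samples, fs=SAMPLE_RATE, frame=FRAME, threshold=ALERT_FRACTION):
    """Indices of the frames whose near-ultrasound share exceeds the threshold."""
    return [i // frame
            for i in range(0, len(samples) - frame + 1, frame)
            if near_ultrasound_fraction(samples[i:i + frame], fs) > threshold]


def constructed_capture(covert_frames, frames=4, fs=SAMPLE_RATE, frame=FRAME):
    """Constructed stand-in for a microphone capture: a 1 kHz 'audible' tone in
    every frame, plus an 18 kHz carrier (amplitude 0.2) in the listed frames."""
    out = []
    for f in range(frames):
        for i in range(frame):
            t = (f * frame + i) / fs
            x = 0.5 * math.cos(2 * math.pi * 1_000 * t)
            if f in covert_frames:
                x += 0.2 * math.cos(2 * math.pi * 18_000 * t)
            out.append(x)
    return out
```

Both tones sit exactly on a DFT bin of the 50 ms window, so the clean frames report a near-zero share and the carrier frames report 0.04 / 0.29 of their energy above 17 kHz; on real captures, compare each frame's share against a baseline taken from the same room.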

Again, cybersecurity is a problem of trust. If you do not trust something, don't use it. Moreover, it should be managed as a risk, as there is no such thing as perfect security in this world. The demonstrated attack scenario may sound scary, but we haven't seen one in real life, yet. It may not be so easy to execute such an attack, but we still need to keep an eye on what attackers are doing.

My YouTube channel - https://www.youtube.com/channel/UCXSZyDvr7tpT62t3XvdCc3w
