It is well known that USB drives can be dangerous. Companies run strict screening policies and it has long been known that running unknown ‘exe’ files is a bad idea. But what if the threat was undetectable, unfixable and could be planted into any
Jun 01, 2018 Yes. You heard it right. A portable hacking device that will be a pen drive from outside, but a powerful hacking tool from inside. There’s nothing to hype about this, it is just a few commands that will help you to access each and every password stored on the users’ PC or Laptop.
- At initial glance, this hacking device looks like your typical Lightning USB port for mobile devices. However, it features a very well concealed SIM-card slot, combined with a GPS device and a real-time tracking via GPRS system. The way this hacking device operates is you have to insert your SIM card within the cable.
- How you can make a powerful hacking device easily in only 3 mins?. Just follow the simple steps from video. Download link: http://www.4shared.com/rar/P085R.
The findings will be laid out in a presentation next week from security researchers Karsten Nohl and Jakob Lell who claim the security of USB devices is fundamentally broken . More to the point they said it has always been fundamentally broken, but the holes have only just been discovered.
BadUSB
To demonstrate this the researchers created malware called ‘BadUSB’. It can be installed on any USB device and take complete control over any PC to which it connects. This includes downloading and uploading files, tracking web history, adding infected software into installations and even controlling the keyboard so it can type commands.
“It can do whatever you can do with a keyboard, which is basically everything a computer does,” explains Nohl in an interview with Wired.
Moreover BadUSB can send code both ways, aka from the USB device to the PC and from the PC to the USB device. Previously any malicious code on a USB drive could only travel one way. And it gets worse.
Unfixable and Undetectable
“These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB is designed... You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean’ but the cleaning process doesn’t even touch the files we’re talking about.”
The reason for this is the exploit changes the firmware (instruction set) on USB devices rather than simply being a file stored on the main memory which could be accessed and deleted. In short: the exploit isn’t stored inside the USB device like a Trojan horse, it has reprogrammed the device itself. Since USB devices all share similar firmware the trick can be repeated on anything designed to be plugged into a USB port.
Even now the exploit is known addressing it is nearly impossible. ‘Code signing’ is a common countermeasure for stopping the unauthorised modification of firmware, but it isn’t part of the USB standard and even if it were there is no ‘clean’ USB firmware reference code to compare modifications against.
The exploit is already being tied to ‘Cottonmouth’, a USB spy device revealed last year in the leaks of Edward Snowden. The NSA hid Cottonmouth in peripheral plugs that were then connected to key computers. The exact operation of Cottonmouth was never revealed but Matt Blaze, computer science professor at the University of Pennsylvania, told Wired “I wouldn’t be surprised if some of the things [Nohl and Lell] discovered are what we heard about in the NSA catalogue.”
Cottonmouth NSA document leak - image courtesy of Wikipedia
Hacking Usb Firmware
New Habits
With no solutions on the horizon the only safe way to continue using USB devices is to change behaviour.
“Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices,” said Liz Nardozza, spokesperson for USB standards body the USB Implementers Forum, in a statement. “Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology.”
Usb Hacking Tool
Nohl takes this a step further. He argues USB devices should be treated as if they are hypodermic needles . “In this new way of thinking, you can’t trust a USB just because its storage doesn’t contain a virus. Trust must come from the fact that no one malicious has ever touched it. You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that’s incompatible with how we use USB devices right now.”
Usb Hacking Tool
Speaking to me Michael Sutton, VP of security research at Zscaler, agrees with the severity of Nohl's warning. 'Presently the only viable defence is to avoid using untrusted USB peripherals and those that have been outside of your control,' he explained.
While awareness will be the first step in addressing the security black hole now attributable to all USB devices, pressure will also mount quickly on the USB Implementers Forum and the major USB device manufacturers to come up with a permanent solution. Until then paranoia with build.
As Nohl concludes: “Nobody can trust anybody.”
Usb Hacking Device
More on Forbes