Feeds

Hackers pierce network with jerry-rigged mouse

Mission Impossible meets Logitech

Build a business case: developing custom apps

When hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer, they knew they had their work cut out. The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits.

Deprived of the low-hanging fruit attackers typically rely on to get a toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a technique straight out of a plot from Mission Impossible: He modified a popular, off-the-shelf computer mouse to include a flash drive and a powerful microcontroller that ran custom attack code that compromised whatever computer connected to it.

For the attack to work, the booby-trapped USB Logitech mouse had to look and behave precisely the same as a normal device. But it also needed to include secret capabilities that allowed the mouse to do things no user would ever dream possible.

“The microcontroller acts as if there's a person sitting at the keyboard typing,” Desautels told The Reg. “When a certain set of conditions are met, the microcontroller sends commands to the computer as if somebody was typing those commands in on the keyboard or the mouse.”

Interior view of modifified Logitech mouse

Interior view of Logitech mouse modified by penetration testers. Picture supplied by Netragard

The Teensy microcontroller programmed by the Netragard hackers was programmed to wait 60 seconds after being plugged in to a computer and then enter commands into its keyboard that executed malware stored on the custom-built flash drive snuck into the guts of the Logitech mouse. To squelch warnings from McAfee antivirus, which was protecting the customer's PCs, the microcontroller contained undocumented exploit code that subverted the program's dialogue boxes to evade detection.

Desautels said he chose the highly involved method after deciding against a simpler attack that relied only on a USB drive and functionality in Windows that automatically executes its contents when its connected to the computer. As previously reported, malware infections that exploit the widely abused Autorun feature plummeted in the past few months as Microsoft has made it easier for customers to turn it off.

The modified mouse wasn't hemmed in by the change because it didn't rely on Autorun for the malicious code to be executed. The programmable microcontroller, in effect, acted as its own rogue agent that was under the control of the Netragard penetration testers who had programmed it. Because the the attack code is executed by the mini computer on the Teensy card, the technique can work against a variety of operating systems, not just Windows. What's more, no drivers are needed.

“You're plugging in a computer device, in either a keyboard or a mouse, that has a mind of its own,” Desautels explained. “There's no defense, either. Plug one of these in and you're basically screwed.”

To get someone from the target company to use the mouse, Netragard purchased a readily available list names and other data of its employees. After identifying a worker who looked especially promising, they shipped him the modified mouse, which they put back in its original packaging and added marketing materials so the shipment would look like it was part of a promotional event.

Three days later, the malware contained on the mouse connected to a server controlled by Netragard. Much of the malware used in the attack was first dreamed up by security researcher Adrien Crenshaw. Netragard's detailed description of the attack comes as the US Department of Homeland Security released results from a recent test that showed 60 percent of employees who picked up foreign computer discs and USB thumb drives in the parking lots of government buildings and private contractors connected them to their computers. ®

This post was updated to include details about the DHS study.

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?