Feeds

Hackers pierce network with jerry-rigged mouse

Mission Impossible meets Logitech

Top 5 reasons to deploy VMware with Tegile

When hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer, they knew they had their work cut out. The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits.

Deprived of the low-hanging fruit attackers typically rely on to get a toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a technique straight out of a plot from Mission Impossible: He modified a popular, off-the-shelf computer mouse to include a flash drive and a powerful microcontroller that ran custom attack code that compromised whatever computer connected to it.

For the attack to work, the booby-trapped USB Logitech mouse had to look and behave precisely the same as a normal device. But it also needed to include secret capabilities that allowed the mouse to do things no user would ever dream possible.

“The microcontroller acts as if there's a person sitting at the keyboard typing,” Desautels told The Reg. “When a certain set of conditions are met, the microcontroller sends commands to the computer as if somebody was typing those commands in on the keyboard or the mouse.”

Interior view of modifified Logitech mouse

Interior view of Logitech mouse modified by penetration testers. Picture supplied by Netragard

The Teensy microcontroller programmed by the Netragard hackers was programmed to wait 60 seconds after being plugged in to a computer and then enter commands into its keyboard that executed malware stored on the custom-built flash drive snuck into the guts of the Logitech mouse. To squelch warnings from McAfee antivirus, which was protecting the customer's PCs, the microcontroller contained undocumented exploit code that subverted the program's dialogue boxes to evade detection.

Desautels said he chose the highly involved method after deciding against a simpler attack that relied only on a USB drive and functionality in Windows that automatically executes its contents when its connected to the computer. As previously reported, malware infections that exploit the widely abused Autorun feature plummeted in the past few months as Microsoft has made it easier for customers to turn it off.

The modified mouse wasn't hemmed in by the change because it didn't rely on Autorun for the malicious code to be executed. The programmable microcontroller, in effect, acted as its own rogue agent that was under the control of the Netragard penetration testers who had programmed it. Because the the attack code is executed by the mini computer on the Teensy card, the technique can work against a variety of operating systems, not just Windows. What's more, no drivers are needed.

“You're plugging in a computer device, in either a keyboard or a mouse, that has a mind of its own,” Desautels explained. “There's no defense, either. Plug one of these in and you're basically screwed.”

To get someone from the target company to use the mouse, Netragard purchased a readily available list names and other data of its employees. After identifying a worker who looked especially promising, they shipped him the modified mouse, which they put back in its original packaging and added marketing materials so the shipment would look like it was part of a promotional event.

Three days later, the malware contained on the mouse connected to a server controlled by Netragard. Much of the malware used in the attack was first dreamed up by security researcher Adrien Crenshaw. Netragard's detailed description of the attack comes as the US Department of Homeland Security released results from a recent test that showed 60 percent of employees who picked up foreign computer discs and USB thumb drives in the parking lots of government buildings and private contractors connected them to their computers. ®

This post was updated to include details about the DHS study.

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.