USBCaptchaIn: Preventing (Un)Conventional Attacks from Promiscuously Used USB Devices in Industrial Control Systems

(Submitted on 11 Oct 2018)

Industrial Control Systems (ICS) are sensitive targets for high-profile attackers and advanced persistent threats, which are known to exploit USB thumb drives as an effective spreading vector. In ICSes, thumb drives are widely used to transfer files among disconnected systems and represent a serious security risk, since they may be promiscuously used in both critical and regular systems. The threats come both from malware hidden in files stored on the thumb drives and from BadUSB attacks [16]. BadUSB leverages the modification of the firmware of USB devices in order to mimic the behaviour of a keyboard and send malicious commands to the host. We present a solution that allows a promiscuous use of USB thumb drives while protecting critical machines from malware that spreads by regular file infection or by firmware infection. The main component of the architecture we propose is a hardware device, called USBCaptchaIn, intended to sit between a critical machine and all USB devices. We do not require users to change the way they use thumb drives. To avoid human errors, we do not require users to take any decision. The proposed approach is highly compatible with already deployed products of an ICS environment and proactively blocks malware before it reaches its target. We describe our solution, provide a thorough analysis of the security of our approach in the ICS context, and report the informal feedback of some experts regarding our first prototypes.

Implanted Apple Lightning USB cable [at BSidesPDX]

USBHarpoon Is a BadUSB Attack with A Twist

WooKey: USB Devices Strike Back

Date: 13 June 2018 at 17:15 (30 min)

The USB bus has been a growing subject of research in recent years. In particular, securing the USB stack (and hence the USB hosts and devices) started to draw interest from the academic community since major exploitable flaws have been revealed by the BadUSB threat. The work presented in this paper takes place in the design initiatives that have emerged to thwart such attacks. While some proposals have focused on the host side by enhancing the Operating System’s USB sub-module robustness, or by adding a proxy between the host and the device, we have chosen to focus our efforts on the device side.


USB Reverse Engineering: A Universal Guide

by: Ben James
May 25, 2018

[Glenn ‘devalias’ Grant] is a self-proclaimed regular rabbit hole diver and is conscious that, between forays into specific topics, short-term knowledge and state of mind can be lost. This time, whilst exploring reverse engineering USB devices, [Glenn] captured the best resources, information and tools – for his future self as well as others. His guide is impressively comprehensive, and covers all the necessary areas in hardware and software.[…]



The Evil Mouse Project

Conclusion: Never trust USB devices (and not only storage devices…)

The Evil Mouse

Bad Ducky: Rubber Ducky compatible clone based on CJMCU BadUSB HW

The articles below point to related tools besides the Hak5 Rubber Ducky.


USB Rubber Ducky


MalDuino: Arduino-based BadUSB

MalDuino — Open Source BadUSB

MalDuino is an Arduino-powered USB device which has keyboard injection capabilities. Once plugged in, MalDuino acts as a keyboard, typing commands at superhuman speeds. What’s the point? You could gain a reverse shell, change the desktop wallpaper, anything is possible. For penetration testers, hobbyists and pranksters the MalDuino will serve you well!


Dan Goodin has an article on Ars Technica about some BadUSB-like malware:

Meet USBee, the malware that uses USB drives to covertly jump airgaps

In 2013, a document leaked by former National Security Agency contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks. Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly “air-gapped” PCs. The USBee—so named because it behaves like a bee that flies through the air taking bits from one place to another—is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth. That tool had to be outfitted with a hardware implant in advance and then required someone to smuggle it into the facility housing the locked-down computer being targeted. USBee, by contrast, turns USB devices already inside the targeted facility into a transmitter with no hardware modification required at all. “We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle,” researchers from Israel’s Ben-Gurion University wrote in a research paper published Monday. “Unlike other methods, our method doesn’t require any [radio frequency] transmitting hardware since it uses the USB’s internal data bus.”


BadUSB 2.0

BadUSB 2.0 USB MITM POC: The advanced uses and capabilities of rogue USB hardware implants for use in cyber espionage activities is still very much an unknown quantity in the industry. Security professionals are in considerable need of tools capable of exploring the threat landscape, and generating awareness in this area. BadUSB2 is a tool capable of compromising USB fixed-line communications through an active man-in-the-middle attack. It is able to achieve the same results as hardware keyloggers, keyboard emulation, and BadUSB hardware implants. Furthermore, BadUSB2 introduces new techniques to defeat keyboard-based one-time-password systems, automatically replay user credentials, as well as acquiring an interactive command shell over USB. […] So how is this any different from existing USB hardware implants like the Rubber Ducky or keyloggers? Firstly, the devices I’ve seen can only achieve one or two attack classes such as eavesdropping or message fabrication. BadUSB2 can eavesdrop, replay, modify, fabricate, exfiltrate data and BadUSB in one device. Furthermore, when combining these attack classes really interesting attack scenarios begin to surface. Secondly, keyboard emulation devices register as an additional USB device making them easy to detect and block, i.e. why do I now have two keyboards attached!? Yes, such devices can be easily detected and blocked. The same can be said of BadUSB, it often needs to register as a secondary USB device to perform a malicious task. BadUSB2 is an INLINE hardware implant giving it the stealth of a hardware keylogger but far more capabilities as mentioned above. Finally, (law of 3’s), just cos. […] This project builds on the USB-MITM architecture introduced by Rijnard van Tonder and Herman Engelbrecht in their paper titled, “Lowering the USB Fuzzing Barrier by Transparent Two-Way Emulation”. A special thanks to Rijnard for such a brilliant idea. […]
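Added example, not code from the USBCaptchaIn paper or the BadUSB2 project: the two detection points the page makes (a thumb drive that also enumerates as a keyboard, as in the USBCaptchaIn abstract, and "why do I now have two keyboards attached", as in the BadUSB2 excerpt) written as a small host-side policy check over USB interface descriptors. The sysfs reader, the `Device` records, the made-up VID:PID values and the keyboard allow-list are assumptions of this example.

```python
import os
from dataclasses import dataclass, field

# USB descriptor codes (bInterfaceClass / bInterfaceProtocol) from the USB spec.
USB_CLASS_HID, USB_CLASS_MASS_STORAGE, HID_PROTOCOL_KEYBOARD = 0x03, 0x08, 0x01

@dataclass
class Device:
    name: str                  # sysfs name such as "1-2" (hypothetical record type)
    vid: int = 0
    pid: int = 0
    interfaces: list = field(default_factory=list)   # (class, protocol) pairs

def is_keyboard(iface):
    cls, protocol = iface
    return cls == USB_CLASS_HID and protocol == HID_PROTOCOL_KEYBOARD

def find_suspicious(devices, known_keyboards=frozenset()):
    """Two heuristics: a storage device that also presents a keyboard, and a
    keyboard whose (VID, PID) is not on the allow-list of expected keyboards."""
    findings = []
    for dev in devices:
        has_storage = any(cls == USB_CLASS_MASS_STORAGE for cls, _ in dev.interfaces)
        has_kbd = any(is_keyboard(i) for i in dev.interfaces)
        if has_storage and has_kbd:
            findings.append((dev.name, "mass storage device also presents a keyboard"))
        elif has_kbd and (dev.vid, dev.pid) not in known_keyboards:
            findings.append((dev.name, "keyboard not on the allow-list"))
    return findings

def _hex(path, attr):
    with open(os.path.join(path, attr)) as fh:
        return int(fh.read().strip(), 16)

def scan_sysfs(root="/sys/bus/usb/devices"):
    """Read live devices from Linux sysfs: '1-2' dirs carry idVendor/idProduct,
    '1-2:1.0' dirs carry the interface class codes. Returns [] where sysfs is absent."""
    devices = {}
    for entry in sorted(os.listdir(root)) if os.path.isdir(root) else []:
        path = os.path.join(root, entry)
        if ":" in entry:   # interface directory
            dev = devices.setdefault(entry.split(":")[0], Device(entry.split(":")[0]))
            dev.interfaces.append((_hex(path, "bInterfaceClass"), _hex(path, "bInterfaceProtocol")))
        elif os.path.exists(os.path.join(path, "idVendor")):   # device directory
            dev = devices.setdefault(entry, Device(entry))
            dev.vid, dev.pid = _hex(path, "idVendor"), _hex(path, "idProduct")
    return list(devices.values())

# Constructed sample (made-up VID:PIDs): a known keyboard, a plain thumb drive,
# and a thumb drive that also enumerates as a keyboard (the BadUSB pattern).
SAMPLE = [
    Device("1-1", 0x1111, 0x0001, [(USB_CLASS_HID, HID_PROTOCOL_KEYBOARD)]),
    Device("1-2", 0x2222, 0x0002, [(USB_CLASS_MASS_STORAGE, 0)]),
    Device("1-3", 0x3333, 0x0003, [(USB_CLASS_MASS_STORAGE, 0), (USB_CLASS_HID, HID_PROTOCOL_KEYBOARD)]),
]
KNOWN_KEYBOARDS = frozenset({(0x1111, 0x0001)})
```

On a Linux host, `find_suspicious(scan_sysfs(), KNOWN_KEYBOARDS)` runs the same checks over the devices actually attached; an inline implant such as BadUSB2 does not enumerate as an extra device and so is outside what this check can see.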

USB Type-C authentication protocol: defense against bad cables

The USB-IF has developed a cryptographic-based authentication protocol to help protect from bad USB Type-C cables!

IBM research on USB eavesdropping attacks

IBM Research has new research on USB attacks and a “UScramBle” implementation for Linux:

USB Eavesdropping Attacks

Attacks that leverage USB as an attack vector are gaining popularity. While attention has so far focused on attacks that either exploit the host’s USB stack or its unrestricted device privileges, it is not necessary to compromise the host to mount an attack over USB. This paper describes and implements a USB sniffing attack. In this attack a USB device passively eavesdrops on all communications from the host to other devices, without being situated on the physical path between the host and the victim device. To prevent this attack, we present UScramBle, a lightweight encryption solution which can be transparently used, with no setup or intervention from the user. Our prototype implementation of UScramBle for the Linux kernel […]

Western Digital drives vulnerable: BadUSB, EvilMaid

Most news sites are reporting on poor security in Western Digital hard drives. As presented the other week, and in a post to the Full Disclosure mailing list a few days ago, excerpt below:

Authors: Gunnar Alendal, Christian Kison, modg
Vendor notification: The vendor has been informed of the research.
Patches: The authors are not aware of any fixes.

Research on Western Digital’s widespread self-encrypting hard drive series “My Passport” / “My Book”. Devices researched utilize mandatory HW AES encryption. Multiple vulnerabilities, including:
* Multiple authentication backdoors, bypassing password authentication
* AES factory key recovery attacks, exposing user data on all affected devices, regardless of user password
* Exposure of HW PRNGs used in cryptographic contexts
* Unauthorized patching of FW, facilitating badUSB/evil-maid attacks

Architectures researched (USB Bridge Vendor – Chip model – Architecture):
* JMicron – JMS538S – Intel 8051
* Symwave – SW6316 – Motorola M68k
* Initio – INIC-1607E – Intel 8051
* Initio – INIC-3608 – ARC 600
* JMicron – JMS569 – Intel 8051


Recently My_Ouzo posted a detailed tutorial on WonderHowTo’s Null-Byte on how to make your own BadUSB. Excerpt from the introduction:

Recently a guy asked how to make your own “Bad USB” and I promised to make a how-to on this topic soon. In addition it would be nice to have something related on our wonderhowto world. So here it is! Most common USB flash drives are exploitable due to the “Bad USB vulnerability”. This allows us hackers to reprogram the microcontroller of them to act as a “Human Interface Device” (HID) / keyboard and perform custom keystrokes on our target machine. This scenario is often called “HID Payload Attack”, since you have to hand over your script to the Bad USB for the execution ( more on that later ). Even though almost every USB flash drive is exploitable, only a way to reprogram “Phison” microcontrollers has been released yet. In this tutorial we are going to determine the microcontroller of your usb flash drive, compile the source code published in github for the tools we need and move over to building a custom firmware with an embedded HID payload and turning our harmless usb flash drive into a malicious keyboard designed to help us accomplishing the compromise of our victim machine.

Brandon Wilson from DerbyCon: Intercepting USB Traffic

DerbyCon just finished. Brandon Wilson gave a presentation called “Intercepting USB Traffic for Attack and Defense”.

BadUSB reminded the world about the dangers of maliciously intelligent USB devices such as flash drives with modified firmware, but little has been released to effectively defend against the threat. A customizable man-in-the-middle USB connection can not only do that, but provide even more benefits to both attackers and defenders, such as modifying or denying specific traffic (similar to a USB write blocker) or bypassing mass storage restrictions in a locked-down corporate environment. In this talk, I will explain how to easily assemble a USB passthrough device using cheap, existing hardware and flash it to either attack ‘secure’ environments, or isolate yourself from untrustworthy or potentially malicious peripherals. Instructions for purchasing the hardware, assembling it, and code for several different scenarios will be released and demonstrated.
Brandon Wilson is an independent security researcher and software developer. He has more than a decade of experience in reverse-engineering embedded systems and protocols, from graphing calculators to gaming consoles to flash drives. He has appeared in numerous publications such as the Wall Street Journal and Wired, and also collects DMCA takedown notices for fun.

Video of the presentation (this video crashed my browser, so don’t view this link if you have anything important in your browser):