Heuristic test provides warnings about thumb drive malfeasance

Image credit: Oleksandr_Delyk / Shutterstock / PortSwigger Ltd

Google has developed a tool for Linux machines that combats USB keystroke injection attacks by flagging suspicious keystroke speeds and blocking devices classified as malicious.

Keystroke injection attacks can execute malicious commands via a thumb drive connected to a host machine, by running code that mimics keystrokes entered by a human user.

In a post on the Google Open Source blog, Google security engineer Sebastian Neuner explained Google’s tool uses two heuristic variables – KEYSTROKE_WINDOW and ABNORMAL_TYPING – to distinguish between benign and malicious inputs.

Measuring the time between two keystrokes, KEYSTROKE_WINDOW can generate false positives if users hit two keys almost simultaneously, although accuracy rises along with the number of keystrokes logged.

ABNORMAL_TYPING specifies the ‘interarrival time’ – or gap – between keystrokes.

The heuristic works because automated keystroke inputs are typically faster than those of humans, among other factors.

Neuner advises users to recalibrate the default parameters by gauging their own typing speed using online utilities whilst running the Google tool in ‘monitoring’ mode.

Done over several days or even weeks, this should gradually lower the false positive rate until eliminated, he explained.

The process trains the system to recognize the normal typing pattern of a user thereby helping it to reduce the number of false alarms, instances where genuine user input is incorrectly flagged up as malign.

Simple, inexpensive, widely available

Keystroke injection tools are relatively inexpensive and widely available online, noted Neuner.

Darren Kitchen, founder of pen test tool developer Hak5, is well placed to comment. He invented keystroke injection in 2008 and pioneered the first tool to simulate attacks: the USB Rubber Ducky, which featured in the iconic hacker TV Series Mr. Robot.

“Keystroke injection attacks are popular because they’re simple – the barrier to entry is extremely low,” Kitchen, also founder and host of the popular Hak5 Podcast, told The Daily Swig. “I developed the now de facto language, Ducky Script, so anyone can learn it in a minute or two.”

Keystroke injection attacks are also difficult to detect and prevent, according to Neuner, since they’re delivered via the most widely used computer peripheral connector: the humble USB.

Keystrokes are also sent “in a human eyeblink while being effectively invisible to the victim” sitting at the computer, he said. Kitchen pointed out that the “USB Rubber Ducky can type over 1,000 words per minute with perfect accuracy and never needs a coffee break”.

Kitchen recounts how he developed keystroke injection to “automate my then mundane IT job – fixing printers in the terminal with one-liners”, before realizing that it “violated the inherent trust computers have in humans.

“That’s a flaw that’s hard to fix,” he continued, “because we want computers to trust us, and the way we speak to them (Alexa notwithstanding) is by keystrokes.”

‘Hacking the Gibson’

However, the attack is “only as powerful as the user that logged in”, said Kitchen, adding that he probably wouldn’t be “hacking the Gibson” since his machines are restricted in what the ordinary user can do.

“On the other hand, if you’re in an organization that has ignored security best practices over the past decade, and all of your ordinary users have administrative privileges, then yeah – keystroke injection attacks are a problem (and you probably have many more).”

Neuner, who posted two videos demonstrating an attack against a machine with and without the tool installed, advised against viewing Google’s utility as a comprehensive fix.

“The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user’s machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked,” he said.

The security engineer added that Linux tools like fine-grained udev rules or open source projects like USBGuard, through which users can define policies and block specific or all USB devices while the screen is locked, can add further protection.

Matthias Deeg, head of research and development at German pen testing firm SySS GmbH, said it remained to be seen how effective Google’s tool would prove.

“In my opinion, this new tool is interesting and may actually help preventing automated keystroke injection attacks, for instance via bad USB devices,” Deeg, who has researched wireless input devices, including their use for keystroke injection attacks, told The Daily Swig.

“However, we have not yet tested this tool and its implemented heuristics used for detecting automated keystroke injection attacks, and thus cannot say how easily it can be bypassed by tweaking the keystroke injection behavior of the attacker tool. This appears to be a good old cat-and-mouse game.”

A Github README for the Google tool includes a step-by-step setup and operation guide. The utility is run as a systemd daemon, which is enabled on reboot.


RELATED WHID Elite: Weaponized USB gadgets boast multiple features for the stealthy red teamer