And you thought USB storage keys were bad…
Security researcher Luca Bongiorni has made the ultimate hacking device for red team engagements – and one that he hopes will bring more awareness to the security shortcomings of USB gadgets.
His device, one that he’s developed out of a passion for all things offensive security, is called WHID (Wireless HID keystrokes) Elite – a 2G, SIM-enabled tool that comes with a range of features for an attacker.
WHID Elite weaponizes any number of USB gadgets, Bongiorni told The Daily Swig, whether a mouse or fan, once mounted inside an attacker’s device of choice.
While portable USB flash drives have long been a nightmare for an organization’s security team, Bongiorni says the danger spreads much further than the popular storage device.
“Security awareness about a USB fan, or USB gadgets that are not USB keys, is very low,” Bongiorni said.
“Even a mouse can be bad, even a plasma ball can be bad, a USB fan can be bad, that’s why I made WHID Injector and WHID Elite, to bring more awareness from that point of view.”
Presenting the tool on the Arsenal track at this year’s Black Hat Europe, Bongiorni explained how he wanted to develop the capabilities of a previous iteration, WHID Injector – a USB device that, once plugged into a target’s machine, could allow an attacker to remotely inject keystrokes without the need for physical access.
“I wanted something that would have more remote-control capability and even more features,” he told The Daily Swig.
“That’s why I started with the design of WHID Elite.”
WHID Elite, the second version of the tool, still allows an attacker to inject keystrokes remotely, but now comes with a 2G SIM card inputted within the device – making remote capability practically global – rather than solely through WiFi.
The tool will soon be operational with 4G (LTE), Bongiorni said, and the hardware was purchased cheaply from a manufacturer in China.
“Instead of sending the package to the target company with the attacker having to be outside the building to connect to WHID Injector, the attacker can deliver the package, on the other side of the world, and as soon as there is a mobile coverage in that area, that attacker can send an SMS to the SIM card,” Bongiorni said.
The increased range has made it possible to add mobile phone-like additional capabilities to the hacking tool. This includes GPS location tracking and acoustic surveillance – a command sent to WHID Elite will turn on its microphone and relay eavesdropped audio back to the attacker, for example.
“The attacker will be able to listen to the conversations that are happening around the weaponized USB gadget that has WHID Elite inside it,” Bongiorni said.
WHID Elite also comes with an embedded USB hub microcontroller that allows a threat actor to weaponize legit Human Interface Devices – such as keyboards or mice – in order to conduct multiple operations. This would permit both data and instructions to transmit back and forth between the attacker and a target’s machine over a 2G mobile network.
Mousejacking attacks, which rely on system flaws within common wireless devices, are also possible due to the NRF board that WHID Elite uses.
“The NRF board is the hardware needed to conduct mousejacking attacks and WHID-Elite firmware contains the code that instructs that NRF board how to conduct the mousejacking attacks,” Bongiorni explained.
With all these features – including external transmitters for radio jamming – Bongiorni admits that there was some difficulty in integrating WHID Elite’s capabilities together.
“The challenges that I faced during the development of WHID Elite were designing a board that was small enough to be hidden inside a keyboard, and to keep everything [the features] stable,” Bongiorni said.
“All these features were fighting each other sometimes.”
Beta testing was another challenge, Bongiorni said.
In line with his presentation of WHID Elite, Bongiorni is introducing another offensive device, USBsamurai – a malicious USB cable for the less technically abled. The device enables an attacker to inject keystrokes on a target’s machine, much faster than WHID Elite due to its reduced feature set.
“The idea of the powerfulness of USBsamurai is that it’s contained inside a USB cable,” Bongiorni said.
“It can be easily hidden inside any other device, a keyboard, or a mouse, and the best part is, that in the latest version, once it’s plugged in you can bypass air-gapped environments.
“And it gives you a remote shell inside a laptop that is potentially not connected within a network,” he added.
Both WHID Elite and USBsamurai are being made available through GitHub.
The Daily Swig will be back with more news from Black Hat Europe throughout the week
YOU MIGHT ALSO LIKE Open source tool searches for leaked secrets in GitHub