In this talk we’ll cover some novel USB-level attacks that can provide remote command and control of even air-gapped machines with a minimal forensic footprint, and release an open-source toolset built on freely available hardware.
In 2000, Microsoft published its 10 Immutable Laws of Security, one of which (Law #3) was “if a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” This has been robustly demonstrated over the years. Examples include numerous DMA attacks against interfaces such as FireWire, PCMCIA and Thunderbolt, as well as USB-based attacks including simple in-line keyloggers, “evil maid” attacks and malicious firmware.
Despite these warnings, groups such as the NSA were still able to use physical access to bypass software controls with toolsets such as COTTONMOUTH. Likewise, criminals have been able to defraud banks with a handful of simple hardware tricks. While some progress has been made in securing some devices against some threats, such as the use of full-disk encryption, or the impact of Apple’s Secure Enclave on the physical security of the iPhone, most laptops and desktops remain vulnerable to attacks via physical interfaces.
In our experience, organizations merely view USB devices as a channel for malware or unsanctioned communications, and rely on protections placed elsewhere in their defensive stack to deal with them; few deal directly with the risk the USB interface itself presents. There are many scenarios in which gaining physical access to hosts is plausible, and having done so can provide access to “chewy” internal networks ripe for lateral movement.
While most people are familiar with USB devices, many don’t realize the extent to which the USB standard allows seemingly innocuous devices to have multiple personalities: a single device can present several interfaces of different classes (a keyboard, a serial port, a network adapter, a storage volume) in one configuration, and the host enumerates all of them. There has been an extensive amount of research into malicious USB devices, such as TURNIPSCHOOL, GoodFET/Facedancer, Shikra, Rubber Ducky, USBdriveby and BadUSB. However, none of these implements an end-to-end attack, either because that was not their intention, because they focus on only one part of the attack, or because the project was never completed.
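The “multiple personalities” point above is visible in the bytes a device hands the host during enumeration. The following is an added example, not code from the talk or from the authors’ toolset: a small parser for a USB configuration descriptor that lists the interface classes a device declares, plus a review heuristic (an assumption of this example, not a standard) that flags a device combining a HID function with a communications or storage function. The two descriptor blobs are constructed here from the USB 2.0, HID and CDC specifications and represent a plain boot-protocol keyboard and the same keyboard with a CDC-ACM serial port on the same plug.

```python
import struct
from dataclasses import dataclass, field

# Descriptor type codes from the USB 2.0 specification (table 9-5), the
# Interface Association Descriptor ECN, and the HID and CDC class specifications.
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_IAD = 0x0B            # Interface Association Descriptor (groups CDC control+data)
DT_HID = 0x21            # HID class descriptor
DT_CS_INTERFACE = 0x24   # CDC class-specific functional descriptor

CLASS_NAMES = {0x02: "CDC-Control", 0x03: "HID", 0x08: "Mass-Storage",
               0x0A: "CDC-Data", 0xE0: "Wireless-Controller"}


@dataclass
class Interface:
    number: int
    alt_setting: int
    usb_class: int
    subclass: int
    protocol: int
    endpoints: list = field(default_factory=list)  # (bEndpointAddress, transfer type)


def parse_config_descriptor(blob: bytes) -> list:
    """Walk one configuration descriptor and return the interfaces it declares.

    Class-specific descriptors (HID, CDC functional, IAD) are skipped by their
    bLength, which is how a host stack walks the same bytes.
    """
    if len(blob) < 9 or blob[0] != 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    if total_len != len(blob):
        raise ValueError(f"wTotalLength {total_len} does not match {len(blob)} bytes supplied")
    declared_ifaces = blob[4]
    interfaces = []
    off = 9
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError(f"truncated descriptor header at offset {off}")
        b_length, b_type = blob[off], blob[off + 1]
        if b_length < 2 or off + b_length > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        if b_type == DT_INTERFACE:
            num, alt, _n_ep, cls, sub, proto = blob[off + 2:off + 8]
            interfaces.append(Interface(num, alt, cls, sub, proto))
        elif b_type == DT_ENDPOINT:
            if not interfaces:
                raise ValueError("endpoint descriptor before any interface")
            address, attributes = blob[off + 2], blob[off + 3]
            interfaces[-1].endpoints.append((address, attributes & 0x03))
        off += b_length
    if len({i.number for i in interfaces}) != declared_ifaces:
        raise ValueError("bNumInterfaces does not match the interfaces found")
    return interfaces


def personalities(interfaces) -> list:
    """Human-readable set of functions a single device presents to the host."""
    return sorted({CLASS_NAMES.get(i.usb_class, f"class 0x{i.usb_class:02x}")
                   for i in interfaces})


def is_suspicious_composite(interfaces) -> bool:
    """Review heuristic (an assumption of this example, not a standard): a device
    that types (HID) and also talks or stores (CDC, mass storage, wireless)
    deserves a second look before it is trusted."""
    classes = {i.usb_class for i in interfaces}
    return 0x03 in classes and bool(classes & {0x02, 0x0A, 0x08, 0xE0})


def _config(body: bytes, num_interfaces: int) -> bytes:
    """Prepend a configuration descriptor header with the correct wTotalLength."""
    header = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body),
                         num_interfaces, 1, 0, 0x80, 50)
    return header + body


# Constructed sample: an ordinary boot-protocol keyboard (one HID interface).
SAMPLE_KEYBOARD = _config(bytes.fromhex(
    "09 04 00 00 01 03 01 01 00"     # interface 0: HID, boot subclass, keyboard
    "09 21 11 01 00 01 22 3F 00"     # HID descriptor, 63-byte report descriptor
    "07 05 81 03 08 00 0A"), 1)      # EP1 IN, interrupt, 8 bytes

# Constructed sample: the same keyboard plus a CDC-ACM serial port on one plug.
SAMPLE_COMPOSITE = _config(bytes.fromhex(
    "09 04 00 00 01 03 01 01 00"     # interface 0: HID keyboard
    "09 21 11 01 00 01 22 3F 00"
    "07 05 81 03 08 00 0A"
    "08 0B 01 02 02 02 01 00"        # IAD: interfaces 1-2 form one CDC-ACM function
    "09 04 01 00 01 02 02 01 00"     # interface 1: CDC control, ACM subclass
    "05 24 00 10 01"                 # CDC header functional descriptor
    "05 24 01 00 02"                 # call management
    "04 24 02 02"                    # ACM
    "05 24 06 01 02"                 # union: control=1, data=2
    "07 05 82 03 08 00 10"           # EP2 IN, interrupt (notifications)
    "09 04 02 00 02 0A 00 00 00"     # interface 2: CDC data
    "07 05 03 02 40 00 00"           # EP3 OUT, bulk
    "07 05 83 02 40 00 00"), 3)      # EP3 IN, bulk


if __name__ == "__main__":
    for name, blob in (("keyboard", SAMPLE_KEYBOARD), ("composite", SAMPLE_COMPOSITE)):
        ifaces = parse_config_descriptor(blob)
        print(f"{name}: {personalities(ifaces)} suspicious={is_suspicious_composite(ifaces)}")
```

On a live host the same bytes come back from a GET_DESCRIPTOR(CONFIGURATION) request (for example via pyusb’s `dev.get_active_configuration()` or `lsusb -v`); the walk is identical. The heuristic is deliberately loose: plenty of legitimate composite devices exist, so treat a hit as a reason to look, not as a verdict.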
Additionally, existing attacks are predominantly “send only”, with no built-in bidirectional communications. They usually rely on the executed payload and the host’s own networks for any advanced remote access. Thus these payloads can leave a significant forensic footprint in the form of network communications and on-host behaviour, which also exposes them to anti-malware controls. Numerous companies are improving toolsets to detect such attacks. Lastly, these attacks are often “spray and pray”, unable to account for variations in the user’s behaviour or computer setup.
Our approach is to create a stealthy bidirectional channel between the host and the device, with remote connectivity via 3G, Wi-Fi or Bluetooth, and to offload the complexity to our hardware, leaving only a small, simple stub to run on the host. This talk will discuss the process of creating a set of malicious USB devices using low-cost hardware. The design and toolkit will be released during the talk.
Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleagues’ frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited with having built one of the first and most widely used intercepting proxies, WebScarab. In recent years, Rogan has turned his attention towards hardware hacking, and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.
Dominic White is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 12 years. He tweets as @singe.