Thumb Drives.. Can you tell the difference?

During a physical penetration test, it is not uncommon for the tester (the attacker, for the purposes of the engagement) to drop USB thumb drives in the parking lot or somewhere inside the building.  The hope is that an employee will pick one up and plug it into their computer.  The end goal: malware that makes a connection back to the attacker.

Businesses have some controls in place to try to block this simple attack, typically by preventing USB storage devices from connecting to the workstation.  Two problems immediately come to mind.  First, how do you know that the device is really a thumb drive?  What if it is something else that attacks your system, such as a Human Interface Device (HID)?  The second problem is user awareness: do users understand how attackers try to trick them into giving access to the system?

Today I want to talk about the device itself and the difference between a USB thumb drive and a HID.  As you can see from the picture, they look very similar.  Can you tell which is which?

The one on the left with the “Secure Ideas” label is in fact a 4GB USB thumb drive.  The one on the right is a HID, a USB Rubber Ducky.  So what is the difference?  The thumb drive is just a storage device: you can save and retrieve files from it, and you can even install a bootable operating system on it if you want.  This is what you normally buy when you want to carry files around on something small.

The HID device has a microSD card installed in it, as this picture shows, but the card is not there for carrying your files: it holds the scripted payload the device will type.

When it is plugged into a computer, the computer sees it as a Human Interface Device (HID).  What does that mean?  Simply, the computer thinks it is a keyboard.  The attacker programs the device with a set of pre-configured keystrokes, and when it is plugged in it types them into the system exactly as a person at the keyboard would, even if USB thumb drives are blocked.  We can’t really block HID devices outright, since most people need a keyboard to work, and a keystroke injector can be configured to report whatever vendor and product IDs it likes, so an allow-list of approved hardware IDs on its own is not a reliable defense.
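As an added example (not code from the original post or from Secure Ideas), here is how a host actually distinguishes the two devices and why the storage-blocking control described above lets the HID through. The host never sees the plastic casing; during enumeration the device sends descriptors, and the bInterfaceClass field is what the operating system uses to pick a driver: 0x08 is Mass Storage (a thumb drive), 0x03 is HID, and an HID interface with bInterfaceProtocol 0x01 is a keyboard. The script parses a constructed `lsusb -v`-style listing (the vendor/product IDs, device names and the corporate allow-list are made up for the example) and runs three policies over it: block storage, allow-list by vendor/product ID, and an allow-list that also checks the interface class the device reports.

```python
import re
from dataclasses import dataclass, field

CLASS_HID = 0x03            # USB-IF class code: Human Interface Device
CLASS_MASS_STORAGE = 0x08   # USB-IF class code: Mass Storage
HID_PROTOCOL_KEYBOARD = 0x01

# Constructed sample in the layout of `lsusb -v` on Linux. Vendor/product IDs
# and names are made up for this example; device 006 is a keystroke injector
# configured to report the same IDs and strings as the approved thumb drive.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 1234:0001 Example Corp. Secure Ideas 4GB drive
  idVendor           0x1234 Example Corp.
  idProduct          0x0001 Secure Ideas 4GB drive
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
Bus 001 Device 005: ID abcd:2401 Example keystroke injector
  idVendor           0xabcd
  idProduct          0x2401
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 006: ID 1234:0001 Example Corp. Secure Ideas 4GB drive
  idVendor           0x1234 Example Corp.
  idProduct          0x0001 Secure Ideas 4GB drive
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

# Hypothetical corporate allow-list: approved (VID, PID) -> the interface kinds
# that hardware is expected to present.
APPROVED = {(0x1234, 0x0001): ["storage"]}


@dataclass
class UsbDevice:
    vid: int
    pid: int
    name: str
    interfaces: list = field(default_factory=list)  # (bInterfaceClass, bInterfaceProtocol)


def parse_lsusb(text: str) -> list:
    """Pull VID, PID and each interface's class/protocol out of lsusb -v text."""
    devices, pending_class = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Bus \d+ Device \d+: ID ([0-9a-f]{4}):([0-9a-f]{4}) ?(.*)", line)
        if m:
            devices.append(UsbDevice(int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
            continue
        m = re.match(r"bInterfaceClass\s+(\d+)", line)   # does not match bInterfaceSubClass
        if m:
            pending_class = int(m.group(1))
            continue
        m = re.match(r"bInterfaceProtocol\s+(\d+)", line)
        if m and devices and pending_class is not None:
            devices[-1].interfaces.append((pending_class, int(m.group(1))))
            pending_class = None
    return devices


def device_kinds(dev: UsbDevice) -> list:
    """What the host believes the device is, judged only from its interface descriptors."""
    kinds = set()
    for cls, proto in dev.interfaces:
        if cls == CLASS_MASS_STORAGE:
            kinds.add("storage")
        elif cls == CLASS_HID and proto == HID_PROTOCOL_KEYBOARD:
            kinds.add("keyboard")
        else:
            kinds.add("other")
    return sorted(kinds)


def block_storage_allows(dev: UsbDevice) -> bool:
    """The control the post describes: block USB storage, allow everything else."""
    return "storage" not in device_kinds(dev)


def allowlist_allows(dev: UsbDevice) -> bool:
    """Allow only hardware whose VID:PID is approved. The IDs are attacker-controlled."""
    return (dev.vid, dev.pid) in APPROVED


def class_aware_allows(dev: UsbDevice) -> bool:
    """Approved IDs are allowed only if the interfaces match what that hardware should present."""
    return APPROVED.get((dev.vid, dev.pid)) == device_kinds(dev)


def evaluate(text: str = SAMPLE_LSUSB) -> list:
    """Run all three policies over every device in the listing."""
    return [
        {
            "name": d.name,
            "kinds": device_kinds(d),
            "block_storage_allows": block_storage_allows(d),
            "allowlist_allows": allowlist_allows(d),
            "class_aware_allows": class_aware_allows(d),
        }
        for d in parse_lsusb(text)
    ]


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

Run as-is, the storage-blocking policy blocks the genuine thumb drive and admits both keyboards; the ID allow-list admits the injector that copied the drive's IDs; only the class-aware check rejects it, because the injector has to enumerate as a keyboard to type anything. The check still cannot tell a malicious keyboard from a real one, which is why it complements user awareness rather than replacing it. On real systems this logic is what tools such as USBGuard on Linux (rules can filter on interface class) or device installation restrictions on Windows enforce at plug-in time.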

The HID device may install malware or a backdoor that creates a connection out to the attacker and gives him access to the system.  You may notice it doing this, as it is not always very subtle: a command prompt opens in front of you and a program is typed out and compiled.

Just the other day, sitting in the office, Kevin asked for a thumb drive to put some files on.  He rustled around the desk and found one to use.  Unfortunately, the one he chose was actually the HID and not the thumb drive.  He was very surprised when he plugged it in and the keyboard setup prompt popped up.  Fortunately it wasn’t set up to attack a Mac, but it could have been.  These devices do exist, and we need to recognize that any device we receive may be malicious.  Sure, the Professionally Evil thumb drive could be malicious too, but a storage device is easier to block in a corporate environment.

James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at james@secureideas.com, @jardinesoftware or visit the Secure Ideas – Professionally Evil site for services provided.

2 thoughts on “Thumb Drives.. Can you tell the difference?”

  1. "During a physical penetration test, it is not uncommon for the tester (attacker) to drop usb thumb drives out in the parking lot or someplace within the building."

    I really don't like this technique. First, you don't know who is going to pick up that drive and what PC they'll insert it into. That means you very well could be placing malware or a bot on a PC that's beyond the scope of the pentest. Second, it's questionable as to it being legal if the drives leave the scope of the pentest – you're writing and spreading malware. Third, if you've custom written a bot or malware, the last thing you want is to lose control of where it went; you don't want an AV vendor to pick it up via a heuristic scan and write a definition for it. A lot of your hard work will be gone.

  2. I agree that there are some concerns about dropping these, and all of your points are valid. It also depends heavily on what you have put on the drive. Maybe it isn't a piece of malware, but just a script that opens a browser to see if the user has inserted it. Not everything done has to be malicious or an attack.
