Usbdriveby: horrifying proof-of-concept USB attack


Correct me if I’m wrong, but don’t most of these changes require admin authentication on the target machine?


I was wondering that too; e.g. I was under the impression that crontab required root access.

Also hardcoding mouse movement and button clicking is very fragile – the positioning of UI elements is bound to change. But it’s still kind of a fun exercise.

I’m not too worried about such hacking.


Most users can control their own crontab under Unix.

The general rule when evaluating such threats is that if the attacker has physical access to the machine, all bets are off. That doesn’t necessarily mean no attempt should be made to require additional authorization for certain user actions, but these are primarily meant to thwart casual intrusions.

TL;DR: Don’t panic. This is not the end of the world by any stretch of the imagination.


It does sound like most of these changes could be guarded against by heeding the ancient and holy wisdom which cautions us against using an admin account for non-admin purposes.


What about locking your screen?


My reading of the details of this exploit suggests that a locked screen would effectively thwart this method of attack.

1 Like

Pretty and classic. There is nothing he doesn’t do with the USB stick that he couldn’t do with his hands on the mouse or keyboard, but this way, it takes seconds. If the USB stick also has a sensible function then you can get someone else to do it for you. Stick it inside a camera or a printer with a USB tee, and it will have all the functions of the device and the other mouse.

A partial solution might be to modify the OS for laptops, so they can only use the built-in mouse for certain security operations. Better still, you can imagine the system requiring some mouse with simple ID code, or locking up for 5 minutes without. This would stop anyone hacking your system blind, or by getting you to plug in a camera or a printer.

1 Like

On an unrelated note, I just found a USB stick lying on the ground outside my office. I better plug it in and see who it belongs to.


Ask somebody at Sony Pictures how that goes.


Do it on a disposable machine.

Those cheap Raspberry Pi boards with easy-to-reimage SD cards must be good for something. :stuck_out_tongue:

A diskless laptop booted from a CD or a write-protected USB stick also has its uses for handling untrusted media.

It appears that a countermeasure to the DNS-changing portion of this attack is to require that users must authenticate for access to each System Preferences prefpane (set this under System Preferences, Security).

1 Like
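A defender’s check for the setting that post points at, added here as an example and not code from the thread or from USBdriveby: it compares the macOS resolver list against a saved baseline and alerts when it changes. It assumes the output format of `networksetup -getdnsservers <service>` and a baseline file captured once from a known-good state.

```shell
#!/bin/sh
# Added example (not from this thread or from USBdriveby): detect a changed
# DNS resolver list, the symptom the DNS-changing step leaves behind.
# Assumptions: macOS `networksetup -getdnsservers <service>` prints one address
# per line, or "There aren't any DNS Servers set on <service>." when DHCP
# supplies them; a baseline file is saved once from a known-good state.

# normalise_dns: read resolver output on stdin, emit one sorted, de-duplicated
# address per line; the "aren't any DNS Servers" message counts as an empty list.
normalise_dns() {
  grep -v "aren't any DNS Servers" | tr -d ' \r' | sed '/^$/d' | sort -u
}

# dns_drift BASELINE CURRENT: both arguments are raw resolver text. Returns 0
# when the two lists match (order ignored) and 1 when they differ, printing
# both lists to stderr so the alert shows what was added or dropped.
dns_drift() {
  b=$(printf '%s\n' "$1" | normalise_dns)
  c=$(printf '%s\n' "$2" | normalise_dns)
  if [ "$b" = "$c" ]; then
    return 0
  fi
  printf 'ALERT: DNS resolver list changed\n  baseline: %s\n  current:  %s\n' \
    "$(printf '%s' "$b" | tr '\n' ' ')" "$(printf '%s' "$c" | tr '\n' ' ')" >&2
  return 1
}

# check_live SERVICE BASELINE_FILE: compare the live resolver list for a
# network service (e.g. "Wi-Fi") against the saved baseline. macOS only.
check_live() {
  dns_drift "$(cat "$2")" "$(networksetup -getdnsservers "$1")"
}

# Constructed sample data: a two-resolver baseline, and a "current" list with
# an unexpected address prepended, as a resolver hijack would leave it.
SAMPLE_BASELINE='8.8.8.8
8.8.4.4'
SAMPLE_HIJACKED='198.51.100.53
8.8.8.8
8.8.4.4'

# Demo run on the constructed data; a real deployment would call check_live
# from a periodic launchd job and forward the ALERT line to a log collector.
dns_drift "$SAMPLE_BASELINE" "$SAMPLE_HIJACKED" || echo "drift detected (expected)"
```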

What does this have to do with BadUSB? Emulating a mouse and keyboard with a Teensy doesn’t have anything to do with modifying the firmware of an otherwise innocuous USB device. It’s a device that’s designed to be reprogrammed. If he’d done this with a regular thumbdrive, then it would be BadUSB.

It’s cute, but if the hacker can get at the physical machine you’ve already lost. This could be useful for someone who only has 30 seconds of unguarded access to a machine. You’d need a tandem attack and a bit of social engineering too: person #1 gets inside the mark’s office, person #2 distracts the mark for 30 seconds to a minute whilst the first person inserts the USB device. You’d also need to camouflage it - put it in a ‘normal’ USB pen drive case and have it revert to an innocent function after the hack is complete. E.g. after the hack is done it appears again as a regular 1GB flash drive with some generic files on it - something that could innocently be found in an office. Perhaps an LDR and a clock to trigger the attack only when the lights are out at 3am, in the hope that the recipient leaves their flash drive plugged in and the machine unlocked. Has potential.

1 Like

This is why you should always lock your machine when you leave it, AND, you should NEVER loan your machine to someone else to use for a moment unless you first log out and put the machine in guest mode. Even if you trust them not to hack your machine you don’t know how computer savvy they are and what they’re going to click on / install / run.

So, in order to work, the attacker has to have physical access to an unlocked machine? A machine that happens to be logged in to an Admin account? So, how is such a vulnerability unique to OSX? Oh, right… It’s an Apple post by Cory.

Horrifying? Hardly. If you allow physical access to an unlocked, Admin account on your computer, regardless of OS, you’re opening yourself up to trouble. Period. Nice hyperbole, though.

