Now You Can Get Hacked by Your Mouse

So, you've installed a reputable anti-virus package on the family computer, cranked up the security on your wifi router, adopted a smart strategy to keep track of your passwords, and educated the whole family on how to recognize phishing and harpoon scams. Your network and computer systems are now secure, and you can sit back and rest easy, right? RIGHT?

Sadly, computer security is an ongoing cat and mouse game between the hackers and the hackees, and you have to be ever vigilant. All it takes is one momentary lapse of judgment and your system can be infiltrated. As a case in point, consider the subtle approach Netragard, a security firm, recently used on behalf of a client. Netragard published the complete details of their tactics on their blog:

We (Netragard) recently completed an engagement for a client with a rather restricted scope. The scope included a single IP address bound to a firewall that offered no services whatsoever. It also excluded the use of social attack vectors based on social networks, telephone, or email and disallowed any physical access to the campus and surrounding areas. With all of these limitations in place, we were tasked with penetrating into the network from the perspective of a remote threat, and succeeded.

The first method of attack that people might think of when faced with a challenge like this is the use of the traditional autorun malware on a USB stick. Just mail a bunch of sticks to different people within the target company and wait for someone to plug it in; when they do it's game over, they’re infected. That trick worked great back in the day but not so much any more. The first issue is that most people are well aware of the USB stick threat due to the many published articles about the subject. The second is that more and more companies are pushing out group policies that disable the autorun feature in Windows systems. Those two things don’t eliminate the USB stick threat, but they certainly have a significant impact on its level of success and we wanted something more reliable.
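The group policy Netragard mentions works by setting two Explorer policy values, and a defender reading this would want to verify they are actually in force. The PowerShell below is an added example (not from the article or Netragard's post) that reads the documented NoDriveTypeAutoRun bitmask and NoAutorun value from both hives and reports which drive types would still AutoRun:

```powershell
# Added example: audit the Windows AutoRun policy that the quoted group policies set.
# Reads the documented Explorer policy values and reports the residual exposure.

function Get-AutoRunPolicyStatus {
    # Bits in NoDriveTypeAutoRun follow the GetDriveType() result codes.
    $driveBits = @{
        0x01 = 'DRIVE_UNKNOWN'
        0x02 = 'DRIVE_NO_ROOT_DIR'
        0x04 = 'DRIVE_REMOVABLE (USB sticks, a flash drive hidden in a mouse)'
        0x08 = 'DRIVE_FIXED'
        0x10 = 'DRIVE_REMOTE'
        0x20 = 'DRIVE_CDROM'
        0x40 = 'DRIVE_RAMDISK'
        0x80 = 'reserved / future drive types'
    }
    $hives = @{
        Machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        User    = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    }
    foreach ($scope in $hives.Keys) {
        $props = Get-ItemProperty -Path $hives[$scope] -ErrorAction SilentlyContinue
        # Absent value: Windows 7 and later behave as if it were 0x91, which still
        # lets removable media AutoRun. 0xFF is what "Turn off Autoplay: All drives" sets.
        $mask = if ($null -ne $props.NoDriveTypeAutoRun) { [int]$props.NoDriveTypeAutoRun } else { 0x91 }
        # NoAutorun = 1 means autorun.inf commands are never executed, whatever the mask says.
        $noAutorun = [bool]$props.NoAutorun
        $stillAllowed = $driveBits.Keys | Sort-Object |
            Where-Object { ($mask -band $_) -eq 0 } |
            ForEach-Object { $driveBits[$_] }
        [pscustomobject]@{
            Scope                  = $scope
            PolicyKeyPresent       = [bool]$props
            NoDriveTypeAutoRun     = ('0x{0:X2}' -f $mask)
            NoAutorun              = $noAutorun
            AutoRunStillAllowedFor = ($stillAllowed -join ', ')
            # Compliant with the policy the quote describes: every drive type masked,
            # or autorun.inf execution disabled outright.
            Compliant              = ((($mask -band 0xFF) -eq 0xFF) -or $noAutorun)
        }
    }
}

Get-AutoRunPolicyStatus | Format-Table -AutoSize
```

The Machine row is the one a domain group policy populates; a User row that is absent or non-compliant is normal when only the machine policy is enforced.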

The blog goes on to discuss Netragard's diabolical solution, which was to MacGyver up a couple of Logitech mice with a hidden USB memory stick containing a custom autorun payload. The mice and a convincing cover letter were then mailed to selected employees, and it was only a matter of time until the city of Troy fell to the Trojan Mouse. Or, in the words of the Netragard guys:

Once we had our malware built, we loaded it onto the flash drive that we soldered into our mouse. Then we wrote some code for the teensy microcontroller to launch the malware 60 seconds after the start of user activity.

Usage: Plug mouse into computer, get pwned.

Cool, but scary, right? Admittedly this is an extreme case, and your average script kiddie is not about to start mailing out mice or thumb drives to thousands of potential targets. Still, physically connecting anything to a computer presents some risk. Another example of the potential for harm relates to the USB charging kiosks that have started to appear in airports, malls, and other public locations. A posting over at the Krebs security blog discusses how such a kiosk was hacked up at DefCon to educate attendees about the perils such charging stations present:

You’re out and about, and your smartphone’s battery is about to die. Maybe you’re at an airport, hotel, or shopping mall. You don’t have the power cable needed to charge the device, but you do have a USB cord that can supply the needed juice. Then you spot an oasis: A free charging kiosk. Do you hesitate before connecting your phone to this unknown device that could be configured to read most of the data on your phone, and perhaps even upload malware?

Granted, a charging kiosk at an airport may be less suspect than, say, a slightly sketchy-looking tower of power stationed at DefCon, a massive hacker conference held each year in Las Vegas. At a conference where attendees are warned to stay off the wireless networks and avoid using the local ATMs, one might expect that security experts and enthusiasts would avoid using random power stations.

In keeping with their goal of educating, rather than exploiting, attendees, the kiosk flashed a red warning message when a user plugged in a device:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

So, what did we learn from all of this? Well, we learned that IT security is non-trivial, and that if someone really wants into your systems, you face a real challenge to keep them out. The risks you face can come from rogue websites, script kiddies, email scammers, social engineers, or even hacked USB hardware. There are no guarantees, but reasonable precautions are better than blissful ignorance.

As the security guys like to say, security is an ongoing journey, not a destination. You have to keep up to date with the evolving risks, and continue to evolve your defenses accordingly. It's not exactly fun, but there's enough at stake that you can't afford to get lazy or sloppy. Ever.

If you're interested in the full stories mentioned above, check out the Netragard blog posting or the Krebs posting.