A hacked device posing as a functional mouse was used to exfiltrate sensitive information (such devices are recognized as genuine HIDs, a bad USB attack). The discovery was made during academic cybersecurity research that included scanning file repositories. Researchers came across classified operational documents that belonged to a large US-based natural gas utility operator. When approached by the researchers, the utility’s cybersecurity team was surprised to discover that the documents were authentic, and there was no internal evidence that they had been taken out.
The network containing the stolen documents was air-gapped, eliminating any possibility of them being leaked through the Internet. The use of all removable media was strictly blocked, so the possibility that someone had saved a copy of the documents and taken them out was also ruled out. The investigation concluded that the internal critical network was no longer air-gapped and that it had been breached, likely through a hacked device. The network was therefore not only vulnerable to exfiltration but also to injection and sabotage.
Hacked Device as a Functional Mouse
Upon plugging in, the host PC recognized the compromised device as a hybrid of a fully operational mouse and an HID keyboard (USB Class 3, Subclass 1, Protocol 1). Using keyboard emulation, the HID interface typed a PowerShell script which built and executed a covert channel communication stack.
By establishing an out-of-band connection through the wireless interface of the compromised mouse, the attackers managed to bypass the air-gap. Although keyboards are primarily seen as input devices, it’s important to recognize that the bidirectional communication channel used to control keyboard functionality can also serve to extract data from an enterprise.
Tools Used on Hacked Device
The Raspberry Pi Zero W can be bought on Amazon for as little as $25. Its low cost, credit card-like size and the range of hacking tools it provides make it a useful device for hackers. In this case, it not only guaranteed minimal current consumption, which the host PC (the target of the attack) could easily provide, but also allowed the perpetrators to perform network packet sniffing and exfiltrate information out-of-band remotely, thanks to its integrated WiFi functionality.
Sepio has also discovered devices that are not based on WiFi communications and instead use LoRaWAN (wide area low power wireless network) modules for remotely communicating with rogue peripheral devices.
When connected, the system identifies the compromised device as a legitimate and secure USB hub to which both the mouse and the Raspberry Pi Zero W are connected (see Raspberry Pi Risks – A Friend or Foe?). A wide collection of penetration testing images and utilities is available for the Raspberry Pi, ranging from keyboard emulators (rspiducky), through traffic hijackers (PoisonTap), to backdoor full remote access implementations.
Keyboards can also serve the same purpose of executing attacks for infection or exfiltration of sensitive information. Once again, the system will recognize these actions as valid Human Interface Devices (HIDs).
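A defender can check for the case described above, a device inventoried as a mouse that also enumerates a keyboard interface (Class 3, Subclass 1, Protocol 1), by walking its USB configuration descriptor. The following is an added example, not code from the original article or from Sepio's product; the `EXPECTED` allow-list, the function names and the sample descriptor bytes are constructed for illustration.

```python
"""Flag USB interfaces that do not match a peripheral's inventoried role.
Added example: the descriptor bytes and the EXPECTED policy are constructed."""
import struct

HID = 0x03
BOOT_KEYBOARD = (HID, 1, 1)   # class 3, subclass 1, protocol 1 (as on the page)
BOOT_MOUSE = (HID, 1, 2)      # class 3, subclass 1, protocol 2
# Hypothetical allow-list: interfaces an asset of each role may expose.
EXPECTED = {"mouse": {BOOT_MOUSE}, "keyboard": {BOOT_KEYBOARD}}


def interfaces(config: bytes):
    """Walk a configuration descriptor and return (class, subclass, protocol)
    for every interface descriptor; reject malformed or truncated input."""
    found, off = [], 0
    while off < len(config):
        if off + 2 > len(config):
            raise ValueError("truncated descriptor header")
        length, dtype = config[off], config[off + 1]
        if length < 2 or off + length > len(config):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == 0x04 and length >= 9:      # INTERFACE descriptor
            found.append(tuple(config[off + 5:off + 8]))
        off += length
    return found


def unexpected(role: str, config: bytes):
    """Interfaces the device exposes beyond what its role allows."""
    return [t for t in interfaces(config) if t not in EXPECTED[role]]


def sample_config(protocols):
    """Build a constructed configuration descriptor, one HID interface per
    protocol value (interface + HID + interrupt-IN endpoint descriptors)."""
    body = b""
    for num, proto in enumerate(protocols):
        body += bytes([9, 0x04, num, 0, 1, HID, 1, proto, 0])        # interface
        body += bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 0x3F, 0])    # HID
        body += bytes([7, 0x05, 0x81 + num, 0x03, 8, 0, 10])         # endpoint
    head = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body),
                       len(protocols), 1, 0, 0xA0, 50)
    return head + body


if __name__ == "__main__":
    rogue = sample_config([2, 1])   # mouse plus keyboard, as described above
    for triple in unexpected("mouse", rogue):
        print("ALERT: asset inventoried as a mouse also exposes", triple)
```

A device hidden behind an embedded hub, as in the hub case above, enumerates as separate devices, so the same check has to run per downstream device against the inventory for that port.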
Sepio Solution
Sepio is the leader in the Rogue Device Mitigation (RDM) market and is disrupting the cybersecurity industry by uncovering hidden hardware attacks operating over network and USB interfaces. Sepio’s Asset Risk Management platform identifies, detects and handles all peripherals; no device goes unmanaged.
Sepio is the only company in the world to undertake Physical Layer Visibility fingerprinting. Sepio calculates a digital fingerprint using the device descriptors of all connected peripherals and compares them against a known set of malicious devices, automatically blocking any attacks and providing full physical layer security. With Machine Learning, the software analyses device behavior to identify abnormalities, such as a mouse acting as a keyboard.