Ask HN: What stops a random USB device from rooting Windows?

16 points5ESS4y ago18 comments

Ok so I’m learning computer security and I had an idea for an attack method and it’s so simple I wanna know if it’s already put into practice.

Basically it would be a USB device that tells the Windows system it’s a generic keyboard+mouse. Then it would simulate the entry of input something like: 1) WinKey + R 2) cmd.exe [enter] 3) [enters or pasted a malicious script] 4) await UAC prompt. Click pre-calculated dimensions for the button based on screen size/dpi ratio..

Now the entire system is rooted in under 2 seconds.

Can someone explain what mitigations if any Microsoft has put in place (prior to the recent ASR which is new and probably also vulnerable?) to disable this [fake mouse and keyboard attack] ?

Ask HN: What stops a random USB device from rooting Windows?

16 points5ESS4y ago18 comments

Ok so I’m learning computer security and I had an idea for an attack method and it’s so simple I wanna know if it’s already put into practice.

Now the entire system is rooted in under 2 seconds.

Can someone explain what mitigations if any Microsoft has put in place (prior to the recent ASR which is new and probably also vulnerable?) to disable this [fake mouse and keyboard attack] ?

18 comments

17 comments · 7 top-level

ComradePhil4y ago· 5 in thread

This is a well-known mode of attack and some anti-virus software have protections against it: https://www.kaspersky.com/blog/weaponized-usb-devices/26495/

5ESSOP4y ago

Too bad kaspersky has been banned/cancelled in my country (USA). Any alternatives? I don’t necessarily use antivirus, thought it was unnecessary with Windows 11 built in Security. But now my mind is changing… anyways There should be a open source tool for Windows that only allows only 1 trusted keyboard/mouse to input and monitors for anything sketchy in USB firmware. Seems easy enough to create.

JackGreyhat4y ago

The paid version of Windows Defender can do it: https://docs.microsoft.com/en-us/microsoft-365/security/defe...

ComradePhil4y ago

I found this which claims to block these attacks: https://www.gdatasoftware.com/antivirus-windows

> USB Keyboard Guard

> Protects you against manipulated USB devices that pretend to be keyboards, even though they look like USB sticks or external hard drives.

1 more reply

blibble4y ago

how can anti-virus protect against it?

it has no way of telling that that device isn't a logitech keyboard, and can't tell that it's not the user opening up elevated cmd.exe and accepting the prompt

ComradePhil4y ago

From the linked article:

> Kaspersky Endpoint Security's technology will not authorize any HIDs unless the user inputs a code using a HID already authorized to do so.

paywallasinbeer4y ago· 4 in thread

Here's something very similar to what you're thinking of.[0] There's a low cost alternative if you'd like to experiment.[1]

[0] https://shop.hak5.org/products/usb-rubber-ducky-deluxe

[1] https://sequr.be/blog/2021/02/attiny85-rubber-ducky/

5ESSOP4y ago

Interesting and both are sold out. They seem kind of rare. Probably for a reason! I guess it would be bad if somebody like…had a trashbag’s worth of them with “You Won 1 Free Bitcoin” noted and sprinkled them around commercial and public properties a 100mi radius. Or sent out 1,000 in the mail for example.

HeyLaughingBoy4y ago

The reason would be that not enough of them sell to be worthwhile. Simply going from your description it sounds like the kind of product that could be designed and set up for manufacture in a handful of hours. But then what? I have no use for the product and even if I were inclined to ignore the ethical considerations, I doubt that I'd sell enough of them to recoup my time.

The people for whom this would be most useful already have the resources to build it themselves!

jrowley4y ago

I built something like this using teensy board. It’s pretty simple. Mine had a button to activate it, and was not nefarious but could have been. Hope this helps!

https://github.com/joer14/hackers-doorbell

paywallasinbeer4y ago

I see multiple listings on amazon for attiny85 boards: https://www.amazon.com/AiTrip-Digispark-Kickstarter-Attiny85...

hnuser1234564y ago· 1 in thread

If the current user isn't an admin, they can't just click through UAC.

If they are an admin, they could just do this manually.

Either way, no privilege escalation, which "rooting" typically implies.

Sure, you could make a USB stick that automates any user input, but you could just make the same inputs yourself with the keyboard and mouse already at the machine. What kind of situation does this actually benefit you in?

JackGreyhat4y ago

Well, the speed. You plug the usb in, unplug it 5 seconds later, and you walk away from a backdoored system talking to your C2 server.

JackGreyhat4y ago

It should be common practise to run your every day computer life from a "normal", non-privileged user account. This way, automating UAC confirmations are impossible, given that alternative credentials have to be entered for the UAC to be authorized. Yet, you'll find that many people do not do this.

riveducha4y ago

Even better, why not find people with a wireless mouse/kbd dongle plugged into their computer, then send radio signals mimicking their mouse/kbd to do the same thing? That way you don't even need to touch their computer or bypass the check on whether the USB device is preauthorized.

The reason you can't is because many newer wireless devices have encryption, but how many people know or care when they buy one?

I spent a not insignificant amount of time looking into this, but for the purpose of making a game AI, not for hacking other people's computers.

sydthrowaway4y ago

What stops this on Mac?

joeld424y ago

Nothing, really.

j / k navigate · click thread line to collapse

18 comments

17 comments · 7 top-level

ComradePhil4y ago· 5 in thread

This is a well-known mode of attack and some anti-virus software have protections against it: https://www.kaspersky.com/blog/weaponized-usb-devices/26495/

5ESSOP4y ago

JackGreyhat4y ago

The paid version of Windows Defender can do it: https://docs.microsoft.com/en-us/microsoft-365/security/defe...

ComradePhil4y ago

I found this which claims to block these attacks: https://www.gdatasoftware.com/antivirus-windows

> USB Keyboard Guard

> Protects you against manipulated USB devices that pretend to be keyboards, even though they look like USB sticks or external hard drives.

1 more reply

blibble4y ago

how can anti-virus protect against it?

it has no way of telling that that device isn't a logitech keyboard, and can't tell that it's not the user opening up elevated cmd.exe and accepting the prompt

ComradePhil4y ago

From the linked article:

> Kaspersky Endpoint Security's technology will not authorize any HIDs unless the user inputs a code using a HID already authorized to do so.

paywallasinbeer4y ago· 4 in thread

Here's something very similar to what you're thinking of.[0] There's a low cost alternative if you'd like to experiment.[1]

[0] https://shop.hak5.org/products/usb-rubber-ducky-deluxe

[1] https://sequr.be/blog/2021/02/attiny85-rubber-ducky/

5ESSOP4y ago

HeyLaughingBoy4y ago

The people for whom this would be most useful already have the resources to build it themselves!

jrowley4y ago

I built something like this using teensy board. It’s pretty simple. Mine had a button to activate it, and was not nefarious but could have been. Hope this helps!

https://github.com/joer14/hackers-doorbell

paywallasinbeer4y ago

I see multiple listings on amazon for attiny85 boards: https://www.amazon.com/AiTrip-Digispark-Kickstarter-Attiny85...

hnuser1234564y ago· 1 in thread

If the current user isn't an admin, they can't just click through UAC.

If they are an admin, they could just do this manually.

Either way, no privilege escalation, which "rooting" typically implies.

JackGreyhat4y ago

Well, the speed. You plug the usb in, unplug it 5 seconds later, and you walk away from a backdoored system talking to your C2 server.

JackGreyhat4y ago

riveducha4y ago

The reason you can't is because many newer wireless devices have encryption, but how many people know or care when they buy one?

I spent a not insignificant amount of time looking into this, but for the purpose of making a game AI, not for hacking other people's computers.

sydthrowaway4y ago

What stops this on Mac?

joeld424y ago

Nothing, really.

j / k navigate · click thread line to collapse