Introduction: GoodUSB - BadUSB
BadUSB is a computer security attack using USB devices that are programmed with malicious software. For example, a USB device may contain a microcontroller, which can be programmed to turn the USB device into a malicious device. The BadUSB attack was first revealed during a talk at Black Hat in 2014. (Wikipedia)
GoodUSB is what we're going to call the examples demonstrated here. These examples use the same concepts and techniques as BadUSB attacks. However, they do so without actually doing anything malicious, destructive, or otherwise attempting to breach security measures. These examples are explored only for educational purposes.
Penetration Testing (aka "pen testing) is an authorized simulated cyberattack on a computer system that is performed to evaluate the security of the system. A Pen Tester may use BadUSB technology, but it is done by an ethical hacker (white hat) with the permission of the system owners. Such tests are performed to identify weaknesses (also referred to as vulnerabilities), including the potential for unauthorized parties to gain access to the system's features and data.
The ATmega32U4 USB Stick used here, along with other related items, and an educational booklet are included in HackerBox Byte Size 0001. You can also explore electronics, cybersecurity, and hacker culture every month with a subscription to HackerBox Byte Size or HackerBox Elite Hardware Hacking at www.HackerBoxes.com
Step 1: ATmega32U4 USB Stick
This may look like a normal thumb drive, but hidden inside is an ATmega32U4 Microcontroller, which is basically a tiny computer. The microcontroller unit (MCU) can be programmed to do a variety of potentially undesirable things when inserted into a computer.
New in its factory packaging, the ATmega32U4 USB Stick does not have malicious code installed, but it does have an Arduino bootloader. This makes it easy to program the microcontroller using the Arduino Integrated Development Environment (IDE). The IDE will recognize the ATmega32U4 USB Stick as an Arduino Leonardo.
- Download and install the Arduino IDE
- Run the Arduino IDE
- Select Tools > Board > Arduino AVR Boards > Arduino Leonardo
- Select Tools > Port > [select the COM/USB port showing “Leonardo”]
- Tools > Get Board Info which should identify the board as an “Arduino Leonardo”
Step 2: Hello World
In the Arduino IDE, open the attached keyboard_hello.ino sketch.
Or use File > New to create a new sketch and type it in from the image above.
Use the arrow icon to compile and upload the sketch. Once programmed, the ATmega32U4 USB Stick will act as a keyboard that types “Hello World” every two seconds.
Open Notepad or Word and watch the GoodUSB "type" its output into the computer!
Step 3: Additional Examples
Here are a couple of additional code examples. For each one, review the sketch to understand what it is doing.
The sketch mouse_wiggle.ino makes the microcontroller pretend to be a mouse and moved the cursor randomly around the screen. The pseudo random number generator is seeded using "noise" read from an analog input to the chip.
The sketch rickroll.ino configures the microcontroller back into pretending to be a keyboard. It will never give you up, but it only works with windows. Note that "KEY_LEFT_GUI" is the windows button on the keyboard.
Step 4: Every Tool Is Also a Weapon
USB drives (aka thumb drives) are small, readily available, inexpensive, and portable. They are popular for storing and transporting files from one computer to another. These same characteristics make them appealing to attackers.
You can probably imagine that being able to type any command on a computer simply by having the user insert a "USB drive" could be a very dangerous attack vehicle.
Malicious USB Drive Attack Modes:
- Malware (viruses, worms, Trojan horses, ransomware, spyware, etc.)
- AutoRun Attack
- Keystroke Injection
- Rubber Ducky (Duck Scripts)
- Wireless Remote Attack
Some Defensive Protections Against USB Attacks:
- Be careful what you plug into your computer
- Be careful where you plug in your USB devices
- Do not use unknown USB devices
- Avoid public USB charging stations
- Disable AutoRun
- Use a USB Data Blocker
- Limit command prompt access levels
- Enable software to detect super fast typing rates
In summary: Do not insert unknown USB devices into your computer!