Duck Hunt: Memory Forensics of USB Attack Platforms

To explore the memory forensic artifacts generated by USB-based attack platforms, we analyzed two of the most popular commercially available devices, Hak5\u27s USB Rubber Ducky and Bash Bunny. We present two open source Volatility plugins, usbhunt and dhcphunt, which extract artifacts generated by these USB attacks from Windows 10 system memory images. Such artifacts include driver-related diagnostic events, unique device identifiers, and DHCP client logs. Our tools are capable of extracting metadata-rich Windows diagnostic events generated by any USB device. The device identifiers presented in this work may also be used to definitively detect device usage. Likewise, the DHCP logs we carve from memory may be useful in the forensic analysis of other network-connected peripherals. We also quantify how long these artifacts remain recoverable in memory. Our experiments demonstrated that some Indicators of Compromise (IOCs) remain in memory for at least 24 h

CTRL-ALT-LED: Leaking Data from Air-Gapped Computers via Keyboard LEDs

Using the keyboard LEDs to send data optically was proposed in 2002 by Loughry and Umphress [1] (Appendix A). In this paper we extensively explore this threat in the context of a modern cyber-attack with current hardware and optical equipment. In this type of attack, an advanced persistent threat (APT) uses the keyboard LEDs (Caps-Lock, Num-Lock and Scroll-Lock) to encode information and exfiltrate data from airgapped computers optically. Notably, this exfiltration channel is not monitored by existing data leakage prevention (DLP) systems. We examine this attack and its boundaries for today's keyboards with USB controllers and sensitive optical sensors. We also introduce smartphone and smartwatch cameras as components of malicious insider and 'evil maid' attacks. We provide the necessary scientific background on optical communication and the characteristics of modern USB keyboards at the hardware and software level, and present a transmission protocol and modulation schemes. We implement the exfiltration malware, discuss its design and implementation issues, and evaluate it with different types of keyboards. We also test various receivers, including light sensors, remote cameras, 'extreme' cameras, security cameras, and smartphone cameras. Our experiment shows that data can be leaked from air-gapped computers via the keyboard LEDs at a maximum bit rate of 3000 bit/sec per LED given a light sensor as a receiver, and more than 120 bit/sec if smartphones are used. The attack doesn't require any modification of the keyboard at hardware or firmware levels.Comment: arXiv admin note: text overlap with arXiv:1706.0114

A Hardware-Assisted Insider Threat Detection and Prevention Framework

Today, the USB protocol is among the most widely used protocols. However, the mass-proliferation of USB has led to a threat vector wherein USB devices are assumed innocent, leaving computers open to an attack. Malicious USB devices can disguise themselves as benign devices to insert malicious commands to connected end devices. A rogue device appears benign to the average OS, requiring advanced detection schemes to identify malicious devices. However, using system-level hooks, advanced threats may subvert OS-reliant detection schemes. This thesis showcases USB-Watch, a hardware-based USB threat detection framework. The hardware can collect live USB traffic before the data can be altered in a corrupted OS. Behavioral analysis of USB devices allows for a generalizable anomaly detection classifier in hardware that can detect abnormal behavior from USB devices. The framework tested achieves an ROC AUC of 0.99 against a testbed of live USB devices

MAGNETO: Fingerprinting USB Flash Drives via Unintentional Magnetic Emissions

Universal Serial Bus (USB) Flash Drives are nowadays one of the most convenient and diffused means to transfer files, especially when no Internet connection is available. However, USB flash drives are also one of the most common attack vectors used to gain unauthorized access to host devices. For instance, it is possible to replace a USB drive so that when the USB key is connected, it would install passwords stealing tools, root-kit software, and other disrupting malware. In such a way, an attacker can steal sensitive information via the USB-connected devices, as well as inject any kind of malicious software into the host. To thwart the above-cited raising threats, we propose MAGNETO, an efficient, non-interactive, and privacy-preserving framework to verify the authenticity of a USB flash drive, rooted in the analysis of its unintentional magnetic emissions. We show that the magnetic emissions radiated during boot operations on a specific host are unique for each device, and sufficient to uniquely fingerprint both the brand and the model of the USB flash drive, or the specific USB device, depending on the used equipment. Our investigation on 59 different USB flash drives---belonging to 17 brands, including the top brands purchased on Amazon in mid-2019---, reveals a minimum classification accuracy of 98.2% in the identification of both brand and model, accompanied by a negligible time and computational overhead. MAGNETO can also identify the specific USB Flash drive, with a minimum classification accuracy of 91.2%. Overall, MAGNETO proves that unintentional magnetic emissions can be considered as a viable and reliable means to fingerprint read-only USB flash drives. Finally, future research directions in this domain are also discussed.Comment: Accepted for publication in ACM Transactions on Embedded Computing Systems (TECS) in September 202