Evil Has a New Face
A new evolution to the USB attack arsenal is emerging. While the USB Hacksaw attacks are easily detected by most antivirus software and primarily work only against systems running the Windows operating system, the new evolution is cross-platform and significantly more difficult to detect. Enter the "Teensy"!
So what is a Teensy? The Teensy is a small USB microcontroller development board based on the wildly popular Arduino family. These microcontrollers are small, measuring approximately ¾" wide by 1-¼" long and less than ¼" thick. The devices are easily programmed in a derivative language of C++, cost less than $20, and can easily be connected to computers via USB ports. What makes microcontrollers such as the Teensy such an effective platform for delivering malicious code isn't just their small size and low cost; it's also the ease with which custom attacks can be developed and their capability to work on virtually all operating systems and platforms.
Many attacks are possible with the Teensy, but one specific method stands out and has gotten the attention of a growing number of security researchers. Adrian Crenshaw, an IT security expert known as "IronGeek" in the IT Security community, has created a custom code library for the Teensy device that enables it to replicate the functionality of a typical Human Interface Device (HID) such as a keyboard or mouse. Adrian calls these the "PhukD" libraries and makes them available free on his site. Adrian developed these libraries to help draw attention to the potential and risks associated with connecting microcontrollers to a computer posing as a legitimate USB device.
The use of a Teensy microcontroller to emulate a HID device may seem benign on the surface until you consider it from an attacker's point of view.
The Teensy device gives an attacker a number of advantages over normal USB drives:
- No user intervention is required. A maliciously programmed Teensy does not require any form of user intervention once it is plugged in to a target system. While most USB attacks rely on autorun.inf being executed or the user being duped into executing a malicious program, the Teensy has no such limitations. Once connected to a system, the Teensy will run its code instantly or wait until a certain condition is met.
- It is multi-platform. Because the Teensy can be configured to emulate a keyboard and does not require the installation of special software to function, it is operating-system independent and easily adapted to work on Macintosh, Linux, and most other operating systems with the same degree of effectiveness. The Teensy can be configured to look for characteristics of the system it is plugged into, such as the Apple key on a Mac or pressing Ctrl+Alt+Del on a Windows machine, and adapt accordingly.
- There are several components to the Teensy attack that make it difficult to detect. First off, when a Teensy device is connected to a system, the computer simply sees it as a keyboard. Because most systems will allow one or multiple keyboards to be connected, the actions and commands run from the Teensy are simply interpreted as the user typing commands. As such, the commands execute with the same privileges as the logged-on user. This also makes attacks from a Teensy device difficult to detect from a forensic or repudiation standpoint.
- Because file access, executed commands, and all activity run under the permissions of the logged-in user, it is difficult for a reviewer of the system to conclude anything other than that the inappropriate activity was performed by the logged-in user. Even a forensic analysis of the system would point back to the logged-in user as the culprit of any illicit activity. As an example, let's say that a Teensy device is temporarily connected to Mr. Bob's workstation and is configured to craft emails to an external Gmail account and attach sensitive spreadsheet documents. The emails, file access, activity, and logs would all indicate that the actions were performed by Mr. Bob. A forensic review of the box would also conclude the activity was Mr. Bob's unless the analyst knew to look for a Teensy or similar HID type of attack.
- Another element that makes a Teensy device attack difficult to detect is the fact that it doesn't fit the mold that most antivirus and malware detection software follow to detect malicious code. The Teensy does not typically store any executable code; instead it relies on sophisticated collections of command lines to perform the intended actions. Because the Teensy is not registered as a drive when connected to a USB port, antivirus software does not attempt to scan it or its code.
- It is highly customizable. The Teensy can be configured to target a wide range of systems and users, or be customized for a specific purpose. When a Teensy device is used in concert with other penetration techniques, there is a virtually unlimited number of uses it can perform.
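The two detection gaps the list above describes (the host sees only "a keyboard", and antivirus never scans a device that is not a drive) point at where a defender can still look: the operating system does log every HID keyboard that binds, and a scripted device types far faster than a person. The following script is an added example, not code from the book or from the PhukD project. It runs two checks over constructed sample data: it parses the `hid-generic` enumeration lines the Linux kernel writes when a USB HID interface binds and flags any keyboard-class device whose vendor:product pair is not on an allowlist of sanctioned keyboards, and it scans a sequence of keystroke timestamps for sustained bursts with inter-key gaps below a human rate. The allowlist entries, the vendor/product ids, the log lines, and the timing thresholds are all hypothetical values chosen for illustration.

```python
"""Spotting a keyboard-emulating microcontroller from the host side.

Added example (not from the book). Two defensive heuristics over constructed data:
  1. Parse Linux kernel "hid-generic" lines and flag keyboard-class HIDs whose
     idVendor:idProduct pair is not a sanctioned keyboard.
  2. Flag runs of keystrokes whose gaps are shorter than a human can sustain.
"""
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed allowlist of sanctioned keyboards as (idVendor, idProduct), upper-case hex.
# Hypothetical values; a real deployment would populate this from hardware inventory.
ALLOWED_KEYBOARDS = {("046D", "C31C"), ("413C", "2107")}

# The line the Linux kernel logs when hid-generic binds a USB HID interface, e.g.
#   hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [name] on usb-...
# Groups: bus:VID:PID.instance, the HID type word, the product name, the port path.
HID_LINE = re.compile(
    r"hid-generic (?P<bus>[0-9A-F]{4}):(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r"[^:]+: USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)


@dataclass(frozen=True)
class HidDevice:
    vid: str
    pid: str
    kind: str   # "Keyboard", "Mouse", "Device", ... as printed by the kernel
    name: str
    port: str


def parse_hid_devices(lines: Iterable[str]) -> list[HidDevice]:
    """Extract every USB HID binding from kernel log lines; other lines are ignored."""
    devices = []
    for line in lines:
        m = HID_LINE.search(line)
        if m:
            devices.append(HidDevice(m["vid"], m["pid"], m["kind"], m["name"], m["port"]))
    return devices


def unexpected_keyboards(lines: Iterable[str], allowlist=ALLOWED_KEYBOARDS) -> list[HidDevice]:
    """Keyboard-class HIDs whose vendor:product pair is not a sanctioned keyboard."""
    return [d for d in parse_hid_devices(lines)
            if d.kind == "Keyboard" and (d.vid, d.pid) not in allowlist]


def scripted_typing_runs(timestamps_ms, max_interval_ms=30.0, min_run=20):
    """Return (start_index, length) for every run of at least min_run consecutive
    key events whose gaps are all below max_interval_ms. A person cannot sustain
    gaps that short; a scripted HID emits them routinely. Thresholds are tunable
    assumptions, not figures from the book."""
    runs = []
    start = 0
    for i in range(1, len(timestamps_ms)):
        if timestamps_ms[i] - timestamps_ms[i - 1] < max_interval_ms:
            continue                      # still inside a fast run
        if i - start >= min_run:          # a long gap closes the run [start, i)
            runs.append((start, i - start))
        start = i
    if len(timestamps_ms) - start >= min_run:
        runs.append((start, len(timestamps_ms) - start))
    return runs


# Constructed kernel log excerpt: two sanctioned devices, then an unknown keyboard.
SAMPLE_KERNEL_LOG = [
    "[ 4231.102] hid-generic 0003:046D:C31C.0003: input,hidraw0: USB HID v1.10 Keyboard "
    "[Example Vendor USB Keyboard] on usb-0000:00:14.0-1.1/input0",
    "[ 4231.104] hid-generic 0003:046D:C077.0004: input,hidraw1: USB HID v1.11 Mouse "
    "[Example Vendor USB Optical Mouse] on usb-0000:00:14.0-1.2/input0",
    "[ 9876.548] usb 1-1.4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.05",
    "[ 9876.550] hid-generic 0003:1234:ABCD.0005: input,hidraw2: USB HID v1.11 Keyboard "
    "[Example Microcontroller Keyboard] on usb-0000:00:14.0-1.4/input0",
]

# Constructed keystroke timeline (ms): human typing, a 40-key scripted burst, human again.
_HUMAN = [i * 120.0 for i in range(10)]
_SCRIPTED = [_HUMAN[-1] + 500 + i * 8.0 for i in range(40)]
_MORE_HUMAN = [_SCRIPTED[-1] + 400 + i * 150.0 for i in range(5)]
SAMPLE_TIMESTAMPS = _HUMAN + _SCRIPTED + _MORE_HUMAN

if __name__ == "__main__":
    for dev in unexpected_keyboards(SAMPLE_KERNEL_LOG):
        print(f"unsanctioned keyboard {dev.vid}:{dev.pid} '{dev.name}' on {dev.port}")
    for start, length in scripted_typing_runs(SAMPLE_TIMESTAMPS):
        print(f"scripted-speed burst: {length} keys starting at event {start}")
```

The first check is only as good as the allowlist, so it belongs next to a hardware inventory; the second catches the device regardless of what it claims to be, which matters because a microcontroller can present any vendor id. Both are heuristics that produce a lead for an analyst, not proof, and they show what a log review would have to look for in the Mr. Bob scenario above.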