BadUSB 2.0 is an inline hardware implant capable of compromising USB fixed-line communications. It 'can eavesdrop, replay, modify, fabricate, exfiltrate data and BadUSB in one device.'

Oh, peachy. Say hello to BadUSB 2.0, a tool “capable of compromising USB fixed-line communications through an active man-in-the-middle attack. It is able to achieve the same results as hardware keyloggers, keyboard emulation and BadUSB hardware implants. Furthermore, BadUSB2 introduces new techniques to defeat keyboard-based one-time-password systems, automatically replay user credentials, as well as acquiring an interactive command shell over USB.”

The full research paper, BadUSB 2.0: USB man-in-the-middle attacks (pdf), by security researcher David Kierznowski is available on Royal Holloway. The paper describes BadUSB 2.0 as an “in-line hardware solution” that is “capable of performing passive or active man-in-the-middle attacks against low-speed, USB-HID devices, such as keyboards and mice.” Yes, BadUSB 2.0 can “intercept messages going to the host, as well as messages destined for the peripheral.” Its attack capabilities are impressive.

Kierznowski posted a down-and-dirty condensed version of his research paper on GitHub. Unlike Rubber Ducky or keyloggers, which Kierznowski said “can only achieve one or two attack classes such as eavesdropping or message fabrication,” BadUSB 2.0 “can eavesdrop, replay, modify, fabricate, exfiltrate data and BadUSB in one device.” Combining the attack classes is when “really interesting attack scenarios begin to surface.”

But wait, there’s more. He added:

Secondly, keyboard emulation devices register as an additional USB device, making them easy to detect and block, i.e. why do I now have two keyboards attached!? Yes, such devices can be easily detected and blocked. The same can be said of BadUSB, it often needs to register as a secondary USB device to perform a malicious task.
BadUSB2 is an INLINE hardware implant, giving it the stealth of a hardware keylogger but far more capabilities as mentioned above. Finally, (law of 3’s), just cos…

Kierznowski described the implemented PoC attacks:

Eavesdrop: Once the keyboard has been registered to the target, all keystrokes are captured to the ‘/tmp’ folder.

Modify: Weaponized code could use regular expressions to modify user keystrokes in order to defeat one-time passwords. In this POC we simply annoy the user 🙂

Replay: The POC code will automatically detect ‘ctrl-alt-delete’ and assume it is a login session. It stops recording once the ‘enter’ key is pressed. At any time the ‘replay’ command can be given to automatically authenticate to the workstation.

Fabricate: Start/Run or generic commands can be issued to the target operating system just as if you were at the keyboard.

Exfiltrate: I’ve implemented a PowerShell exfiltration POC that uses the ‘morse code’ technique (LEDs) to exfiltrate data. Using custom HID output reports is faster, but MS Windows restricts read/write access from Win 2K. In short, this is a very rudimentary POC, and did I mention very slow!

Before you freak out, Kierznowski noted in the research paper, “BadUSB2 is only a proof of concept, and although the core code is there, it would require further development to be used in real-world engagements.” On GitHub, he concluded that the “risk assessment” is “low risk because you need physical access.” But “keep in mind that a weaponized version of this design would likely utilize some form of RF, so getting access once may be enough to persist an attack. Also, when was the last time you tested hardware delivered by your suppliers!? Supply chain attacks are real – Just saying :).”
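The detection point Kierznowski makes (keyboard-emulation devices and classic BadUSB show up as an extra keyboard, which is why they are easy to spot) and his caveat (an inline implant sits between the real keyboard and the host and adds no device of its own) can both be illustrated with a small host-side inventory check. The script below is an added example written for this article; it is not part of the article or of Kierznowski's BadUSB2 code. It parses a constructed dump in the style of `lsusb -v` interface descriptors (the vendor/product IDs and product names are fictitious) and raises an alert when more than one keyboard interface is attached, or when a keyboard interface shares a device with a non-HID interface such as mass storage. The HID boot-interface class/subclass/protocol values are the standard ones from the USB HID specification.

```python
"""Inventory check: flag hosts exposing more than one USB keyboard.

Added example (not the article's or Kierznowski's code). It parses a
constructed, lsusb -v style dump; the IDs and names are made up.
Note the limit of this check, which the article spells out: an INLINE
implant like BadUSB2 is transparent to enumeration, so the host still
sees exactly one keyboard and this script reports nothing. Physical
inspection of the cable path is the only host-independent control.
"""
import re
from dataclasses import dataclass, field

# USB HID boot-interface values from the USB HID specification.
HID_CLASS = 3
BOOT_SUBCLASS = 1
KEYBOARD_PROTOCOL = 1
MOUSE_PROTOCOL = 2

# Constructed sample in the style of `lsusb -v` output (IDs are fictitious).
SAMPLE_DUMP = """\
Bus 001 Device 002: ID 1a2b:0001 Example Corp Desk Keyboard
  bInterfaceClass         3 Human Interface Device
  bInterfaceSubClass      1 Boot Interface Subclass
  bInterfaceProtocol      1 Keyboard
Bus 001 Device 003: ID 1a2b:0002 Example Corp Optical Mouse
  bInterfaceClass         3 Human Interface Device
  bInterfaceSubClass      1 Boot Interface Subclass
  bInterfaceProtocol      2 Mouse
Bus 001 Device 005: ID 3c4d:0099 Unknown Composite Device
  bInterfaceClass         8 Mass Storage
  bInterfaceSubClass      6 SCSI
  bInterfaceProtocol     80 Bulk-Only
  bInterfaceClass         3 Human Interface Device
  bInterfaceSubClass      1 Boot Interface Subclass
  bInterfaceProtocol      1 Keyboard
"""


@dataclass
class UsbDevice:
    bus: str
    address: str
    vid: str
    pid: str
    name: str
    # Each entry is a (class, subclass, protocol) triple for one interface.
    interfaces: list = field(default_factory=list)


DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4}) (.*)$")
FIELD_RE = re.compile(r"^\s+bInterface(Class|SubClass|Protocol)\s+(\d+)")


def parse_dump(text):
    """Turn an lsusb -v style dump into UsbDevice records."""
    devices = []
    current = None
    pending = {}
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = UsbDevice(*m.groups())
            devices.append(current)
            pending = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            pending[m.group(1)] = int(m.group(2))
            # An interface descriptor carries all three fields; once we have
            # them, record the interface and start collecting the next one.
            if len(pending) == 3:
                current.interfaces.append(
                    (pending["Class"], pending["SubClass"], pending["Protocol"]))
                pending = {}
    return devices


def is_keyboard(iface):
    cls, sub, proto = iface
    return cls == HID_CLASS and sub == BOOT_SUBCLASS and proto == KEYBOARD_PROTOCOL


def keyboard_devices(devices):
    return [d for d in devices if any(is_keyboard(i) for i in d.interfaces)]


def findings(devices):
    """Return human-readable alerts; an empty list means nothing suspicious."""
    alerts = []
    kbds = keyboard_devices(devices)
    if len(kbds) > 1:
        alerts.append("multiple keyboards attached: " +
                      ", ".join(f"{d.vid}:{d.pid} {d.name}" for d in kbds))
    for d in kbds:
        # A keyboard bundled with storage or other non-HID functions is the
        # classic composite-device signature worth a second look.
        other = [i for i in d.interfaces if i[0] != HID_CLASS]
        if other:
            alerts.append(f"{d.vid}:{d.pid} {d.name} exposes a keyboard "
                          f"alongside non-HID interface(s) {other}")
    return alerts


if __name__ == "__main__":
    for alert in findings(parse_dump(SAMPLE_DUMP)) or ["no extra keyboards seen"]:
        print(alert)
```

On a real Linux host the same parser can be fed the output of `lsusb -v` (run as root) instead of the constructed dump. The check catches the "second keyboard" case the article describes; it deliberately says nothing about an inline implant, because, as Kierznowski notes, that class of device never registers with the host at all.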