The USB stick that thinks it’s a keyboard
To Covent Garden, where James Lyne – director of technology strategy at Sophos – has been presenting a review of the security landscape during 2012, and a look forward to next year’s threats. The review is an annual event, and always entertaining thanks to Lyne’s bona fide geek credentials: this year’s talk included references to Anonymous masks, the obligatory Gangnam Style allusion and several exhortations to “[verb] all the things”.
Predictions for 2013 include increasingly sophisticated and targeted attacks, on mobile platforms as well as PCs. No surprises there. More interestingly, Lyne also expects to see a rise in ransomware, which locks away your files and provides the decryption key only on payment of a fee. So far, malware ransoms have typically been around the £200 mark, but Lyne reckons criminals will soon start to recognise high value targets (such as company CEOs) and demand much higher fees for the return of sensitive documents. He describes this type of attack as “irreversible”, as there’s nothing third-party software can do to recover your files if they’ve been strongly encrypted: the only defence is to keep backups. You’ve been warned.
The part of the talk that particularly struck me, however, relates to the little device pictured above, which Lyne demonstrated with glee. Fully assembled, it looks just like a regular USB flash drive. Or, from the internal microSD slot, you might assume it was some sort of card reader. In fact – believe it or not – it’s a keyboard.
The key-less keyboard
To be precise, the device is a keyboard controller. Windows detects it as a regular full-sized keyboard, but instead of providing physical keys for the user to press, the device takes its input from a pre-programmed microSD card. Load it up with a simple script and as soon as the device is plugged into a Windows PC it will automatically open a command prompt, type in an exploit giving the attacker remote access to your PC, and launch it.
Instead of providing physical keys for the user to press, it takes its input from a pre-programmed microSD card
As infection vectors go, it’s pretty ingenious. You won’t take over the world with an attack like this – not least because it doesn’t spread at all. To that extent it’s the very definition of a targeted attack. But choose the right targets – for example, start posting these little devices out to corporate executives and senior politicians – and you may well reap an awful lot of extremely sensitive information. Lyne mentioned that several of these devices have already been found in the wild over the past year.
The perfect crime? Well, not quite. If you’re watching the screen when plugging the device in you’ll see the command prompt briefly open and close – that’s inevitable, given the way the device works. Your suspicions will probably also be aroused when you notice that the device doesn’t show up as a drive in Explorer. A slightly more complex design could perhaps cover its tracks by combining legitimate storage with an illicit keyboard controller – but by the time you smell a rat, the malware is already lodged into your system anyway.
And of course the device flies straight under the radar of conventional security software, because, well, it’s a keyboard. It has no storage – none visible to the operating system, anyway – so there’s simply nothing to scan.
I cannot but admire the brilliant lateral thinking that’s gone into this little device. Mainstream operating systems and applications may be getting ever more robust, but malicious hackers are becoming (in Lyne’s memorable phrase) “tragically competent” at working around established security measures. I get the feeling Sophos won’t be running short of new and ingenious types of malware to showcase any time soon.