The Curse of Convenience: How Plug and Play became Plug and Pwned

“Would you believe me if I told you that your grandmother may have been the perpetrator of the world’s first cyber-weapon? In a culture of convenience can we strike a balance between the need for convenience and the need for security?”

With that Darren Kitchen (@hak5darren) launched the second day of AusCERT 2016.

Kitchen, the creator of internet TV show Hak5, was a 90s phone phreak and now works in the media and as a penetration tester. He has learned that the trust of systems can be broken by some relatively simple lies.

His presentation started with a look at Stuxnet - the world’s first cyber-weapon.

By targeting the Siemens PLC devices that controlled centrifuges in Iran’s nuclear enrichment facilities, the attacker was able to compromise the safety of the facility. Kitchen says it’s been established that the US and Israel perpetrated the incident. But Kitchen says the other, unnamed perpetrator was his grandma.

Darren Kitchen Speaking at AusCERT 2016


The age of convenience

In the 90s, grandma could send email, read an encyclopaedia from CDROM and read the world wide web. But then came time to print. Setting up the printer was too hard. And so came plug and play.

“Everything was becoming plug and play. Grandma plugged in the set up CDROM, pressed a few buttons and the printer was set up,” says Kitchen.

The issue was one of trust - the operating system would trust that whatever was in autorun.inf was safe to run. And this created an opening for manufacturers who could pre-load software on other removable storage devices such as USB drives. And that opening became an opportunity for malicious parties to instal malware.

However, Kitchen saw an opportunity. In the 90s, when he worked in support, he was able to use USB storage devices to automate a number of support tasks because operating systems were designed to trust specific devices.
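The autorun.inf trust described above can be audited before a disc or drive is ever handed to a user. The following is an added example, not code from the talk or from Hak5: it parses an autorun.inf and reports the entries that name a command to run. The sample file contents and the function names are constructed for illustration.

```python
# Added example (not from the talk): list what an autorun.inf asks the OS to run.
import configparser
from pathlib import Path

# [autorun] keys that name a command; icon= and label= are cosmetic only.
EXEC_KEYS = {"open", "shellexecute"}

# Constructed sample resembling a printer setup disc.
SAMPLE = """\
[AutoRun]
; constructed sample, not taken from a real device
open=setup.exe /silent
icon=setup.exe,0
label=Printer Setup
Shell\\Install\\Command=tools\\helper.exe
"""


def autorun_commands(text):
    """Return sorted (key, command) pairs that name a command to run."""
    # configparser lower-cases keys, matching the case-insensitive INF format.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return [("parse-error", "malformed autorun.inf, inspect by hand")]
    found = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            # shell\<verb>\command adds a context-menu entry that runs a command.
            is_verb = key.startswith("shell\\") and key.endswith("\\command")
            if key in EXEC_KEYS or is_verb:
                found.append((key, value.strip()))
    return sorted(found)


def audit_volume(root):
    """Check the root of a mounted removable volume, whatever the file's case."""
    for entry in Path(root).iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            return autorun_commands(entry.read_text(errors="replace"))
    return []


if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE):
        print(f"{key}: {command}")
```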



Violating the trust

Kitchen developed what he called the “USB rubber ducky” - an OS-agnostic USB device that uses the Human Interface Device (HID) standard to present itself as a keyboard, allowing him to remotely control any computer it’s plugged into.

The USB Rubber Ducky looks like a USB thumb-drive and can enter commands at a rate of 9000 characters per minute.

“It was like I was 13 again, entering a program into a computer like it was BASIC at superhuman speed”, said Kitchen.
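The quoted rate of 9000 characters per minute is also a detection signal, because it works out to one keystroke roughly every 6.7 ms. The following is an added example, not code from the talk: it scans timestamped key events per input device and reports sustained runs that are too fast for a person. The thresholds, device names and sample events are assumptions constructed for illustration.

```python
# Added example (not from the talk): flag keystroke runs too fast for a human.
from collections import defaultdict

# 9000 chars/min (the rate quoted above) is one key every ~6.7 ms.
INJECTED_INTERVAL_MS = 60_000 / 9000
# Assumed thresholds: gaps under 20 ms sustained for 15+ keys are not human.
MAX_GAP_MS = 20.0
MIN_RUN = 15


def find_bursts(events, max_gap_ms=MAX_GAP_MS, min_run=MIN_RUN):
    """events: iterable of (device_id, timestamp_ms). Returns a sorted list of
    (device_id, start_ms, end_ms, key_count) for every suspicious run."""
    per_device = defaultdict(list)
    for device, ts in events:
        per_device[device].append(ts)

    bursts = []
    for device, stamps in per_device.items():
        stamps.sort()
        run_start = 0
        for i in range(1, len(stamps) + 1):
            # Close the run at end of data or when the gap is human-sized.
            if i == len(stamps) or stamps[i] - stamps[i - 1] > max_gap_ms:
                count = i - run_start
                if count >= min_run:
                    bursts.append((device, stamps[run_start], stamps[i - 1], count))
                run_start = i
    return sorted(bursts)


def sample_events():
    """Constructed sample: a human typist plus a newly attached 'keyboard'."""
    human = [("kbd-builtin", 1000 + i * 110 + (i % 3) * 25) for i in range(40)]
    # A fast typist can roll two or three keys quickly; this must not trigger.
    human += [("kbd-builtin", 9000 + i * 12) for i in range(3)]
    injected = [("kbd-usb-new", 5000 + i * INJECTED_INTERVAL_MS) for i in range(120)]
    return human + injected


if __name__ == "__main__":
    for device, start, end, count in find_bursts(sample_events()):
        rate = count / ((end - start) / 60_000)
        print(f"{device}: {count} keys in {end - start:.0f} ms (~{rate:.0f} chars/min)")
```

Timing is one signal among several; it is strongest when correlated with a device-attach event showing a new HID keyboard enumerating shortly before the burst.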

The same mechanism can be used to hack smartphones with a USB interface through a brute-force attack of all the four-digit PIN codes from 0000 to 9999. It can even be programmed to deal with delays built in by software makers.

The same mechanisms can be used to automatically connect devices to WiFi networks.



What we want

“We don’t want to inconvenience users,” says Kitchen.

An example of how this can cost users dearly is the way we connect to WiFi networks. When we connect to a new public wireless network in a coffee shop or shopping mall, we are automatically directed to a landing page. This can be used to direct users to any webpage - violating our trust.

Even the loss of wired Ethernet connectors on our computers can be a point of vulnerability.

In specific situations, where latency is a problem for a wireless connection, USB Ethernet adapters can be compromised.

Kitchen showed adapters that have malware embedded in the controller so hackers can remotely access computers. Not only do these devices provide network connectivity, they can use the HID interface or other standards to give parties access to all sorts of systems.

“They are the hardware man-in-the-middle. All this exists just for convenience,” he says. “All it takes is a little lie. And we have grandma to thank for this. We need computers to be convenient. We need plug and play”.

Back to Stuxnet

Stuxnet caused centrifuges to spin to the point where they self-destructed. But why didn’t system operators stop this?

“They were told a simple lie,” says Kitchen.

The operator believed the devices were working correctly because that is what their systems told them. They trusted the information on their terminals.

Security is hard

Kitchen says the key is to make security easier. "Where security meets convenience things get really interesting", he says.

