BadUSB - On Accessories that Turn Evil by Karsten Nohl + Jakob Lell

  • Published 15 Sep 2024

COMMENTS • 108

  • @YogendraSingh-jh1lz 7 years ago +27

    Whole Reversing and patching USB speech is encrypted in German-English. :(

  • @nathansmith3608 9 years ago +3

    The protection mechanism that makes the most sense to me right now would be adding a kernel module for detecting implausibly fast keystroke input. Upon detection of suspicious keyboard input - parameters could be adjustable by security policy settings - it would trigger something similar to Windows User Account Control prompt. Of course, it would have to require typing or clicking something less predictable than Alt+y, like they use to bypass current UAC in their attack

    • @ricardo.mazeto 8 years ago +5

      +Nathan Smith The malware could simulate human typing speeds.
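
The timing check proposed in the comment above, as an added Python example (not code from the talk or from any commenter). It is a userspace model of the per-device logic rather than a kernel module; the thresholds, device names and sample timestamps are assumptions constructed for illustration. The last sample shows the limit raised in the reply: input paced like a human passes the check.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Policy:
    # All three values are assumed defaults for illustration, meant to be tuned.
    min_interval_ms: float = 30.0  # a gap shorter than this counts as "fast"
    window: int = 8                # how many recent gaps are examined
    max_fast_in_window: int = 6    # fast gaps in the window that raise a challenge


class KeystrokeRateMonitor:
    """Tracks key-down timing per input device and flags implausibly fast bursts."""

    def __init__(self, policy=None):
        self.policy = policy or Policy()
        self._last_ts = {}  # device id -> timestamp of its previous key-down
        self._fast = {}     # device id -> deque of booleans, one per recent gap

    def observe(self, device, ts_ms):
        """Feed one key-down event; True means 'challenge this device'."""
        last = self._last_ts.get(device)
        self._last_ts[device] = ts_ms
        if last is None:
            return False  # first key from this device, no gap to measure yet
        fast = self._fast.setdefault(device, deque(maxlen=self.policy.window))
        fast.append(ts_ms - last < self.policy.min_interval_ms)
        return sum(fast) >= self.policy.max_fast_in_window


def first_alert(events, policy=None):
    """Return (device, ts_ms) of the first event that trips the policy, else None."""
    monitor = KeystrokeRateMonitor(policy)
    for device, ts_ms in sorted(events, key=lambda e: e[1]):
        if monitor.observe(device, ts_ms):
            return device, ts_ms
    return None


# Constructed sample input: (device id, key-down time in ms). Device names are made up.
HUMAN = [("kbd-internal", t) for t in (0, 180, 310, 520, 640, 900, 1010, 1230, 1400)]
INJECTED = [("usb-new", 5000 + 4 * i) for i in range(20)]   # 4 ms between keys
PACED = [("usb-new", 9000 + 150 * i) for i in range(20)]    # human-like pacing

if __name__ == "__main__":
    print("human typing   :", first_alert(HUMAN))
    print("fast injection :", first_alert(INJECTED))
    print("paced injection:", first_alert(PACED))
    print("mixed session  :", first_alert(HUMAN + INJECTED))
```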

  • @johnycannuk 10 years ago +7

    Brilliant stuff. Great talk. And yes, Jakob sounds like Dr. Strangelove....

  • @7Shol 4 years ago +5

    "plug & pray" has never been so true

  • @james_gemma 8 years ago +10

    I only have one question: What?

  • @LeetCodes 9 years ago +68

    No offense intended, but this really needs subtitles for the second guy. Impossible to understand half of what he says, and I was really interested in this presentation. I couldn't even finish watching it.

    • @ChristianHaschek 7 years ago +3

      Yeah, that's bad English even by German standards

    • @snorman1911 7 years ago +3

      Same, I'm bailing out.

    • @momashi69 6 years ago +6

      Yes, they should have taken English lessons instead of spending all those months tirelessly and selflessly documenting this massive security threat for your ungrateful whiny asses... how's that for English?

    • @JohnDoe-nq4du 5 years ago

      @momashi69 No. Read what you're replying to, asshole. No one said they should have gotten better at English, only that they should have recognized how bad their English was, and compensated with subtitles.

    • @JohnDoe-nq4du 5 years ago

      @Li Feng Would love to, but to do so, would need to know what he's saying.

  • @ZexMaxwell 10 years ago +2

    Great work. A website that reported about this said it best: "we are screwed."

    • @JohnDoe-sb2kj 10 years ago

      No, we're not. Only ignorant people and article writers think that. There are actual fixes and preventative steps that will keep user computers safe.

    • @studentism 10 years ago +4

      John Doe You obviously did not watch the video.

  • @megasmart1337 10 years ago +15

    I can't understand what the German dude is talking about..

  • @nathansmith3608 9 years ago +4

    The answer to this vulnerability should be input device validation & lockdown. On first bootup, the computer should 'mate' itself to a known good input device via a mechanism in the EFI (requires development of per-keyboard, -trackpad, -etc., per-firmware version, code-signing). The user could be prompted to set a master password needed to then add more input devices.
    Then whenever an input device (keyboard, mouse, anything else that could easily take control of the system) is added, there would be a prompt & it would need to enter the password to give further input to the machine.
    EFI or OS Kernel controls could allow more fine-grained automatic policies, like allowing classes of devices to be white- or black-listed, or disallowing for instance on a laptop, a single usb hub that hosts both a display & pointer peripheral, if attacks using emulated mouse movement & screen capturing techniques were spotted in the wild.

    • @andreask1430 8 years ago +1

      Does not help at all: You can just as easily take control by emulating a network device. As the presenters mentioned, if you remove all the dangerous classes, you can as well leave out the USB ports.
      Secondly, USB devices do not have serial numbers (and these can be easily spoofed too if you can manipulate the firmware), and worse, your benign device might be reprogrammed at a later time to do bad things.
      So as mentioned, it's a mess, and the best defense would be to disable firmware updates => which is "easy" for flash sticks, with a known functionality where not that much happens, but for more expensive devices with more complicated features, firmware updates are a feature :(

    • @Stopinvadingmyhardware 2 years ago

      This is a firmware/hardware level exploit. It's only fixable by the hardware manufacturer.

  • @slash32 7 years ago +7

    Would it be possible to use the badUSB vulnerability with a mouse or keyboard instead of a USB stick? Would it be possible to have a mouse/keyboard execute a program/code when it is plugged in?

    • @SoreSurvival 6 years ago

      Mice and keyboards install drivers when plugged in, I'm sure you could sneak something in there, it would take physically modifying the device I suppose, I don't believe the flash memory would be much more than what is necessary for the drivers. No extra space for the extra goods

  • @sjoervanderploeg4340 1 year ago +1

    And all those years later, we have evolved BadUSB to "Rick Rolling".

  • @husaynvohra 6 years ago +5

    0.75x speed works, able to understand most things
    thank god

  • @jimmywhite3110 9 years ago

    Wow. That is an eye-opener for sure.

  • @75west 10 years ago +8

    Karsten Nohl has a German accent but is quite understandable, Jakob Lell on the other hand was not. Intonation and rhythm are so strongly German that the result is not understandable. Otherwise a very informative and useful presentation.

    • @erebostd 10 years ago +1

      This is not necessarily German, it's more "schwäbisch". Not all Germans sound the same, like in the US you clearly are able to distinguish someone from the South and the North :-)

    • @johnnyjohn9961 9 years ago

      yeah i couldn't understand what he was saying

  • @WilliamTubbs-wm3ds 1 year ago

    I've had 40 USB stolen in the raw bed so I'm just going to alert to Anderson county sheriff's

  • @stevenyates715 8 years ago +5

    Is the second guy human or robot?

    • @Brickkzz 8 years ago

      reptilian lol

  • @carlosrivero4520 10 years ago +1

    The best is a cd or dvd disc.... I Think!

  • @sankai91 8 years ago +11

    I speak fluently German and I'm pretty sure I'm not that bad in English. Yet it's really hard to understand the second guy as my knowledge about this stuff isn't that good.. No offense, but subtitles would be awesome
    EDIT: it was only difficult at the beginning, but later it got better

    • @gunslingerfourtysix 8 years ago +1

      +OGSankai hes so nervous,, And,,,,,And,,,,,And,,,,And

    • @y__h 8 years ago +2

      He's kinda having a shock. And yes it's got better later. The point is the content presented is awesome.

  • @SrElectric101 9 years ago

    Is there an open API for this? we want to implement this in our project

  • @TheTomTerrific 10 years ago

    Please turn on CC it can't even understand the second person either! Some of it is too funny!

  • @random_content_generator 8 years ago +1

    Oh man, every time the second guy comes in, it gets really hard to understand.

  • @scriptwarlock 10 years ago

    wow first we have sd memory card vulnerability now this, very interesting.

  • @CeziHD 10 years ago +1

    Does he have to confirm the cliché? Of course, yes :D

  • @oferrosenberg1237 10 years ago

    Is it relevant to PCs which run on a non-admin privilege as well?

    • @quelorepario 8 years ago

      it could escalate privileges, and even without that, it could spoof your network card to redirect all the traffic to the hacker's server.

  • @bellajbadr2237 10 years ago

    waw good job i'll try it

  • @madkvideo 4 years ago

    LMFAO what the fuck is Felicia day doing at blackhat

  • @elfriendly139 6 years ago +3

    im not a native english speaker and i can completely understand the german guy, stop it guys.

  • @87shadoww 9 years ago +8

    I am sure the talk is awesome, but the second speaker lost me with his english..

  • @crlscjn 10 years ago

    How about SD cards, Do they present similar vulnerabilities?

    • @ktxed 10 years ago

      i'd say no, because sd cards are not technically usb devices

    • @nelsonduarte9306 10 years ago +1

      SD cards do not; what you will be using to read them however may be, like those USB card readers which is where the micro-controller resides.

    • @AtlasMTBRider 10 years ago +2

      it's possible with different approaches look for this " 30C3: Exploration and Exploitation of an SD Memory Card "

    • @takitakair 10 years ago

      Nelson Duarte many card readers use a USB interface, if you go to Device Manager it says in fact that it is a USB card reader, the difference is that it is soldered on the motherboard... And out of curiosity, I thought this vulnerability was already known, back in 2005 some dude did it and created a virus that based on this vulnerability would activate webcams, would control the keyboard and many other things, one catch is that some other dude said that you could counter this "virus", to do it when you see a white square on the superior left corner of your pc begin smashing the space key on your keyboard and you could stop the malicious action from being complete...

  • @gerhardhaid3055 8 years ago +9

    This is painful to watch. I am sure the second guy knows what he talks about but the problem is that he doesn't speak English.

  • @viktorengelmann4077 4 years ago +3

    Föhmwäh = Firmware

  • @c2ashman 10 years ago +18

    I am german and....holy crap...his english is terrible. Someone should have told him during rehearsal that his english is not good enough to do a presentation. Content great...english *facepalm*

    • @trilobyte3851 5 years ago

      The first sounds like Arnold Schwarzenegger...For the other dude, Don't feel bad the more talks he does the more he is forced to improve...

  • @AmbrosiusZwackelmann 10 years ago +7

    Its a pain to listen to him....@9:00

    • @lDarkfoxxl 10 years ago

      it is pretty difficult, I would like subs tbh.

    • @eternalblue2119 10 years ago +1

      Turn the subs on - It was a very weird speech

    • @terrypercy 10 years ago

      I just closed it, wasn't worth listening to someone who doesn't even want to properly pronounce syllables. V's are way overused, causing incapability of understanding, unless I feel like focusing on what he's trying to say, instead of learning from what he says lol

    • @spammydronex5522 10 years ago +2

      He is at least trying to speak English. He's like reaaalllyy nervous... at least he's a guy that got that USBs more fun

    • @AmbrosiusZwackelmann 10 years ago +1

      Yes, that's true. I have no personal problem. He seems very nice. It was only very painful to listen to him. But summa summarum it was a good speech.

  • @frgging 10 years ago +1

    Jacob, I could understand more if you speak German.

  • @bellajbadr2237 10 years ago +17

    the second man was german i think :(. is he speaking english or what?

    • @JohnDoe-sb2kj 10 years ago +6

      Yes, just a heavy accent.

    • @banama1758 10 years ago

      GHBSYSHacks - Official might be turkish too

    • @JohnDoe-sb2kj 10 years ago

      Let us do the squirrel test!

    • @banama1758 10 years ago +1

      ***** dont blame whole country just for that guy :D

    • @catstevens01 10 years ago

      ***** no need :D. I am moroccan and our pronunciation is worst

  • @momashi69 6 years ago +1

    You've forever and irreversibly killed the guilty pleasure of buying cheap Chinese devices on eBay...

  • @cadeathtv 9 years ago +1

    Nice, Just in case your HDD will be taken by force.
    Auto format :P

    • @SlightlyTechnical 9 years ago

      Rutherford Zerdick doesnt always work if the harddrive is infected at the firmware level

    • @cadeathtv 9 years ago

      I mean, I will install a AUTOFORMAT that cannot be retrieve in the FIRMWARE LEVEL

    • @Amivit 9 years ago

      +Rutherford Zerdick, CPEH Then you don't understand much about computers. It's trivial to recover data from a formatted drive.

    • @cadeathtv 9 years ago

      EvizuGaming too bad
      Then tell me, what do I mean by "Nice, Just in case your HDD will be taken by force.
      Auto format :P"

    • @Amivit 9 years ago +1

      What? I don't think you understand that formatting a drive doesn't actually delete data. It just flips a few bits telling the drive that it is ready for use. The old data is still sitting there and easily recoverable with many different tools (look up TestDisk or Recuva for example). If you wish to securely delete data, you need to overwrite with a tool such as DBAN or Eraser

  • @abosamra555 9 years ago

    Damn, you guys, is this for real?

  • @edwardkostreski6733 10 years ago

    I am getting paranoid I let people charge phones on laptop all the time :'O

  • @rootshell101 3 years ago +1

    The german guy was so terribly hard to understand, this was soooo painful to watch.

  • @abderrahimouakki6734 10 years ago +1

    the second man has a sick english !!!! :/

  • @lakesidepmp3 6 years ago

    Not even subtitles would help this guy, it would just say , um usb um yeah um WiFi um endpoint um.um

  • @1wolfeh7 9 years ago

    Yeah but these "BadUSB's" are not anything new at all. In my Gray Hat Hacking Ethical Handbook these HID's and others are covered and discussed in depth. Even if you turn off the auto-detection/auto-run it's not really going to help, because there is a simple workaround for that.

  • @Proeemium 3 years ago

    21:36

  • @dylanwilliams5359 10 years ago +2

    This is nothing new... They just made their own homemade Rubber Ducky. Why spend months reverse engineering firmware when you could just buy this?

    • @blehhhhhhish 10 years ago +6

      This isn't about some hardware based hacking product like the Rubber ducky, this is about a usb firmware virus that can Jump between multiple usb devices and emulate any usb device it wants. They didn't spend months of research and reverse engineering to create their own rubber ducky, they did it to prove it was possible to create a usb virus, and to try and push companies to create more secure devices. That's what the majority of hacker conferences are for, this isn't just for bragging rights, they've successfully proven a point of attack that could have been used, and an attack that at the moment can't even be detected or fixed. It's a serious issue that they've brought up here.
      For a rubber ducky you need physical access to a computer to 'infect' it, and only while the single usb device is plugged in. With this you do not, a virus on the computer could infect the usb device, multiple usb devices at once at that.

    • @possiblydavid 9 years ago

      Dylan Williams Are you kidding me right now???!!! This has nothing to do with making a single usb device that you own act like a keyboard. Arguably, the existing Rubber Ducky scripts could make this easier to use, but that's beside the point.
      The massive, MASSIVE, difference here is that they can start with no usb device at all, stick their virus into a program you download sometime, and then YOUR USB DEVICE is the one that they turn into a keyboard that can infect OTHER COMPUTERS AND USB DEVICES that you connect to.

  • @DacianRider 10 years ago

    A

  • @Stopinvadingmyhardware 2 years ago

    This is the second conference on this exploit. The first was in 2011.
    It's still an issue today. This is what made Russia go back to one time pads and paper for everything.
    This is easy to solve, but that would require the IEEE to not be a seething pool of opinionated assholes that think they are better at running society than the individuals having to deal with the repercussions of their BS.

  • @banama1758 10 years ago +2

    jakob ruined the whole shit

  • @ayyylmao4746 10 years ago

    420 root it
    19:15

  • @thinkwithportal 10 years ago

    Isnt this just the Rubber Ducky?

    • @quelorepario 8 years ago

      It is about infecting turning ANY USB device into a "rubber ducky"

  • @thekaiser4333 9 years ago

    Windows-fanboys...
    What has this world only come to.

  • @slashghero 6 years ago

    OMG.. the second guy is probably really smart, way smarter than me, but please do not talk, just write down what you reverse engineered, and hand paperwork to someone else, anyone but you!