Curiosity as a plan of attack – The human Achilles heel of security

Also this year the Black Hat security conference will take place in Las Vegas, USA. The first day saw a large number of different presentations, two of which had a common theme: curiosity. Both Elie Bursztein, a security researcher at Google, and Zinaida Benenson, a scientist at Germany’s Erlangen-Nürnberg University, put the human factor at the center of their presentations.

USB sticks

Bursztein addressed the question ‘does dropping usb drives really work?’. He said that at every security conference there is always someone who claims that he has bypassed a company’s security by placing a USB stick in a conspicuous place outside the building in the hope that an employee will plug it into a PC. This attack is said to be so effective that at one point it even reappeared in the TV series Mr. Robot. In a certain scene you can see how a security guard connects a USB stick found shortly before in the parking lot to his computer, without knowing that the drive was there for a reason.

Enough reason for the Google researcher to set up an experiment himself and to investigate this claim. To do this, he spread 297 prepared USB sticks across the campus of the American University of Illinois, to be found by passers-by. In doing so, he distinguished by location, appearance and content of the stick and was able to track the results via a backend. After people had viewed the contents of the stick, they could complete a survey and indicate their motivations.

Possible attacks

Bursztein distinguishes three possible attacks that can be carried out via a USB stick. The first one is completely based on social engineering and consists, for example, of posting malicious files with the name ‘do not open’, or something else attractive. However, this attack quickly arouses suspicion and is not very reliable. The second option is so-called hid spoofing , in which the data carrier masquerades as a human interface device ; in most cases that is a keyboard. In this way, a command can be executed via keystrokes; for example, opening a remote shell .

The difficulty with such an attack is that the victim’s operating system must be determined before the attack can be carried out. In addition, the payload that opens the command prompt must be small and not recognized by an antivirus program. The USB stick must also look credible.

However, the researcher has managed to find a solution for all these problems. By virtually pressing and locking the ‘scroll lock’ key, he was able to quickly determine the victim’s operating system. A small payload also turned out to be feasible. For example, it was possible to write a Linux payload of 100 characters using a scripting language. In Windows, the process was a bit more complex, but not impossible either. Manufacturing a USB stick cost Bursztein about $40 per device based on a Teensy 3.2 .

He demonstrated the final attack in a video. It showed that the entire process from plugging in the USB stick to opening a shell and connecting to a metasploit -based command-and-control server took about six seconds, with the user only briefly entering a command prompt. see appear. He then had free access to the infected computer.

The third way to use a USB stick for such an attack is to gain access to a device via a zero-day vulnerability. However, this method is very costly and cumbersome, making it only for very dedicated attackers, such as a state.

Bursztein has made the code of his project available online . He also discussed in detail the manufacture of a USB stick based on a Teensy with a convincing appearance. He used a silicone mold for this, which was not easy for him at first. In the end, however, we managed to make good copies. The researcher is considering starting a Kickstarter project for these types of USB sticks if there is enough interest.

Curiosity

Back to the results of the research conducted. It turned out that 98 percent of the dropped USB sticks had been picked up and that 48 percent of them were connected to a computer, something Bursztein had not seen coming. It also turned out that it did not matter where the USB stick was placed, for example in a parking lot, in a common room or in a corridor. The appearance also does not matter much, for example whether there are keys attached or a label has been stuck on it.

The main reason for opening the files on the carrier turned out to be identifying the owner, the finders said. However, Bursztein has his doubts about this statement, because his data shows that the vast majority of people had only opened the photos and not the other files. The reason that was mentioned most often after that is curiosity, something that Bursztein considers a lot more plausible.

The second study, that of Benenson, focused on the phenomenon of phishing . She wanted to investigate the reasons for clicking on suspicious links. To this end, she sent 1600 students a Facebook message or an e-mail from an unknown person containing a link to photos of a New Year’s party. In addition, the request was sent not to share the photos. The number of clicks was then recorded by the researcher.

It turned out that 43.5 percent of students clicked the link in the Facebook post and 25 percent clicked the link in the email. When Benenson approached the students at a later date, it turned out that the main reason for following the link was curiosity. This was given as the reason in 34 percent of the cases. The subsequent reason was that the students thought they were indeed pictures of a party they had attended. Reasons for not clicking were not knowing the sender and suspecting spam or phishing.