Okay, welcome to our talk "Evil Genius: Why you shouldn't trust that keyboard" by Fadid Perez and Mauro Eldridge from DC5411. Before we start, let's make a brief introduction to this talk and to ourselves, the speakers.

I am Mauro Eldridge. I'm an Argentine hacker and the founder of DC5411. I work as a cyber security architect, and over the last years I have been a speaker at DEF CON Las Vegas, Roadsec Brazil, DragonJAR Colombia, a conference in Iran and the Texas Cyber Summit, among other conferences.

Thank you, Mauro. Hello, everyone. My name is Fadid Perez. I am a Colombian hacker working in communications. I work as a professor at the University of La Guajira and I am a member of DC5411. I have also been a speaker at DragonJAR Colombia, and now I'm at DEF CON with this talk.

The objective of this talk is to explain bad USB attacks in a different way, combining hardware hacking, human hacking and social engineering. In this case, we will explain this type of attack using one of our evil creations: a tampered keyboard which acts as a remote keylogger. As you can see in this photograph, it seems to be a classic keyboard, a normal cheap keyboard, without anything suspicious. But well, you may be wrong. It looks pretty normal.

This talk is divided into two chapters: the social engineering one, where we try to create a plausible alibi and the necessary conditions for our attack to be effective, and the hardware hacking one, where we will explain the mechanics of building a bad USB in two parts and how we use this bad USB for exfiltration of data.

Just a little disclaimer: the speakers had full permission from the affected parties to conduct this experiment in an authorized manner as part of a red teaming exercise, and the authors weren't involved directly or indirectly in any illegal activity.

Let's start with the first chapter, social engineering. The point of the experiment was to infect a user without any direct interaction, using only the bad USB keyboard, but without being able to touch it, not even to connect it. So we had to rely on social engineering, or human hacking, to get someone else to do that job on our behalf.

This is what we had so far. Our victim: an educational institution. No physical access to the place, and no help from the inside. They only had an open guest Wi-Fi connection, which we were not allowed to mess with, and it was segregated from the main network, so at first it might not seem like a really valuable asset. And we had a modified keyboard with our bad USB in its original box, with its accessories and manuals and everything you expect to find in a brand new, unboxed item, right?

So let's try to simplify this equation. We had no physical access, no help from the inside, and an original box. We had to create an attack vector from these really poor assets. So what can we do with no physical access and a box? The obvious first thing that came to our mind was the fake postal service: a postal impostor. This was way out of our scope, so we wanted to do something similar but not so violent. So we came up with this little strategy. Delivering an unsolicited keyboard could only look strange and suspicious; you are not expecting an unsolicited keyboard any day of the week. So we had to improve our game and resort to helping the local industry by printing a few extra things for a small price. These few extra things are the following. Note that we have censored the trademark, the brand, because the manufacturer is not linked in any way; it's not related to this talk or this experiment. So for a few dollars we had stickers, a T-shirt and a neatly packaged keyboard ready to be sent to the institution, along with a simple letter. Absolutely nothing to suspect. Well, maybe.

The package was sent via a well-known private courier app, which confirmed its receipt a few hours later. We were already quite concerned, with the package marked as received but nothing happening. After a while, our keylogging database started to populate.

Now you might ask yourself: how does this bad USB keyboard work? So now my partner Fadid, the hardware hacker of the group, will explain to you the magic behind this electronic tampering.

Thank you, Mauro. Here we have the components used in this project, which we must have if we want to do it ourselves: a normal keyboard of the model most used in your country, the wireless network component for Arduino (an ESP8266), an Arduino Nano, a standard USB cable, a command and control server, the Arduino programming interface and, above all, lots of patience.

In this diagram it is possible to observe the keyboard schematic and how it operates. The moment the user plugs in the keyboard's USB cable, without noticing that the keyboard contains the Arduino Nano device and an ESP8266 Wi-Fi interface, all the information entered on the keyboard is sent to a C2 server, built with MySQL, PHP and phpMyAdmin, where the hacker will be receiving all the information entered on the keyboard. All the parts are cheap and easy to hide inside the device. These parts don't add significant weight to the keyboard; there is no sign that could arouse suspicion. In this image you can see each component in the functional prototype of the attack. This image shows the code that sends the data to the C2 server with the POST method. This image shows the C2 server connection, that is, how the USB module steals data online.

As you may already know, this bad USB has a command and control server which is built upon a LAMP stack: Linux, Apache, MySQL, PHP and phpMyAdmin. The database has a simple table, as you may see now. You can see that there are at least 28 rows. These rows represent sessions. I'll take a moment to explain to you what sessions are on this bad USB keyboard. Once the buffer of the keyboard stops receiving data for a certain amount of time, it closes the buffer and uploads its contents to the web server, this command and control server, so the different inputs are separated into sessions.

Let's try to inspect some of these sessions. For example, here session number 11 is when the user attempts to access gmail.com, but instead of entering their credentials, the victim jumps into another task, let's say Microsoft Word, and starts typing a document about Torres Javier. Then he, or she, goes back to Gmail and enters their credentials and passwords. We have another example here of passwords, and then internal instructions; for example, number 20 says "I have bought a ream of paper for the office", session 21 says "I have made a Mercado total recharge for the office", and it continues. Right here we can see on session 24 another password. Try to picture obtaining these passwords with other methods, for example with cracking: it certainly won't be impossible, but it will take you longer than simply using this bad USB. On session 25 we have our first case of personally identifiable information. As you can see, behind the encoding error it says "cédula de ciudadanía", which translated from Spanish means national ID, the equivalent of the SSN, the social security number, in the USA. It's a number that identifies a citizen, so it is treated as private information. Then on session 22 we have the login for an online banking site; obviously the credentials were there too.

So far you may ask yourself what you can do. Well, you can obtain credentials for any local or remote service, for local users or for cloud services from different providers online. You can obtain private information about users, resources, documents and infrastructure. You can discover internal conversations or communications, as we have seen before; you can see internal orders, for example, or internal documents about daily tasks. You can use this keyboard as a pivot for new attacks, and in very specific, rare scenarios, an attacker could compromise an entire supply chain by replacing normal keyboards with infected ones. I know this might sound a little bit crazy, or a little bit too rare or too unique, but some days ago counterfeit, or fake, Cisco switches were discovered deployed in production. A network engineer saw that his core switch was failing, or acting clunky, tried to troubleshoot it and ended up finding that it was a counterfeit one.

And about counterfeit hardware, I want to offer you a small appendix with a brief explanation and comparison of fake hardware, and to speak about the possibility of using it for red teaming, aside from what everybody else is using it for. The first case, as you might notice, is the keyboard that we were talking about. This is our own prototype. You may find no substantial differences on the outside: no evidence of tampering, nothing really to worry about. And this is the original one, with a non-stock picture from an e-commerce site. As you see, there are no differences between them. But this tampering is not really limited to any kind of hardware. You can tamper with anything you want. For example, let's take a look at this set of speakers that we have tampered with ourselves for another case study. These speakers might look, like the keyboard, really normal on the outside, nothing really weird about them. But once you open them, you find they are tampered with; you find that they have other hardware pieces scattered around, which makes them really suspicious to a trained eye. Now let's take a look at a photograph of the original speakers, again a non-stock picture from an e-commerce site. They are recently unboxed. As you may see, there's nothing to worry about, nothing really strange or weird about them.

But this is not only limited to small hardware. Even critical hardware, like switches, in this case core switches from Cisco, can be tampered with. This is a very good comparison between an original Cisco switch board and two counterfeit ones. The source is F-Secure. As you can see, the one on the left is the original one; the second and the third are counterfeit. Take a look at the second one, on the lower half: it has the Cisco trademark printed on the board, while the third one does not. So the differences are subtle and can be easily overlooked by an untrained eye. This is the dangerous part: it is very easy to be misled by this hardware. It doesn't end here; this is not something new. As I said before, a user on Reddit posted a year ago about being a victim of counterfeit Cisco devices. Let's take a look first at the front panel of an original Cisco switch and then at a counterfeit one. The source of these images is the original Reddit post. This is the original one. As you may see, this is what you expect to unbox from Cisco. And this is the counterfeit one; it's basically, again, what you expect to unbox when you buy a Cisco switch. So there are no really big differences. Some of the most noted differences on counterfeits are the brightness of the numbers on the ports, as you may see: one, two, eleven, thirteen, twelve, fourteen, 23, 24, etc. This is what is most noted on the internet, the brightness of those numbers; nothing else from the front. And some people noted that the screws are different. So unless you open it, or unless you know something really specific about it, you won't suspect. This is just to make you understand the dangers of the counterfeit or fake hardware that is out there. There are people dedicated to faking this kind of hardware, not only for a red teaming exercise like ourselves but to make a profit from it, and it is really dangerous to corporations, to small companies and to almost every institution out there.

So before we close this talk, we would like to share a little demo of this keyboard and how it acts. Since this is a demo, we will use two laptops and one of the infected keyboards.

Time to say goodbye and jump to the conclusions and, obviously, the questions and answers. Our conclusions are that you always have to be wary of any new device, whether USB or not. This might seem obvious, but anyone could be a victim. Be honest: would you have suspected this keyboard if you had seen it lying around on the desktop in your office? Probably not. And bear in mind that with a few dollars anyone can build, or even buy, a product of this type, and T-shirts and stickers like the ones we have used in this case. Whenever possible, use preventive measures against these. And always remember that the mousetrap works because the mouse doesn't quite understand why the cheese is free, so educate your users not to take things from strangers.

You can get in touch with us on GitHub, Mauro Eldridge and DC5411, or on Twitter. You have our handles here. We are always open to discuss hardware hacking, social engineering and hacking in general, so we'll be more than happy to talk with you. If you have any questions, we'll gladly answer them in the chat. Thank you.
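The session mechanism the speakers describe (keystrokes accumulate in a buffer; once the buffer has seen no input for a certain amount of time it is closed and its contents are uploaded to the C2 server with an HTTP POST) is simple enough to model end to end. The following is an added example written for this page; it is not the speakers' Arduino firmware or their PHP receiver, and it runs offline in Python rather than on the device. The idle timeout of 5 seconds, the form field names (`device`, `session`, `data`), the device identifier and the sample keystroke timeline are all assumptions chosen for illustration; the timeline imitates session 11 from the talk (a gmail.com visit, a pause, a document, another pause, then credentials).

```python
"""Model of the idle-timeout session buffering used by the bad USB keyboard.

Added example for this page (not the speakers' code). It shows how keystrokes
are cut into sessions by an idle timeout, how a session becomes a
form-encoded POST body for a LAMP-style receiver, and how that receiver
reads the body back. All timing values and field names are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed idle timeout; the talk only says "a certain amount of time".
IDLE_TIMEOUT_S = 5.0


@dataclass
class Session:
    session_id: int      # 1-based, like the row numbers shown in the talk
    started_at: float    # timestamp of the first keystroke (seconds)
    ended_at: float      # timestamp of the last keystroke (seconds)
    data: str            # raw buffered keystrokes


def segment_sessions(keystrokes: Iterable[Tuple[float, str]],
                     idle_timeout: float = IDLE_TIMEOUT_S) -> List[Session]:
    """Split (timestamp, char) keystrokes into sessions.

    A new session starts whenever the gap since the previous keystroke
    exceeds idle_timeout; the buffer that was open is closed and emitted.
    """
    sessions: List[Session] = []
    buf: List[str] = []
    started = last = 0.0
    for ts, ch in keystrokes:
        if buf and ts - last > idle_timeout:
            # Idle for too long: close the buffer, emit it as a session.
            sessions.append(Session(len(sessions) + 1, started, last, "".join(buf)))
            buf = []
        if not buf:
            started = ts
        buf.append(ch)
        last = ts
    if buf:
        # Flush whatever is still buffered (the device would do this on its
        # final idle timeout).
        sessions.append(Session(len(sessions) + 1, started, last, "".join(buf)))
    return sessions


def build_upload_body(session: Session, device_id: str) -> str:
    """application/x-www-form-urlencoded body, as sent with a POST request.

    Field names are assumed; a PHP receiver would read them from $_POST.
    Control characters such as tab and newline are percent-encoded so
    they survive the trip intact.
    """
    return urlencode({"device": device_id,
                      "session": str(session.session_id),
                      "data": session.data})


def parse_upload_body(body: str) -> dict:
    """Receiver side: decode the POST body back into a flat dict."""
    fields = parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def typed(text: str, start: float, interval: float = 0.2) -> List[Tuple[float, str]]:
    """Constructed input: 'text' typed at a steady rate starting at 'start'."""
    return [(start + i * interval, ch) for i, ch in enumerate(text)]


# Constructed keystroke timeline (not captured data). Gaps of 18 s and 35 s
# separate three activities, mirroring the pattern of session 11 in the talk.
SAMPLE_KEYSTROKES = (
    typed("gmail.com\n", 0.0)
    + typed("Report about Torres Javier", 20.0)
    + typed("user@example.com\tp4ssw0rd\n", 60.0)
)


if __name__ == "__main__":
    for s in segment_sessions(SAMPLE_KEYSTROKES):
        body = build_upload_body(s, "kbd-01")
        print(f"session {s.session_id} [{s.started_at:.1f}s-{s.ended_at:.1f}s] -> POST body: {body}")
```

Two things the model makes visible that the slides only imply: the credential pairs end up intact in a single session because the user types them without a pause longer than the timeout, and the URL-encoding of tab and newline is what keeps the "username, tab, password, enter" structure recoverable on the server side. Raising `idle_timeout` merges neighbouring activities into one row; lowering it splits a slowly typed password across rows.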