 Hardware Hacking Village. Welcome to Boston's hacking scene. This is Red Hat's Westford office, birthplace of Red Hat Linux and Red Hat Enterprise Linux. I would offer to give you a tour but it's the middle of the night and there is literally no one here. So let's get started, shall we? As a way of introduction, I've had the privilege of spending my entire career in free and open-source software. These days I'm the Product Management Director for Chef Storage at Red Hat. Previously I was Ubuntu Server PM at Canonical and if you go back the decade I was the Systems Management Tsar at SUSE. This talk has nothing to do with my day job. I'm a manager these days but as a former embedded developer this is sort of my definition of fun. So the obligatory disclaimer is that we will most likely break some hardware while playing with it and it will come out of your pocket. No liability if you follow our instructions and stub your toe or bring about the end of the world or simply break your device which is far far more likely. So you have been warned with great power comes great responsibility don't do anything you should not. And since this is a hacking talk don't just obey the law but also be nice. Let's get going. We have 63 slides and two demos we will have to hustle a bit. So this talk is all about abusing the security assumptions we have made about USB devices. A security analyst posted the section of the most impressive device here which is actually one of the smallest ones. So logically I went around and started shopping for all sort of random things. The fanciest device is here in the Intel box. Every time we open it it will play the Intel jingle. Probably a horrible abuse of their trademark since there is something truly evil in there. But we're trying to keep it a little bit light since this is a fairly dark talk. Let's start with something much more benign before we go all dark and deep. This is something that was on sale on ThinkGeek. I think it was a Black Friday a few years back. There is a whole class of devices called a Neutron. Something you would lose in the cubicle of someone you don't particularly like. And every once in a while would make a chirping sound. Just to annoy them. Make a squeak. No idea where the sound came from. This is the computer version of that. It is actually pretty nicely designed. Not something you have to fiddle with to configure. Here there are switches. It is a USB device of course with a dial for time delay. You select the time delay and it will flip your caps lock. Tap the keyboard or move the mouse or all three. And this is perhaps the most benign of these things. Garrett Mace designed a smaller stealth USB caps locker about 10 years ago for an April Fool's Day. Or you could build an eight dollar one with a DigiSpark if you don't want to fiddle with Protoboard yourselves. Garrett's version may be less polished but it fit almost completely in the USB port. It uses an Atmel AVR 80 tiny 45 chip and has great educational value. As you learn how to run a USB stack right on the hardware. There is no OS here. Carrying out this attack is hideously simple. Obviously you can do it without any particular privileges. You just stick it in the back of the computer of your victim and when they log in it will have access. In some cases even without logging in because it is a keyboard. An HID class device to be precise. So it is a keyboard and or a mouse. This one is innocent enough but from there things get quickly worse. The HID class of the USB protocol defines human interaction devices. Keyboards, mice, game controllers and the variety of other low bandwidth devices like Magstripe readers which are really keyboards. These are all HID devices in the USB world. Thermometers, RFID readers, barcode scanners, even UPS batteries are interfaced as HID devices sometimes. At Princeton they actually taught a class about turning random hardware into an HID device as their class project. You can find the lectures online. One benefit of a well-defined specification like USB HID class is the abundance of device drivers available in modern operating systems. On the downside are the inherent trust keyboards are granted. And the possibility for USB devices to change their type or announce additional sub devices while plugged in. Combined with USB's default behavior of accepting any device that connects to it if there is a driver for it. So let's start looking at how we can exploit all this. The Tomo is a very small device. Also not meant to do anything evil. And it is basically the size of a UB key. You of course all know what a UB key is. It's a second factor device that basically fits inside a USB port. Tomo is a USB platform to prototype things like UB keys. The author explains that while a UB key costs around $50, a similar device can be built for $2 in parts. His intent here is to drive down the cost of second factor devices by an order of magnitude. But you don't have to build a UB key substitute with a Tomo. You have a microcontroller, so you can build pretty much whatever you want. The only thing is what do you have? You have a Cortex M0. So you are writing to bare metal. You're not writing to an OS. 8Ks of RAM, 64Ks of flash. Oh, and it's the first open source hardware association part certified in Australia. It's available from Seed Studio, so you don't have to go and assemble your own. And it has way more flash than a DigiSpark, 64K instead of 8. You don't have a whole lot of software or complex stacks here. But if what you're doing is USB and has a two button, two LED UI, you can basically build it here. This could potentially be a hidden device fitting inside a USB port entirely. On the other hand, there are much better platforms for an attack. Later, we will see one with four cores and eight gigs. But it is interesting to prototype this kind of UB key like application, limited interaction, but you could probably build your annoyatron with this platform. It also seems like completely interaction free devices are not as interesting, or at least not as malevolent. I guess things are interesting only when they cause trouble. So let's look at something that will cause trouble. So I plugged in the annoyatron and have access to your keyboard, either because the OS trust keyboards inherently and lets them in, or because I leave that plugged in, and when you log in, the device gets in. You usually need both to occur. Again, physical access is both necessary and sufficient condition to own the device. We have an entire industry of pen testers, and the gold standard for them is a keystroke injection tool disguised as a USB drive. Which is this, the rubber ducky. The USB rubber ducky is the original keystroke injection attack tool. 10 years old, also the hardware has been updated. While it looks like a USB drive to us, it acts like a keyboard when talking to the US, and typing over 1000 words per minute. Especially crafted payloads written in a custom scripting language mimic a trusted human user while entering keystrokes at superhuman speed. It is named this way because if it quacks like a keyboard, then it must be a keyboard. You have the shell. You can just type your way to success. You don't need a crafted zero day overflow, whatever. You just type on the shell. And from the keyboard in Windows, you can always get a shell with Windows R in case you don't have one. This is the full rubber ducky kit in its current version. First and third are parts to assemble it into a standard USB thumb drive case. Well, standard a few years ago. Now they look different. The second is meant to enable keystroke injection into a micro USB device, effectively enable enabling HID attacks on Android smartphones. Then we have a USB adapter to load payloads into a micro SD card. You put the SD card into this adapter, then load the attack script and then put the SD card back into the ducky. And then we have the core rubber ducky device itself closing in on the hardware. On the left is the micro SD card slot that conveniently lets you swap a library of premade payloads without having to load them every time. The replay button is in the center of the shot. This is convenient during development to avoid having to remove and replug the USB drive all the time. Your fingers will thank you because the edges of the board are pretty sharp. Not nice to have to grab a PCB with your fingers. But it's also good on the device so you don't stress the solder joint of the connector continuously until you break it. The use of the button can also be redefined, although the button itself is not accessible from outside the case. Finally, the LED up top lets you know when the payload is running green when it works, red when an issue is detected. And again, the LED is also concealed when the case is closed. On the flip side, we have the Atmel AVR CPU powering the device and some support electronics. The pins on the left side should be a JTAG header, but I have never seen them used so I'm not 100% sure. The specs. The system is AVR powered. While it is not an Arduino in practice, it resembles it in many ways. The internal flash and RAM make board bring up simpler. If you are an embedded developer, you know what I'm talking about. And the potentially unlimited mass storage via the SD card interface make it extremely flexible in the kind of payloads it can carry. The LED can flash in multiple colors, signaling execution state or error during development. JTAG and GPIO access combined with the standard Atmel DFU bootloader make this a potentially modable platform. But we haven't seen much hacking in terms of modifying the Ducky itself, because it is not a particularly cheap device. We usually see clones being developed instead. So look, it's a keyboard. This is how Windows sees it anyway. This is how the USB thumb drive looks like when you actually plug it in. Not that anybody is looking. This is a Windows 10 system at the latest update level. All that Windows is going to do is warn you that it is configuring an existing driver. You may see an overlay the first time, but it does not ask for permission. It does not ask for anything. And that one time warning message automatically dismisses itself. So by now, we have all understood that we have a rogue keyboard to do our bidding. But what can we do with it? There are three primary attack vectors to be concerned with. The first is file exfiltration. That is copying files to a remote web server. The Ducky is a keyboard. You don't copy files to a keyboard. So the keyboard, the Ducky is instructing a system to copy files to a remote drop in some bad part of the Internet anonymizing the attacker. A second attack in the Windows environment, exfiltrating domain credentials and passwords is the default target. Even if encrypted, these are prized target. As the attacker can brute force them off site. And you can always get Wi-Fi passwords while you're at it. These are already in the clear in Windows. Just ask them for them with the net show command and Windows will tell you. A third attack vector is initiating a reverse shell. And the Ducky can start a reverse shell in just three seconds, beating any human user at this task. All this stuff usually targets Windows. I am not a Windows guy. So I had to build a little dedicated setup here in my lab with these Acer $100 machines that could be infected with all the horrible stuff we will see today. I have built automation to reimage to a known clean state. It has taken me forever as I'm not a Windows wizard. I guess I learned something about Windows backups, which may be useful someday. But the reality is that some of these devices like the rubber ducky have a company behind them. There is a reputation to defend. But others come from nameless sellers on Alibaba or eBay. Some devices we will see are simply scary. Some are even known to phone home to unknown remote servers for reasons that so far were not determined. In any case, to show this, we need to change OS. So Windows here we come. Where is the Ducky? So I'm going to show you a payload that I call Setic Astronomy, which is preloaded on my rubber ducky. It looks like it's loading. And this is an example payload of effectively just going to a webpage. You insert the key. It just fires off a browser and goes to download a gift from my personal account at Red Hat. And this is something that those of you that are familiar with the movie sneakers will recognize. So the first time you plug this in Windows 10 will show a pop up, setting up HCI device. No confirmation or action is required. The Setic Astronomy payload effectively just opens a webpage. It doesn't start a browser. It tells Windows that it wants to open a webpage and the my type resolution for Windows does the rest. It sees that Chrome is the default browser here. So it opens Chrome and and it loads it. So let's look at what the payload actually is. Here, we'll see the source code. So Ducky code is a scripting language for keyboard input. It includes pauses, modifiers, things like control or Windows key string input. It is all very simple, but not in a naive way. It was designed to be easy to use great UX. The delay instruction is important since USB rubber Ducky has the capability to start injecting keystrokes as soon as it receives power from the bus. And while USB is capable of receiving the keystroke frames, the operating system may not be ready to process them. Most likely it is not ready. The other aspect is that you're typing blind. It is more akin to spear fishing. You have to make a reasonable guess as to what is happening on the other side, OS and application wise, like betting that they're running Excel or knowing that the target is Windows. In this case, we are assuming Windows 95 or newer, which seems like a pretty large fishing pool. Let's look at another payload. So we have the hello Defcon. It's another very minimal thing. So this one will open a file and type some text into it. Nothing, nothing particularly complex here, but we want to show how the process works. So you need to encode the ducky code into into something that the interpreter on the ducky itself can run this inject.bin file and to compile that you need an encoder. Several encoders exist. I am partial to the online one because it's convenient. It should be ducktoolkit.com. And what you do is that you load here the code that that we're looking at. So like so. And then you just encode, encode the payload. And you download the file. There are other encoders that can be run locally. I believe there is one that's Java based. Most of the tool chain is available. Large chunks of it are also open source. I don't like to rely on outside tools while doing the presentation. So I have the encoded file already here. How do you load this? So we have to remove the SD card from the ducky itself. Put it in the device that makes the SD card up here as a storage device, not a keyboard. Load the inject bin into the SD card. This is a drive. So it behooves us to eject it properly. And then we put the SD card back into the ducky and plug in the ducky. Really, most of the time of the code was spent in waiting. Waiting to make sure that the US was ready to take the text. Here we're just scratching the surface. Payloads can be optimized, hardened, obfuscated, and the library of payloads that have already been written exists out there. This device is a community. You do not need to build payloads. There are collections, which is unfortunately ideal for script kiddies. Basically, a thousand words a minute of whatever nastiness you want to put it in there. So be nice. In an unprecedented feat of cinematic accuracy, the rubber ducky was apparently featured in an episode of Mr. Robot. Who knew Hollywood could get hacking right even once? Plug this guy in, wait 15 seconds, then yank it, okay? Thanks to a tool called Miming Cats. It will pull all the cash passwords and domain info. It's a rubber duck. It's close enough. Almost correct. I'm not sure what happened there, but seems good to me. These are backup slides showing the hello payload in case Windows decided not to work. So we're going to skip them. And then there is the rise of the clones. According to what I shall hereby call the Wally law of ecosystems. In an open system, success will bring what commercially are freeloaders. It is a good sign for a healthy business. And here it results in hardware clones using the same or similar tool chains. The micro duck is a stealthy HID injector that can fit in the USB A port itself. While Thomas's project is a $3 clone of a ducky built using the DigiStump DigiSpark platform and a tool called duck to spark. This kind of development shows how active and vibrant the rubber ducky community is even after a decade. This is an incredibly popular tool. A more recent take on key injection was released not long ago on crowd supply. Commissioned by Kevin Metnick for a conference keynote and implemented by Olaf Tan and Dennis Go. This is a redesigned ducky. The payloads in this case are written in Arduino. Bootloader access within the cable can be triggered by a magnet. And the Bluetooth remote endpoint is also available. This is effectively indistinguishable from a standard Apple charging cable. But equally nefarious micro USB versions are available. So what do we do to counter these attacks? What we can do is something like this. And this is basic USB security. This is a device called SyncStop. As a CIO, you can buy a bucket of these. Order that everyone use them. Don't worry, they still won't. This is a device that cuts the data lines of a USB connection, preventing data siphoning at charging stations. Now known as the juice jacking attack. So if I'm charging anything at the airport's USB charging stations, it goes through this. So I'm getting only power. If I'm plugging any of the rogue devices that we're going through into my system to charge it, it goes through this. So there is no data connection period. Good luck hacking me through the voltage. I'm sure that will figure that one out at some point, but they're not there yet. At least I hope. That seems like basic profile access. It is not always practical, however, because it is stopping devices providing you power from adding data. But while in a lot of cases we just want power in equally large number of cases, we need a data connection. This is a bus, not a battery charger. A more customizable approach could be built with a device like the USB safe too. Conceivably, when you control the firmware, you could choose what behavior to respond with. You could decide to filter on the class of the device, the HID, the ID of the device or some other property like its serial number. The current device protects from excessive voltage limits to preset levels, and most interestingly sets in software the data protection mode. This means we can choose where the data lines are connected or blocked in software, which is why I'm saying this could be interesting to build something more complex on. This is an interesting concept, but it would still take a serious amount of effort, and if value can be demonstrated, maybe it's possible. You would need to add a full USB stack here, not a trivial exercise, and the hardware would need revving up. Since pretty much every time I speak about this topic, someone asks me what I would do, well this is where I would start. So let's look at the device a little bit more. The USB safe is also interesting to monitor what is actually going on in a USB chain. As it has independent LEDs for data and power lines, you can see them here at the USB A side of the board, up top and on the bottom. The board is a two-layer sandwich. The LEDs are in the bottom layer. The single button up top in the middle of the picture controls both the current level set and the data pass through or blocking behavior. One is a toggle, while the other is a press and hold, and these modes are conveniently stenciled on the back. By the way, I don't think this will protect your electronics from a deliberate USB killer type of attack at 200 volts, but it will definitely help while developing your own electronics as it stops over voltage up to 15 volts. So an accident would be stopped, not a deliberate attack. Another company called Capable Robot has announced a programmable USB hub that has the ability to switch on and off power and data lines from software. They meant it as a way to plug and unplug misbehaving peripherals on a robot or for hardware testing. Depending on actual software implementation, this may be closer to what I was describing when it eventually ships. Of course, blocking by device ID, vendor ID, or serial number can be bypassed by any attacker privy to your security policy and willing to craft an attack just for you. So to stop that, we need cryptographic certificates, which in turn require a managing authority actually willing to revoke the chain of trust of rogue players. This is a thorny problem with lots of bad karma to be earned for the general solution, but if you're trying to manage just your local problem, you can essentially have a white list of devices that are allowed and block everything else. Perhaps that's the most plausible approach at this point. Another device getting even fancier here is called Piso. A similar thing, but instead of being a pass-through, this is a USB storage device. You have three buttons and a tiny OLED screen. Basically, it is a tiny Linux computer geared to providing more flexible storage than a plain card would. It is built on a Pi Zero, so it cannot provide the USB on-the-go behavior of switching between host and device, but it is still quite interesting. It comes with a kit of screws and you can combine it with a Pi Zero to produce a working computer. A super flash drive built on Pi Zero. It comes with a hardware kit to screw on the Pi. In some versions it includes a 3D printed cover to make it more robust for everyday use. I have not found an application for this yet, at least not an evil one, but here's an interesting idea. A demo application, press button one, provide the Arch Linux ISO. Select option two, now it's an Ubuntu boot ISO. Option three, now it's Fedora. It is cute. Conceptually it's like the Tomu we have seen earlier, but now we're higher up the stack. We have all of Linux, not just the bare metal environment Tomu provided, and obviously it's more powerful and has more storage. But it is the same button plus USB interaction model supplemented by a tiny screen so it can talk back to you. At least a little bit. Now let's go back to evil things where we left the ducky. For pentesters the solution is to get in. That's what they are paid for. They have a contract to do it. Put a few plans on the right machines and when some of you log in the morning, they are in. Besides your machines are not patched. It's too easy. It's like shooting fish in a barrel, but it gets worse. At some point someone realized that different classes of USB devices have different inherent permissions. For example, a storage class device may get different access from a network card. Enter the bash bunny, the grown-up sibling of the rubber ducky. This one, same vendor by the way, can do the on-the-go behavior we were discussing just a minute ago, but on steroids. This USB stick can show up as a storage device and a minute later it is a network card and then it can become a keyboard. It keeps connecting and disconnecting to change the driver it talks to as needed. Because different driver classes have different capabilities and different implicit granted trust. What is absolutely amazing to me is that in our industry where basically no one can get UX right, basically you work for Apple or your product sucks. Usability-wise these security products are amazing. They're actually really easy to use. I don't understand why they can get UX right and no one else can, but this is amazing to me. The specs on this hardware are also absolutely impressive. Quad core CPU, half a gig of RAM, 8 gigabytes of storage. An interesting additional attack vector enabled by the bash bunny is to show up as a network device. Plug-in advertises a very fast route with fantastic metrics. You can do this so that the right network driver is already there in Windows. No need to get approval for a new driver. Now you get the system to route all network traffic on the machining to this fake network that promises to be faster than anything else out there. Where you can inspect the network traffic before forwarding it out through the normal interface that actually is connected somewhere. So it actually reaches its actual destination. You're inspecting all of the machine's network traffic but no one monitoring the corporate network ever ever sees what you're doing because it is happening on local host. These are exploits that have already been written for the bash bunny so you do not even need to put in the effort to code them. Which is scary. You get in the network path as the default route then you're nice and you let them see the internet but just so that they don't notice you're there. A different take on the theme is the Cactus WHID. It includes a Wi-Fi access point so your HID attack is no longer blind. We're looking for all intensive purposes to a hardware remote shell. Note the case it ships with. Once locked closed it cannot be opened without breaking. It ships open for inspection which is great for our pictures. As you can see the Wi-Fi part of the device is powered by the inevitable ESP8266 and to facilitate the process of weaponizing USB gadgets you can wire another USB device's pins to the pads on the bottom left here. The new attack vector here is that you get a USB powered knickknack like a plasma globe or a nerf gun turret and wired data lines to this. Pass through the power from the host device you're parasitizing so that there is also power and then the attacker will mail this as a present to the target. Now you have a plasma globe with a big company name on it it is basically a social media exploit without a social. You just mail it to them. So beware unexpected devices in the mail they are the new hardware enabled spearfishing. This already sounds bad enough but fear not it gets worse. And now this one is actually rather outrageous and it is making me lose faith in the concept of computer security as a whole to be honest. Why bother hacking you with a device if I can hack you with a cable? From the picture it looks like it is a big cable but it is actually a rather tiny cable and yeah it has something at its end. This something is actually a GSM phone. It gets power from the USB connection so this is potentially a phone with an infinite battery. The device itself is marketed as a location tracker usable in cars where a thief would not be able to identify the USB cable as a location tracking device. This is utter nonsense. The device has poor tracking precision you would never find the stolen car and makes no mention of tracking in its packaging so is it a device to protect your car? No it's a high speed data and charging cable it says so right there. I also want to highlight how the packaging is also designed to be opened and closed without trace. Not something you usually see. This is because you need to add a SIM card to the cable to make it active. In this manner the cable can be delivered to the target still in its packaging. It gets worse. Didn't I say it would? It does! You can buy this monstrosity for 9.85 on eBay. Free shipping of course. Are we worried yet? Okay let's all take a deep breath. What in the heck is going on here? This is not only evil it is also cheap. You would think that if you use this to spy on someone at least in the United States you would go to jail for unauthorized wiretapping but the device is effectively just a phone in a ridiculous form factor so it's probably legal for Amazon and Alibaba to sell it. Corey Doctorow calls it trickle down surveillance because this is apparently a low quality low cost copy of a device the NSA had on their leaked tailored operations catalog code named Cottonmouth. The cable itself looks like this a ribbon USB cable with a USB-A connector on one end and the micro USB on the other. Some folks have pictured it next to an amazon basics charging cable and the size of the connector is frankly not that strange. You can come here to my office to see the cable and judge for yourselves if you want. In the meantime trust me it does not stand out much. Until it is fielded for use and the casing is super glued shut as one does the cover slides off to reveal a small board. This is a GSM listening and location device hidden inside the plug of a standard USB data charging cable. It supports the 850, 900, 1800 and 1900 megahertz GSM frequencies. It's a quad-band phone. The cover of the USB-A slides off so you can add a micro SIM card in the slot. The end cap of the USB-A plug locks in place so that folks do not find out accidentally there is a phone in the cable you have given them. It can do a bunch of things. It can track the location of the cable. It does not have GPS so it won't give you too precise a location. We're looking at tower triangulation with a service like skyhook wireless or the carrier's advertising data facility. I'd say we're looking at roughly a mile plus or minus in precision with a more densely populated area likely delivering better resolution. It has a microphone. It can listen to what you're saying. It has a collection of AT commands so that you can configure it. It can send text messages to tell you where the cable is. You can text to the cable to change its mode of operation and it even has a decibel trigger mode. It can call you when it hears a sound over 40 decibels so you can listen to what's going on. The chip is a MediaTek CPU that does not have a published spec sheet. It is believed to be a chip designed for low-cost smartwatches. There is a cellular port that shows the initial bootloader sequence but once it goes past the bootloader it is no longer configured. The kernel does not post messages there. This device has undocumented commands that nobody knows what they do and sends packets to China in places that we do not exactly understand but presume are used for the geolocation service. Never ever plug this device into any computer unless it is a secured lab facility. Here is the view inside the case. At best as we can tell USB lines bypass the device itself and go back to the cable. Save of course for stealing a little bit of power off the wire. The mini SIM card reader is in the center. This device is quite finicky about the SIM cards it will accept. On the right you can see the electric microphone commonly found in any standard USB charging cable. Not. On the flip side we find the pads to the serial port conveniently labeled. The MediaTek CPU is in the center stage. The device is actually rather hard to demo because of the decommissioning of GSM networks in the United States. This is a problem I've run into several times since I started researching this four years ago. Initially AT&T still had a G2 network but that is long gone. I thought I could get around it using T-Mobile but despite multiple attempts I could not recently get the device to join their network. It is somewhat hard to debug as it is a headless unit and the serial does not output anything past the bootloader. First I thought it was the limited antenna and low transmission power but going outdoors did not help. I tried checking for a SIM pin but that was not the problem either. So here is what you would have seen. The cable is in use meaning it is powered. It should not matter if a battery or a wall power source is in use. We can now do multiple things. The coolest of these is making a phone call to the cable. The hacker over there knows the phone number of the cable and she dials it. On this side the cable picks up the call and starts sending back what the microphone can hear until we hang up. Not bad eh? But this hacker is a trendy one and she texts the implant next. After the hacker sends the three letter command LOC in a text message to the same number she will get a text message back geolocating the phone to a city in the world Westford, Massachusetts and including a link to a page on a site called gpsui.net showing a map of the approximate position with roughly one mile accuracy. Another interesting text message is one one one one four times one. This activates a mode in which the implant will call the attacker back if the noise at the location exceeds 40 decibels. Perhaps a conversation is on their way. A security analyst named Mitch dissected the implant three years ago and published a long report. Lots more details in his right up. So in closing don't. Obviously doing any of this is in violation of U.S. laws requiring two parties to be aware a call is going on or both parties having to consent to a conversation being recorded and probably a bunch of other things. Please don't do anything like this. It is a crime in most U.S. states. Clearly we have rules about this not being acceptable behavior but what is changing is that folks willing to break the law can do so with a very low barrier to entry namely $25 on amazon or ebay. Before you had to go to some black market purveyor of illicit goods and to find out who they are in the first place. Drive up to some strange place in New Jersey and purchase some bugs from backside of Tony Soprano's restaurant. Now you can go on Alibaba and have them express delivered to you. I'm not impressed this is not what the future should be like. So let's go back to the security aspect. We were joking about the fact that it was easy to break in but realistically this is physical access. If we have a device like we can do things to it we can also do it over wi-fi okay that hardly matters. What matters is that this brings the last USB key attack to a new level. In a military base people are trained to shoot on site when they see a USB key but in a company setting people are much more lax. I'm amazed the sort of thing exists and is being produced on any scale. I paid almost nothing for this device. Something to be on the lookout for if you work in any sort of operational capacity in a security sensitive industry but it's so cheap that where is the barrier where is the limit where is the effort. So let's put it in economic terms or in MBA terms let's dump it down a little. Things change when you drop the cost of something by a factor of 10. Think of the Raspberry Pi. We went from $300 computers to $30 computers and then the Pi zero showed the right kind of thinking and did another almost 10x drop to $5. This cable is dropping the cost of data exfiltration or surveillance or covert activity industrial espionage to the point where everyone can afford it. I'm not going to say we do not have bigger problems but this is not nice. Cheaper industrial espionage is not in the positive column of the progress ledger. This is why any place that has any kind of real security should be pouring glue in their USB ports. There is just no way to offer a reasonable solution. You can put locks in the USB ports and attackers will find a way to break those or your employees will circumvent them for the attacker out of convenience. The only real solution to make USB safe is not to use it. Barring that you need to work to limit the blast radius of a breach. The only reason why USB security is not a bigger issue today is that we're so bad at network security that it is easier and cheaper to exploit you remotely. That is not what I would call a comforting thought and maybe really there is no hope but I choose to remain an optimist. A reminder use a sync stop or any trusted brand of these or a device that you could inspect yourself. Here is a little story. This is the reconstruction of a tweet that was posted at scale 16 in Pasadena. Someone ran to their session in such a hurry that they forgot a charger on the main hall. You know the hallway track where we all say hi. The conference twitter lit up with folks thinking this was a honeypot. So perhaps there is hope after all. On that thought that is what I have. This ends the USB hacking 101. I hope some USB hackers better than me are in the audience and you can teach me new tricks in the live chat session. Point out devices I left out, ideas, thoughts, bring them on. We can make this talk even better in the next edition. Here is my contact info. You can find me on Twitter, send me email. If you see this recording later and come up with ideas or questions please send them to me. Remember that speakers are Pavlovian devices so if you like the talk please let us know. So I am available for questions online and discord if you have any and thank you so much.