The Curse of Convenience: How Plug and Play became Plug and Pwned

“Would you believe me if I told you that your grandmother may have been the perpetrator of the world’s first cyber-weapon? In a culture of convenience, can we strike a balance between the need for convenience and the need for security?”

With that Darren Kitchen (@hak5darren) launched the second day of AusCERT 2016.

As the creator of the internet TV show Hak5, Kitchen was a 90s phone phreak and now works in the media and as a penetration tester. He has learned that the trust built into systems can be broken by some relatively simple lies.

His presentation started with a look at Stuxnet - the world’s first cyber-weapon.

By targeting the Siemens PLC devices that controlled centrifuges in Iran’s nuclear enrichment facilities, the attacker was able to compromise the safety of the facility. Kitchen says it’s been established that the US and Israel perpetrated the incident. But Kitchen says the other, unnamed perpetrator was his grandma.

Darren Kitchen speaking at AusCERT 2016

The age of convenience

In the 90s, grandma could send email, read an encyclopaedia from CD-ROM and browse the world wide web. But then came time to print. Setting up the printer was too hard. And so came plug and play.

“Everything was becoming plug and play. Grandma plugged in the set-up CD-ROM, pressed a few buttons and the printer was set up,” says Kitchen.

The issue was one of trust: the operating system would trust that whatever was in autorun.inf was safe to run. This created an opening for manufacturers, who could pre-load software on other removable storage devices such as USB drives, and that opening became an opportunity for malicious parties to install malware.

Kitchen, however, saw an opportunity. In the 90s, when he worked in support, he used USB storage devices to automate a number of support tasks, because operating systems were designed to trust specific devices.

Darren Kitchen speaking at AusCERT 2016

Violating the trust

Kitchen developed what he called the “USB Rubber Ducky”: an OS-agnostic USB device that takes advantage of the Human Interface Device (HID) standard to pretend it is a keyboard, allowing him to remotely control any computer it is plugged into.

The USB Rubber Ducky looks like a USB thumb-drive and can enter commands at a rate of 9000 characters per minute.

“It was like I was 13 again, entering a program into a computer like it was BASIC at superhuman speed,” said Kitchen.

The same mechanism can be used to hack smartphones with a USB interface through a brute-force attack on all the four-digit PIN codes from 0000 to 9999. It can even be programmed to cope with the delays built in by software makers.

The same mechanisms can be used to automatically connect devices to WiFi networks.
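A defender-side check that follows from the typing speed quoted above, added here as an example and not code from Kitchen's talk or from Hak5: a keystroke-injection device types far faster than any human, so key-event timestamps (constructed below) can be scanned for bursts whose inter-key gaps no typist could produce. The human-rate threshold and minimum burst length are assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds for this demonstration, not figures from the talk:
# a fast human typist rarely sustains more than ~10-15 keystrokes/second,
# while the Rubber Ducky's quoted 9000 characters/minute is 150/second.
HUMAN_MAX_KEYS_PER_SEC = 15.0
MIN_BURST_LEN = 20  # ignore short fast runs such as key auto-repeat


@dataclass
class Burst:
    start: float  # time of the first key in the burst (seconds)
    end: float    # time of the last key in the burst (seconds)
    count: int    # keystrokes in the burst

    @property
    def rate(self) -> float:
        """Average keystrokes per second across the burst."""
        span = self.end - self.start
        return self.count / span if span > 0 else float("inf")


def find_injection_bursts(timestamps, max_rate=HUMAN_MAX_KEYS_PER_SEC,
                          min_len=MIN_BURST_LEN):
    """Return runs of at least min_len keystrokes in which every gap between
    consecutive keys is shorter than a human could type (1 / max_rate s).
    timestamps: key-down times in seconds, sorted ascending."""
    max_gap = 1.0 / max_rate
    bursts = []
    run_start = 0
    for i in range(1, len(timestamps) + 1):
        # A run ends at a human-paced gap or at the end of the event list.
        if i == len(timestamps) or timestamps[i] - timestamps[i - 1] > max_gap:
            count = i - run_start
            if count >= min_len:
                bursts.append(Burst(timestamps[run_start], timestamps[i - 1], count))
            run_start = i
    return bursts


def sample_events():
    """Constructed key-down timestamps: a human typing 11 keys at about
    6 keys/second, a two-second pause, then a 60-key payload injected at
    150 keys/second (the 9000 characters/minute quoted above)."""
    human = [0.17 * k for k in range(11)]
    inject_start = human[-1] + 2.0
    injected = [inject_start + k / 150.0 for k in range(60)]
    return human + injected
```

Calling `find_injection_bursts(sample_events())` returns the single 60-key burst at roughly 150 keys/second while the human-paced keystrokes produce no alert; feeding it real key-event timestamps from an input-monitoring source is the practical deployment.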

Darren Kitchen speaking at AusCERT 2016

What we want

“We don’t want to inconvenience users,” says Kitchen.

An example of how this can cost users dearly is the way we connect to WiFi networks. When we connect to a new public wireless network in a coffee shop or shopping mall, we are automatically directed to a landing page. That same mechanism can be used to direct users to any web page, violating our trust.

Even the loss of wired Ethernet connectors on our computers can be a point of vulnerability.

In specific situations where latency is a problem for a wireless connection, users fall back to USB Ethernet adapters, and those adapters can be compromised.

Kitchen showed adapters with malware embedded in the controller so that hackers can remotely access computers. Not only do these devices provide network connectivity, they can also use the HID interface or other standards to give attackers access to all sorts of systems.

“They are the hardware man-in-the-middle. All this exists just for convenience,” he says. “All it takes is a little lie. And we have grandma to thank for this. We need computers to be convenient. We need plug and play.”

Back to Stuxnet

Stuxnet caused the centrifuges to spin to the point where they self-destructed. But why didn’t the system operators stop this?

“They were told a simple lie,” says Kitchen.

The operators believed the devices were working correctly because that is what their systems told them. They trusted the information on their terminals.

Security is hard

Kitchen says the key is to make security easier. “Where security meets convenience, things get really interesting,” he says.