BSides Toronto 2020

Profiling Bad USB Attacks
2020-10-18, 10:00–10:40, Twitch

As of April 2020, 59 percent of the global population uses the Internet and a very small fraction of these people know that BadUSBs aren't restricted to mass storage devices with infected files on them. Today, there are normal-looking USBs that are capable of running malicious programs to exfiltrate most critical data on a computer without a single mouse click. All that needs to be done in order to achieve this is, be connected to a USB port. In this paper we will talk about the capability of a device called WHID (Wi-Fi injector) and what can be done to detect and investigate it.

Over the past decade, the distinction between conventional warfare and cyber warfare has blurred due to an evolution in cyber-attacks. One such notable development involves the exploitation of USBs to disrupt computers and launch attacks. The most primitive attacks involved small programmable boards that could be connected to a USB port in order to send keystrokes to a machine. The devices get connected as Human Interface Devices or HID (example: keyboard) which are pre-programmed to run malicious scripts. In their latest avatar, the requirement for pre-programming these devices has been eliminated altogether. WHID is one such device.
WHID, or Wi-Fi HID Injector, was designed by Luca Bongiorni in 2017 with an intention to launch remote HID attacks. It has programmable boards that can either be pre-programmed with malicious scripts or can be programmed on-the-go, since they are Wi-Fi enabled. It is the latter that makes this device a lot more dangerous than its predecessors.
There is an abundance of online resources on how WHIDs can be utilized to compromise enterprise networks. However, there is a scarcity of content which considers the Blue Team perspective - what artifacts and traces are left behind by these devices. Our focus on this very aspect: the artifacts and the data sources that can be leveraged to improve detection of BadUSBs (WHIDs) in an enterprise environment.

Anitha A is a Senior Information Security Analyst with the Cyber Security and Incident Response Team (CSIRT) at Target. Before joining Target Corporation, she worked with Cognizant SOC, she has over 5 years of work experience, primarily in Incident Response and SOC environments. Her strong suit includes Windows host-based analysis with a special interest in Bad USB Forensics.

Payal R K is a Lead Information Security Analyst in Target's Cyber Security Incident Response Team (CSIRT). She joined Target Corporation in 2018 and currently leads the CSIRT India team as an Incident Handler. Payal has a strong skill set which includes conducting host-based and network-based analysis. Before joining Target, she was a Security Analyst at VMware India. During her time at VMware she had an opportunity to speak at Grace Hopper Conference India, 2016 on the topic "Sniffing using Dsniff”.