Watching a USB Hack in Action Makes Me Never Want to Leave My Computer

By Eric Limer

Remember BadUSB, the pervasive and unfixable security vulnerability that turns every USB device into a vector for attacks against just about every computer? The one that's out in the wild now? I always knew it was bad, but this video really brought it home for me and now I want to fill up my USB ports with cement.

USBdriveby is an exploit by Samy Kamkar which basically just destroys OS X machines it gets plugged into so long as they are unlocked. The concept is pretty hilariously and terrifyingly simple: when a USBdriveby device (a roughly thumb-drive-sized micro-controller attached to a USB port) gets plugged into an open port on a Mac, it immediately identifies itself as a mouse and keyboard and starts going to town. It opens the terminal, messes with network settings, installs a backdoor, and then tidies up after itself in about a minute. And while it's at work, the screen looks possessed.

OS X isn't completely vulnerable to attacks like this: some of the more important settings refuse to be changed with just a keyboard. But Kamkar found ways around this with clumsy but effective blind mouse movements. At least if the computer is locked, you're still safe. The example here is based on OS X, but Kamkar says it'd be easily portable to Windows or Linux.

It's unsettling, but the really troubling part is the context: USBdriveby just emulates a mouse and keyboard and abuses a computer's willingness to take a device that identifies as a USB mouse or keyboard at face value. If you saw this going on in front of you, you would know something is up. BadUSB is much more nefarious. It can do things like masquerade as a network device or embed itself in your friendly USB charging cable and then silently inject an invisible virus the next time your computer boots.

As for the USBdriveby hack, you can actually pretty easily protect yourself just by locking your computer, but it's not so much USBdriveby that's scary as it is all the other things out there that are like it but better. Hacks designed by thieves and cyber-criminals who don't share their plans on YouTube or wear micro-controllers around their necks (cool hack but that's nerdy as shit, bro). It's a scary world out there, so just be careful where you leave that laptop and what you plug into it. [Samy Kamkar via Hacker News]