WEBVTT

00:00:00.000 --> 00:00:06.820 align:middle line:90%


00:00:06.820 --> 00:00:10.060 align:middle line:84%
In this video, we're going to be
going over some physical attack

00:00:10.060 --> 00:00:11.330 align:middle line:90%
scenarios.

00:00:11.330 --> 00:00:14.890 align:middle line:84%
So the first one we go
over is USB attacks.

00:00:14.890 --> 00:00:18.340 align:middle line:84%
So in the first picture here,
we have the USB Rubber Ducky.

00:00:18.340 --> 00:00:21.730 align:middle line:90%
It's an Arduino device from Hak5.

00:00:21.730 --> 00:00:23.160 align:middle line:90%
It's pretty sophisticated.

00:00:23.160 --> 00:00:26.110 align:middle line:84%
It's a very clever device, and
if you ever watch Mr Robot,

00:00:26.110 --> 00:00:29.390 align:middle line:84%
you probably saw this
type of attack before.

00:00:29.390 --> 00:00:32.060 align:middle line:84%
So we're going to get
into the USB Rubber Ducky

00:00:32.060 --> 00:00:35.120 align:middle line:84%
in more detail in
a moment, but I

00:00:35.120 --> 00:00:37.440 align:middle line:84%
do want to bring up
USB drop attacks.

00:00:37.440 --> 00:00:40.700 align:middle line:84%
So a USB drop attack -
again, referencing Mr Robot,

00:00:40.700 --> 00:00:44.284 align:middle line:90%
one of my favourite shows.

00:00:44.284 --> 00:00:48.550 align:middle line:84%
In one of the episodes, Darlene
was trying to get information

00:00:48.550 --> 00:00:49.700 align:middle line:90%
from the police department.

00:00:49.700 --> 00:00:52.750 align:middle line:84%
So she took a bunch of USB
drives, put a payload on it,

00:00:52.750 --> 00:00:56.470 align:middle line:84%
and just scattered it in
the police parking lot.

00:00:56.470 --> 00:01:00.970 align:middle line:84%
So this attack, while that was
a little extreme in the TV show,

00:01:00.970 --> 00:01:04.670 align:middle line:84%
it would be pretty suspicious
that a bunch of USB drives

00:01:04.670 --> 00:01:07.360 align:middle line:84%
are just laying
in a parking lot.

00:01:07.360 --> 00:01:09.655 align:middle line:84%
Typically what will
happen is a person

00:01:09.655 --> 00:01:13.330 align:middle line:84%
will leave a USB drive
down, or hopefully someone's

00:01:13.330 --> 00:01:15.875 align:middle line:84%
going to notice it, and
you could do other things.

00:01:15.875 --> 00:01:17.500 align:middle line:84%
Like if you really
want to entice them,

00:01:17.500 --> 00:01:21.130 align:middle line:84%
you can put payroll, or Bitcoin
wallet, or things like that.

00:01:21.130 --> 00:01:22.540 align:middle line:90%
Put it on the ground.

00:01:22.540 --> 00:01:24.610 align:middle line:84%
Typically, these will
have some sort of payload.

00:01:24.610 --> 00:01:27.490 align:middle line:84%
So when you plug it
in, it'll do something,

00:01:27.490 --> 00:01:29.890 align:middle line:84%
or it might even look
something as simple

00:01:29.890 --> 00:01:33.200 align:middle line:84%
as a photo, or a PDF, an
Excel file, or whatnot.

00:01:33.200 --> 00:01:34.940 align:middle line:84%
And again, it will
have the payload on.

00:01:34.940 --> 00:01:36.700 align:middle line:84%
So when someone
tries to open it,

00:01:36.700 --> 00:01:39.260 align:middle line:84%
it'll unleash the payload which
can be a number of things.

00:01:39.260 --> 00:01:43.630 align:middle line:84%
It could be an
encryption scenario

00:01:43.630 --> 00:01:47.090 align:middle line:84%
where now you have ransomware on
your network, in your computer.

00:01:47.090 --> 00:01:51.970 align:middle line:84%
It could be a wipe out your
system, a silent connection

00:01:51.970 --> 00:01:55.420 align:middle line:84%
that connects in and
starts snooping on traffic.

00:01:55.420 --> 00:01:58.480 align:middle line:84%
It could be reverse connection
back to someone's computer

00:01:58.480 --> 00:01:59.125 align:middle line:90%
and whatnot.

00:01:59.125 --> 00:02:02.200 align:middle line:90%


00:02:02.200 --> 00:02:05.970 align:middle line:84%
Now, while this is
horrible, your antiviruses

00:02:05.970 --> 00:02:07.010 align:middle line:90%
may pick this up.

00:02:07.010 --> 00:02:11.400 align:middle line:84%
Hopefully it will pick it up,
malicious traffic like that.

00:02:11.400 --> 00:02:15.900 align:middle line:84%
The more dangerous device
would be the USB Rubber Ducky.

00:02:15.900 --> 00:02:20.110 align:middle line:84%
And again, it was
shown in Mr Robot.

00:02:20.110 --> 00:02:22.840 align:middle line:84%
When it was plugged in and
ran Mimecast which created

00:02:22.840 --> 00:02:24.940 align:middle line:90%
a reverse connection back.

00:02:24.940 --> 00:02:28.450 align:middle line:84%
And we're going to take a look
at why this is so dangerous.

00:02:28.450 --> 00:02:32.080 align:middle line:84%
So the USB Rubber
Ducky is, again,

00:02:32.080 --> 00:02:34.420 align:middle line:90%
an Arduino device by Hak5.

00:02:34.420 --> 00:02:38.470 align:middle line:84%
When you put the case on, it
looks like any other USB drive.

00:02:38.470 --> 00:02:41.470 align:middle line:84%
When it plugs in, it's
recognised as a HID device -

00:02:41.470 --> 00:02:42.890 align:middle line:90%
a human interface device.

00:02:42.890 --> 00:02:45.130 align:middle line:84%
In other words, when you
plug it into a computer,

00:02:45.130 --> 00:02:47.330 align:middle line:84%
the computer thinks,
oh, this is a keyboard.

00:02:47.330 --> 00:02:49.580 align:middle line:90%
It's a USB keyboard.

00:02:49.580 --> 00:02:53.330 align:middle line:84%
And because of that, antiviruses
normally will not pick this up.

00:02:53.330 --> 00:02:56.430 align:middle line:84%
It is just going to think, hey,
someone plugged a keyboard in,

00:02:56.430 --> 00:02:59.070 align:middle line:90%
and they're typing.

00:02:59.070 --> 00:03:01.740 align:middle line:84%
So this is capable of
launching any attack that

00:03:01.740 --> 00:03:05.860 align:middle line:84%
can be executed by typing on a
keyboard, which again, I could

00:03:05.860 --> 00:03:08.560 align:middle line:84%
plug this in and put a payload
that is going to create

00:03:08.560 --> 00:03:09.730 align:middle line:90%
an administrator account.

00:03:09.730 --> 00:03:11.230 align:middle line:90%
I could open up ports.

00:03:11.230 --> 00:03:12.490 align:middle line:90%
I could turn off firewalls.

00:03:12.490 --> 00:03:14.750 align:middle line:90%
I could disable your antivirus.

00:03:14.750 --> 00:03:18.490 align:middle line:84%
I could do any number
of sophisticated attacks

00:03:18.490 --> 00:03:22.420 align:middle line:84%
on it because all it's doing
is typing a bunch of commands

00:03:22.420 --> 00:03:24.850 align:middle line:84%
at a really fast
speed, and I don't

00:03:24.850 --> 00:03:26.740 align:middle line:84%
have to worry about
typos because it's

00:03:26.740 --> 00:03:28.660 align:middle line:90%
a script that I'm running.

00:03:28.660 --> 00:03:33.060 align:middle line:84%
And speaking of
scripting, the way it runs

00:03:33.060 --> 00:03:35.270 align:middle line:84%
is by a really easy
scripting language.

00:03:35.270 --> 00:03:38.680 align:middle line:84%
So you really don't need to
know a whole lot about computers

00:03:38.680 --> 00:03:42.130 align:middle line:84%
or programming languages
to actually create

00:03:42.130 --> 00:03:43.840 align:middle line:90%
a pretty powerful script.

00:03:43.840 --> 00:03:46.030 align:middle line:84%
And in fact, there's
online editors

00:03:46.030 --> 00:03:47.360 align:middle line:90%
that make it even easier.

00:03:47.360 --> 00:03:50.590 align:middle line:84%
So the barrier to entry
to use something like this

00:03:50.590 --> 00:03:55.140 align:middle line:84%
is incredibly easy, which also
makes it incredibly dangerous.

00:03:55.140 --> 00:04:00.280 align:middle line:84%
Because any malicious
hacker or wannabe

00:04:00.280 --> 00:04:02.750 align:middle line:84%
malicious hacker doesn't
need to know a whole lot.

00:04:02.750 --> 00:04:05.170 align:middle line:84%
All they need to know is, well,
I'm going to pick this up,

00:04:05.170 --> 00:04:06.850 align:middle line:84%
I'm going to go to this
website, and I'm

00:04:06.850 --> 00:04:09.060 align:middle line:84%
going to find a payload
I like and put it on there.

00:04:09.060 --> 00:04:11.560 align:middle line:84%
And then I'm going to somehow
get this on someone's network,

00:04:11.560 --> 00:04:14.520 align:middle line:90%
or get someone to plug it in.

00:04:14.520 --> 00:04:19.430 align:middle line:84%
So this also could be duplicated
with a cheap Arduino device.

00:04:19.430 --> 00:04:22.650 align:middle line:84%
You could buy $20
Arduino devices.

00:04:22.650 --> 00:04:25.820 align:middle line:84%
It's not going to look
quite like a USB drive

00:04:25.820 --> 00:04:28.142 align:middle line:84%
unless you kind of play
around and modify it,

00:04:28.142 --> 00:04:29.600 align:middle line:84%
and the scripting
language is going

00:04:29.600 --> 00:04:30.440 align:middle line:90%
to be a little bit harder.

00:04:30.440 --> 00:04:31.898 align:middle line:84%
But I didn't want
to bring that up,

00:04:31.898 --> 00:04:34.660 align:middle line:84%
because again, it's
readily available.

00:04:34.660 --> 00:04:38.840 align:middle line:84%
It's not an expensive solution
for a malicious hacker

00:04:38.840 --> 00:04:40.730 align:middle line:90%
to use this type of device.

00:04:40.730 --> 00:04:42.920 align:middle line:84%
So it can be quickly
plugged into the computer

00:04:42.920 --> 00:04:44.630 align:middle line:90%
and have a payload deployed.

00:04:44.630 --> 00:04:48.980 align:middle line:84%
So different scenarios, or
it can be like a USB drop.

00:04:48.980 --> 00:04:52.820 align:middle line:84%
Again, I could take this device,
I could put Bitcoin wallet,

00:04:52.820 --> 00:04:54.200 align:middle line:90%
drop it somewhere.

00:04:54.200 --> 00:04:57.620 align:middle line:84%
And someone plugs it in, and
oh, depending on the payload,

00:04:57.620 --> 00:05:00.470 align:middle line:84%
I could do like a quick payload
to create an admin account.

00:05:00.470 --> 00:05:04.210 align:middle line:84%
All you see is a flash
on your screen and done.

00:05:04.210 --> 00:05:06.850 align:middle line:84%
Or I can even put
a long delay in

00:05:06.850 --> 00:05:08.950 align:middle line:84%
and put a partition
where they actually

00:05:08.950 --> 00:05:12.040 align:middle line:84%
do have an Excel sheet there
that they're looking at,

00:05:12.040 --> 00:05:15.180 align:middle line:84%
and supposed Bitcoin
information on there.

00:05:15.180 --> 00:05:17.650 align:middle line:90%
Could put bogus ones in there.

00:05:17.650 --> 00:05:21.382 align:middle line:84%
And I could set a delay on
there for, say, 30 minutes.

00:05:21.382 --> 00:05:22.840 align:middle line:84%
So hopefully they're
going to leave

00:05:22.840 --> 00:05:25.810 align:middle line:84%
it plugged into their computer
for that long and walk away,

00:05:25.810 --> 00:05:29.930 align:middle line:84%
and when they do it's going
to execute the payload.

00:05:29.930 --> 00:05:31.840 align:middle line:84%
So this also could be
used in conjunction

00:05:31.840 --> 00:05:33.140 align:middle line:90%
with social engineering tech.

00:05:33.140 --> 00:05:37.180 align:middle line:84%
So say, I go to a corporation,
I go to the front secretary

00:05:37.180 --> 00:05:41.350 align:middle line:84%
and go, OK, I got
a job interview.

00:05:41.350 --> 00:05:42.790 align:middle line:90%
My resume got ruined.

00:05:42.790 --> 00:05:44.320 align:middle line:90%
I'm running late.

00:05:44.320 --> 00:05:46.360 align:middle line:84%
Could you please plug
this into your computer?

00:05:46.360 --> 00:05:50.860 align:middle line:90%
It'll take 15 seconds.

00:05:50.860 --> 00:05:53.560 align:middle line:84%
Could you plug it in and
print my resume please?

00:05:53.560 --> 00:05:55.060 align:middle line:84%
And when she plugs
it in, then I can

00:05:55.060 --> 00:05:57.940 align:middle line:84%
distract her going, oh
by the way, do you know

00:05:57.940 --> 00:06:01.052 align:middle line:84%
- and start directing her
attention away from the screen.

00:06:01.052 --> 00:06:02.510 align:middle line:84%
Do you know where
this building is?

00:06:02.510 --> 00:06:04.060 align:middle line:90%
Do you know how I get here?

00:06:04.060 --> 00:06:07.240 align:middle line:84%
And that should be enough
time for the Rubber Ducky

00:06:07.240 --> 00:06:09.800 align:middle line:90%
to execute its payload.

00:06:09.800 --> 00:06:11.720 align:middle line:84%
So these are all
different scenarios

00:06:11.720 --> 00:06:14.480 align:middle line:84%
that I could use a USB
Rubber Ducky specifically,

00:06:14.480 --> 00:06:21.050 align:middle line:84%
or even just a regular USB drop
to create a malicious payload

00:06:21.050 --> 00:06:23.610 align:middle line:90%
using a USB device.

00:06:23.610 --> 00:06:26.990 align:middle line:84%
So this is all
incredibly dangerous.

00:06:26.990 --> 00:06:29.720 align:middle line:90%
It can be fairly common.

00:06:29.720 --> 00:06:34.390 align:middle line:84%
Corrupted USB devices, bad
USB devices, stuff like that.

00:06:34.390 --> 00:06:36.000 align:middle line:90%