Hacked - Episode 4: Bad USB.

Episode Date: February 18, 2016

We explore how easy it is to take over a computer by plugging something into it. Jordan tells stories and interprets the nerdiness of Scott.

Transcript
Starting point is 00:00:00 And we're back. So right now, somewhere in the eastern Mediterranean Ocean, there's a French warship called the Charles de Gaulle sailing towards Syria. The nuclear-powered aircraft carrier can house 1,500 people, it is almost 900 feet long. It's the flagship of the French Navy. This is all a roundabout way of saying that it is big. On a busy day, you'd see as many as 100 fighter jets come and go from the main deck, taking off and landing, whizzing around like ants.
Starting point is 00:00:27 Now, on January 15th, 2009, sometime in the early hours of the day, all over the world, members of the French Navy, including those on the Charles de Gaulle, began receiving a phone call. Not an email, a phone call. Sometimes even a fax, actually, saying, whatever you do, do not open your computers. So all those fighter jets whizzing around, staying in perfect sync thanks to onboard computers they used to download their flight plans, those were all grounded. The entire French Navy, which runs on the system, all at once, the entire thing, the whole ants' nest on the back of the Charles de Gaulle, it ground to a halt. So why did this happen? Well, because somewhere, at some point, deep in the belly of that sprawling French naval organization, someone plugged in a USB key. And on that USB key, there was a worm called Conficker.
Starting point is 00:01:24 So this wasn't uncommon. At one point, Conficker infected anywhere from 9 to 15 million computers and devices, but it just happened to have infected a USB key that just happened to get plugged into a naval computer. What would it do? Who knows? But when it comes to fighter jets with missile capability, suddenly you're using fax until you figure out what in the world is going on.
Starting point is 00:01:47 So this threat of computers automatically running malicious software off of a USB drive, is this still the boogeyman lurking under the bed of the world's superpowers? Honestly, not so much. I mean, maybe, but computers generally no longer auto-run software because of years and years of exactly this kind of thing. So why are we talking about this? Because in November 2015, two German security researchers gave a talk, introducing a security vulnerability that can turn a normal USB drive into something that doesn't need to run software to take control of your computer. A vulnerability at the heart of how USB works that lets a hacker turn a USB into a
Starting point is 00:02:26 surrogate, capable of doing their bidding. It acts like a worm. It spreads like a worm, but it doesn't rely on the vulnerabilities that worms rely on. These researchers dubbed their discovery Bad USB. And if the right people don't do something about it soon, sometime in the near future, the crew of the Charles de Gaulle will be breaking out the fax machine. My name is Jordan Bloemen.
Starting point is 00:02:49 And I'm Scott Winder. And we're talking about bad USB on this episode of Hacked. When I was a kid, I would buy a computer game. That computer game came on a disc, and I would take that disc, and I would put it in the computer, and the game would just start. Yeah, it's because you're younger than I am. So when I was a kid, when I bought a game, it came on a big flat piece of black plastic, which was called a disk to me. And when I put it in, it didn't auto-start. What did it do?
Starting point is 00:03:27 Nothing. You just clicked it in, and you had to move this lever to hold the disk in place. It was quite mechanical. So what happened between when I was playing video games and when you were playing video games? User experience design happened. People understood that people like convenience. So instead of having to put a disk in, in your case a CD, and navigate to that CD, find the installer setup file, what they could do after Windows 95 is that you could set up a few settings on the disc, and what it would do is it would immediately execute whatever those settings told it to. So it would run the setup or installer automatically. When you buy a piece of software, you put the disk in and everything just happens, kind of on rails.
Starting point is 00:04:11 Yeah, it's convenience. And why was that a terrible idea? Well, I think everybody knows in hindsight why it was a terrible idea. You know, just by putting a disk or any form of media into your computer, having it auto-execute something without your permission is an obvious vulnerability. You know, it was an obvious vulnerability when it was created, and it's an obvious vulnerability now.
Starting point is 00:04:37 Windows and Microsoft have since removed that functionality from their more recent operating systems. I think Windows 7 was the last one that did it. But for computer engineers to think that convenience should come at the cost of anyone being able to auto-run anything that they can get someone to plug into their computer, that seems like at best a massive oversight and at worst instructed by a different set of motivations
Starting point is 00:05:02 than what computer engineers probably normally would have, like financial motivations. Yeah, that's a really good point. I'm sure it was an oversight. They were probably just aiming for convenience. You know, Windows has always been a target of malicious activity, viruses, worms, etc. So I'm not sure why they would make that oversight. But they did. What they did.
Starting point is 00:05:26 And what effect did that have? Well, it created a whole fleet of vulnerabilities. Like, you know, I stated previously that it doesn't really exist anymore since Windows 7. And that's not really the case. It'll still run things if you approve it. Those settings still work. The convenience factor is still there. It's just that it asks you a question.
Starting point is 00:05:49 Right. Are you willing to open this? It's the same with, if you remember the old versions of Internet Explorer, when you downloaded a file, you could be like, yes, always open files of this type. EXE. And then immediately, when you downloaded something, you didn't know you were downloading or you didn't know what it was, if you clicked okay to that box at any time, it ran. Think about the last time you heard a breach story on this show. It always starts the same way.
Starting point is 00:06:18 Someone somewhere saw something too late. An alert buried, a signal missed, an SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where, attackers are already using AI. They created the Aurora superintelligence platform, a fully agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy, and all of this is just off running on their secure operations graph. A constantly updating intelligence engine
Starting point is 00:06:57 fueled by more than 9 trillion telemetry events every week and over a decade of real-world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model.
Starting point is 00:07:26 They rebuilt the model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher-value strategy and proactive risk reduction while the agents handle the grind. If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com slash hacked.
Starting point is 00:07:57 It seems pretty dangerous to let people implement a rule that broad with that little, I guess, fanfare. I think that's the nugget right there. You know, computer hacking is creative problem solving. And when you have something that's systematically happening all the time, you're creating a vulnerability because you can plan for it, factor for it. So, you know, it's not as creative anymore as it is just a part of the toolbox. I think the biggest, earliest thing was, I think it was L0pht, a hacker group called L0pht,
Starting point is 00:08:34 released something called Bo2K, and you're old enough that you'd probably remember it. It was essentially one of the first big malware kind of system control malware suites that any teenage kid could download or send to their friend or trick somebody or in install on a computer at school, and next thing you know, they had full control of that computer. When you say full control, like a system control malware, what does that mean? What does that look like? B.O2K was more of like an annoyance piece of malware, but like you could watch somebody's webcam, open someone's CD drive, record someone's keystrokes, you know, things like that.
Starting point is 00:09:13 That technology was out there, it is out there. It was proliferated probably a lot by auto-run, but that's still out there. If you can get someone to install it, those types of technologies are still out there in the world? Well, I would actually say that in the last, I think BO2K was the year 2000, hence the 2K, any kind of recent versions of that would be way more comprehensive. And worse than that, there's a suite of other really nasty malware that's out there that would put BO2K to shame. Like the whole rise and trend in cryptographic malware, where it's like encrypting your hard drive and then holding it hostage, forcing you to pay.
Starting point is 00:09:53 Like that, the rise of those things, and we'll probably do a whole episode on malware, but the rise of that style of malware, the malware for commerce, not for like being a pest, is changing the whole world. So is it just that we've replaced Auto Run with having to convince someone to click yes one time?
Starting point is 00:10:12 Yes to download, yes to run. That's a major part of it, yeah. You know, there's a million other things, from phishing, you know, there's a variety of ways that people use things like email forging and other things to convince people to download malware. Like, I actually went home. My mother got a new computer for Christmas, a Mac. And I went home a couple weekends ago for a family thing.
Starting point is 00:10:37 And she had malware on her Mac. And like, I've been a Mac user since OSX came out since it was a Unix-based OS. And I've never had malware. So my mother got malware in like a three week period. So, you know, it's easier than you probably think, especially when you're working with numbers. So if you're looking at every Mac user in the world, statistically you're probably going to have a decent penetration.
Starting point is 00:11:06 Hey, Jordan. Yes, sir. Do you want to say it or say it? No, I'm going to say it. Fine. This episode has been brought to you by Bugcrowd. Partnership. So, Scott, why don't you tell people about
Starting point is 00:11:21 our new and super supportive partner? Gladly, Jordan. Bug crowd, they do something awesome. You know, they provide a platform for security-focused or, you know, security-curious individuals to kind of legally act out these desires. They run something called
Starting point is 00:11:39 bug banning contests, and they do it for some of the biggest companies in the world, you know, notably like Tesla. Or if you listen to the last episode, last pass, one of the password managers is one of their clients. Okay, so, What is a bug bounty?
Starting point is 00:11:51 Well, it's essentially a reward system. So if you can find a vulnerability in, you know, the solutions or software technology that these companies offer, all the details are on their website for these contests. But if you can find a vulnerability, these companies will reward you often with money. So you get paid to hack something? Yeah, essentially. But legally? Yes. As long as you adhere to the terms and conditions of the contest, dot, dot, dot, dot, dot.
Starting point is 00:12:18 Sweet. Yeah. If you want to check it out, if you want to join me and Jordan in this lovely, financially rewarding hacking world, you can check out bugcrowd.com slash hacked. And come join us as an air-quotes researcher. And through this partnership with Bugcrowd, we are also declaring a challenge. What kind of challenge are you talking about here? Well, we're looking for tech companies who aren't afraid to let Bugcrowd's researchers and you, our listener base, take a swing at your security, in the best kind of way. So this is the thing we're doing now, huh?
Starting point is 00:12:54 Yeah, hopefully. We'll see if anybody accepts the challenge. Learn more at bugcrowd.com slash hacked. If, from a hacker's perspective, this is all a question of, how do I get someone to run my program that does the specific, possibly unseemly thing on their computer,
Starting point is 00:13:16 the history so far can be broken up into three loose acts. There's pre-auto run. There's the reign of auto-run. And then there's sort of what we're in now, which is post-auto run-ish. The question is, what's the next act? Well, you know, we opened the show with the story about bad USB, and that's the next phase.
Starting point is 00:13:42 You know, these two, I believe, were Dutch kind of embedded system security engineers, figured out a way to overwrite USB control firmware with malicious USB control firmware. Let's maybe I'll just expand on that by the confused look on your face. In my defense, I always have a confused look on my face. Every USB device has a chip in it that controls the conversation that's happening over USB. From a simple USB key to a USB keyboard to anything has a USB control chip in it. That chip also has memory, and in that memory is the firmware.
Starting point is 00:14:27 These guys figured out how to take the empty space in the firmware and put a virus in it, or a malware or a worm or something. And the way it works is you plug in the USB device, and then after a prescribed amount of time, the USB device will change from whatever it is, a USB key, to a keyboard, and then send a bunch of keystroke commands into the computer. What are those keystrokes hypothetically? Well, when they demoed this at a security conference, their virus or malware, their bad USB key,
Starting point is 00:15:07 was smart enough to figure out whether it was a Linux-based operating system or a Windows-based one. And if it was a Windows-based one, it would run some Windows PowerShell commands, which is kind of like the black screen of Windows, where you can do a bunch of serious stuff from the command line. so it would open a power shell, send in a bunch of commands, install essentially a real virus on the computer or malware on the computer
Starting point is 00:15:33 or a backdoor, Trojan, something like that, and then it would change itself back to a USB key. If that piece of malware isn't on the USB's memory, where is it getting that from? Does it have to download it off the internet? Or is it able to keep it in that little spare bit of memory and the firmware chip? The keystrokes and the control program for the USB key virus is kept in that little bit of memory on the USB key,
Starting point is 00:15:58 but all it's doing is sending out commands to the world saying, I am now this computer, download me this backdoor, Trojan horse, and install it. So to summarize what we know so far, picture a USB drive. If you're like me, it's probably in the bottom of a backpack somewhere. On that USB drive, there are two pieces of memory that you should know about. There's the memory where you store your files, and there's this second much smaller piece of memory on its own chip that holds the USB firmware.
Starting point is 00:16:28 A little thing that tells the drive how to talk to the computer and the computer what kind of USB device is plugged in. That second chip, the one with the firmware, is in every USB device, not just memory sticks, a keyboard, a charge cable, whatever. So what this new vulnerability does is it makes use of the spare space in the firmware memory. If it's the firmware's job to tell the computer,
Starting point is 00:16:49 hey, this is a memory drive, What bad USB does is, it says, okay, I know you thought I was a USB drive a second ago, but I'm actually a keyboard. And oh, look at that. I'm typing, executing whatever commands the hacker wants, as though they're sitting right at your computer. And the huge part of that is that even if you've got an antivirus system that's going to scan the USB key, it's only looking at the storage media.
Starting point is 00:17:17 So it's looking at the space where you'd put files. it's not looking at the firmware memory. So your antivirus is completely useless. And once it converts itself into a keyboard and starts sending keyboard commands, it just thinks that that's the user. Ever feel like cyber threats are evolving faster than anyone can keep up?
Starting point is 00:17:38 Last year, 2025 was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head. Organizations around the world saw headlines they never expected and cybersecurity teams were tested like never before. But here's the thing.
Starting point is 00:17:55 These incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February 5th, diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded. And most importantly, what businesses can do to fortify their defenses for it's too late. You're going to walk away with real insights and how threat actors are evolving, how
Starting point is 00:18:18 defenders are responding and what strategies can help you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable, intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked. It's pretty crazy to think about the implications once you get a handle on it. So the thing that makes it really crazy is when they first demoed this, they plugged just what looked to be an ordinary USB key into an ordinary computer, and they could use it just like a USB key. It was a USB key.
Starting point is 00:18:51 And then they just let it sit for a second. And then all of a sudden you saw a bunch of things happen on the screen really fast without any reason. And what had happened is that in that split second, the USB key had turned itself into a USB keyboard. So the computer saw it as a USB keyboard, not as a USB key anymore. So it had unmounted the USB key and remounted itself as the USB keyboard. Then it opened up the terminal or PowerShell for Windows and sent through a bunch of commands. And these commands could be anything. And they could even access files locally on the computer or send commands to the internet, downloading and executing things.
Starting point is 00:19:33 By the time you're sending actual keyboard strokes into a computer, there's really not a lot you can't do. So what they did is they had it reach out and download a few things and install some things. some of these were you know remote administration malware or Trojan horses that allowed them to control a computer from other computers other things that they downloaded
Starting point is 00:19:55 is they actually downloaded a virus which would then replicate bad USB onto any other USB devices that came in contact with that computer so that makes it into a worm so even though bad USB isn't vulnerable to things like antivirus
Starting point is 00:20:13 the way a worm is it can still spread the way a worm does. Technically, the reproduction virus would be capable of being caught by an antivirus because it's actually something that would be running on the computer. But it's just a fascinating concept. I plug a physical device into a computer. It downloads and installs a virus. That virus will then infect any other USB devices connected to the computer
Starting point is 00:20:43 until that virus goes away. Because really, it's infecting the control chip on the USB device. And any USB device that has these control chips, which is all USB devices, would be vulnerable at some point theoretically in the future. I think they found a virus or made a virus that was capable of attacking two control chips. And there's only like a small amount of these control chips because they're manufactured in such bulk quantities. but once it's on a control chip, once it's on a USB device, it can then propagate. So if you take a USB device, plug it into this computer, your USB device becomes a virus carrier. You go to another computer, you plug it in, that device becomes a virus infector.
Starting point is 00:21:35 And then anybody else that plugs a USB device into that computer can get that virus. Like it's a worm, but it's almost more traditionally like a real human virus. Like it's spreading through contact, less about, you know, data connectivity, like a worm would. So any USB device is vulnerable, but are all USB firmware chips vulnerable? I believe not. The researchers that came up with this did some subsequent testing on more of the USB control chips. and I think they found that something like 50% of them were vulnerable to this style of attack. But the big problem that they highlighted was the fact that you don't really know what control chips in what USB device.
Starting point is 00:22:20 So you can't go out and buy something that is stated, you know, it has this USB control chip in it, so you don't have to worry about it. So it would be up to the manufacturers at this point, and it's kind of at their discretion to decide to start using these sort of responsible practices. Yeah, well, it's not even that they were irresponsible practices. It's just that this is such a new style of attack, such a new attack, and such an innovative way of attacking, that I just think that over time this will go away. They'll fix these small flaws, but right now it's very relevant and very powerful. So with like a traditional virus, this is something that actually spreads physically. Are we entering kind of an age when you maybe shouldn't be using someone else's charge? cable? I don't know over there yet, but maybe in the future, like, this is such a rare thing.
Starting point is 00:23:14 It's more of a vulnerability for info security professionals. Like, physical proximity has always been an issue. You know, it's really hard to gain access to a computer, but there's a lot of times when computers are vulnerable and you just don't think about it. Like, how many times have you seen a computer monitor with a USB hub on the back of it? You know, USB hubs have been being added to everything for the past 10 years because USB has become the standard norm for interfacing with your computer. So they put these things on everything. So to secure a computer down so that there's no USB ports accessible to it,
Starting point is 00:23:53 is probably really, really tough. It's interesting that so many of the things we talk about in the show have been around for quite a long time. So so many of the different things you can do with it have been considered and exploited and responded to. This is interesting because it's happening right now. This presentation was given just at the end of last year. There's so many unknowns. There's so many.
Starting point is 00:24:12 We're not totally sure what will happen. Yeah, I think it was last summer, like late last summer that this presentation was given. And I really haven't been able to find any thorough details on how the industry has responded to it. I'm sure that major hardware manufacturers have this on their list now. At least I would hope they do. It makes sense that this would be a thing that hardware manufacturers would want to respond to moving forward.
Starting point is 00:24:38 But as you said, there's still all of those monitors with the USB hub on the back. There's still all of those charging stations out there in the airports. All that stuff's already out in the world. And to expect all of those places to replace the things that they've already purchased and installed is... It's a pretty tall bill. Yeah. Going back to all of the existing peripherals and fixing them, because this is a physical problem, never going to happen.
Starting point is 00:25:10 The original researchers actually did a study in which they broke down the big firmware manufacturers into vulnerable, secure, and inconclusive categories. You can read their whole expanded analysis. It's linked to in the show description and at hackedpodcast.com. But the problem with that, however, is that USB manufacturers don't generally advertise which chip brand names they use, like, say, Intel inside, because frankly no one would recognize the names. And since most companies use a bunch of different chips anyway, shopping based on brands, as it currently stands, would be kind of useless. This is all why Carson
Starting point is 00:25:45 Noel, he was the original researcher, decided not to release the code that was his proof of concept for bad USB. He didn't want to unleash this thing on the world. But the problem with that is, Someone figured it out. That quick? That quick. Once they published the information about the style of the attack and how it was happening, some of the kind of high-level details, a couple of people reverse-engineered it,
Starting point is 00:26:10 such as the beauty of a large and active and interested hacking community. Is there anything they can't figure out? To be determined. The one thing I will say about this is it's not as severe, is something like a real worm, like a worm that's spreading wildly through open exploits. But I do find it just fascinating how it acts like a human virus, like a biological virus, like it's contact to contact, it's spreading itself. And really, once you can program it to do whatever you want, you know, once it has access,
Starting point is 00:26:51 the second we lost the days of auto run where you could just have something malicious on a USB key, or a CD, and somebody would throw that into their computer and it would automatically execute it. Once that was out of the toolbox, I think this is a very interesting way to replace it, especially with everything in the world being connected to the internet now. There's not a lot that you can't do once you have shell access on a computer. So I don't think it's as severe as other major worms and exploits, but I think it's fascinating. We really appreciate anyone who still subscribe for way to. out that giant, giant, giant dead zone between this episode and the last one.
Starting point is 00:27:34 Sorry. Especially when the last one ended with us saying we've got the next one coming out right away. We were working on a lot of stuff, trying to both on HACT and some other projects, and it kind of just got away from us. Well, and then there was the whole holiday season and vacation season. We're not making excuses, but we appreciate you for still being here. We love you all.
Starting point is 00:27:56 And thanks for all of the passionate support. encouragement. Yeah, when you guys write, it doesn't go and notice. We really, really do appreciate it. Yeah. So we appreciate you all for being there, and we're hoping you'll stay around.
Starting point is 00:28:10 So when we were making this episode, we actually recorded two different versions of the opening story. You obviously know which one we ended up going with, but the other one's actually pretty cool. It's the story of the CIA and spies and something called Cottonmouth. So we hope you'll stick around and listen.
Starting point is 00:28:27 Otherwise, this has been another episode, episode of Hacked. My name is Jordan Blumen. And I'm Scott Weinder. Thanks for listening. The Ant Division is a branch of the American government you've probably never heard of before. It stands for advanced network technology. And if you have bumped into that acronym, the first time was probably sometime in 2013 during the Edward Snow and leaks. Ant is a division of the NSA. And one of the classified documents that made its way out into the world was something called the Ant catalog. Others have drawn this comparison, but the document really does read a lot like a mail order catalog.
Starting point is 00:29:00 Except instead of keyboard vacuums and snow globes, it's spy stuff. Not poison dart pens and shoe radios, modern spy stuff. There's the $40,000 device that emulates a cell phone tower. It's codenamed Candygram. There's software to install backdoors on popular smartphones, the kind you might be listening to this episode of Hacked On. There are monitor cables that let you see what's on someone's display. And then there's code name Cotton Mouth.
Starting point is 00:29:29 Cotton Mouth is a family of, USB devices that, if plugged in, give the NSA access to your computer. Doesn't matter if it's never been connected to a network, if you plug in Cottonmouth, that computer is compromised. They can see what happens on the computer. They can make the computer do things. Your computer is theirs. A set of Cottonmouth USB devices ran about a million bucks for 50 units. So a spy would have to shell out $20,000 for the privilege of a USB drive that could compromise a computer without detection. That catalog was published in 2008. Last November, November 2015, two German security researchers gave a talk introducing a security vulnerability that can turn a normal USB drive into something that sounds a lot like cotton mouth.
Starting point is 00:30:13 It's a vulnerability in USB that goes beyond using antivirus software, beyond not running sketchy software off the drive. It's a vulnerability that's baked into the DNA of how USB works. And not a lot of people are doing much to stop it. The researchers have named the vulnerability, quite simply, bad USB. And they're urging USB manufacturers to listen to their warning, because if they don't, pretty soon Cottonmouth is going to be the least of our worries. My name is Jordan Blumen. And I'm Scott Winder.
Starting point is 00:30:44 And we're looking at Bad USB on this episode of Hacked.
