Why You Should Never Use an Unknown USB Device Cybersecurity professionals have done a pretty good job getting the word out about the dangers of using USB flash drives to the point where most users think twice before plugging that USB drive into their computer. Unfortunately, this message may be lost to some users. According to a recent Ernst & Young LLP (EY) study about best security practices, “Gen Z and millennial workers — digital natives who make up a significant portion of the workforce — are least likely to prioritize or adhere to them.” One only has to look at the top influencers on Instagram or TikTok to see how a group could be easily persuaded to buy the next cool gadget. An exploit that you can plug into your computer, like USB-based plasma balls, fans, a Mini-fridge, coffee warmers, LEDs, or even a charging cable. Plasma ball Fan Mini-fridge Coffee warmer LEDs Charging Cables Some of these devices come from questionable sources and can be weaponized to attack your computer. How? Let’s expose this vulnerability and weaponize the USB fan we picked up at a local trade show. The tools for this project are something that most people have in their workshop or are readily available. The Digispark ATtiny85 microcontroller is available on Amazon or eBay for less than $4.00 each, and the fan for $3.00. The Arduino IDE and Digispark libraries are free downloads. Code to exploit your computer through a BadUSB is widely available and comes with support from the online community. A motivated APT actor would have no problem mass-producing and distributing these to a targeted audience at a trade show or conference. An expensive attack for a large operation but very effective. Hardware Digispark ATtiny85 microcontroller USB Fan Software Requirements: Arduino IDE Digispark Libraries Tools Wire cutters Soldering Iron Solder Glue gun Glue ammo Safety Warning: Do not try these modifications on your USB devices if you do not know what you are doing. You could damage your computer! This example is for educational purposes to illustrate how this exploit works. USB Fans I am not sure exactly where this fan came from, but I think that proves the point. Let's open the fan’s case and see what we need to do. A quick inspection reveals that the USB cable contains two wires, power(red) and white(ground). The specs on the sticker indicate that it requires power from a 5 Volt source. The cable that this fan uses has two wires that provide power to the fan. This cable will not work for us because we need two additional wires that can carry data. Reaching into our box of USB cables, we find a USB data cable that meets our needs. Cut off the end opposite the USB A side, splice the cable, and remove the foil wrapper up to the side you strip. You should have four wires: power (red), ground (black), USB+(white), and USB-(green) that looks like this. Now we are ready to start assembling our BadUSB fan. Place the Digispark microcontroller on the fan housing to get an idea of your placement. Choose an orientation so that it’s easy to run the wires to the Digispark’s pins. Remove the existing wires from the fan. I placed a soldering iron on the connected wires and gently pulled them apart. You can throw away the USB cable you just removed from the fan. Adding the New USB Cable Thread the new USB cable into the fan housing and make your connections to the Digispark and the fan using the wiring diagram as a guide. Again, do not make these modifications if you do not know what you are doing. Check the manufacturers’ specifications for the location of the pins. While researching this article, I found two different published specs for the USB connections, P3 and P4. Solder the Red 5v wires to the ATtiny85 5v pin Solder the Black Ground wires to the ATtiny85 GND pin Solder the White wire to the USB+ Pin 3 Solder the Green wire to the USB- Pin 4 The finished BadUSB Fan. Using a glue gun, secure the Digispark ATtiny85 BadUSB to the housing and also keep the new USB cable in place. I followed the original cable implementation and guides to keep the modification looking natural. Replace the fan’s rear housing and place the modified BadUSB fan in its original packaging. What Happens Next? Our Digispark ATtiny85 BadUSB fan is fully-armed and ready to deploy. The only thing missing is the code for it to perform a keyboard injection attack. Typing at over 800 words per minute, keyboard injection attacks can install malware, encrypt your data with ransomware, exfiltrate sensitive data, and install reverse shells to your system… in seconds. This code is readily available in GitHub repositories or easy to learn and implement for Nation State Actors or even a beginner programmers. USB device vulnerabilities are so effective because most of these attacks avoid anti-virus software tools.
