Malicious USB device principle and protection measures

    source: ivan;
    Time: 3/24/2020 9:40:11 AM

    In the field of network and information security, the computer USB interface has always faced severe risks and challenges, and it is also the problem that users are most likely to ignore. Malicious USB devices are one of the main threats to the security of the computer USB interface, and they seriously endanger both enterprise information security and the privacy of citizens. This paper analyzes the current state of USB security problems, introduces the harm and attack characteristics of the common malicious USB devices Keylogger and BadUSB, and analyzes in detail their hardware circuit principles, firmware implementation and attack methods. Keylogger and BadUSB devices were built on AVR microcontroller chips and then used to carry out attack experiments against a computer, achieving monitoring and control of the target host; protective measures for intercepting Keylogger recording and resisting BadUSB attacks were then studied in order to provide users with effective security solutions. These measures can effectively protect public and personal information security and prevent information security incidents at the USB interface level.

    0 Introduction

    The USB interface of a computer provides considerable convenience to users: access to data on mobile storage devices, charging of mobile devices, connection of input devices, and so on. Due to a lack of information security awareness, people focus on the security of the operating system or application software and seldom pay attention to security at the USB level, even when they have some understanding of it. Yet the USB interface offers multiple intrusion paths.

    According to statistics, billions of USB devices worldwide have been subjected to attacks such as USB bombs and BadUSB. For example, Stuxnet used USB to manipulate the centrifuges in Iran's nuclear power plant, eventually damaging a key part of Iran's nuclear program. Abroad there is a device called the USB Kill Stick: when a user inserts it into any computer or electronic product with a USB interface, the device quickly destroys the whole machine. The USB Kill Stick carries no virus; once it is inserted into a USB port it sends a 220 V high-voltage pulse over the signal lines and destroys the equipment. There was also the "PRISM" incident in 2013, in which Snowden took classified data out of the security agency on a USB drive, which shows how hard USB security problems are to prevent.

    USB attacks are an emerging technique, more covert and more threatening than traditional attacks, and their technical implementation is more complex and more harmful. This paper therefore analyzes in depth the hardware and software principles of the currently common USB attack devices, Keylogger and BadUSB, burns malicious code onto programmable USB devices to realize keyboard record monitoring, remote control of the operating system and acquisition of user access permissions, and proposes corresponding solutions for protecting against these attacks. This is of great significance for ensuring the security of user information.

    1 Common types of malicious devices

    The common malicious USB devices are the Keylogger and BadUSB. They are highly concealed, well camouflaged and cross-platform, and they can evade detection by security software. The attack method relies on programmable USB interface devices: the microcontroller in the USB device is reverse-engineered and reprogrammed, a malicious program is burned onto it, and the resulting device is not restricted by the operating system, can steal keyboard records and can attack the operating system. A Keylogger sits between the host and the keyboard, monitors and records the user's keystrokes, and so automatically steals data from the terminal. A BadUSB device connects directly to the host's USB interface and, on the terminal, creates an operating system super-administrator account, opens remote access ports, automatically downloads and executes remote scripts, automatically creates an antivirus-evading Trojan backdoor, and so on, thereby achieving remote control of the computer terminal.

    1.1 Keylogger

    The Keylogger hardware uses programmable USB interface hardware that is reverse-programmed to burn an eavesdropping program. A Keylogger listens to the keystroke records of a user while the computer is in use, after a listening device or listening software has been installed on the computer. Administrator credentials entered in the operating system interface, bank card credentials entered on online shopping websites, communication records generated by chat tools, account passwords used to log in to social networks, and so on, can all be stolen by the monitoring tool. Since software-based monitoring is not the subject of this paper, it is not discussed further.

    (1) Strong concealment.

    Listening devices are small and can be hidden in a USB extension cable or in the keyboard itself. The whole listening process has no influence on the computer's operating system; the device carries no malicious program and only records the user's key information, so antivirus software finds it difficult to detect and prevent the malicious behavior, and the device escapes antivirus monitoring and assessment. The monitoring does not affect any of the user's operations on the computer, so the entire process is very well hidden and difficult for the user to notice.

    (2) Cross-platform.

    The device is highly cross-platform and is not affected by the computer's operating system: on Linux, Unix, Windows, macOS and other systems, any terminal with an external keyboard cannot escape the Keylogger.

    (3) Driver-free.

    After the device is connected, it runs beneath the operating system; the computer needs no additional drivers, the device is plug and play and operates in real time, and as soon as the computer is powered on the device begins listening to and recording keyboard information.

    1.1.1 The hardware principle

    The hardware is the basic carrier of the Keylogger and the physical implementation of data theft. It consists mainly of a microcontroller (MCU) and a memory chip (EEPROM). The MCU captures the computer's keyboard records, while the memory chip stores the captured data. More advanced Keyloggers also have a wireless network transmission unit, through which the listener can monitor the target host's keyboard records in real time over the network.

    The stealing unit does not change the original power supply and data transmission mode of USB; it inserts a single-chip system in the middle of the interface, forming a bypass between the host and the keyboard. VCC and GND are the USB power and ground lines, and D+ and D- are the USB data lines. The USB interface is connected to the microcontroller control system: the VCC and GND pins of the 8-bit RISC MCU and of the EEPROM memory chip are connected to the USB power and ground, while MCU pins RA0 and RA2 tap the D+ and D- lines of the USB interface and capture the data transmitted over them. The MCU then stores the captured data in the EEPROM. For a PS/2 keyboard the corresponding USB connections are VCC -> VCC, GND -> GND, D+ -> CLK, D- -> DAT.

    1.1.2 Hardware program

    The program is the core of the Keylogger system and the logical implementation of data theft and data playback. A Keylogger can be developed in C# or Arduino. Taking code developed in the Arduino language as an example, the microcontroller uses the AVR ATmega32U4-AU chip as its main controller, together with built-in libraries such as PS2Keyboard and SD. The PS2Keyboard library handles communication with the keyboard peripheral, and the SD library provides read and write operations for the SD memory card and is used to store the keyboard monitoring records.

    The Keylogger receives data after the user presses a key: keyboard.begin() initializes the keyboard, sd.begin() initializes the SD card, keyboard.read() reads the user's keystroke, sd.open() opens a file on the SD card in writable mode, and file.print() writes the data to the SD card, so that the keyboard record is monitored and saved.

    1.2 BadUSB

    BadUSB also uses programmable USB interface hardware that is reverse-programmed to burn an attack payload. When an attacker inserts a BadUSB into a computer or terminal with a USB interface, the BadUSB, unnoticed by the user, simulates keyboard input and transmits malicious instructions to the terminal, completing within seconds malicious operations such as planting a Trojan, exploiting operating system vulnerabilities to escalate privileges, and exploiting zero-day vulnerabilities. The attack device itself carries no virus or Trojan; the attack is carried out by simulating the user's normal operation of the computer, so antivirus software finds it difficult to detect and prevent the malicious behavior and the device evades antivirus monitoring and assessment. This kind of attack poses a huge hidden danger to computer information security.

    (1) Strong concealment.

    A BadUSB device is small and can be hidden in any device with a USB interface. The whole attack process is very well hidden: because the malicious software is fixed in the hardware chip, antivirus software cannot remove the malicious code, the attack is very fast, and it is difficult for the user to notice.

    (2) Cross-platform.

    BadUSB is highly cross-platform and is not affected by the computer's operating system: on Linux, Unix, Windows, macOS and other systems, any terminal with a USB interface cannot escape a BadUSB attack.

    (3) Driver-free.

    After the device is connected, the operating system identifies it automatically, no additional drivers need to be installed, it is plug and play and operates in real time, and as soon as the computer is powered the device can attack the computer.

    The virus is embedded in the firmware of the USB device. When the user inserts the BadUSB, the virus can spread or replicate on the computer's disk, yet traditional antivirus software cannot clean it up after it is discovered.

    1.2.1 The hardware principle

    BadUSB can use the ATmega32U4-AU as its MCU. This chip is a low-power 8-bit CMOS microcontroller based on the AVR core that supports USB HID, so it can be used to simulate the user's keyboard and mouse operations. The BadUSB hardware consists mainly of the MCU and memory (an SD card): the MCU handles communication with the computer's USB interface and sends instructions to the terminal, and the SD card stores the script commands for the malicious attack on the computer. In the circuit, diodes D1 and D2 limit the level on the data lines; resistors R1 and R2 are 68 Ω and provide overload protection against overcurrent between the computer's USB port and the MCU circuit; and the pull-up resistor R3, with a value of 2.2 kΩ, is used to distinguish the state of the bus.

    1.2.2 Hardware program

    A BadUSB device based on the ATmega32U4-AU chip can be developed in the Arduino IDE environment. The Arduino IDE encapsulates the USB communication library commonly used with the ATmega32U4-AU chip, the Keyboard library that simulates keyboard behavior, the SD card library, and so on. Functions such as Keyboard.press(), Keyboard.releaseAll() and Keyboard.println() are used to simulate keyboard operation; Keyboard.press() presses a key and does not release it until it is explicitly released.

    The code simulates pressing the Win+R key combination, which pops up the Windows Run window; line 17 automatically enters the CMD command in the Run window, opening the Windows command line window; lines 21 and 22 are the commands that create a privileged user on the Windows system; line 23 adds a Windows firewall rule that opens remote access port 3389; and line 24 adds a registry rule that allows the computer to be accessed remotely. When a BadUSB device programmed as above is inserted into the USB interface of a Windows computer, it completes the creation of the privileged account and the opening of the remote access port within a few seconds, achieving remote control of the computer; this was the experimental result.

    On Windows 7 and later, BadUSB can also execute PowerShell commands such as (New-Object System.Net.WebClient).DownloadFile() and Start-Process, so that the attack device automatically downloads and executes a remote malicious program, achieving illegal operation of the computer's operating system.

    2 Study of protective measures

    2.1 Keylogger protective measures

    The Keylogger device is small and highly concealed: it can be hidden in the keyboard or in a keyboard extension cord, it needs no additional drivers when plugged into the host, and the operating system gives no prompt when it is plugged in; it is plug and play. These characteristics make it difficult for users to defend against Keylogger monitoring. But as long as users are aware of the dangers of the Keylogger and have the corresponding security awareness, they can regularly check that the connection between host and keyboard is safe and reliable and that no suspicious device sits between them; refrain from using keyboards or hosts of unknown origin and forbid arbitrary plugging of devices into them; use a soft keyboard to enter sensitive information such as user names and passwords; or replace the wired keyboard with a Bluetooth keyboard or a keyboard that encrypts its keystrokes. All of these can prevent a Keylogger device from recording the keyboard.

    After the user's key information is encrypted, the computer's operating system decrypts the key value with the decryption algorithm to obtain the real key value; this is the principle of key value encryption. Take the letter "E" on the keyboard as an example: the keyboard code of "E" is 00_00_08_00_00_00_00_00. If the keyboard code of "E" is encrypted, the ciphertext becomes "# # _127_ # # # # # _ # _ # _ # _ _ - # # # #". When the user presses the key "E", the key value is always transmitted to the host in ciphertext form, and at the receiving end on the host a low-level system filter driver decrypts the encrypted key information and restores the normal keyboard code for "E". In this way the key information captured by a monitoring tool is encrypted ciphertext, so the attacker cannot obtain the user's real record, which effectively avoids the risk of keystrokes being monitored and data being stolen.
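    The following is an added worked example of the key value encryption principle described above; it is not code from the paper, and the cipher construction (HMAC-SHA256 keystream plus authentication tag), the pairing key and the counter handling are the editor's own assumptions. demo() returns the bytes a Keylogger on the cable would capture and the report the host-side filter driver recovers.

```python
"""Keystroke encryption between keyboard and host, added to illustrate the
key-value encryption principle described above (not code from the paper; the
cipher construction and key are the editor's own). A boot-protocol keyboard
report is 8 bytes: modifier, reserved, six keycodes. Each report is XORed with
a keystream from HMAC-SHA256 over a per-report counter and carries a truncated
HMAC tag so the host filter driver can reject tampered or replayed reports."""
import hashlib
import hmac
import struct

REPORT_LEN = 8  # bytes in a boot-protocol keyboard report
TAG_LEN = 8     # bytes of authentication tag kept on the wire

def _keystream(key: bytes, counter: int) -> bytes:
    # Fresh keystream per report; the counter must never repeat under one key.
    return hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()[:REPORT_LEN]

def _tag(key: bytes, counter: int, ciphertext: bytes) -> bytes:
    msg = b"tag" + struct.pack(">Q", counter) + ciphertext
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def keyboard_encrypt(key: bytes, counter: int, report: bytes) -> bytes:
    """Keyboard side. Wire frame = counter(8) || ciphertext(8) || tag(8)."""
    if len(report) != REPORT_LEN:
        raise ValueError("report must be 8 bytes")
    ciphertext = bytes(a ^ b for a, b in zip(report, _keystream(key, counter)))
    return struct.pack(">Q", counter) + ciphertext + _tag(key, counter, ciphertext)

def host_decrypt(key: bytes, frame: bytes, last_counter: int) -> tuple:
    """Host filter-driver side: verify the tag, require a strictly increasing
    counter (replay protection), then recover the report. Returns (report, counter)."""
    if len(frame) != 8 + REPORT_LEN + TAG_LEN:
        raise ValueError("bad frame length")
    counter = struct.unpack(">Q", frame[:8])[0]
    ciphertext, tag = frame[8:8 + REPORT_LEN], frame[8 + REPORT_LEN:]
    if not hmac.compare_digest(tag, _tag(key, counter, ciphertext)):
        raise ValueError("authentication failed")
    if counter <= last_counter:
        raise ValueError("replayed or reordered report")
    report = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, counter)))
    return report, counter

# Constructed demo values: a fixed pairing key and the report for the letter
# "E" given in the text (keycode 0x08 in the first keycode slot).
PAIRING_KEY = b"\x11" * 32
REPORT_E = bytes.fromhex("0000080000000000")

def demo() -> dict:
    frame = keyboard_encrypt(PAIRING_KEY, 1, REPORT_E)
    on_the_wire = frame[8:16]  # all a Keylogger in the cable would capture
    report, counter = host_decrypt(PAIRING_KEY, frame, last_counter=0)
    return {"on_the_wire": on_the_wire.hex(), "recovered": report.hex(), "counter": counter}
```

    In a real product the pairing key would be provisioned once between keyboard and host driver; the point shown here is that the bytes on the cable carry no recoverable keycode and that a replayed or altered frame is rejected rather than typed.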

    2.2 BadUSB protective measures

    A BadUSB device can be hidden in any type of USB interface device and its camouflage is very strong, making it difficult for users to prevent BadUSB attacks. The main protective measures are as follows:

    (1) Restrict the use of the computer's USB ports and do not use unfamiliar USB devices.

    (2) Develop USB protection software that prevents a BadUSB device from operating the host directly: when a USB device is plugged into the computer's USB interface, the lower layer of the operating system first blocks any behavior of the USB device, the protection software prompts the user to confirm whether the device is trusted, and the user must enter the corresponding password before the USB device is accepted. This prevents BadUSB from directly simulating keyboard and mouse behavior and effectively reduces the risk of attack.

    (3) Use a USB hardware firewall: none of the computer's USB interfaces is exposed directly to the user; they are connected to the USB hardware firewall, whose own interfaces are opened for the user to use. The firewall performs USB device enumeration and content inspection internally, and a USB device must pass the firewall's security check before it can be used.

    (4) Computer USB peripherals adopt firmware signing, blockchain and other technologies to ensure that the firmware is not tampered with, preventing USB peripherals from being reverse-programmed to implant BadUSB malicious programs.

    (5) Establish a USB device whitelist mechanism: at the lower layer of the operating system, determine whether the firmware ID of a USB device is in the whitelist, so as to prevent illegal USB devices from being inserted and protect the computer from attacks at the lowest level.

    (6) Adjust the operating system's device installation policy: for example, on Windows set the local group policy, establish a group policy of GUID-based trusted HID devices, strictly restrict the loading of USB devices, and disable the operating system's CMD command.
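    The following is an added example of the whitelist and trusted-HID checks described in measures (5) and (6); it is not code from the paper. The policy rules, the vendor/product ID allowlist and the device records are constructed by the editor, and a real implementation would sit in the operating system's device enumeration path rather than in a script.

```python
"""USB device allowlist check, added as an example for protective measures
(5) and (6) above; it is not code from the paper, and the policy rules,
device records and allowlist are constructed by the editor. Each enumerated
device is described by its vendor/product ID and the USB interface classes it
exposes (0x03 = HID, 0x08 = mass storage)."""
from dataclasses import dataclass

HID, MASS_STORAGE = 0x03, 0x08

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interfaces: tuple  # interface class codes the device enumerates with

def evaluate(device: UsbDevice, allowlist: set, keyboards_present: int) -> tuple:
    """Policy decision for one newly enumerated device: (allowed, reasons).
    - Unknown (vid, pid) pairs are denied by default (measure 5).
    - A device exposing HID alongside mass storage is denied even if
      allowlisted: a flash drive has no business typing (measure 6).
    - A further HID device appearing while a keyboard is already attached is
      not accepted automatically; measure (2) has the user confirm it."""
    reasons = []
    if (device.vid, device.pid) not in allowlist:
        reasons.append(f"{device.vid:04x}:{device.pid:04x} not in allowlist")
    if HID in device.interfaces and MASS_STORAGE in device.interfaces:
        reasons.append("composite storage+HID device")
    if HID in device.interfaces and keyboards_present >= 1:
        reasons.append("extra HID device while a keyboard is attached")
    return (not reasons, reasons)

# Constructed sample data: an approved keyboard, a plain flash drive, a
# flash-drive-shaped device that also enumerates as a keyboard, and an
# unknown HID device.
ALLOWLIST = {(0x046D, 0xC31C), (0x0781, 0x5567)}
KEYBOARD = UsbDevice(0x046D, 0xC31C, "KB-0001", (HID,))
FLASH = UsbDevice(0x0781, 0x5567, "FD-0002", (MASS_STORAGE,))
SUSPECT = UsbDevice(0x0781, 0x5567, "FD-0003", (MASS_STORAGE, HID))
UNKNOWN = UsbDevice(0x1234, 0xABCD, "none", (HID,))

def run_demo() -> dict:
    # The keyboard enumerates first; every later device sees it attached.
    return {
        "keyboard": evaluate(KEYBOARD, ALLOWLIST, keyboards_present=0),
        "flash": evaluate(FLASH, ALLOWLIST, keyboards_present=1),
        "suspect": evaluate(SUSPECT, ALLOWLIST, keyboards_present=1),
        "unknown": evaluate(UNKNOWN, ALLOWLIST, keyboards_present=1),
    }

if __name__ == "__main__":
    for name, (allowed, reasons) in run_demo().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```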

    3 Conclusion

    This paper has analyzed the common hardware and software principles of Keylogger and BadUSB devices and proposed measures against the security risks, which can effectively address USB-level security problems such as keyboard record monitoring and BadUSB attacks. In practical application, however, these measures still require the relevant algorithms to be optimized and security policies to be adjusted. Only when the peripheral is treated as an untrusted data source for the host, the USB security protocol is innovated, and active authentication of connected devices is added can malicious USB attacks be fundamentally eliminated. USB-level security is ultimately the user's own problem and is closely tied to the user's security awareness. Users of information systems with higher security requirements should raise their awareness of the safe use of USB devices, be cautious about USB devices of unknown origin, regularly check the device manager and the USB device access records, and formulate a reasonable USB device access policy to minimize security risks.