August 16, 2019
Duck Hunting: Learning to spot and prevent malicious hardware attacks

As Clear as a Broken Window

The essence of a malicious “hack” is to take advantage of an inherent trust. If a thief breaks a window, they violated the trust that people would use doors to enter. This same logic is used time and again by industrious people to overcome, negate, or simply bypass all manner of security devices.

In the last 10 years, there has been an increase in attention on IoT devices and widely available, inexpensive single board computers and microcontrollers. Along with all these new devices came a renewed interest in using small devices to gain access, steal sensitive data, and introduce rogue software and processes into target systems.

So, what can be done about it?

The best defense against most attacks is to train your users to look for and question odd or out of place devices in and around the office. One of the most well publicized devices capable of this kind of attack is the Rubber Ducky USB drive used as a prop in the show Mr. Robot. It is one example of a common attack called keyboard emulation or keystroke injection.

In its most common form, the attacker scatters a few (or a few dozen) USB flash drives near the target in hopes that one or more users might pick one up and plug it into a computer to see what is on it and possibly how to return it to the person who lost it.

You may be thinking you would never plug in such a drive. But what if it had your company’s logo on it? What if it was the same size and color as the one you always see your boss use? Or even if you found a spare keyboard sitting in a cube near yours which is used as hotel space? What about a really nice presentation clicker left in a conference room right before your quarterly meeting?

Best Practices for Duck Hunting

In honor of the Rubber Ducky, we’ll refer to the practice of scouting out potential hardware attacks as, “duck hunting.” For users without the technical expertise to verify “found” hardware such as a USB rubber duck, the best strategy is to assume it is not safe and reach out to the technical resources at your organization.

For those looking for some quick tells hardware may have been altered, here are a few flags to look for:

  • Damaged, well used, or missing screws and fasteners
  • Pry marks near the seams in plastic housings and shells (like on a usb flash drive)
  • Items that are “too good to be true” sitting in the open (includes presentation clickers, phones and even laptops/tablets)
  • New devices that are out of place and nobody knows how they got there. This includes things as simple as a plug-in nightlight or plastic housing with no labels or only a hand-written “IT Dept- Do not remove,” note.
  • If a user sees windows open and close rapidly just after connecting a USB device, it can be an indicator that something is off about the device.

The best way to secure your network and your information, is to create a culture of awareness within your organization. We recommend training your staff up to become a team of “duck hunters” savvy enough to recognize the clues that a duck is swimming in your office and quick enough to notify the experts in IT.

About the Author
Adam Frantz
Solutions Engineer
Adam Frantz has been an engineer with CBI's implementations division since 2018. He is tasked with performing health checks on existing systems, updating security policies, providing insight on best practices, and configuration of security appliances for our clients. Adam holds industry certifications in cybersecurity from Cisco, CompTIA, and (ISC)2.
I Need To...