
Red Team Village - Evil Genius: Why You Shouldn't Trust that Keyboard

Formal Metadata

Number of Parts: 374
License: CC Attribution 3.0 Unported
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Transcript: English(auto-generated)
Okay, welcome to our talk, Evil Genius: Why You Shouldn't Trust That Keyboard, by Fadit Perez and Mauro Eldridge from DC 5411. Before we start, let's make a brief introduction to this talk and to ourselves, the speakers. I am Mauro Eldridge, I'm an Argentine hacker and I'm the founder of DC 5411.
I work as a cybersecurity architect and in the last years I was a speaker at DEF CON Las Vegas, Tetha Siberia, Roadsec Brazil, DragonJAR Colombia, Postcon Iran and the Texas Cyber Summit, among other conferences.
Thank you, Mauro. Hello everyone, my name is Fadit Perez, I am a Colombian hacker, assisting in communication. I work as a professor at the University of La Guajira and I am a member of the DC 5411 group. Also, I've been a speaker at DragonJAR Colombia and now at DEF CON in this video.
The objective of this talk is to explain bad USB attacks in a different way, combining hardware hacking, human hacking and social engineering. In this case, we will explain this type of attack using one of our evil creations,
a tampered keyboard, which acts as a remote keylogger. As you can see in this photograph, it seems to be a classic keyboard, a normal cheap keyboard without anything suspicious. But well, you may be wrong.
It looks pretty normal. This talk is divided into two chapters: the social engineering one, where we try to create a plausible alibi and the necessary conditions for our attack to be effective, and the hardware hacking one, where we explain the mechanics of building a bad USB with cheap
parts and how we use this bad USB for exfiltration of data. Just a little disclaimer: the speakers had full permission from the affected parties to conduct
this experiment in an authorized manner, a complex red teaming exercise, and the authors weren't involved directly or indirectly in any illegal activity. Let's start with the first chapter, the social engineering. The point of the experiment was to infect a user without any direct interaction, using
only the bad USB keyboard, but without being able to touch it, not even to connect it. So we had to rely on social engineering, or human hacking, to get someone else to do the job on our behalf. This is what we had so far.
Our victim was an educational institution. We had no physical access to the place and no help from the inside. They only had an open guest Wi-Fi connection, which we were not allowed to mess with, and it was segregated from the main network. So at first it might not seem like a really valuable asset. And we had a modified
keyboard with our bad USB in its original box, with its accessories and manuals and everything you expect to find in a brand new unboxed item, right?
So let's try to simplify this equation. We had no physical access from the inside, and an original box. Next, we had to create an attack vector from these really poor assets.
So what can we do with no physical access and a box? The obvious first thing that came to our mind was the fake postal service, a postal impostor. This was way out of our scope.
So we wanted to do something similar, but not so violent. So we came up with this little strategy. Delivering an unsolicited keyboard could only seem strange and suspicious.
You are not expecting an unsolicited keyboard any day of the week. So we had to improve our game, and resolved to help the local industry by printing a few extra things for a small price, and these few extra things are the following.
Note that we have censored the trademark, the brand, because the manufacturer is not linked in any way, it's not related to this talk or this experiment.
So for a few dollars we had stickers, a T-shirt and a neatly packaged keyboard ready to be sent to the institution along with a simple letter. Absolutely nothing to suspect, well, maybe. The package was sent via a well-known private courier app, which confirmed its receipt.
A few hours later, we were already quite concerned, with the package marked as received and nothing happening. After a while, our keylogging data started to populate.
Now you might ask yourself, how does this bad USB keyboard work? So now my partner, Farid, the hardware hacker of the group, is going to show you the magic behind this electronic tampering.
Thank you, Mauro. Here we have the components used in this project which, if we want to do it ourselves, we must have: a normal keyboard of the model most used in your country, the wireless network component for Arduino, the ESP8266, and an Arduino Nano, a standard USB cable,
a command and control server, the Arduino programming interface and, above all, lots of patience. In this diagram, it is possible to observe the keyboard schematic.
It starts operating the moment the user inserts the keyboard's USB cable, without revealing that the keyboard has the Arduino Nano device with an ESP8266 wireless interface
for sending all the information entered on the keyboard to a C2 server, which will be a PHP, MySQL and phpMyAdmin interface, the tools where the hacker will be receiving all the information
entered on our already named keyboard. All the parts are cheap and easy to conceal inside the device. This part does not add significant weight to the keyboard.
There is no sign that could make the victim suspicious. In this image, you can see each component mentioned in the functional prototype of the attack.
This image presents the POST method code to the C2 server. This image shows the C2 server connection code of the bad USB model to steal data
online. As you may already know, this bad USB has a command and control server, which is built upon a LAMP stack, Linux, Apache, MySQL, PHP and phpMyAdmin, a code, a database
and a simple table, as you may see now. You can see that there are at least 28 rows; these rows represent sessions. I'll take a moment to explain to you what sessions are on this bad USB keyboard. Once the buffer of the keyboard stops receiving data for a certain amount of time, it closes
the buffer and uploads its contents to the web server, this command and control server. So it has separated the different inputs by sessions.
Let's try to inspect some of these sessions. For example, here, session number 11 is when the user attempts to access gmail.com but, instead of entering their credentials, the victim jumps into another task, let's say Microsoft
Word, and starts typing a document about Torres Javier. Then he goes back to Gmail and enters his or her credentials and passwords. We have another example here of passwords.
And then, internal instructions. For example, on number 20 it says, I have bought a ream of paper for the office. On session 21 it says, I have made a Mercado Todo recharge for the office.
And it continues, right? Here we can see on session 24 another password. Try to picture obtaining these passwords with other methods, for example with cracking. It certainly won't be impossible, but it will take you a longer time than simply using
this bad USB. On session 25 we have our first case of personally identifiable information. As you can see behind the encoding error, it says Cédula de Ciudadanía, which translated
from Spanish means national ID, which is the equivalent of the SSN, the social security number, in the USA. It's a number that identifies a citizen, so it is treated as private information. Then, on session 22 we have the login for an online banking site.
Obviously the credentials were there too. So far, you might ask yourself what you can do. Well, you can obtain credentials for any local or remote service, for local users,
or cloud services, or different providers online. You can obtain private information about users, resources, documents, and infrastructure. You can discover internal conversations or communications, as we have seen before. You can see internal orders, for example, or internal documents about daily tasks.
You can use this keyboard as a pivot for new attacks. And in very specific and rare scenarios, an attacker could compromise an entire supply chain, replacing normal keyboards with infected ones.
I know this might sound actually a little bit crazy, or a little bit too rare or too unique, but some days ago counterfeit or fake Cisco switches were discovered deployed in production.
So a network engineer saw that his core switch was failing or acting clunky, tried to troubleshoot it, and ended up finding that it was a counterfeit one. To add to this about counterfeit hardware, I want to offer you a small appendix
with a brief explanation and comparison of fake hardware, and to speak about the possibility of using it for red teaming, aside from what everybody else is using it for, you know, shading. First case: it's the keyboard that we were talking about.
This is our own prototype. You may find no substantial differences on the outside, no evidence of tampering, nothing really to worry about. And this is the original one, with a non-stock picture from an e-commerce site.
As you see, there are no differences between them. But this tampering is not really limited to any kind of hardware. You can tamper with anything you want. For example, let's take a look at this set of speakers that we have tampered with ourselves,
for another case study. These speakers might look, like the keyboard, really normal on the outside, nothing really weird about them. But once you open them, you find they are tampered with.
You find that they have another hardware piece scattered around, which makes it really suspicious to a trained eye. Now let's take a look at a photograph of the original speakers. Again, a non-stock picture from an e-commerce site.
They are recently unboxed. As you may see, there's nothing to worry about, nothing really strange or weird about them. But this is not only limited to small hardware. Even critical hardware like switches, in this case core switches from Cisco, can be tampered with.
This is a very good comparison between an original Cisco switch board and two counterfeit ones. The source is F-Secure. As you can see, the one on the left is the original one.
The second and the third are counterfeit. Take a look at the second: on the lower half, it has the Cisco trademark printed on the board, while the third one does not. So the differences are subtle, and can be really overlooked by an untrained eye.
This is the dangerous part of this. It is very easy to be misled by this hardware. It doesn't end here. This is not something new, as I said before. A user on Reddit a year ago posted about being a victim of a counterfeit Cisco device.
Let's take a look first at an original Cisco switch front panel, and then a counterfeit one. The sources of these images are Reddit, the original post,
and eBay. This is the original one. As you may see, this is what you expect to unbox from Cisco. And this is the counterfeit one. It's basically what you expect, again, to unbox when you buy a Cisco switch.
So there are no really, really big differences. Some of the most noted differences on counterfeits are the brightness of the numbers of the ports. As you may see, 1, 2, 11, 13, 12, and 14, 23, 24, etc.
This is something that is most noted on the internet, the brightness of those numbers. Nothing else from the front. And some people noted that the screws are different. So unless you open it, or unless you know something really, really specific about it, you won't suspect.
This is just to make you understand the dangers of counterfeit or fake hardware, and that out there, there are people dedicated to faking this kind of hardware,
not only for a red teaming exercise like ourselves, but to make a profit from it. And it is really, really dangerous to corporations, to small companies, and to almost every institution out there.
So, before we close this talk, we would like to share a little demo with you about this keyboard and how it acts. Since this is a demo, we'll use two laptops and one of the infected keyboards.
Time to say goodbye and jump to the conclusions, and obviously the questions and answers. Our conclusion is that you always have to be wary of any new device, whether USB or not.
This might seem obvious, but anyone could be a victim. Be honest: would you have suspected this keyboard if you just saw it lying around on a desk or in your office?
Probably not. And bear in mind that with a few dollars anyone can build or even buy a product of this type, along with t-shirts and stickers like we have used in this case.
Whenever possible, use preventive measures against USBs. And always remember that the mousetrap works because the mouse doesn't quite understand why the cheese is free. So educate your users not to pick up things from strangers.
You can get in touch with us on GitHub, Mauro Eldridge and DC5411, or on Twitter. You have our handles here. We are always open to discuss hardware hacking, social engineering, and hacking in general, so we'll be more than happy to talk with you. If you have any questions, we'll gladly answer them in the chat.
Thank you.