Curiosity and the plan of attack: the human Achilles heel of security




This year too, Tweakers is present on site at the Black Hat security conference in Las Vegas. The first day offered a wide variety of presentations, two of which shared a common theme: curiosity. Both Elie Bursztein, security researcher at Google, and Zinaida Benenson, scientist at the German University of Erlangen-Nuremberg, made the human factor central to their presentations.


USB Flash Drives

Bursztein addressed the question 'does dropping USB drives really work?'. He said that at every security conference there is someone who claims to have circumvented a company's security by placing a USB stick in a prominent spot outside the building, in the hope that an employee would plug it into a PC. The attack is supposedly so effective that it even turned up in the TV series Mr. Robot, in a scene where a security guard plugs in a USB stick he found in the parking lot shortly before, without realising that the drive had been left there deliberately.

Reason enough for the Google researcher to set up an experiment and test this claim. He distributed 297 prepared USB sticks on the campus of the University of Illinois, to be found by passers-by. He varied the location, appearance and content of the sticks and could track the results through a backend. After people had viewed the contents of a stick, they could fill out a questionnaire and indicate what their motives had been.

Possible attacks

Bursztein distinguishes three possible attacks that can be carried out via a USB stick. The first is based entirely on social engineering and consists, for example, of placing malicious files with names such as 'do not open' or something else appealing. This attack, however, quickly arouses suspicion and is not very reliable. The second possibility is so-called HID spoofing, in which the storage device presents itself as a human interface device, in most cases a keyboard. In this way a command can be executed via keystrokes, for example to open a remote shell.


The tricky part of such an attack is that the victim's operating system must be determined before the attack can be carried out. In addition, the payload that opens the command prompt must be small and must not be detected by antivirus software. The USB stick should also look believable.

The researcher nevertheless managed to find a solution to all of these problems. He found a quick way to determine the victim's operating system through a virtual keypress and the state of the 'scroll lock' key. A small payload also turned out to be feasible: via a scripting language it was possible to write a Linux payload of one hundred characters. On Windows the process was more complex, but not impossible. Fabricating a USB stick based on a Teensy 3.2 cost Bursztein about $40 per device.

He demonstrated the final attack in a video. It showed that the whole process, from plugging in the USB stick to opening a shell and connecting to a Metasploit-based command-and-control server, took about six seconds, during which the user only briefly sees a command prompt. After that he had free access to the infected computer.

The third way to use a USB stick for such an attack is to gain access to a device through a zero-day vulnerability. This route, however, is very expensive and cumbersome, so it is reserved for very dedicated attackers, such as states.

Bursztein has made the code of his project available online. He also elaborated on how to manufacture a USB stick with a convincing appearance using a Teensy. For this he used a silicone mould, which was not easy at first, but ultimately he managed to make good copies. The researcher is considering a Kickstarter project for this kind of USB stick if there is enough interest.


Back to the results of the study. It turned out that 98 percent of the dropped USB sticks were picked up and that 48 percent of them were connected to a computer, something Bursztein had not expected. It also turned out that it did not matter where the USB stick was dropped, for example in a parking lot, in a common area or on a footpath. Appearance did not matter either, for example whether keys were attached or a label was stuck on.

The main reason for opening the files on the drive, the finders declared, was to identify the owner. Bursztein doubts this explanation, however, because his data show that the vast majority of people had only opened the photos and not the other files. The reason mentioned next most often was curiosity, something Bursztein considers far more likely.


The second study, by Benenson, focused on the phenomenon of phishing. She wanted to investigate the reasons people click on suspicious links. To this end she sent 1600 students a Facebook message or an e-mail from an unknown person containing a link to photos of a New Year's celebration. The message also asked the recipient not to share the pictures. The number of clicks was then recorded by the researcher.

It turned out that 43.5 percent of the students clicked on the link in the Facebook message and 25 percent on the link in the e-mail. When Benenson later approached the students, it emerged that the biggest reason for following the link was curiosity, cited in 34 percent of cases. The next reason was that the students thought the pictures really were from a party they had attended. Reasons for not clicking were not knowing the sender and the suspicion that it was spam or phishing.


Benenson argues that users would in fact need to be in a sort of James Bond mode all the time: constantly alert that something is not what it seems. She also understands, however, that this cannot be demanded of anyone.


The solutions the two researchers propose have something in common. Both mention that creating awareness among users plays an important role. Benenson, for example, notes that it is only necessary to be suspicious when there is a valid indication. They also recognise that suppressing curiosity is not an option, because it is inherent to people. She therefore calls for engaging in conversation with users, such as employees of a company who handle external messages every day.

Bursztein mentions that there are specific ways to defend against an attack via a USB stick, but they do not always work well. It is possible, for example, to block the USB ports on computers. There is also the option of allowing only certain USB sticks through a system policy. This can go wrong, however, when the ID of a device is spoofed, which is not very difficult. Antivirus programs do not help against such an attack, because only text is entered.
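One defensive signal that follows from the last point, though the article does not mention it: a payload injected by a spoofed keyboard is typed far faster than any person can type. The Python below is an added example, not code from Bursztein's project; it assumes a constructed host-side input log (format and device names invented here) and flags a newly attached keyboard-class device whose keystrokes arrive at machine speed.

```python
from collections import defaultdict

# Constructed host input log (not from the talk): "<time_s> <attach|key> <device> <key>".
# Device A types at ~5 ms per key after attaching; device B is typed by a person.
SAMPLE_LOG = """\
10.000 attach usb:hid:A kbd
10.500 key usb:hid:A a
10.505 key usb:hid:A b
10.510 key usb:hid:A c
10.514 key usb:hid:A d
10.519 key usb:hid:A e
10.523 key usb:hid:A f
10.528 key usb:hid:A g
11.000 attach usb:hid:B kbd
11.400 key usb:hid:B h
11.620 key usb:hid:B e
11.790 key usb:hid:B l
11.950 key usb:hid:B p
"""

MAX_HUMAN_GAP = 0.030  # seconds between keys; sustained faster gaps are injected
BURST_LEN = 6          # consecutive fast gaps required before a device is flagged


def parse_events(log):
    """Parse log lines into (time, kind, device) tuples; the key itself is ignored."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            events.append((float(parts[0]), parts[1], parts[2]))
    return events


def find_injected_devices(events, max_gap=MAX_HUMAN_GAP, burst=BURST_LEN):
    """Return devices that, after attaching, emit `burst` keystrokes at machine speed."""
    attached = set()
    last_key = {}                # device -> time of its previous keystroke
    fast_run = defaultdict(int)  # device -> consecutive keystrokes within max_gap
    flagged = []
    for t, kind, dev in events:
        if kind == "attach":
            attached.add(dev)
        elif kind == "key" and dev in attached:
            prev = last_key.get(dev)
            fast = prev is not None and t - prev <= max_gap
            fast_run[dev] = fast_run[dev] + 1 if fast else 0
            last_key[dev] = t
            if fast_run[dev] >= burst and dev not in flagged:
                flagged.append(dev)
    return flagged
```

Only devices seen attaching during the log are considered, so a keyboard present before logging started is never flagged; the thresholds are heuristics and would need tuning against real typing data.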

Absolute security is a utopia and the human factor remains an issue when it comes to securing systems. Curiosity will continue to play an important role in that.

