Ask HN: What stops a random USB device from rooting Windows?

16 points by 5ESS ↗ HN
Ok so I’m learning computer security and I had an idea for an attack method and it’s so simple I wanna know if it’s already put into practice.

Basically it would be a USB device that tells the Windows system it’s a generic keyboard+mouse. Then it would simulate the entry of input something like: 1) WinKey + R 2) cmd.exe [enter] 3) [enters or pasted a malicious script] 4) await UAC prompt. Click pre-calculated dimensions for the button based on screen size/dpi ratio..

Now the entire system is rooted in under 2 seconds.

Can someone explain what mitigations if any Microsoft has put in place (prior to the recent ASR which is new and probably also vulnerable?) to disable this [fake mouse and keyboard attack] ?

18 comments

[ 2.9 ms ] story [ 46.0 ms ] thread
Here's something very similar to what you're thinking of.[0] There's a low cost alternative if you'd like to experiment.[1]

[0] https://shop.hak5.org/products/usb-rubber-ducky-deluxe

[1] https://sequr.be/blog/2021/02/attiny85-rubber-ducky/

Interesting and both are sold out. They seem kind of rare. Probably for a reason! I guess it would be bad if somebody like…had a trashbag’s worth of them with “You Won 1 Free Bitcoin” noted and sprinkled them around commercial and public properties a 100mi radius. Or sent out 1,000 in the mail for example.
The reason would be that not enough of them sell to be worthwhile. Simply going from your description it sounds like the kind of product that could be designed and set up for manufacture in a handful of hours. But then what? I have no use for the product and even if I were inclined to ignore the ethical considerations, I doubt that I'd sell enough of them to recoup my time.

The people for whom this would be most useful already have the resources to build it themselves!

Too bad kaspersky has been banned/cancelled in my country (USA). Any alternatives? I don’t necessarily use antivirus, thought it was unnecessary with Windows 11 built in Security. But now my mind is changing… anyways There should be a open source tool for Windows that only allows only 1 trusted keyboard/mouse to input and monitors for anything sketchy in USB firmware. Seems easy enough to create.
I found this which claims to block these attacks: https://www.gdatasoftware.com/antivirus-windows

> USB Keyboard Guard

> Protects you against manipulated USB devices that pretend to be keyboards, even though they look like USB sticks or external hard drives.

Still doesn't protect you from a wireless reply attack assuming no encryption in your device is present or hid spoofing. The safest scenario will be using encryption always even with cable keyboard/mouse and a pre-auth with a public/private key scheme like the one in android debugger bridge or TLS.
how can anti-virus protect against it?

it has no way of telling that that device isn't a logitech keyboard, and can't tell that it's not the user opening up elevated cmd.exe and accepting the prompt

From the linked article:

> Kaspersky Endpoint Security's technology will not authorize any HIDs unless the user inputs a code using a HID already authorized to do so.

It should be common practise to run your every day computer life from a "normal", non-privileged user account. This way, automating UAC confirmations are impossible, given that alternative credentials have to be entered for the UAC to be authorized. Yet, you'll find that many people do not do this.
If the current user isn't an admin, they can't just click through UAC.

If they are an admin, they could just do this manually.

Either way, no privilege escalation, which "rooting" typically implies.

Sure, you could make a USB stick that automates any user input, but you could just make the same inputs yourself with the keyboard and mouse already at the machine. What kind of situation does this actually benefit you in?

Well, the speed. You plug the usb in, unplug it 5 seconds later, and you walk away from a backdoored system talking to your C2 server.
Even better, why not find people with a wireless mouse/kbd dongle plugged into their computer, then send radio signals mimicking their mouse/kbd to do the same thing? That way you don't even need to touch their computer or bypass the check on whether the USB device is preauthorized.

The reason you can't is because many newer wireless devices have encryption, but how many people know or care when they buy one?

I spent a not insignificant amount of time looking into this, but for the purpose of making a game AI, not for hacking other people's computers.