4 gadgets that can identify security problems


Their innocent appearance and endearing names mask their true power. These gadgets are designed to help identify and prevent security issues, but what if they fall into the wrong hands?


Could seemingly innocuous objects that look like ordinary USB drives, charging cables or children’s toys be co-opted as aids in an actual hack? Or is this just the stuff of TV shows?

There are a lot of popular nerd gadgets with endearing names that provide valuable functionality for hobbyist hackers and security professionals alike. However, many of these tools can be likened to double-edged swords: they can help both test an organization’s security and breach its defense mechanisms. Some of them pack a surprisingly heavy punch and can turn from useful tools into powerful weapons if misused by those with malicious intent.

This could ultimately be a cause for concern, partly because I have personally witnessed countless companies struggle to implement appropriate protective measures due to a lack of awareness of potential risks. An example of this is the use of unknown external devices on corporate systems – especially devices that often do not raise suspicion, such as USB drives. That brings us to the first few gadgets that could ultimately cause security issues:

Ducky and Bunny

Despite looking similar to standard flash drives, Hak5’s USB Rubber Ducky and Bash Bunny are essentially USB attack platforms with serious capabilities. Originally designed to help penetration testers and other security professionals automate their tasks, these plug-and-play gadgets can wreak havoc in just minutes.

For example, the Rubber Ducky can mimic the actions of a Human Interface Device (HID), such as a keyboard or mouse, and trick the system into accepting the input as trusted. This means it can be used to execute malicious commands to collect login credentials, financial information, proprietary company data, or other sensitive information.

Figure 1. Rubber Ducky (source: Hak5)

By masquerading as a keyboard, it can direct the computer to visit a malware-laden website or execute malicious payloads – as if done by a hacker sitting at his desk. All it takes is to preload the ducky with a series of keystrokes that perform specific actions on the system.
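Because the keystrokes are replayed by a device rather than typed by a person, they tend to arrive far faster and more evenly than human typing. The following detection sketch is an added example, not code from the article or from any vendor; the thresholds, function names and sample events are assumptions constructed for illustration.

```python
from statistics import median

# Assumed thresholds (not from the article): people rarely sustain
# gaps of 30 ms or less between keys across a dozen consecutive keys.
MAX_GAP_MS = 30
MIN_RUN = 12

def find_injection_bursts(events, max_gap_ms=MAX_GAP_MS, min_run=MIN_RUN):
    """Return (start_ms, end_ms, key_count, median_gap_ms) for every run of
    at least `min_run` key presses whose consecutive gaps are all
    <= max_gap_ms. `events` is a time-sorted list of (timestamp_ms, key)."""
    bursts = []
    run_start = 0
    for i in range(1, len(events) + 1):
        # A run ends at the end of input or when a gap exceeds the threshold.
        ended = i == len(events) or events[i][0] - events[i - 1][0] > max_gap_ms
        if not ended:
            continue
        if i - run_start >= min_run:
            times = [t for t, _ in events[run_start:i]]
            gaps = [b - a for a, b in zip(times, times[1:])]
            bursts.append((times[0], times[-1], len(times), median(gaps)))
        run_start = i
    return bursts

def make_sample():
    """Constructed sample: human typing, a 20-key burst at 5 ms spacing, human typing."""
    events, t = [], 0
    for key, gap in zip("hello", (0, 140, 95, 180, 120)):
        t += gap
        events.append((t, key))
    t += 2000
    events += [(t + 5 * k, "x") for k in range(20)]
    events += [(t + 995, "o"), (t + 1145, "k")]
    return events

if __name__ == "__main__":
    for start, end, count, gap in find_injection_bursts(make_sample()):
        print(f"possible keystroke injection: {count} keys in {end - start} ms "
              f"(median gap {gap} ms) starting at t={start} ms")
```

Timing is a heuristic, so it works best as one signal alongside control over which devices may connect at all.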

All script functionalities available in the Rubber Ducky can also be found in the Bash Bunny. Potential risks associated with the Bash Bunny are therefore no different than those associated with the Rubber Ducky and include installation of malicious software and information theft.

That said, the Bash Bunny ups the ante even further. It retains the Rubber Ducky’s ability to masquerade as a trusted HID device, but builds on this by adding features such as administrative privilege escalation and direct data exfiltration using MicroSD card storage. It is also optimized for better performance.

To top it all off, even regular thumb drives can be co-opted for malicious purposes by converting them into USB Rubber Ducky and Bash Bunny-style devices.

Figure 2. Bash Bunny (source: Hak5)

Flipper Zero

Flipper Zero is a bit of a Swiss army knife for hackers that is attracting a lot of attention thanks to its wide range of features and technologies packed into a compact form factor. The palm-sized device lends itself well to pranks, hobbyist hacking, and some penetration testing, especially when testing the security of wireless devices and access control systems. There is also a lot of free third-party firmware that can further improve its functionality.

On the other hand, Flipper Zero’s ability to interact with various wireless communication protocols and devices can allow attackers to gain unauthorized access to restricted areas or sensitive systems. By combining features such as RFID emulation, NFC capabilities, infrared (IR) communications, Bluetooth, and General Purpose Input/Output (GPIO) control, it lets people interact with and manipulate various types of electronic systems.

Figure 3. Flipper Zero

For example, since the gadget can also send and receive IR signals, it can be used to control IR devices such as TVs or air conditioners. More worryingly, the gadget can be used to clone RFID access cards or tags. Unless those cards are properly secured against cloning, attackers can use Flipper Zero to gain access to locations secured with RFID-controlled locks. Flipper Zero can also emulate USB keyboards and run preconfigured Rubber Ducky scripts to automate tasks and perform or facilitate specific actions within a target environment, such as extracting sensitive data.

As cute as it may be, Flipper Zero has received a lot of criticism over concerns that it could be used to further crimes, especially car theft, given its ability to clone key fobs (although, to be fair, this is not without some serious limitations). It has therefore come under scrutiny by several governments, with Canada considering an outright ban and Brazil seizing incoming shipments of the product.

O.MG

The O.MG cable looks as inconspicuous as the charging cable of your regular smartphone. Developed by a security researcher who goes by “MG” online, the cable was created as a proof-of-concept to demonstrate the potential security risks of USB peripherals.

Figure 4. O.MG cables

The cables harbor a plethora of capabilities that allow exploitation for various malicious actions. They can function similarly to the USB Rubber Ducky and Bash Bunny, executing preconfigured code and functioning as a keylogger, making them suitable for data exfiltration and remote command execution.

O.MG cables include a Wi-Fi access point and can be controlled via a web interface from an attacker-controlled device. The cables are equipped with connectors that are compatible with all major device types and can be connected to and configured for Windows, macOS, Android and iOS devices. Oh my God.

Stay safe

While these tools have been used in several demonstrations, there appear to be no reports of them actually being used in real-world attacks. Still, it’s wise to employ a combination of technical controls, organizational policies, and employee awareness training to protect your organization from potentially risky gadgets.

For example:

  • Organizations should limit the use of external devices such as USB drives and other peripherals and enforce policies that require all external devices to be approved before they are connected to corporate systems.
  • Physical security measures are just as important so that unauthorized individuals cannot physically access or tamper with corporate systems and devices.
  • It’s also critical to conduct regular security awareness training for employees and educate them on the risks associated with USB-based attacks, including being careful about plugging in random USB drives.
  • Deploy security solutions that can detect and thwart malicious activity initiated by rogue gadgets, and provide device management features that allow administrators to specify which types of devices are allowed to connect to corporate systems.
  • Ensure that autorun and autoplay features are disabled on all systems to prevent malicious payloads from automatically running when external devices are connected.
  • In some situations, USB data blockers, also known as USB condoms, can come in handy because they strip a USB port of its data transfer capabilities and convert it to charging-only.
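To make the device-approval and device-management points above concrete, the following added example (not from the article or from any product) audits Linux kernel USB log lines against an approval list and flags keyboards that were never approved, including a device approved only as storage that also presents itself as a keyboard. The vendor and product IDs, the policy table and the log lines are all constructed for illustration, and the Linux log format is an assumption about the environment.

```python
import re

# Assumed policy with constructed IDs: approved VID:PID -> classes it may expose.
APPROVED = {"1111:aaaa": {"keyboard"}, "2222:bbbb": {"storage"}}

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
HID_KBD = re.compile(r"hid-generic \w{4}:([0-9A-F]{4}):([0-9A-F]{4})\.\w+: .*USB HID v[\d.]+ Keyboard \[")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")

# Constructed sample in the style of Linux kernel log output.
SAMPLE_LOG = """\
[ 10.1] usb 1-2: New USB device found, idVendor=1111, idProduct=aaaa, bcdDevice= 1.00
[ 10.3] hid-generic 0003:1111:AAAA.0001: input,hidraw0: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-2/input0
[ 95.0] usb 1-3: New USB device found, idVendor=2222, idProduct=bbbb, bcdDevice= 1.00
[ 95.2] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 95.4] hid-generic 0003:2222:BBBB.0002: input,hidraw1: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-3/input1
[140.7] usb 1-4: New USB device found, idVendor=3333, idProduct=cccc, bcdDevice= 1.00
[140.9] hid-generic 0003:3333:CCCC.0003: input,hidraw2: USB HID v1.11 Keyboard [Generic] on usb-0000:00:14.0-4/input0
""".splitlines()

def audit(lines, approved=APPROVED):
    """Return sorted (vid:pid, class, reason) findings for devices outside policy."""
    port_ids = {}      # USB port path -> "vid:pid" seen at enumeration
    findings = set()
    for line in lines:
        if m := NEW_DEV.search(line):
            port_ids[m.group(1)] = f"{m.group(2)}:{m.group(3)}"
            continue
        if m := HID_KBD.search(line):
            dev, cls = f"{m.group(1)}:{m.group(2)}".lower(), "keyboard"
        elif m := STORAGE.search(line):
            dev, cls = port_ids.get(m.group(1), "unknown"), "storage"
        else:
            continue
        if dev not in approved:
            findings.add((dev, cls, "device not approved"))
        elif cls not in approved[dev]:
            findings.add((dev, cls, "class not approved for this device"))
    return sorted(findings)

if __name__ == "__main__":
    for dev, cls, reason in audit(SAMPLE_LOG):
        print(f"ALERT {dev} exposes {cls}: {reason}")
```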
