RISK ASSESSMENT RATING: 5.33
How often the rogue device is used in the wild to conduct real-world attacks, with 1 being the rarest, 10 being widely used.
The Penetration Testing Teensy may be gaining a following, but it is still less popular than its “distant cousin” the Arduino microcontroller or the more polished Rubber Ducky.
The cost or “DIY burden” of the device, availability (ease of acquisition), and degree of skill necessary to deploy/operate the device, with 1 being expensive/difficult to build, not publicly available, and requiring deep technical expertise to operate, 10 being low-cost, available for purchase online, plug-and-play operation.
The Pentest Teensy is an out-of-the-box solution for USB HID spoofing, and at $20, it costs little enough that it can be experimented with. However, creating a program for the Teensy that meshes with the target is a less than trivial endeavor. This may be a problem for the more ambitious amateurs, but pre-built, automated tools like Dave Kennedy’s SET provide a set of easier attacks for those with less experience.
The potential damage caused by successful execution of the attack, with 1 being exposure of trivial information from the target, 10 being organization-wide superuser-level compromise or equivalent.
A properly executed USB HID spoof can be extremely detrimental to an organization, as it can gain access to many systems and store information on the device itself. That being said, properly executing a USB HID spoof is no small matter. Without the proper configuration, or with some careful authentication on the target, attacks will simply fail to compromise anything, much less gain mission-critical access.
Penetration Testing Teensy
While they lack the processing power required to run an operating system or traditional security tools, the flexibility and exceptionally low cost of hobby microcontrollers such as the Arduino make them perfect for purpose-built rogue devices. With their small size and minimal energy requirements, these microcontrollers are extremely well suited for covert installations where other types of devices simply wouldn’t work. Hidden inside of an everyday object or computer peripheral and powered by nothing more than energy leeched off of their host device, a microcontroller can turn almost any object into a potential rogue device.
One of the most widely researched security applications of microcontrollers is USB Human Interface Device (HID) spoofing; the microcontroller poses as a standard USB keyboard and sends keystrokes as if they were typed in by a human operator. Currently, the most commonly used microcontroller for HID spoofing is Paul Stoffregen’s Teensy, as it officially supports mimicking USB keyboards. While some researchers have combined the Teensy with additional hardware to increase its functionality, most techniques will work with the device right out of the box, making it very easy to replicate.
Hardware Specifications (Teensy 2.0)
- CPU: ATMEGA32U4 8-bit AVR @ 16 MHz
- RAM: 2.5K
- ROM: 32K
- I/O: 25 pins (12 analog, 7 PWM)
- Comms: SPI, UART, I2C
- Dimensions: 1.2 inches x 0.7 inches
While not as popular as the better-known Arduino microcontroller, the Teensy is quickly finding a following in the security field thanks to its robust support of the USB HID protocol. Spoofing a USB keyboard on the Arduino takes a combination of hardware, software, and arcane microcontroller knowledge; with the Teensy it is simply a matter of looking at the example source code included in the documentation. This out-of-the-box support for USB HID, combined with the Teensy’s diminutive physical size, makes it the logical choice for building into USB keyboards and mice.
Even though the stock Teensy is capable of spoofing a USB HID device and passing keystrokes to the computer’s operating system, additional hardware can be added to make more advanced attacks possible. With the addition of DIP switches, the Teensy can be configured in the field without needing to connect it to a computer. If an SD card is added, the Teensy gains a USB storage device that can be used to transfer files to or from the host computer.
In the most basic terms, the Teensy is only able to send keystrokes blindly to the host operating system in the hope that they are working as expected. If the software or operating system on the host computer is different than what the Teensy was programmed for, the commands being sent may fail or have unexpected results. Without a very good idea of what the software environment is like on the target machine, the effectiveness of a USB HID attack is greatly limited.
Technically, USB HID spoofing attacks are no different than if the attacker themselves sat down at the computer and typed the commands in; however, the Teensy has the advantage of typing faster than any human can and typing without mistakes. It’s also much less suspicious to plug in a device the size of a USB flash drive and walk away than to be seen typing away at a computer.
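The typing speed described above is also a detection signal. The following added example (not from the original article) flags machine-speed keystroke bursts per keyboard; the event format, device names and thresholds are assumptions, and the sample data is constructed.

```python
from statistics import median

# Assumed thresholds (not from the article); tune against real typing baselines.
MIN_HUMAN_GAP_MS = 30    # a sustained median gap below this is not human typing
MIN_BURST_KEYS = 12      # ignore short bursts (key repeat, rollover)
BURST_GAP_MS = 1000      # a pause this long ends a burst
ATTACH_WINDOW_MS = 5000  # a burst starting this soon after attach is more suspicious

def bursts(timestamps):
    """Split sorted keystroke timestamps (ms) into bursts separated by long pauses."""
    run = []
    for t in timestamps:
        if run and t - run[-1] > BURST_GAP_MS:
            yield run
            run = []
        run.append(t)
    if run:
        yield run

def score_device(attach_ms, timestamps):
    """Return (start_ms, key_count, median_gap_ms, reason) for each suspicious burst."""
    findings = []
    for run in bursts(sorted(timestamps)):
        if len(run) < MIN_BURST_KEYS:
            continue
        gaps = [b - a for a, b in zip(run, run[1:])]
        if median(gaps) < MIN_HUMAN_GAP_MS:
            reason = "machine-speed burst"
            if run[0] - attach_ms <= ATTACH_WINDOW_MS:
                reason += " right after attach"
            findings.append((run[0], len(run), median(gaps), reason))
    return findings

# Constructed sample: device name -> (attach time in ms, keystroke times in ms).
SAMPLE = {
    "kbd-new": (0, [1500 + 8 * i for i in range(40)]),           # 8 ms between keys
    "kbd-desk": (0, [60000, 60180, 60410, 60530, 60790, 60950, 61200,
                     61330, 61600, 61780, 62010, 62190, 62400, 62620]),
}

def scan(sample=SAMPLE):
    """Score every keyboard in the sample and return findings per device."""
    return {dev: score_device(attach, ts) for dev, (attach, ts) in sample.items()}

if __name__ == "__main__":
    for dev, found in scan().items():
        print(dev, found or "no findings")
```

Timing alone is a heuristic: a device that paces its keystrokes will pass it, so it complements rather than replaces the authentication controls the article mentions.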
At only $20, the Teensy is cheap enough that it doesn’t need to be recovered after use, making it ideal for permanently embedding into peripherals. With only a few extra pieces of hardware added, the Teensy can be made into a very formidable USB HID spoofing development platform, perfect for experimenting with more advanced attacks based on source code that has already been made available from existing research.
That said, the logistics of HID spoofing make it largely impractical as a general purpose tool. The programming on the Teensy must closely match the target operating system and software to be effective, and even then, the entire attack assumes that there is no authentication required.
While a successful USB HID attack can be tricky, the potential for damage is quite high. Complex attacks like installing backdoors or copying data off of the target machine can be done in seconds, potentially without the need to install any additional software.