USB Attacks: Fun with Plug & 0wn

Presented at DEF CON 17 (2009), Aug. 2, 2009, 3 p.m. (50 minutes).

How many times have you been handed a USB device and asked to copy a presentation or spreadsheet onto it? Often our biggest concern is around whether the device will be lost along with our company projections or takeover proposals. However, should we be more concerned about whether the device itself can be used to attack us and gain access to our system. In the past USB security has often focused on the contents of the devices themselves. When considering the information that has been lost on unsecured devices it is quite understandable that this has received so much attention. However, in all this excitement have we lost perspective on where the real danger lies? If you want to know the answer to that question then you need to come along to the talk and find out. The presentation will cover a wide range of security considerations for USB devices. However, it will specifically focus on the evolution of an attack that can be delivered through a malicious USB device. The talk will also include discussion about the methods that can be used to identify and exploit vulnerabilities in USB drivers and their advantages and disadvantages. To highlight the reasons for conducting this research the presentation will also include the disclosure of a vulnerability affecting a USB driver in a common operating system that the audience will be very familiar with. It will also show how that can be exploited by simply plugging a malicious device into the system. So, if you want to find out about a range of USB based attacks then come along to the talk. Afterwards you may think differently about that USB device you're just about to plug into your laptop.

Presenters:

  • Rafael Dominguez Vega - Security Researcher
    Rafael Dominguez Vega works in the UK as a Penetration Tester and Security Researcher for MWR InfoSecurity. He enjoys researching into different areas of security, from embedded devices and hardware hacking to social engineering, physical security and 'weird' proprietary protocols.

Links:

Similar Presentations: