Don’t accept Mice from Strangers…

Posted: June 27th, 2011 | Filed under: Blog

I think we’ve all been reading about the increasing onslaught of hacker intrusions lately. In a new angle on possible techniques, this piece in the Register describes how penetration testing firm Netragard successfully gained access to one of their clients’ PCs. They were forced into a unique solution by their client’s demand that they try to gain access without using the more common network-related intrusion methods (social media, telephony, etc.). They also couldn’t break in and use the computers, so they arrived at an unobtrusive hardware solution. In the photo above you’ll see their method in the underside of a common Logitech mouse. Inside is a Teensy USB development board (such as I have posted about before) along with a USB flash drive. Since the Teensy can be seen by your PC as a keyboard device, they were able to program it to send keyboard commands that installed nasty intrusion software onto the PC’s hard drive, which within a few days connected remotely to Netragard’s servers over the internet.

To get the hardware into the company, they packaged the mouse with fake promotional documents and sent it to an employee, who of course tried it out.
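From the defender's side, a mouse like the one described above gives itself away at enumeration: one port suddenly offers a keyboard and a storage device as well as a mouse. The check below is an added example, not code from the original post or from Netragard; the record layout, function names and sample inventories are constructed for illustration, and the class codes are the standard USB-IF values.

```python
# USB-IF class codes: 0x03 = HID, 0x08 = mass storage.
# HID interface protocol: 0x01 = keyboard, 0x02 = mouse.
HID, MASS_STORAGE = 0x03, 0x08
KEYBOARD, MOUSE = 0x01, 0x02

def functions(interfaces):
    """Map (class, subclass, protocol) triples to coarse function names."""
    found = set()
    for cls, _sub, proto in interfaces:
        if cls == HID and proto == KEYBOARD:
            found.add("keyboard")
        elif cls == HID and proto == MOUSE:
            found.add("mouse")
        elif cls == MASS_STORAGE:
            found.add("storage")
    return found

def audit_port(devices, expected):
    """Return the functions seen on one physical port beyond those expected.

    devices:  records for everything enumerated under a single port
              (a hub hidden in the casing makes several devices appear at once).
    expected: what the peripheral is supposed to be, e.g. {"mouse"}.
    """
    seen = set()
    for dev in devices:
        seen |= functions(dev["interfaces"])
    return sorted(seen - expected)

# Constructed sample inventories (hypothetical, not captured from real hardware).
PLAIN_MOUSE = [{"name": "mouse", "interfaces": [(0x03, 0x01, 0x02)]}]
TAMPERED_MOUSE = [
    {"name": "mouse", "interfaces": [(0x03, 0x01, 0x02)]},
    {"name": "extra HID", "interfaces": [(0x03, 0x01, 0x01)]},
    {"name": "flash drive", "interfaces": [(0x08, 0x06, 0x50)]},
]

if __name__ == "__main__":
    for label, devs in (("plain", PLAIN_MOUSE), ("tampered", TAMPERED_MOUSE)):
        print(label, "unexpected functions:", audit_port(devs, {"mouse"}))
```

A keyboard interface that does not declare the boot subclass reports protocol 0, and some legitimate mice expose a keyboard interface for macro buttons, so treat a hit as a reason to look closer, not as a verdict.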

How relevant is this type of intrusion? Check out this article over at Bloomberg. In particular:

The U.S. Department of Homeland Security ran a test this year to see how hard it was for hackers to corrupt workers and gain access to computer systems. Not very, it turned out.

Staff secretly dropped computer discs and USB thumb drives in the parking lots of government buildings and private contractors. Of those who picked them up, 60 percent plugged the devices into office computers, curious to see what they contained. If the drive or CD case had an official logo, 90 percent were installed.

!!!

via Adafruit