Shaken, not stirred.


When we discuss possible attack vehicles with potential customers, we occasionally get that look which says "Guys, we don’t think James Bond will be knocking at our door or messing with our network or end-points".

One must ask oneself: is that really the case? Do you need to be a state-level organization in order to execute hardware manipulation attacks? Do you need James Bond in order to launch an attack with a manipulated device, or will an average Joe do just fine?

Looking into the overwhelming wealth of "tactical" attack tools, the fun part of the movie, where James Bond meets Q and selects the coolest gadgets, is actually done by shopping in various online shops or through leaked information: less romantic, much more effective.

Now we need to find an Average Joe… I wanted to make life difficult, and for that I've recruited my 15-year-old son, who will be referred to as "Cyber Warlord" (he's young but ambitious, and I promised him a cool nickname when I write this article). Our weapon of choice?

As I showed in my previous article, a USB power bank could be a great platform, so we took a small USB-chargeable battery and modified it to include a rubber ducky.

The challenge now is to get this power bank connected to as many end-points as possible. Here is where social engineering kicks in: would you say no to a boy asking to charge his power bank for two minutes because it's drained? Well, most people say yes. Some will connect it to a wall adaptor (power line modem hacking is beyond this article's scope…), but some do connect it to their end-point. So? You're able to get to the neighborhood supermarket's PC and the local post office; what does it prove?

It proves only one thing: that "exotic" attack vehicles are not exotic any more, and direct physical access to the targeted PC or network is not something cybercrime is intimidated by. We've seen real-life examples from our customers, pulling out manipulated keyboards, hacked KVMs and Virtual Cable Mode routers, all of which can cause significant disruption and damage.


I'm aware that people would argue that in their enterprise USB is blocked, and it would not work. Well, is that really the case? Remember that blocking a USB mass storage device is a common functionality in EPS, but in this case the ducky impersonates a keyboard, for which blocking is not supported. You can run an easy test in your office: swap your keyboard and mouse with those of your neighbor, and see whether your CISO comes chasing you. Assuming this is not the case, how can you really be sure that the keyboard you’ve just connected is only a keyboard?
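The gap described above, as an added example that is not part of the original article: a policy that denies only the USB mass-storage class lets a HID device through, while a check against an approved list of input devices flags it. The function names, the approved list and the inventory (including its vendor/product IDs) are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# USB-IF base class codes used in interface descriptors.
HID = 0x03
MASS_STORAGE = 0x08

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

def storage_block_allows(dev):
    """Policy from the article: deny only devices with a mass-storage interface."""
    return all(cls != MASS_STORAGE for cls, _, _ in dev.interfaces)

def presents_hid(dev):
    """True if any interface is HID, i.e. the device can act as an input device."""
    return any(cls == HID for cls, _, _ in dev.interfaces)

def review(devices, approved_hid):
    """Return (product, verdict) per device; approved_hid is a set of (vid, pid)."""
    findings = []
    for dev in devices:
        if not storage_block_allows(dev):
            verdict = "blocked: mass storage"
        elif presents_hid(dev) and (dev.vid, dev.pid) not in approved_hid:
            verdict = "alert: unapproved HID"
        else:
            verdict = "allowed"
        findings.append((dev.product, verdict))
    return findings

# Constructed inventory; the IDs are placeholders, not real vendor/product IDs.
APPROVED_HID = {(0x1111, 0x0001)}
INVENTORY = [
    UsbDevice(0x1111, 0x0001, "Office keyboard", ((0x03, 0x01, 0x01),)),
    UsbDevice(0x2222, 0x0002, "Flash drive", ((0x08, 0x06, 0x50),)),
    UsbDevice(0x3333, 0x0003, "Power bank", ((0x03, 0x01, 0x01),)),
]

if __name__ == "__main__":
    for product, verdict in review(INVENTORY, APPROVED_HID):
        print(f"{product}: {verdict}")
```

USB descriptors are reported by the device itself, so an ID allowlist narrows what is accepted rather than proving that a device is only a keyboard.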


So… how would you like your cyber attack? Shaken, not stirred?


Ran Weinstock

SVP - AON Israel Strategic Department

7 years

Cyber Warlord - strikes back! So if the #CISO wouldn't be able to spot this - that's it? Does it mean that the system can't trace this attack vehicle (rubber ducky) at all? Would love to see this demo! Are you planning to attend the #Cyberweek event? Let's meet up.
