Samy Kamkar has a proof-of-concept attack through which he plugs a small USB stick into an unlocked Mac OS X machine and then quickly and thoroughly compromises the machine, giving him total, stealthy control over the system in seconds, even reprogramming the built-in firewall to blind it to its actions.
Unlike most hacks, this one is visually pretty spectacular, since the attack emulates a keyboard and mouse, making windows appear and disappear at speed, while phantom words appear in the terminal and a phantom hand clicks the mouse on interface items deep in the OS.
Specifically, when you normally plug in a mouse or keyboard into a machine, no authorization is required to begin using them. The devices can simply begin typing and clicking. We exploit this fact by sending arbitrary keystrokes meant to launch specific applications (via Spotlight/Alfred/Quicksilver), permanently evade a local firewall (Little Snitch), install a reverse shell in crontab, and even modify DNS settings without any additional permissions.
While this example is on OS X, it is easily extendable to Windows and *nix.
We even evade OS X's security - while they attempt to prevent network changes being done by just a "keyboard", and even prevent most applications from changing position (special authorized accessibility features must be enabled which we don't have permission to), we evade both of these with some unprotected applescript and carefully planned mouse movements. While a device like Rubber Ducky is similar, it's unable to mount the same attacks as it lacks HID Mouse emulation.
Lucian's SPUDwriter (Single Purpose User Device) was designed to help him focus on creative writing after a long day of staring at a screen in his engineering job: it uses an e-ink screen and a keyboard, and only outputs via SD card or thermal printer. As a person who does all of their engineering work […]
Freedom EV is a free/open software stack intended to replace the software in your electric vehicle, it's been tested on a Tesla Model X and should work on a Model S, if you can get root.
Every year or two, I embark on a round of crazy book-tour travel where I change cities every day for weeks on end (35 cities in 45 days on two continents in 2017!), and I'm on a perennial quest for a piece of luggage that is fuss-free: I want to stumble exhausted into my room, […]
What do Facebook, Twitter, YouTube and Google all have in common? Somewhere in their framework, they all use MySQL, that most versatile (and free!) of database management systems. And they’re not alone. If your company or the one you’d like to work for wrangles data (and who doesn’t?), they’re going to need someone with a […]
There’s a reason you’re hearing about the gig economy in every other business story these days. More than ever, people are finding income from more than one source. And if you find the right one, a side hustle can do more than just pad your pockets – it can allow you to finally get paid […]
High-def cameras are available to anyone and for much less than they were just a decade ago. Even the phones in our pockets can be used to shoot and edit short films. It’s never been easier to be a filmmaker, providing you have the technique. Enter the Film & Cinematography Mastery Bundle, an online boot […]