Sunday, February 12, 2017

DEF CON 24 - Dr Phil - Mouse Jiggler: Offense and Defense




##########################################
So thanks for coming out on a Sunday afternoon here at DEF CON. Today I'm going to talk a little bit about mouse jigglers, defense, and a little bit of offense as well. So what's this talk about anyway, and why should you be here, or some of you might be in your hotel room watching this? Mouse jigglers are now a common item in the toolkit for many law enforcement organizations, and also for people who like to come in and grab your stuff.

And if you're using full disk encryption, which you should be using, it's kind of worthless if you're actually logged into your computer. Other reasons this might be interesting: if you want to build your own mouse jiggler, it can be kind of fun. Now, just a little bit about me. This is my seventh DEF CON talk in the last five years.

So you've seen me around; you think, he looks familiar.

Also, funny story: I have a film credit. I'm on IMDb for the DEF CON documentary as "Professor". I was in the elevator the other day with someone who is also credited, as "the student", and someone recognized him, like, you look familiar to me from something. So I teach digital forensics and security at a university; that's my day job. Also a hardware hacker, been known to write a few books. Just released a very small book on Windows forensics. Last year we released a Linux forensics book, and a couple of years before that I released this book on hacking with low-power devices. So yeah, I mean, this is the small book.

So what's this talk about? Well, first of all, you don't want to be like this guy. The FBI is knocking on his door, and he's thinking, oh shit, right? So what does he do? He's running to all these computers and launching a nice little deletion process, grabbing drives, throwing them in the toaster, putting CDs in the microwave. And here's my favorite part: he's getting these huge magnets and deleting his hard drives, and now he pretends like, hey, what's going on, guys? So you don't want to be like this guy for a couple of reasons. Number one, what this guy just did is called obstruction of justice, and it kind of gets you into a bad place, right? The other thing is, as much as it looks really cool when you're going across all your hard drives with magnets, it doesn't really work.

OK, those suckers would have to be super powerful, but it's Hollywood. All right, so what is a mouse jiggler anyway? It does sound a little dirty; a lot of people are like, that's also a good energy talk you're giving this year, Phil. But it's simply something that's used to keep a computer awake and unlocked. It can be used as a prank; anything could be used as a prank, right? And there are two basic types. You have your software jigglers, and that's not what we're going to talk about, and then you have your hardware jigglers, and that's what you've got to be worried about. So I've got a couple of pictures here of two very common mouse jigglers that might be in somebody's toolkit. So we're going to talk about how you detect these, and what sort of things you could do, just simple stuff, in order to defend yourself.

So when it comes to detecting a mouse jiggler, you could use a known vendor ID and product ID. Now it turns out there is pretty much one company that makes these, and their vendor ID is 0e90, and their product IDs, the most common ones, are 28 and 45. But honestly, this company makes forensic stuff, so if anything from their company is plugged into your computer, it's probably a good idea to do something about it, right? You can also detect behavior; you know, what if somebody listened to this talk and said, well, I'll just make my own? So we'll talk about how you can detect that. And also you can just do things based on a device class: any kind of device that could be a jiggler, do something.

So the easiest detection is detection by a known VID/PID combination, known vendor ID and product ID. Since there's a single manufacturer, this is super easy, right? And the nice thing about it is it's very quick; you can immediately detect it. Some of the other things we'll talk about are not as quick; you have to analyze stuff for a little bit. It's very easy and it's definite. You're like, OK, it was definitely one of these devices; it's not like, I think it was. All right, so how do we do this? What we use is udev rules. How many of you are familiar with udev rules? All right, just a few of you. Right, so udev rules are kind of like the new thing. I say the new thing; they're not super new, I think like the last 10 years or so, but you know, for Linux, which has been around forever, that's new.

They determine what happens when a new device is attached to your computer. They have a set of matching conditions, and you can use them to launch various scripts. Now, one caveat is, if you launch a script, it should return right away; otherwise bad things happen on your computer. You don't want to launch a script that says, let me spend five minutes analyzing this device to figure out if it's a mouse jiggler, because you can't install any other USB devices in that time. It's going to kind of suck, right?

So here's an example of a udev rule. This one will detect a known mouse jiggler. If you look at the rules, normally they're stored in /etc/udev/rules.d, and you just create a simple text file with a bunch of rules. I believe you have to mark it executable, but other than that there's no real requirements. Normally we name these rules with a number, then a dash, then a name, and it should end in .rules. Now the reason we use the numbers is that these things are executed in alphabetical order, so you might have something that definitely has to run right away, or should run after other things. That's how we handle that; we just use a different number. So in this case I use 10, which is appropriate for this particular thing.

All right, so then here's my rule. My rule just says ACTION=="add". So a double equals, if you've ever programmed in C, C++, etc., you know, means "is this equal to", not "please assign something to this", right? And the same is true with udev rules. So it says, if the action equals add, you just plugged in a device, and the vendor is 0e90, which is the known vendor ID, then to your list of scripts to run, please add, that's what the RUN+= is, this: /etc/udev/scripts/lockscreen.sh. Right, so in this case the first thing I'm going to do is just lock the screen. You know, what was the goal of the mouse jiggler? Don't let your screen lock, right? You plug it into my computer, it instantly locks. Sorry. But now, when you change these rules you have to restart the udev service, so that's why I have the little note that says don't forget to run sudo service udev restart.

Let me back up for just one second. You see here where it says ATTRS, with an S, idVendor, double equals, 0e90. What that is about is how you can detect the device. Now, when you plug in a device, USB devices are layered, right? There's a device that could be a composite device, and so when I add an S to any of these matching items, that means if anywhere in the chain, you know, my parent, anybody has this vendor ID for this device, or part of it in this tree structure that's going to get loaded.
Please match it, right? So that's why it's important to add the S there, if anyone's wondering.

You can also detect a mouse jiggler based on behavior. So what do they do? They periodically make small mouse movements. Now the prank version, which you can buy, doesn't make just small movements periodically; it just makes your machine unusable. So this is something you can prank your friends with, although honestly, if you have physical access to your friend's machine there's a lot more fun things you could do. But they do sell this device. I don't think your typical law enforcement person is going to have this in their toolkit, because they couldn't use your machine anyway. And then there's a forensic version. The forensic version has a much longer period, usually around half a minute to a minute.

Sometimes they're randomized, depending on which version you buy. So what you can do is detect these periodic mouse movements.

Now, the other thing that's a little bit unusual about these devices is that they normally have no clicks, right? Why don't they have any clicks? Because that could screw things up, right? If you're working on something and the mouse moves a little bit, whatever, but if the mouse is moving and clicking, like it might do on the prank version, that's a problem. So that's another thing we can detect. Normally these mice are two-button mice, so there are two-button mice that are never used to click on anything, and they move in predictable ways. So if you think that you might have a mouse jiggler, you should probably immediately apply some sort of benign defense, something like locking your screen. Yeah, it could be a pain if every time you plugged in a possible jiggler the screen locked, but so what? I mean, how often do you plug in a mouse or keyboard, things like that? Because this will take a couple of minutes.

So here's the udev rule for that, and again this is another file stored in /etc/udev/rules.d. The action is add again, and it says, you just added anything, right? So I'm going to be super cautious. I'm not going to check the vendor ID or anything like that; I'm just going to say you added something, so please add to your list of things to run this little script, the detection script, and I'm going to pass it two parameters, the bus number and the device number. You'll notice that there's also an ampersand added to the end, because I said you shouldn't have long-running scripts, and I just said this might take a couple of minutes to run, right? So you don't want this running and clogging up your udev system. So once you've added this simple rule, remember you need to restart udev with sudo service udev restart, and then you can go on to the script.

So this detection script uses something called usbhid-dump, and this will dump HID reports. HID, if you're not familiar, stands for human interface device. So there's a class of USB device: you have keyboards, you have mice, joysticks; basically a HID is anything that connects a human to your computer. So this script has to be run with root privileges, which it will be if it's run by the udev system, and it relies on the no-click behavior, among some other things. And so here I have a little screenshot; hopefully you can kind of see that this is a couple of reports from a mouse, like a proper mouse. And you'll notice that this mouse has, I think, something like 15 buttons on it and a couple of axes. In general, normally a mouse report like this will start with a byte or bytes for the buttons, so each button gets a bit, so you can have eight buttons per byte, if you will, and then you'll have the various axes. So this is a really nice mouse that's got, you know, scroll bars and all kinds of stuff on it, so it's a bit longer of a report.

So here's the script itself. It starts out with the standard shebang, /bin/bash, just to make sure that it's running the bash shell. And I have some stuff in this script that, obviously, if it's being run as a non-interactive process, is printing stuff to the terminal which you'll never see, but you can also run it separately.
That's just there for debugging. So yeah, normally you don't need a usage function in scripts that run like this, but I define a little usage function, and then I check and say, hey, did you give me enough parameters? Remember, I need the bus and the device number. And then I first do a check for the standard el cheapo jiggler, which is a 2-button mouse. So what I do is I look at the address. I get the address; I use printf in order to format that. So you might recognize that statement where I say device address equals, let's see if I can successfully cursor over there, yep, here, right. And I'm using a little trick that some of you might be aware of already: in bash shell scripting, you can run any command and then take the results from that command and use it to set a variable, by enclosing that command in parentheses and preceding those parentheses with a dollar sign.

So here I've said, please run the command printf, and I have a format string, and that format string just says, please give me zero-padded three-byte decimal numbers separated by a colon, and then I give it $1 and $2, which were the two arguments passed into the script. And then I get a report. I use that same trick, my dollar sign parentheses, and I call timeout, one second. timeout, if you haven't used it, just runs whatever you give it for however long you say and then kills the process. And so I run usbhid-dump and I give it that address, and I give it another parameter, -es, which says please give me the streams, not just the descriptors that describe the device. And then I pipe that to egrep, and I say, hey, did that report begin with three bytes of zeros, or did it not begin with three bytes of zeros? Because it turns out that the cheaper mouse jiggler will give you a lot of null reports, like, yep, didn't click anything, didn't move, right, over and over and over again. Now if you get the fancier one, it doesn't really do that, but it works differently.

So I get a bunch of these, and then I check and say, all right, did I get anything? That's what this first statement says. It says, if that thing wasn't zero, then I'll just echo something that you'll never see unless you run it directly, and then I will start declaring. I declare a couple of array variables, which you can do in bash; that's where the declare -a mouse reports, and also null reports, comes in, by the way, just FYI.

You'll notice, I don't know how visible it is here, that those are separated by semicolons. And the reason I did it that way is just to put more than one command on a line, so that I could kind of fit it on this screen. Obviously it's still a little bit smallish, but in the materials on the DVD from DEF CON we have all this stuff, so you know, don't stress too much if you can't read it. Then I get two minutes' worth of reports, and I store that in my array, and then I do a little bit of command-line kung fu here, and I say, OK, are any of these not null reports? And then I look at that list, and I say, all right, it wasn't null, and there's two reports that are exactly the same, and there's no mouse clicking going on: you pretty much got a mouse jiggler right at that point.

Now if you have the slightly fancier one, then I'm going to check for things like a five-button mouse; it's a 5-button, 3-axis mouse, and once again there will be no clicks, right? So that's kind of a big key, and I will look for the report that corresponds to that, and if I get a bunch of reports that are duplicates, or, you know, nobody's ever clicking on anything, then I know that this is a mouse jiggler.

Finally, I can do detection based on a device class. So whenever you insert a possible jiggler, I can do something about it. Again, this should be benign; don't start wiping your drive just because something that might be a jiggler was installed, right? This is really a good idea even if you have the other rules in place. You do something simple, like, hey, you inserted a USB drive, or any USB device, I'm just going to lock
the screen. Now, I mean, if I do that, here's the udev rule where I say, all right, any HID device. So it's like, all right, you inserted a mouse, a joystick, a keyboard, your screen is going to lock. So what, right? If it's you, so what, you know your password. By the way, if someone storms into your office and they're trying to, you know, their first goal is to get you away from your computer, and their second goal is to keep it from going to sleep, right? So that's where the mouse jiggler is going to come in. But I think, personally, with all the stress of armed people in my office, I would temporarily probably forget my password until all my encryption and deletion scripts completed. That's just me. All right, so this udev rule is pretty simple: you say anything that was in the HID subsystem, go run lockscreen.

Now, when it comes to the scripts themselves, you have to choose your level of paranoia. Do you just want to lock the screen? Encrypt some files? Again, I recommend you use whole-disk encryption in general. Do you want to start a secure wipe? Do you want to do some physical destruction? There's been some other DEF CON talks in the past that I'll reference later about that.

So the first thing I want to talk about is locking your screen from a script. Now this might sound simple, but remember, you have a non-interactive process, right? So it's like, what screen, right? It doesn't have a screen, and that's kind of an issue. So if you're running various windowing systems it's going to vary a little bit. If you're running GNOME, you can get the session ID by running /bin/loginctl list-sessions, and then you can run /bin/loginctl lock-session with that session ID. If you're running KDE or LXDE, you can look at the display, and you can use the xscreensaver-command. All right, so basically you say, oh, I'm going to log in as root, essentially, and lock the screen. And in other systems, if you just sudo and then you run a command, a screen lock command, whichever it is, that will work.

Now here's another little tip for you if you're kind of new to Linux. Notice that I have DISPLAY=:0 before my command. This is a nice little thing you can do in Linux: if you want to run a command and you want to change an environment variable just for that command and not in general, you can do this. You can list all the environment variables you want to set before you run your actual command, and it works great. OK, so here's my little lockscreen script. In this case I just put my username in there. You could somehow, you know, try to figure out what your username is, but keep it simple, right? This is your computer; you're trying to lock it down, so make it applicable to you. And I'm actually running Ubuntu on the test system that I ran, so it's running GNOME, and here's the little command. So I run list-sessions and I pipe that to grep; I grep for my username, and I pipe that to awk, and then I print the first item from that line, and that is my session ID, and then I call lock-session with that session ID. And it's very similar for some other windowing systems, right?

So it looks kind of like this. I'm just minding my own business here, working on my little Ubuntu system, and here comes some person, and boot, all right. So, you know, but my computer just locked. Now, I'm a little worried about this, right? My computer just locked; it's encrypting files in the background. Don't be stupid, all right? Don't have a little graphic going, haha, I'm deleting shit, there you go, encrypting files, right. That's kind of a bad idea, right? You don't want to alert people as to what you just did, or, I'm sorry, what they just did, because, did you touch that computer? Now you're not like that first guy from the movie (that was from the movie The Core, actually), but, you know, that wasn't you; your forensic tech, I don't know, I don't know what he did, not my problem, I was nowhere near it, you know, things happen.
Oh, I forgot about that script. Yeah, we have that safeguard, sorry. All right, so, encrypting stuff. If you want to encrypt your sensitive files, again, you should be using whole-disk encryption. You have a couple of options. You can use GPG, which is GNU Privacy Guard; it's the same thing as PGP but open. You can use OpenSSL, you can use bcrypt and ccrypt, and you can also use random encryption keys, right? So you might temporarily forget your password if people ask you, and then if they say, well, what did you use to encrypt this file or set of files, you can honestly say, I don't know. I don't know the key, I'm sorry; you can't coerce me to give you something I don't know. So I'll talk a little bit about generating random keys and somewhat securely storing them. I mean, obviously, if you want to stash this key somewhere, it could be discoverable, so I'll give you some general ideas. Don't be the guy that does the exact thing I'm going to show you in this talk, right? It's kind of like, I taught a pentesting class a couple of years ago, and I had some students in the class, and I ran all these commands and, you know, encoded my stuff from a display, and Dave Kennedy's Metasploit book, and AVG found it every freaking time, like they read that book too, you know.

All right, so here's how you can use GPG. And again, I have a little usage statement, and it will take a directory, and for everything in that directory it's going to use for to loop through everything, and it's going to say, hey, is this file already encrypted? Does it have a .gpg extension? So that's what you see going on here.

Let's see if I, there it goes. So here I'm saying, all right, if you get the filename, get the basename. basefile, oops, sorry, basename is a command that will get you just the filename; like, it could have a huge path on the front of it and you strip that off. And then you can use basefile and then pound pound dot; that is a construct where you can take that shell variable, basefile, and get just the extension off of it, so it's kind of a cool little trick. And then I check and I say, all right, has this thing, oh, this is the wrong script, they're all about the same, right. So if it doesn't have a .gpg extension, then I'm going to echo my password and pipe that to gpg, and give it a passphrase which is in file descriptor 0, which is standard in, and I'm going to say please use symmetric encryption using that key, and here's the filename. And then as soon as I'm done I'm going to remove the file; I'm going to remove the original file, that is. And that's pretty much it.

OpenSSL, very similar, just a different command, and I'm looking for .enc as the extension. Now here I'm going to use aes-256-cbc, which, how many people went to Hacker Jeopardy last night? How many of you were sober enough to remember what CBC stands for? I can look it up later. All right, it was actually in a question, or it was an answer, technically. All right, you can also use ccrypt. With ccrypt you pretty much want to use that little trick to set an environment variable, so I set my environment variable, JIGGLY, equal to whatever your password is, and then I call ccrypt, and I give it -E and that environment variable and my filename.

So if I want to randomly encrypt stuff I can get a random password. Well, there's a lot of different ways you can get a random password; this is just one. So we use our old friend dd. If you do any forensics you probably know about dd; you love it or hate it; it's very easy to use. My input file in this case is /dev/urandom. urandom is better than random; it's more cryptographically sound. And I give it a block size of one and a count of a hundred twenty-eight, so it says please go to random, urandom that is, and give me a hundred and twenty-eight random numbers, and then I'll pipe that to base64, and that's my new password, right? So if I want to get my files back I have to find a place to put this password. So, some suggestions. Again, don't do exactly what I'm going to do here. The middle of a log file, some obscure log file that nobody's probably going to look at; you know, don't make it a juicy system log that they're going to look at when they're trying to figure out what's going on with your system. Some random file. You can also use a random sector on the disk, including something that's unallocated. You can also use slack space in your files. And whatever you do, securely delete your script when you're done. You know, don't just, like, hey, I did all this awesome stuff and I stashed it here, and I didn't delete the script that stashes it there, so someone might find that.

So here's a simple example of doing a random encryption. I get a password using dd, and then I go encrypt stuff, and then when I'm done I'm going to securely delete my files. So, speaking of securely deleting files, you can use the secure-delete package, and it comes with srm, like rm but secure, sfill for filling things with zeros or random stuff, and sswap, which will nuke your swap partition or file. Some common options: -d says ignore the dot files, the . and .. files, which is probably a good thing. -f is for fast; I don't recommend you use that, as fast doesn't use urandom. If you're really in a hurry, like if you have a lot of files, maybe it's not such a bad thing. -l, lessen your security, sounds like an option you don't want to use. -r will recursively delete subdirectories; yes, please, please delete everything in the directory that I set up for burning; if you're reading the script, I don't know why you'd want that. And -z zeroes out things on the last write, so it looks like it's empty space.

So here's a pretty simple delete script where I'm going to go to the directory that you told me to burn, and first I'm going to use sswap to kill anything in the swap file, then I'm going to burn your files using a for loop going through that directory, and then I'm going to use sfill to get rid of the directory itself, and then I'm going to hit the swap again, and I'm going to shut down the system, right? So what if I want to wipe the whole disk? I'm like, I don't ever want to see this stuff again. There you can get your data from /dev/zero, or random, or urandom. Now if you use urandom for this process it's going to be slow. Now one thing I should say: yes, it's possible that if you have a government that's going after you, if you overwrite your disk a few times, they can get it back if they have specialized equipment and they're willing to spend, you know, a million dollars to get your hard drive back. So choose your level of paranoia here; it might take a little while. So if you're going to do this, I recommend you delete the important stuff first. So if you're going to wipe a partition, it helps to have more than one partition, because you can't really do this on a mounted partition, right? So you've got to unmount it first, and here's just a couple of ways that you could do that.

Physical destruction, our favorite, right? There's a lot of things you could do: charged capacitors, you can charge up some capacitors that are just going to fry some circuits if you give them the command to
discharge. There's always pyrotechnics; hopefully you don't start a fire. Destructive charges, you know, things that might explosively go through your hard disk platters, things like that. There's been some past DEF CON talks; there was one at DEF CON 19, "That's How I Lost My Eye," and then, aptly named, last year, "How I Lost My Other Eye." Both very good talks; I recommend you go out to YouTube and watch those.

All right, and the last thing I wanted to talk about, really briefly, is how you could make your own mouse jiggler. Now I'll preface this by saying you probably don't want to. You can buy a mouse jiggler for twenty bucks, so what's the point in building one, unless you just want to do it for education? If you did want to make one, I would probably use the FTDI Vinculum-II microcontroller. FTDI, if you don't know them, they make USB stuff. So if you had an older Arduino, you would have an FTDI chip that would do the USB-to-serial conversion for you. There's cables; if you do any hardware debugging you probably have one of their cables that you use for stuff like that.

A couple of years ago they came out with a microcontroller that was really good at USB stuff. It's kind of like an Arduino, but it also supports two USB devices and/or hosts. So if you wanted to code your own jiggler, you basically have to create a USB HID device and send some commands. So creating a USB HID is like this: you have to create a HID descriptor. This describes the device and the kinds of reports that it sends. As noted in the slide, I have shamelessly taken this from John Hyde's USB Design by Example book.

All right, so here's an example of a mouse descriptor, and it talks about where the minimums and maximums are, the ranges, you know, does it have this many buttons or that many buttons, what do the reports look like. All right, so that's what this is about. You can send some commands; so you send HID reports to the host. Again, the cheapo ones have, like, a 2-button mouse with two axes, so it sends a three-byte report. You could do something a little bit longer if you wanted, and you can add other axes; it doesn't really matter what you do. So if you made your own, you could make it a little bit harder to detect. First thing I'd do is not use either FTDI's VID and PID, or actually their VID, you can set your own VID, or the one in the commercial mouse jigglers; just pick something random, right? You can also randomize the inputs a little bit better than some of these do, and you could also randomize the interval, right, so it's not periodic, so it's not super easy to detect. And if you're doing this yourself, you're probably doing this as a prank anyway, so you could add, you know, a few keystrokes here and there. If you wanted to add a keyboard to your device, you would use something like this as the USB HID keyboard descriptor. Again, this is shamelessly ripped off from John Hyde's book, which, by the way, you can download for free if you go to ftdichip.com and just search for USB Design by Example; you will see this book. It's freely available, with example code and all of that. OK, if you do decide to send some keystrokes, something you should be aware of is that you're not using ASCII codes; you're sending key codes, which are different, so you'll have to map those. You can press multiple keys at once; you can make things happen, like, oh, I don't know, you want to lock their screen, or things like that.

The other thing is, yeah, you can have those keys set to specific values, but if you're just messing with somebody, do you really care what they are? Just randomize it, send random junk. You can get more details in a talk I did last year, called "One Device to Pwn Them All"; I actually went through making a scriptable HID keyboard and some attacks and things that you could do with that. Some other ideas: you can convert that annoying device into a keylogger pretty easily if you bother to make one, and you could combine that homemade jiggler functionality with some stuff I talked about last year. All right, so with that, if you have any questions, you can always hit me up on Twitter at @ppolstra. I'm also the handsome guy you might see sporting a deerstalker hat at a conference.

You can also catch me at BloomCON, a little plug. That's a conference we started this year; it's going to happen next year, March 24th and 25th, in Bloomsburg, Pennsylvania. I know most of you are like, where? But we're a couple of hours from Philly, New York City, DC, and all that, so it's a good time. But with that, if you do have any questions, I was told to ask people to come up to the mics so that they could be heard in the recordings, and I might have some free stuff to give away if you have a good question.

There they go. [Audience question] Would it be possible to design the scripts so that when a known mouse jiggler is plugged in, depending on the design of them, it rewrites the firmware, so that any other computer they're put into, it would lock those computers too? OK, so what you're saying is, somebody inserts a mouse jiggler and you want to infect the mouse jiggler? Yeah. I can't think of a mechanism where that would work. I'm not going to say it's impossible, but I'm going to say probably fairly difficult. Any other questions? Yeah. [Audience question] Does it work for only one computer, or the entire network? OK, so you could deploy these scripts on your entire network, if that's the question you're asking. OK. Oh, she just answered my question. OK. [Audience question] Have you thought about detecting the mouse jiggler and then putting this into a log file, which then gets deployed to the other computers, so if you detect one, that took a couple of minutes, the other ones will then immediately detect it? I haven't thought about that, but that is a good idea. I think that's a mouse jiggler-worthy question.
Yes sir.
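The behavior-based check the talk describes (many null reports, movement reports that repeat byte-for-byte, and a button that is never pressed) as an added example, not the speaker's script from the DVD materials. It is a POSIX shell script run over two constructed captures written in the line layout this example assumes for usbhid-dump -es output (a "bus:dev:iface:STREAM timestamp" header line, then one report per line as hex bytes) with the 3-byte boot-mouse report of buttons, dx, dy; the STREAM header format, the report layout and the sample bytes are assumptions made here so that the script runs offline. In real use the capture file would come from the talk's timed usbhid-dump invocation instead.

```shell
#!/bin/bash
# Added example: behaviour-based jiggler heuristic over captured HID mouse reports.
# Assumed capture layout (modelled on usbhid-dump -es, an assumption here):
#   001:004:000:STREAM             1470000000.000000
#    00 01 00          <- buttons, dx, dy of a 3-byte boot mouse report

# Keep only report lines: drop STREAM headers and blanks, trim and squeeze spaces.
report_lines() {
    grep -v -e 'STREAM' -e '^[[:space:]]*$' "$1" \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]][[:space:]]*/ /g'
}

# Print five counters: total reports, null reports, click reports (button
# byte not 00), distinct movement reports, and movement reports that repeat.
summarize() {
    report_lines "$1" | awk '
        { total++ }
        $0 == "00 00 00" { nulls++; next }    # nothing happened
        $1 != "00"       { clicks++; next }   # some button bit is set
        { if (seen[$0]++ == 0) moves++ }      # first sighting of this movement
        END {
            for (r in seen) if (seen[r] > 1) dups++
            printf "%d %d %d %d %d\n", total, nulls, clicks, moves, dups
        }'
}

# The rule from the talk: movement that repeats exactly while the buttons are
# never pressed points to a jiggler; anything else is treated as a real mouse.
verdict() {
    set -- $(summarize "$1")   # $1=total $2=nulls $3=clicks $4=moves $5=dups
    if [ "$4" -gt 0 ] && [ "$3" -eq 0 ] && [ "$5" -gt 0 ]; then
        echo jiggler
    else
        echo mouse
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
JIGGLER_CAPTURE="$WORK/jiggler.txt"
MOUSE_CAPTURE="$WORK/mouse.txt"

# Constructed capture: a cheap 2-button jiggler nudging X by +1 then -1
# between runs of null reports, never clicking.
{
    echo '001:004:000:STREAM             1470000000.000000'
    for cycle in 1 2 3; do
        for i in 1 2 3 4 5; do echo ' 00 00 00'; done
        echo ' 00 01 00'
        for i in 1 2 3 4 5; do echo ' 00 00 00'; done
        echo ' 00 ff 00'
    done
} > "$JIGGLER_CAPTURE"

# Constructed capture: a person using a mouse, varied motion plus one left click.
{
    echo '001:005:000:STREAM             1470000001.000000'
    printf ' %s\n' '00 03 fe' '00 05 fd' '00 02 00' '01 00 00' '00 00 00' '00 fe 01'
} > "$MOUSE_CAPTURE"

for capture in "$JIGGLER_CAPTURE" "$MOUSE_CAPTURE"; do
    echo "$(basename "$capture"): counters=[$(summarize "$capture")] verdict=$(verdict "$capture")"
done
```

The counters are printed as well as the verdict so that, when this is wired into a udev RUN+= script as the talk does (backgrounded with &, since it reads for minutes), the thresholds can be tuned against captures from your own mice before anything as disruptive as a screen lock is hung off the result.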


##########################################
