Remember BadUSB, the pervasive and unfixable security vulnerability that turns every USB device into a vector for attacks against just about every computer? The one that's out in the wild now? I always knew it was bad, but this video really brought it home for me, and now I want to fill my USB ports up with cement.
USBdriveby is an exploit by Samy Kamkar which basically just pwns the living shit out of any OS X machines it gets plugged into so long as they are unlocked. The concept is pretty hilariously and terrifyingly simple; when the a USBdriveby device — a roughly thumb drive-sized microcontroller attached to a USB port — gets plugged into an open port on a Mac, it immediately identifies itself as a mouse and keyboard and starts going to town. It opens the terminal, messes with network settings, installs a backdoor, and then tidies up after itself in about a minute. And while it's at work, the screen looks possessed, like something out of a hacker movie.
OS X isn't completely vulnerable to attacks like this — some of the more important settings refuse to be changed with just a keyboard. But Kamkar found ways around this with clumsy but effective blind mouse movements. At least if the computer is locked, you're still safe. The example here is based on OS X, but Kamkar says it'd be easily portable to Windows or Linux. Only time will tell, but if a system's security can reliably be torn down with blind keyboard and mouse movements, it's seems pretty likely.
It's freaky, but the really troubling part is the context; USBdriveby just emulates a mouse and keyboard and abuses a computer's willingness to trust as a device that identifies as a USB mouse or keyboard at face value. If you saw this going on in front of you, you would know something is up. BadUSB is way more nefarious. It can do things like masquerade as a network device or embed itself in your friendly USB charging cable and then silently inject an invisible virus the next time your computer boots. Scary shit.
As for the USBdriveby hack, you can actually pretty easily protect yourself just by locking your computer, but it's not so much USBdriveby that's scary as it is all the other things out there that are like it but better. Hacks designed by thieves and cybercriminals that don't share their plans in YouTube or wear microcontrollers around their necks (cool hack but that's nerdy as shit, bro). It's a scary world out there, so just be careful where you leave that laptop and what you plug into it. [Samy Kamkar via Hacker News]