Well it's no joke. It's actually a sneaky way of attacking a computer system where the user doesn't even know what's going on and it give you an undetectable* way of getting access to all sorts of goodies.
Firstly the mouse. It's just a simple USB cabled mouse. There are thousands on the market and people use them day in, day out. Yes there are a lot of cordless mouses around these days. And keyboards. But I wanted something that could be dropped in a Corporate environment and people would use unwittingly. A simple Mouse it is then.
Next the Duck. Well anybody who does any sort of hardware hacking must have come across a Rubber Duck from that infamouse (sic) provider Hak5.
They're simple to use. Simple to install. And does the job very well. Albeit in a somewhat restricted and kind of expensive way.
But I'm a cheapskate and wanted a little more flexibility.
Enter the Raspberry Pi.
The RPi Zero-W has an extremely small footprint. It also offers on-board WiFi, a bi-directional USB port and a programming arena which is extremely familiar to me. Moreover somebody has already done half the work for me.
The next big problem is fitting the RPi inside the mouse. You can't just plug it in. It has to exist in the USB infrastructure. Which means that I need a USB hub inside there as well. This is easily done in the form of a USB Nano hub.
By de-soldering the USB wires that go to the mouse and attaching them to the input section (on the left in the image above) then soldering some spare wire from the top right port back to the mouse board we have a fully functioning mouse again.
The other port goes to the cut off section of a micro USB cable which in turn is plugged into the bi-directional port on the RPi. Plug in a micro SD card with the installation and you're good to go.
Obviously I added a few more options to the standard build to suit my needs. Firstly I went for a silent install for most options. No opening up Notepad and sending commands to say that everything is running. The idea is to be under the radar as much as possible.
So what can the RPi do? Well it identifies itself to the operating system as a device of your choice. I have it configured to boot into various modes emulating a wide variety of devices. It can tell the system that it is:
- a mouse
- a keyboard
- a CD Drive
- a DVD drive **
- a USB Storage device (aka thumbdrive) **
- a digital camera (PTP protocol) **
- a network adaptor.
The on-board WiFi adaptor is how I connect to the device and tell it to perform whatever commands are necessary.
For purely visual purposes the default option is to configure itself as a keyboard. That way people are easily impressed when the computer suddenly starts typing things, or more often as not, suddenly starts playing a Youtube video in full screen mode. But behind the scenes there is so much more you can do with this device. For example when I start the system as a Network adaptor I basically lie to the OS telling it that it has a fantastic response speed (it doesn't) so that it will root all network traffic though it. Of course this then goes to my own computer, and through it out of another network interface back to the Internet. Meanwhile I'm sitting in the middle with Wireshark logging everything. Oh it's even more fun if it's in a Corporate environment where the default option is to install Corporate certificates to de-crypt and spy on all HTTPS traffic. Especially if you have the ability to re-encrypt using those self-same certs.
So why does this this technique work? Well basically because USB security does not exist. It is a fundamentally broken protocol. The only way around it is to block the ability to plug in USB devices.
But then again, who is going to suspect a simple mouse? Even if it is a Duck.
* Well yes, you can detect it... if you go looking at the hardware devices attached to your computer. But who goes looking for those except the extremely paranoid? Remember lsusb is your friend. USBGuard even more so.
** In digital storage mode, due to the limitations of the system it can only offer a maximum of 2Gb of data storage. More than enough to carry a decent payload or three. :)