Good afternoon. Welcome to 'Does dropping
USB drives really work?' in Mandalay EF,
by Elie Bursztein. Before we begin, a few brief notes. Stop by the business hall, located in Bayside AB
during the day, and for the welcome reception
from 17h30 to 19h00 tonight. Also, Black Hat Arsenal is on
the Palm Foyer on Level 3. Finally, join us for the Pwnie Awards
tonight in Mandalay BCD which is right next door at 16h30. Thanks for putting your
phone on vibrate. It makes it easier for the rest
of us to ignore the ringing while you wait for your
voicemail to pick it up. Finally, there are microphones
interspersed throughout the floor. When it comes to the Q&A
we would really appreciate it if you would make use of those
since we are recording. With that, Elie. Bonjour. My name is Elie Bursztein and today
as you see I'm going to tell you a little bit about the result of
our large-scale study we did about how effective
are USB drop attacks. This is something I did
on my spare time with my co-conspirators from the
University of Michigan and the University of Illinois. During my day job, I work at Google
where I lead the Anti-Fraud and Abuse Research Team. So, it's a little-known secret
in our community that dropping USB keys
in a parking lot and all the weird places works. I can't remember
a single Black Hat, and I've been to many, where I couldn't remember
someone told me, "I drop a USB key and boom!
Magic! I got this job done." It becomes such a well-known
secret that last year a TV show decided to feature it in
one of their episodes. Can you guys figure out
which one it is? Yes, you're all correct,
Mr. Robot did feature a USB drop attack in their
Episode 6 last year. Love that TV show. So, that begs the question, does dropping
USB keys really work? Is it a fluke or is it
really the real thing and we should all do that
and go out on vacation and not rely on super
complex attacks, right? So, to answer this question, today I'm going to go through
three main points. The first one is we're going
to briefly review what are the three types of attacks
that you can have with USB keys? Next, we're going to discuss how
effective are USB drop attacks? This is a result of our large-scale study
where we dropped 297 keys, and yes, that's a lot of keys. And finally, we're going to think
about how an attacker can push forward based on what
we did and do it more efficiently and really make use of those
USB drop attacks. So, let's start with reviewing
what are the types of attack you can carry through USB. So, it's mainly three
types of attack. The first one is a Social
Engineering attack where you try to convince people
to either click on the link or directly phish them for
the login and password. Then you have the HID Spoofing
which is human interface devices where you screw some hardware
to emulate the keyboard. And finally, there is the fabled
and yet never seen, 0-Day USB key which will exploit
a bug into one of the drivers. So, the social engineering
attack is very simple. You take a USB key, any key will do,
you put a bunch of phishing HTML files, you name them 'Confidential', 'Secret',
'Do Not Open', it's pretty good. And then you hope that people will
click on them and then [inaudible]. Okay, and the next
one is the HID, human interface device
spoofing attacks where you basically have
custom hardware which will pretend
to be a keyboard, and as a result will be actually viewed
by the operating system as a keyboard. So, this keyboard is programmed
to inject a bunch of keystrokes which will result in
a bunch of commands which will compromise
the victim's computer. So, the end goal is, of course,
to get a remote (inaudible) which connects back
to the attacker and then you get full control
over the computer. So, what are the pros and cons
of those three types of attacks? The social engineering attack, which is the one we used in our
study is very easy to do. You basically create
a bunch of HTML files. It's not reliable because you're not
only counting on the people to plug the key but also
to fall for the idea to click on the HTML which
has a weird name. And it's not very stealth at all because
you obviously have the user to see a bunch of files and he can open
them look at those source codes so he's not (inaudible). On the plus side it is extremely
cross platform because all OS's do know
how to open an HTML file. The HID spoofing attack which is probably used
by pen testers and corporate espionage most likely is a little bit more
complex to carry out because you have to have
custom hardware that you need to program,
usually in C. Then it's a little bit
more reliable because as soon as
you plug the key, and I'll show you a demo,
the computer is compromised. It's not that stealth because you see
a bunch of terminals popping in, popping out, and it's weird things, so you might be surprised
about it but it's more stealth than
the social engineering one because after the attack is carried
there is nothing left to see. And it's not really cross OS because
each operating system requires a different
type of command. The last one, the fabled 0-Day attack
is actually complex to carry out because you have
to find the bug, you have to write
the code to exploit it and you have to bake it
into a custom hardware. It is extremely reliable for
the operating system and version you are targeting,
I believe. And it's stealth because
you don't see anything. It all happens at the driver level
so there's nothing to see. It's absolutely not cross OS because
you have to find one bug for each OS or more likely each OS
and each driver version. So, how effective are
USB drop attacks? To answer this question we had
a very complex game plan, as you can see. Let's just drop a ton of USB keys
and see what happens. So, this is not as easy
as you would imagine because we had to jump through
a few hoops to get approval for that. So the first thing was we had to
go to the University and say, "Hey, we would like to bring
mayhem to your campus," "would you be okay with that?" They're like, "Uh, we don't know,
how about you make sure" "you only use regular keys with
plain files, plain HTML files." So, we had to resort to the social
engineering attack because they were concerned about us
harming the people who plug the key. The second thing is we had to work
with Public Safety and tell them, "Well, something weird might
happen at a moment's notice." "So don't worry about it. It's all fine.
It's just an experiment." But all in all, we were able to get
the Internal Review Board, the University Counsel
and Public Safety on board with the idea of dropping all those key
during two days on the Illinois campus. So, second thing is it's not that easy
to manage and trace 297 keys so we had to build a full framework to actually
track them (BREAK IN AUDIO) them, to monitoring them, to know
where it had been dropped so we can actually
have all the data. And finally, we had a debrief
to help understand why the hell people did click on that
if any of them would do that. So, this is basically what our
framework looked like. The first thing we wrote
is a simple Python script which will create a file and
assign to each of the files, inside the file, a unique identifier
which will help us to trace the life
cycle of the key. Upon creation it registered
the key to a server which, as I said, is on Google App Engine
and then we wrote the small Android App that would be used by the dropper. We had many undergrad
and grad students helping us drop the keys. You need a lot of manpower
to drop 300 keys. And this app will record the locations
and time of the drop and the type of location it was
so we can trace location of the drop. And finally, when you would
open one of the HTML files, the HTML file will
embed in images, these images have
a unique identifier, and this unique identifier
would help you to trace which ones were opened. People had the option, in exchange
of an Amazon gift card, to answer a survey about how
much they knew about security and why did they decide
to open the USB key. So, we tried to understand a little
bit of the mindset of someone who looked in such a key. So, we tried to control
for a bunch of ideas. Like, we were curious to know first if the key
appearances would be impacting, in one way or another,
the opening rate. So we started with a simple swivel
key and we had multiple colors of those. And then we said, okay, let's try
to add real keys to it, maybe people will fall for it
because if there's a real key, maybe it's more important. Then we're like, okay, let's add a return
label with the name of the experiment, and see if people actually
returned the key to us. Then we're like, okay,
let me get more interesting. How about we put a label on it,
so we tried 'Confidential', and I'm not saying
students are cheaters but we thought that 'Final Exam
Answers' might be useful. So that was our five types of keys
and for each key we went through the trouble to personalize
the content so this is basically a view
of the five we had. So the one we had no label, we had
a bunch of documents like 'Resume', 'Mail', basically
'Photos' and so forth, so we tried to figure out
what people would open. Would they try to open photos,
would they try to open a resume, would they try to open a doc? That's quite an interesting
social experiment. So, the next thing we did is for the 'Final Exam'
we had a bunch of final exam naming and then tried to see if people
would open those. And finally, for the 'Confidential' one
we tried a bunch of ideas including 'Termination Letters',
'Confidential Meeting' and we tried to see which
one people would open. So, we also wanted to control
about drop location. So, the first one,
this one is parking lot. Does it work on parking lot? But how about just outside,
on the bench for example, would that work? We also were... is it more impactful
when you're inside the building, so we dropped it into
the common room. We dropped it into the classroom. Apparently one of our students
got caught doing it, but you know. And then finally, we also
dropped it into the hallway. And so we get an idea of whether
inside versus outside of the building, where you're probably more
confident that you are safe, will impact your opening, right? So, that's what we did. Here's a few shots
from the app. So, this is a parking lot drop. A real one, and you can see it. There's the USB key
at the bottom. We had outside on a table. And outside on a bench
which is for the bus stop. And so that's, for example, one of the three
drops we did of the 300. I would show you 300 photos,
but it will be going boring very quickly. So, here's the better view, this is the overview
of where we dropped keys. We tried to cover all the campus. And as I said, we did it through
two days and two waves. And we dropped it all over the place
to see if it also would affect the same. So, after all this hard work,
what happened? Well, the first thing
is we got busted. This is a Reddit thread. They're like, "Hey, I don't know
what happened." "I found a final exam answers
on the campus." This guy is very honest. Anyway, in the end,
the guy replied, "Yeah, don't worry about it, it's a study,
everything is fine." It was actually 24 hours before
we saw it so that tells you how long it takes for
people to catch up. So, basically within
the first few hours, no one noticed it,
it actually took a while. And again, it's 300 keys,
so it's really visible. So, after all of this,
main question, right? Did it work? Yeah. So, 45% of the people,
not only plugged the key, but as I mentioned, also decided
to click on the file. So, let's recap a little bit
for the study in numbers. So, we dropped 297 keys,
we tried 300 but three failed. That's why the 97 comes in play. Of those, 290 were picked up
so at least we made quite a few people happy
with a new USB key. Of those, 135 did phone home,
that's roughly 45%. And then we got 54 keys back. Thank you to the people
who bring them back. We actually kindly asked
them to keep them. So, if you are to open the file we say,
this is part of an experiment, you are welcome to keep the key, but a lot of people felt that they
wanted to return the key so 54 people did
return us the key. And we got 62 people, which is 21%,
who actually answered the survey, which is quite an interesting number because it gives us enough sample
to really understand what happened. So, the first thing to look at is how
fast our keys were opened. So, 20% of our keys were
opened within the first hour, which is really fast. And 50% were opened
in less than five hours. So, not only did USB drop key
work, but it is also very fast. We were actually surprised by
the speed of the opening rate. The other thing we tried to remember
is tried to figure out is there any correlation between
the appearance of the key and the opening rate. It turned out that it's not
statistically significant. A large number, to be different, we don't have enough sample to know
any significant conclusion but you can see that one
thing is significant too. Do not put return label. I don't know why you would put
that if you are an attacker to put your name on the key,
but don't do it, it doesn't work. People will not open it, they will
just bring it back to you. Probably not what you want. The other thing is, we tried to control is there
any differences for the drop location, and again, not much differences. The parking lot still it appeared
a little bit higher but again, it is not statistically significant. But yes, parking lot seems to work, so we proved the legends are real. Yes, you can drop a USB
in the parking lot and, yes, Mr. Robot once again, it is a realistic thing.
Kudos to them. Outside works as well and everything
works almost the same way, so no reason to plant them outside
of the parking lot. That seems the best
place to be. Why did people open
those damned keys? Well, a lot of people said, "Oh, I wanted to open the file
so I know whose it was" "so I can return the key." You know, benevolent
was the main reason why people wanted
to open the key. 18% said, "Well, I was just curious," and also had other motive. Now, what's interesting is I know
which files they opened. Remember, I had a bunch
of interesting files, right? How many of you bet it actually
matched what they said? No one raised their hand?
Come on. Such a low expectation of your
fellow human being. Well, you're right.
Yes, you're right. Most of the people were
opening pictures. Not really resume or the document,
they're just like, let's go for the picture because you know
everyone on the 5,000 people campus, that's the best way to find
who the person is. So, yes, surprisingly, the behavior
did not match the intent. I do believe the people still
wanted to return the key, and like I said, we had 54 keys
returned but it's interesting to see that 'Photo' was
the most opened one. So, that's where we stopped
as a study. We can't hack people but that's not
what an attacker would do, right? An attacker would not use
social engineering keys, they would use more advanced keys,
because they want a sure fire. And now I'm going to talk to you
about how as a pen tester, or an attacker, you would
go about dropping keys which are way better
in the opening rate. Remember we had 45% who
plugged and clicked on the file. But there's probably a higher
number who plugged and didn't click on the file. So, how do you get to the
(inaudible) an attacker and you actually really want
to compromise people? Well, first let me show you a demo
of what we're going to go and build. So, there is a key on the stairs
and you're very curious so you pick up the key. Like, "Oh, looks interesting, how about
I plug it in my computer?" And so you go home and like, "Hey, I'm going to see
what's happened to it." And I plug it and then
nothing happened really. And then my computer
started to act strange. It makes noise and you can't hear the noise,
but then it's hard to see. (inaudible). It starts to open the terminal (inaudible). And then code happens and then
the computer is compromised. That's all you see as a victim. That's how fast it is,
that's how deadly it is. This is what you see
from the server side. I used Metasploit because that's
all you really need to do with it. And you see now I have
an interactive session which is a remote shell to the computer
and then you can ask who I am, of course, it's why the test
for the user is test. You can do (inaudible),
you can do whatever you want. So basically it takes literally
a two second plug to get compromised and
you can open a webpage, make the computer
do stupid things. That's what a USB drop attack
will look like in real life. That's how reliable
and fast it is. So the moment your terminal
opens you're dead, because you can't even act
fast enough to close it. That's what is going to happen. So now, let me tell you
how you do that. So, first thing is, I want
to point out is with HID, human interface device
spoofing, is not new. And remember, as told by Adrian
in DEF CON 2010 showing us one of those early HID device
which is on the picture. The only problem with it is,
I don't think anyone will plug that. Samy Kamkar did a very nice
one for his necklace for OS X. Again, I won't plug that,
but it's quite interesting that it works both for
Windows or OS X, it's one or the other
at that point. And we have a problem of making
this realistic, right? So it's not the technology, we just have to reshape it to make
it work for our use case, so that's what we're going to do. So, here is the challenge when
you try to weaponize HID device for making them droppable. So, the first thing is you have
to make them cross-device. It's understood that HID devices
are never meant to have any feedback from
the operating system because they are
always agnostic. So you have to find
a way to fingerprint whether you are on OS X
or Windows or even Linux because there is no way to know
where you're going to plug the key. When you're a pen tester you know
your environment so you can plug the key and
it does things fast for you, but in our case it's going
to be dropped. Will the (inaudible)
read it from the Mac, from the Windows?
We don't know. So the key has to figure it out
itself what to do. The second thing is,
you have to use, to create a small
(BREAK IN AUDIO) binary-less persistent reverse-shell
which have to be small payload because keyboards don't type very
fast and it has to be on a script, to not trigger AV and with your reverse
shell to bypass firewall. Finally, and the most
fun part of the project, and I'll show you a ton
of photos in a bit, is how to make them realistic. I have them here,
by the way, so as I'm talking you're welcome
to come on stage and look at all the stages. I brought them for me so you
can feel how real they feel. So, how do we do that? How will we convince? So, we start with a very,
very tiny device which is a Teensy and it's
very small so we know it's going to fit well
into a fat USB key. It's programmable in C
and it's Arduino compatible and it's what most the people
for their previous work. So, OK, one button,
play, OK. So, how do you craft
a payload for that? So the first thing we need
to figure out is when the drivers are loaded. So, the first thing is, when you plug the key
we don't know how long it's going to take
for the key to load because the systems
have different timing. The second thing is,
we need, as I said, to fingerprint which
OS it will be. And finally, we have to execute
the reverse shell. So, a few GOTCHAs. The first thing is the timing
between the commands. Usually previous work were relying
on careful crafted timing. The problem here is the timing
is different from one OS to another so we have to be careful
about that. And the second one is,
it's really complex to know if you have successfully
executed your command, because again, no direct
feedback into an HID device. The way we go about that is
by using the CAPS LOCK key. So the CAPS LOCK key
you can turn it on or off and actually the keyboard
knows about it, so basically the idea is
you try to issue a toggle, execute your command to get it
back and check if it changed. Until it has changed you know
your command hasn't been executed
because it waits for it. And so this idea is using one-bit
feedback based on the key status. So the reason why we use
CAPS LOCK is, and I spent quite a bit of time
trying to debug that, is there is no NUM SCROLL
key on OS X. I didn't realize why my stuff
was not working and like, oh, okay, the key does not exist so the OS
does not know how to turn it on and off. So, basically how you
implement it in C, the code is available
by the way on GitHub, I made it available today
if you're interested. But the basic idea,
we tried to make it (inaudible) loading to our devices
and we tried to blink it, because it has internal LED. And then when it's able to blink
we know it's loaded and we try to execute our attack. For the fingerprint, there was a work two years
ago presented at Black Hat about USB fingerprinting and
I was about to implement that. It seemed very, very complex
for what I wanted. When Jean-Michel, my friend, came up with the idea that we
can probably try to do a lock, the SCROLL LOCK key,
in PowerShell and if it was working then
we'll be on Windows, and otherwise, we'll be
on OS X or Linux. And it turned out it works really
well and it's very flexible because we can do way
more with this technique so we implemented
this one instead. And it proved very,
very reliable in many, many devices we tested. So we stuck with this one
to fingerprint which device it is. So, how do you spawn
a reverse-shell? So the last stage is spawning
a reverse-shell. The first thing is you
open the terminal, then you spawn a process because
you want it as a background process, you don't want it as a foreground
process because people can kill it. A lot of previous work were
just opening a terminal but people will close it. What I do is I spawn
a background process and then in this background
process I run a reverse tcp connection
back to the server, which in our case is Metasploit, because it already does an awesome
job of being command and control and there is no code
needed on that stage. A few things to note is, we do a reverse-shell because
we want to pierce your firewall. You have no idea what
the firewall will look like so you want to connect
back which is usually more allowed than
inbound connection. We use scripting language
and obfuscation because we want
to avoid antivirus. We also do it in-memory
and not touching the disk for the same reason. The payloads have to be small. In certain OS's, you probably
don't know it but there's only 62 keystrokes
per second so your payload
has to be super, super tiny otherwise it's going
to take ages for it to type. So there is no way you're going
to type a full binary in the terminal, that's not going
to work for you. And finally, as I said, we leverage
Metasploit as a command and control because there is no way
we're going to reinvent the wheel if something is doing
a great job at it. So, the Mac OS X payload was
actually surprisingly small. I was about to write it in Python and then I came across this cheat
sheet from Pentestmonkey who had this one line, reverse shell in bash with no
unknown function at the end, I never knew about it,
which basically (inaudible) connection in dash. So all I had to do is put it into background
process and we were done. And we ended up with a
100-character reverse shell, which actually will be
used in background, will reconnect, will do
everything you want, one hundred characters. This is super tiny, works perfectly
well, saved me a ton of time. On Windows it's more complicated. So, I took inspiration
from Powerfun by Ben Turner and Dave Hardy. And so the idea is to create a TCP
connection in PowerShell which connects back
to the server. Then we're going to take
this payload, compress it so it's smaller
and then Base64, so we can put it as... make it
typable by the Teensy and we put it into an outer payload
which will basically use, again, PowerShell to spawn
a process, decode it, decompress it and
a dedicated memory, and you would end up, again with a reverse-shell
in memory. So, that's how the Teensy,
a half program, works both on Windows
and on OS X. The code is available on GitHub, there will be a link
at the end of the talk, so you can download it,
look at it, improve it. If you have improvement,
please commit. Send me a commit,
I will gladly take it. So, the final point, how
do you make this thing, which doesn't look at all
like a USB, a USB? So, first step, we have
a Teensy and then, well, you can plug an adaptor,
but that doesn't look like a USB at all. So, the first thing
you have to do is, okay, can't use an adaptor, we have to order
a Type A connector and then I'm going to
solder it like this. And then by soldering it we have almost
a USB key type of size, right? It's a right step in
the right direction. Now it seems the right size, okay? It takes a little bit of practice. This is my early experiment,
not that great. On the right side is also me trying
to remove the micro USB because the first time I didn't
know you can leave it up. So I actually ended up
breaking a Teensy. But after a few practices
you get the hang of it and then we were able
to make ten of those so, practice makes it perfect. And then you have to create
a silicone mold. And so the way you
create a silicone mold is you order a bunch of silicone, you mix it until you
get a nice goo. And then you take your key,
in my example it's this one, so it's a normal USB key,
I bought it. And then I basically
put the clamp on it, put it into a plastic cup, and then
I pour the silicone into the cup. The only GOTCHA here is silicone has air,
so if you don't want to have bubbles and you want your key to have
a very sleek aspect you have to be careful
to remove the air. The way you would do that is either
by vacuuming the key, or if you don't have
a vacuum like us, you actually need to pour it
from very high up and then it will have
a thin stream of silicone and will remove the air. And so basically you let it
rest for 24 hours. And then you get the mold like
this one, and it's very squishy. The mold will be used
to cast the key. So, how do you go
about casting a key? So, the idea here is we're
going to use resin and we're going to colorize it. And so the resin is two
polymers you're going to mix. So, one thing here to note is
you can't mix all of it at once because it's going
to very quickly solidify. So, what you do is
you use two syringes, one for each product, and you
use about 10cc of each. And you mix them and
you take 2cc of color and you mix all of this and you
have then your resin. And then you're going to cast it.
Do wear gloves. Do wear a lab coat if you
are going to do that because it's extremely toxic to have it
on your skin so be careful. By the way, this is actual
photos of us doing it. We documented everything. And so, basically then you pour
your resin into the mold and you overflow it almost
and then you stick the Teensy into and you let it rest. If you're too impatient
you're going to break it, so leave it about 30 minutes. And then you're going to,
with something like this. Yes, that's a cast Teensy
and she looks really, really almost like
the same thing. And the excess resin is really easy
to remove with a small knife. It's not hard so, don't worry
about excess resin. It's better to have too much
and not enough. So, let me think, the only
other GOTCHA we had is, do not let it overflow to the hole
into the connector otherwise your USB
is going to not work. And it's very hard to remove actually
when it's inside the connector. And so, well, the first attempt
was not that great. Too impatient, no colors and well,
we were wrong with it. And then we got this advice that
you need to use lubricant to make sure that you can remove
really easily the key out the mold. Except it gives you this really
bad look like it's a smudge, and it's not like a smudge
you can remove it, it was literally into the key. It's here if people
want to see it. So, do not use lubricant. But, then you try it
again and again and then at the end of the day
here's what you obtain. It almost looks perfect, right? No? Yes? Okay. That's a lot of work. It took us, like, a full week. It literally takes a full week
to get all this experimenting where I did every night, like four or five hours at a time. But yeah, you really obtain, like, a USB key which
is like the real thing. The only thing you might
notice is the connector is a little bit off center because
of where the Teensy's soldering is. But other than that it literally
looks like the real thing. And so, how much did that cost? Well, it cost about $40 to actually
make such a key. It cost about $20
to get the Teensy, the mold and resin
casting is about $10 and the equipment and supply
is about $10 as well. So in total you're going to end up
with paying $40 for a key. Not cheap change,
but absolutely doable for someone who really
wants to make it work. And this is a price assuming
you're actually making ten keys and you already have
all the equipment to do it. There is a lazy approach. You can try as well if you
don't want to do that. If you take the key which
has a rubberized aspect and then you remove
the inner working of it, and then you pour directly
your resin inside the mold and then you plug your Teensy
like we did in a voyager key, and then you obtain a key. It doesn't look as slick I think
and it's a little bit weird but it's definitely a short cut. The last thing I wanted to discuss is how do you defend
against those attacks? The first thing you can do is awareness
and security training. I think that's the most
important thing that's why I wrote so many
blog posts about it. It's teaching people to be mindful of
what they plug in their computer. Try to tell them that you do not pick
up food from the floor so you should probably not pick up
a USB key from the floor. You might also get
poisoned by it. If you're in a company, you can
absolutely block the port. You can block the USB port
and that's only available. And the last thing is,
and it's kind of a band aid, you can use Windows policy
to disable certain types of device. I know you can use a code
which is called USBkill which will basically reboot your
computer if a specific type of device is plugged
or a non-device. The problem with that is the USB
protocol does not have authentication, so as a result, anyone can appear
to be a Microsoft keyboard or a Logitech keyboard,
so it's not a sure thing. And that's what deterred me
to write one more of those, because it's a false
sense of security. People will be able to spoof
any ID's they want. So, if they know you have
a Logitech keyboard, there'll be a Logitech keyboard
and it won't work. So, the takeaway. First, yep, legend proved. USB drop attacks do work and we found
at least 45% of people did click. And then you can actually create
reliable malicious USB keys. It's not trivial but for someone who
really wants to do it, they can. It requires a bit of handiwork. And finally, yes, there is
no easy defense which also explains why
it's such a deadly attack. But in that case, device policy
and awareness is something which would help mitigate
that kind of attacks, like, any social engineering attack. I would like to thank a lot of people
because all you saw, it looked like really easy, but in reality there was
a lot of people helping us. Cealtea who worked on the silicon
molding and testing with me. Nicolas "Pixel" Nobel who
helped us with hardware, soldering, teaching me how
to not mess up with my Teensy. Jean-Michel Picod who invented
the idea of the fingerprint and helped with the Teensy
programming. Mike Bailey who is my co-conspirator
from University of Illinois who convinced the University
to let us drop all the keys. Zakir and Matt Tischer
who are students who actually did all
the heavy lifting of dropping the keys
while having coffee. And so, if you want to build one,
I just put online a blog post which details everything
I just told you. You can, step by step, from writing
the payload to creating your own mold to creating your own fake USB,
it's really easy to do. The code is on GitHub. If you want a free one,
I have about eight left. And I'm pretty sure there is more
people who want than I can give. So if you just re-share
the blog post, I know you're interested and
then when I'm coming back to San Francisco Monday, I will pick a few people and
we'll just mail them to you. And don't worry, the payload
is absolutely innocuous, don't worry, you can
absolutely plug it. So the thing that came to mind
when we were working on this project was the idea that we might
create more advanced HID keys. We haven't just got
to the bottom of it. We can probably imagine something
which bridge air gap with a GSM and WiFi
(inaudible) module, (BREAK IN AUDIO). But inside of that, we need a lot of people who are
interested in having those keys, so if you are,
please let me know and then if we have
enough people we'll probably do a Kickstarter
and we'll try to build those. So, thank you very much
for attending the talk. I know it was a short talk,
but I hope you liked it. I will take questions. I also wanted to leave a few
minutes for people to come on stage and see the keys
themselves if you are interested. So that's why it was so short. Don't forget to fill out
your questionnaire. They're going to give an award
and they forgot to do it, so please if you're happy
with the talk, let them know. I will know as well, thank you very much.