TicWatch Pro as a Keystroke Injector


If you successfully installed NetHunter as described in previous blogs, we can start using its tools. In this blog, I will focus on Duck Hunter provided by NetHunter.

Using DuckHunter allows our TicWatch Pro smartwatch to behave as a Rubber Ducky, also known as Bad USB, and perform a human interface device (HID) attack. This means that once the attack is triggered, the watch behaves as a keyboard that injects predefined keystrokes into the device it is connected to. You can see a quick demonstration in the video below.

Overview

In this blog you will learn how to use Duck Hunter, where to download Rubber Ducky scripts, how to upload them to your TicWatch Pro, and how to execute various scenarios that will help you understand how this could be misused by an attacker with physical access to your computer.

In the section below, I will use the rickroll ducky script payloads available on the Hak5 GitHub.

Rickroll

First, we need to change the file permissions on the hidg devices so that NetHunter can control them and send keyboard signals. This must be done after every reboot of the watch. Don’t worry if you forget: NetHunter will let you know with a toast notification that you missed it when you launch the attack.

  1. Connect your TicWatch Pro to the computer and enable ADB debugging.
  2. Copy your preferred script to the watch. For this test we will use the rickroll payload, stored locally on our computer as rickroll. Scripts need to be copied to this exact location on the watch so that DuckHunter can see them. Use the command: adb push rickroll /sdcard/nh_files/duckyscripts/
  3. [Optional] This step is optional, since the latest version of NetHunter automatically takes care of changing permissions. Set world-writable permissions on the hidg* devices. Invoke a sudo shell from the computer and change the permissions on the hidg* devices: chmod 666 /dev/hidg* (see Figure 1). Alternatively, if you are on the go, you can use the NetHunter Terminal app (see Figure 2).
  4. Open the NetHunter app, go to Settings, and pick DuckHunter. From the Convert tab, scroll down and choose the rickroll script that we copied earlier. Either slide to the left or manually pick the Preview tab. This action converts the supplied Rubber Ducky script, such as rickroll, into HID format. Press the play icon to launch the script (see Figure 3).
Figure 1 Change permissions for hidg* devices
Figure 2 Change permissions using NetHunter Terminal app
Figure 3 Execute DuckHunter script

If you forget to change the permissions after a reboot, you will be informed when launching the attack with the warning shown in Figure 4. When this happens, repeat step 3.

Figure 4 It is necessary to grant requested permissions to HID interface

Besides not granting world-writable permissions on the HID interface, I haven’t experienced any other problems during my tests of DuckHunter.

Prevention

Detecting an HID attack can pose challenges because such a device masquerades as a legitimate keyboard to the host device, and the injected keystrokes may remain invisible to the user. However, several steps can aid in detecting and preventing HID attacks:

  1. Monitor for unusual activity: Be vigilant about unexpected pop-ups, system messages, or the execution of unfamiliar programs on your device.
  2. Utilize device control software: Control which devices can connect to your system and block unauthorized ones.
  3. Safeguard physical access: Rubber Ducky attacks often involve physically inserting the device into a USB port. Securing physical access helps prevent such attacks.

Don’t allow unauthorized people to charge their devices using your laptop.
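To illustrate the device-control idea from step 2 on a Linux host, the following added example (not part of the original post or of NetHunter) scans kernel log text for USB HID interfaces that register as a keyboard and reports any whose vendor:product ID is not on an allowlist. The allowlist, the sample log lines and every ID and device name in them are constructed assumptions.

```python
import re

# Shape of the line the Linux HID core logs when a USB (bus 0003) HID interface binds.
HID_BIND = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+\S+ 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})"
    r"\.[0-9A-Fa-f]{4}: \S+: USB HID v\S+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

# Assumption: the keyboards this host is expected to have, as VID:PID.
ALLOWED_KEYBOARDS = {"1111:0001"}

# Constructed sample lines in dmesg format; all IDs and names are made up.
SAMPLE_LOG = """\
[    3.412345] hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Office Keyboard] on usb-0000:00:14.0-1/input0
[    3.498112] hid-generic 0003:1111:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Office Mouse] on usb-0000:00:14.0-2/input0
[ 5121.004211] usb 1-3: new high-speed USB device number 7 using xhci_hcd
[ 5121.310877] hid-generic 0003:2222:0003.0003: input,hidraw2: USB HID v1.01 Keyboard [Example Watch] on usb-0000:00:14.0-3/input0
"""


def unexpected_keyboards(log_text, allowed=ALLOWED_KEYBOARDS):
    """Return keyboard-class HID interfaces whose VID:PID is not allowlisted."""
    allowed = {a.lower() for a in allowed}
    findings = []
    for line in log_text.splitlines():
        m = HID_BIND.search(line)
        if not m or m["kind"] != "Keyboard":
            continue  # not a HID bind line, or not a keyboard interface
        dev_id = f"{m['vid']}:{m['pid']}".lower()
        if dev_id not in allowed:
            findings.append({"uptime_s": float(m["ts"]), "id": dev_id,
                             "name": m["name"], "port": m["port"]})
    return findings


if __name__ == "__main__":
    for f in unexpected_keyboards(SAMPLE_LOG):
        print(f"ALERT unexpected keyboard {f['id']} [{f['name']}] "
              f"on {f['port']} at {f['uptime_s']:.0f}s uptime")
```

Because a device chooses the vendor and product IDs it reports, an allowlist like this flags unexpected keyboards but does not authenticate the ones it accepts.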
