Introduction: What’s USB Ninja?
When someone mentions hacking, the first thing that comes to mind is a guy sitting a few continents away, across the ocean, tucked in at home in his favorite chair, with coffee by his side, looking at several monitors and frenetically typing tons of stuff so he can penetrate your machine.
But USB Ninja doesn’t represent that type of hacking. It is the kind of thing we would expect to be made by “Q”, Her Majesty’s chief science officer at MI6, the British intelligence agency. Although it sounds like some very complex tech stuff, it is really simple, but still very, very high tech.
USB Ninja looks like an ordinary, everyday USB cable that someone uses for charging and data transfer, but with an extraordinary function. It can be remotely activated and triggered to upload a malicious payload onto a Linux, Windows or macOS machine.
USB Ninja: How does it work?
It works very simply: you plug it into the victim’s USB port and execute the payload attack.
First of all, you have to physically plug it into the victim’s machine, and you need to be a very clever and resourceful attacker to do such a thing. For example, if you want to get a USB Ninja cable into someone’s organization, you can do that by physically entering the premises and replacing someone’s USB cable with the malicious one on the spot. The other option is to give an employee of the targeted organization (or the targeted individual) a “present” in the form of a brand new Apple iPhone, with the original Lightning cable replaced by a USB Ninja Lightning cable. So you have to do some James Bond-style spying to successfully penetrate the organization.
If and when you do that, that’s when the fun starts.
USB Ninja [features, hardware specs, design]
USB Ninja is an information security and penetration testing tool that looks and functions just like an ordinary USB cable, but only until a wireless remote control triggers a payload attack on the targeted machine.
It comes in 4 different packages.
Pro-Kit
The most expensive and comprehensive one is the Pro-Kit, in which you’ll get the mandatory high-powered Bluetooth wireless remote, cables with all three connector options (USB-C, Micro-USB, Lightning) and the programming ring.
Standard-Kit
The Standard package includes one cable with one connector option, the Bluetooth wireless remote and the programming ring.
Individual
The Individual package comes with one cable and the programming ring, WITHOUT the Bluetooth wireless remote.
Every package variant comes with a USB Ninja driver, the USB Ninja Programming Environment and an Android app.
Components:
Cable Physical Characteristics
- Length: 1 m
- Color: white
- Connector options: Micro-USB, USB Type-C, Lightning
- Voltage range: 4-25 V (supports fast charging)
- Current consumption: 10 mA (typical)
- Full-rate USB data transmission
Remote Control
- High-powered Bluetooth wireless (customizable name and password)
- Battery: 3.6 V, 40 mAh, rechargeable
- Standby current: 80 μA
- Transmission current: 30 mA
- Range (under ideal conditions with antenna):
  - 30 m with 2 dBi, 3 cm antenna
  - 50 m with 3 dBi, 11 cm antenna
  - 100 m with 18 dBi directional panel antenna
Mobile App
- Alternative to remote control for triggering payload
- Open source and freely available
Programming
- Payload programmable with standard Arduino IDE (Windows/Mac/Linux/Android)
- Access bootloader with non-contact magnetic ring
- Source code provided for example payload
Hacking Using USB Ninja
How to upload a malicious script onto USB Ninja?
That is done in the so-called “Programming state”. Since USB Ninja is an “ordinary” USB cable, you’ll need to activate programming mode by physically touching the host-side plug with the programming ring. Once you activate it, within three seconds of the cable being plugged into the targeted machine, your script will begin the upload process via the USB Ninja cable.
So, let’s assume you somehow managed to trick someone into plugging your malware-infected USB Ninja cable into his computer: your USB Ninja cable is now entering the “Deployed state”.
And now we are prepared to enter the third operating state of the USB Ninja cable, the “Triggered state”.
There are two ways to deploy a malicious script.
The first way is through the Bluetooth wireless remote: press the button and the malicious script, in the form of keystrokes, is uploaded onto the victim’s machine. It can be anything, like a Trojan, a worm, a link to a phishing site, a keystroke logger, a rootkit, whatever you desire. In addition, there are two designated buttons on the Bluetooth remote, so you can upload two different scripts in one go.
The second way is to upload the malicious script through the open source mobile app. The payload can be triggered from no farther than 7 meters with the smartphone trigger and 50 meters with the remote control trigger. This is a good thing, because you don’t infect every machine by default. Every time someone plugs your malicious cable into their machine, you decide when to infect it.
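Because the payload arrives as keystrokes, it can be spotted on the defender's side by its typing rhythm. The following is an added example, not part of the original article or of the USB Ninja project: it flags any keyboard device that sends a long run of keys at machine speed. The device names, the event data and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Assumed thresholds (illustrative, tune on real data): a human typist rarely
# sustains gaps under ~30 ms between keys for a dozen or more keys in a row.
MAX_GAP_S = 0.030
MIN_RUN = 12


def longest_fast_run(timestamps, max_gap=MAX_GAP_S):
    """Longest run of keystrokes whose consecutive gaps are all <= max_gap."""
    best = run = 1 if timestamps else 0
    for prev, cur in zip(timestamps, timestamps[1:]):
        run = run + 1 if (cur - prev) <= max_gap else 1
        best = max(best, run)
    return best


def flag_injecting_devices(events, max_gap=MAX_GAP_S, min_run=MIN_RUN):
    """events: iterable of (device_id, timestamp_seconds) key-down events.
    Returns {device_id: run_length} for devices with a machine-speed burst."""
    per_device = defaultdict(list)
    for device, ts in events:
        per_device[device].append(ts)
    flagged = {}
    for device, stamps in per_device.items():
        run = longest_fast_run(sorted(stamps), max_gap)
        if run >= min_run:
            flagged[device] = run
    return flagged


# Constructed sample data (not captured from a real device).
# "kbd-builtin": a person typing, with gaps of roughly 90-250 ms.
human = [("kbd-builtin", t) for t in
         (0.00, 0.14, 0.31, 0.40, 0.62, 0.87, 0.99, 1.15, 1.33, 1.52, 1.70, 1.85, 2.01)]
# "hid-new": a device that starts sending later, 40 keys spaced 5 ms apart.
injected = [("hid-new", 10.0 + i * 0.005) for i in range(40)]

if __name__ == "__main__":
    for dev, run in flag_injecting_devices(human + injected).items():
        print(f"{dev}: {run} keystrokes in a row at <= {MAX_GAP_S * 1000:.0f} ms spacing")
```

In a real deployment the events would come from the operating system's input layer or an endpoint agent, keyed by the physical device that produced them.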
Conclusion
USB Ninja is a very clever and dangerous piece of hardware. At the beginning it depends heavily on low-tech penetration methods, but once you manage to perform those low-tech actions, you will have an arsenal for any high-tech method imaginable. It can also be used as an essential tool for testing security measures and protocols in any given organization.