When hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer, they knew they had their work cut out. The client specifically ruled out the use of social networks, telephones, and other social-engineering vectors, and gaining unauthorized physical access to computers was also off limits.
Deprived of the low-hanging fruit attackers typically rely on to get a toe-hold onto their target, Netragard CTO Adriel Desautels borrowed a technique straight out of a plot from Mission Impossible: He modified a popular, off-the-shelf computer mouse to include a flash drive and a powerful microcontroller that ran custom attack code that compromised whatever computer connected to it.
For the attack to work, the booby-trapped USB Logitech mouse had to look and behave precisely the same as a normal device. But it also needed to include secret capabilities that allowed the mouse to do things no user would ever dream possible.
“The microcontroller acts as if there’s a person sitting at the keyboard typing,” Desautels told The Reg. “When a certain set of conditions are met, the microcontroller sends commands to the computer as if somebody was typing those commands in on the keyboard or the mouse.”