Security risk of emulating HID devices with ATmega32U4 devices

Recently I wrote an automation script with Python that automates tasks such as opening websites, operating office programs, etc., and it does this mainly by capturing the screen and checking if certain images are there.
Since some applications block clicks and keyboard presses which are coming from pyautogui (the Python module I was using to do the clicks and the presses), I programmed a Leonardo to receive the coordinates or the key presses via the serial interface and used the HID emulation libraries to do the clicking and the key presses.
This system works indeed quite well on those applications which didn't work with pyautogui, and in fact I can even click on things such as the UAC (User Account Control), which could give a hacker administrative access to the PC.
So my concern is this: is it safe to have an Arduino programmed in this way connected to the PC? There is also the fact that these are automation scripts that run for hours while I'm AFK.

In order for someone to replace the Python scripts or the code of the Arduino, they would need to gain access to your computer in the active session. So once they are there, all bets are off anyway, they control your PC and there are worse things they can do :cold_face:

Someone could replace the Arduino with another one doing something else, but that requires knowledge of your communication protocol and physical access to your PC (and possibly the COM port would change if you swap the Arduino).

I'd say it is a big risk. I don't let my IoT devices generally contact the internet except via very specific hosts or very specific services like NTP. Nor can they contact each other, at least not over my WLAN. Even that is not foolproof. A rogue NTP server could use some exploits or the devices could build their own wireless connections to hop across each other into less protected networks to download malware.

I have a recent video (not yet published) of my Chinese FTDI adapter clone seemingly randomly opening windows on the attached PC and closing them again at a fast rate.

Would love to see this!

FTDI adapters like those ones you use to flash other boards?

It was this one from the retailer Alice (TXhang):

It was used to view the serial monitor of a device when it began to exhibit this strange behaviour I have described.

Point noted.

This is actually a very well known attack approach. If you can get physical access to a USB port on an unlocked computer (or perhaps even a locked one given enough time), then you can use a keystroke injection device to do anything that can be accomplished by a human with a keyboard and mouse, only more quickly and discreetly. You'll find a ton of Arduino projects for this sort of "USB Rubber Ducky" attack. I suppose it's an essential tool for every penetration tester to own.

But this is all contingent on an attacker having physical access to the USB port. As for it making your computer more vulnerable to remote attackers, I'm in agreement with J-M-L's opinion.

I don't see any indication that this Leonardo is connected to the Internet.
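
As an added example (not part of the thread or any poster's code), the "more quickly" property mentioned above can be used for detection: flag an input device whose key events arrive faster than a person types. The event tuples, device names and thresholds below are constructed assumptions.

```python
from collections import defaultdict

# Assumed tuning values for this example; they do not come from the thread.
MAX_GAP_MS = 10   # a gap shorter than this counts as machine-speed typing
BURST_LEN = 8     # consecutive fast gaps required before a device is flagged


def find_injection_bursts(events, max_gap=MAX_GAP_MS, burst_len=BURST_LEN):
    """events: (timestamp_ms, device_id, key) tuples in time order.

    Returns {device_id: [(first_ts, last_ts, key_count), ...]} for every run
    of keystrokes whose inter-key gaps all stay below max_gap.
    """
    state = {}                  # device_id -> (run_start, prev_ts, fast_gaps)
    bursts = defaultdict(list)

    def close_run(dev):
        start, prev, fast = state[dev]
        if fast >= burst_len:
            bursts[dev].append((start, prev, fast + 1))

    for ts, dev, _key in events:
        if dev in state and ts - state[dev][1] < max_gap:
            start, _prev, fast = state[dev]
            state[dev] = (start, ts, fast + 1)      # run continues
        else:
            if dev in state:
                close_run(dev)                      # slow gap ends the run
            state[dev] = (ts, ts, 0)                # start a new run
    for dev in state:
        close_run(dev)                              # flush runs still open
    return dict(bursts)


def sample_events():
    """Constructed input: one person typing, one device emitting keys 2 ms apart."""
    human = [(1000 + i * 180, "kbd-builtin", k) for i, k in enumerate("hello")]
    fast = [(5000 + i * 2, "usb-hid-new", k) for i, k in enumerate("abcdefghijkl")]
    return sorted(human + fast)


if __name__ == "__main__":
    for dev, runs in find_injection_bursts(sample_events()).items():
        for first, last, count in runs:
            print(f"{dev}: {count} keys in {last - first} ms")
```

Timing is only a heuristic, so it works best alongside an allowlist of the HID devices expected on the machine; an automation rig like the one in the original post would need its own device exempted.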

I'd say that in the scenario where a rogue IoT device somehow acquires malware (e.g. via its development kit, via an attack on the network it is/was connected to, possibly refreshed from something it collects via the internet etc. etc.), then waits until it is connected to a PC via an HID capable adapter for user programming etc., the stated requirement of having physical access to the PC under attack has already been fulfilled. The user has quite simply given it such access.

Certainly something to contemplate since many of the Arduino boards with built-in network connectivity do have native USB capabilities.

At the moment, I think that Arduino-based IoT devices are not likely to be targeted by black hat hackers. The reason is that there are a small number of these devices and within that number a great diversity of firmware. The potential payoff is immensely more for hacking a mass marketed consumer IoT product. At the present time the security of many of those products is not much (if at all) better than on a hobbyist Arduino-based device, so the effort required to accomplish it is about the same.

The situation might be different in the future if we start seeing more widespread use and standardization of Arduino-based IoT devices, but the security practices in this space will likely also improve as time goes on.

We see a proliferation of ESP32- or ESP8266-based consumer modules (relays etc.). I have very limited trust in those.

I’ve seen Trojans embedded pretty low in silicon or hidden firmware (e.g. hard drive, thumb drive) and reasonable doubt and caution should always be the norm.

At home I have two separate networks - one for home stuff and one for tinkering. I never connect one to the other, nor do I attach anything I do not trust (which is not foolproof) to the home network, and I try to keep it tight.

Send a PM with a contact address.
