Project update 7 of 7
Good morning everyone!
I am very excited to unveil our latest stealth feature, Spectre, which takes Diabolic Drive’s wireless keystroke-injection mechanism to a whole new level. Previously, when connected to a computer, Diabolic Drive would present simultaneously as an HID interface and as a 64-GB flash drive. This design was already cutting edge, in terms of evading detection, because a flash drive is precisely what one would expect to see when plugging in a device like this. (And the target computer would produce only a single audible alert, which further reduces suspicion by mimicking the behavior of a typical flash drive.)
Now, rather than entering the "active" state immediately when inserted, Diabolic Drive defaults to the "spectre" state, which presents only as a flash drive, right up until you deem it safe to expose the HID interface and begin injecting keystrokes, at which point you can initiate the attack remotely over a Wi-Fi connection! Until then, the HID interface remains completely dormant: the host enumerates, and logs, nothing but a mass-storage device, so there is no keyboard event for anyone to notice.
Spectre is compatible with Diabolic Drive's other stealth features, as well, so you can still use Stealth Mode to hide the device's Arduino bootloader by disabling the CDC serial (COM) port of its onboard ATMEGA32u4, and you can still set custom vendor-ID (VID) and product-ID (PID) values, for both the flash drive and the HID interface, to match the branding of your chosen enclosure or to prevent additional pop-up notifications by masquerading as previously used hardware.
The video below shows a proof-of-concept demonstration of this new feature in action:
Human nature is such that, when we see a notification over and over again, we tend to stop paying attention to it (or to anything that resembles it). This is one of the reasons why Diabolic Drive was already an effective red-teaming tool, even before Spectre. Most targets won’t notice if, one day, a pop-up that normally mentions a flash drive suddenly includes an inscrutable message about a "keyboard" as well. And, even if they do notice, they’ll probably just think their operating system is confused. (Because, let’s face it, operating systems get confused all the time.) They hear what they expect—a single chime—and they see almost what they expect—a pop-up notification with some text on it—so most people just go about their business.
Now, a particularly wary target might start paying attention if the notification explicitly states that a new keyboard is being configured, but that’s why we support PID and VID spoofing regardless of whether the keystroke-injection attack is run immediately or delayed for remote activation. (It’s worth noting, however, that Spectre can help address this challenge as well, for engagements where it’s not possible to determine a previously used PID and VID in advance. If the attack can be triggered while the target is away from their computer—with their screen unlocked—even an unexpected notification is unlikely to generate suspicion. And if it does, the target is still unlikely to blame the USB device they plugged in minutes, hours, or days earlier. And finally, even if they do get spooked enough to unplug Diabolic Drive and plug it back in again, as a test, it will revert to its "spectre" state, with a dormant HID interface, and present as a regular flash drive once again.)
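From the defender's side, the behaviour described above (a device that enumerates as storage only and later presents a keyboard on the same port, possibly with a VID:PID borrowed from a real keyboard) is exactly what a host-side check should key on. The following is an added example, not code from the Diabolic Drive project: a small Python analyser for Linux kernel (dmesg-style) USB log lines that flags a mass-storage device gaining a HID input interface, whether in the same enumeration or after a re-plug of the same port. The log lines are constructed for the example; the update does not say whether Spectre re-enumerates when it switches state, so the analyser handles both cases. Because it matches on interface class rather than on vendor or product ID, the VID/PID spoofing described above does not help the device here.

```python
"""Flag USB devices that expose a HID input interface alongside, or after,
a mass-storage interface, from Linux kernel (dmesg-style) log lines.

Added example for this page; not Diabolic Drive's own code. The log lines
below are constructed to look like Linux USB enumeration messages.
"""
import re
from collections import defaultdict

# "[  120.101] usb 1-1: new full-speed USB device number 4 using xhci_hcd"
NEW_DEVICE = re.compile(r"\[\s*([\d.]+)\] usb (\d+-[\d.]+): new .*USB device number (\d+)")
# "[  120.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, ..."
IDS = re.compile(r"\[\s*([\d.]+)\] usb (\d+-[\d.]+): New USB device found, "
                 r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
# "[ 3720.010] usb 1-1: USB disconnect, device number 4"
DISCONNECT = re.compile(r"\[\s*([\d.]+)\] usb (\d+-[\d.]+): USB disconnect, device number (\d+)")
# "[  120.300] usb-storage 1-1:1.0: USB Mass Storage device detected"
STORAGE = re.compile(r"\[\s*([\d.]+)\] usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# "[  900.300] input: <name> as /devices/.../usb1/1-2/1-2:1.0/0003:046D:C31C.0001/input/input9"
HID_INPUT = re.compile(r"\[\s*([\d.]+)\] input: (.+?) as \S*/(\d+-[\d.]+):\d+\.\d+/")

# Constructed sample: a flash drive on port 1-1, a real keyboard on 1-2, then the
# 1-1 device re-plugs as storage plus keyboard using the real keyboard's VID:PID.
SAMPLE_LOG = """\
[  120.101] usb 1-1: new full-speed USB device number 4 using xhci_hcd
[  120.250] usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
[  120.300] usb-storage 1-1:1.0: USB Mass Storage device detected
[  900.000] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  900.150] usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  900.300] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:046D:C31C.0001/input/input9
[ 3720.010] usb 1-1: USB disconnect, device number 4
[ 3721.100] usb 1-1: new full-speed USB device number 6 using xhci_hcd
[ 3721.250] usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
[ 3721.300] usb-storage 1-1:1.0: USB Mass Storage device detected
[ 3721.400] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:046D:C31C.0002/input/input12
""".splitlines()


def _new_device(port, devnum, t):
    # storage: timestamp of the mass-storage probe, or None; hid: input device names seen
    return {"port": port, "devnum": devnum, "ids": None, "t_enum": t, "storage": None, "hid": []}


def analyze(lines):
    """Return a list of alert dicts (port, rule, ids, detail) for suspicious ports."""
    current = {}                 # port -> device currently enumerated on that port
    history = defaultdict(list)  # port -> devices previously seen on that port
    alerts = []
    for line in lines:
        m = NEW_DEVICE.match(line)
        if m:
            t, port, devnum = float(m[1]), m[2], int(m[3])
            if port in current:          # re-enumeration without a logged disconnect
                history[port].append(current[port])
            current[port] = _new_device(port, devnum, t)
            continue
        m = IDS.match(line)
        if m and m[2] in current:
            current[m[2]]["ids"] = f"{m[3]}:{m[4]}"
            continue
        m = DISCONNECT.match(line)
        if m and m[2] in current:
            history[m[2]].append(current.pop(m[2]))
            continue
        m = STORAGE.match(line)
        if m and m[2] in current:
            current[m[2]]["storage"] = float(m[1])
            continue
        m = HID_INPUT.match(line)
        if m and m[3] in current:
            t, name, port = float(m[1]), m[2], m[3]
            dev = current[port]
            dev["hid"].append(name)
            if len(dev["hid"]) > 1:
                continue                 # one alert per device is enough
            # Rule 1: the same enumeration carries both storage and a HID input interface
            if dev["storage"] is not None:
                alerts.append({"port": port, "rule": "storage+hid", "ids": dev["ids"],
                               "detail": f"mass storage then HID input '{name}' "
                                         f"{t - dev['storage']:.0f}s later on device {dev['devnum']}"})
            # Rule 2: this port earlier held a storage-only device (the dormant "spectre" state)
            for prev in history[port]:
                if prev["storage"] is not None and not prev["hid"]:
                    alerts.append({"port": port, "rule": "hid_after_storage_only", "ids": dev["ids"],
                                   "detail": f"storage-only device {prev['ids']} (number {prev['devnum']}) "
                                             f"seen here {t - prev['t_enum']:.0f}s earlier; now HID input '{name}'"})
                    break
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"ALERT port {alert['port']} [{alert['rule']}] {alert['ids']}: {alert['detail']}")
```

On the sample, the genuine keyboard on port 1-2 raises nothing, while port 1-1 raises both rules even though the second enumeration copied the keyboard's VID:PID. In production you would feed it `journalctl -k` output and whitelist ports that legitimately host composite docks or hubs.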
I was already pretty happy with the stealthiness of Diabolic Drive, but I knew I could do better, and I was eager to provide this new feature to my backers. Doing so required an updated PCB design, custom firmware, additions to the Web-based configuration software, and tweaks to the ATMEGA32u4 bootloader, which is now a modified version of the Arduino Leonardo bootloader. The current implementation is a very early beta, and I will continue working on it between now and when we ship, but I couldn't be happier with the hardware revisions and the proof-of-concept firmware!