Data Leak Prevention Bypass
Last Update: 9th November 2010
Status: In Progress
I was testing the capabilities of Data Leak Prevention software which ran on a Windows PC and prevents the use of devices such as USB Drives so that files cannot be copied. The software side was easy enough to get around, more of the same old stuff, so I wanted to do something more interesting. I created a proof of concept hardware device to allow the copying of data from a locked down machine.
I first did this project back in 2008 but after getting it working and demonstratng the concept I didn’t get around to doing a writeup. I’m slowly working on polishing up the code and schematics so I can share it. As I do, I’ll upload it to this placeholder page.
How It Works
The DLP software prevents the use of certain types of devices on various ports, such as the obvious USB Mass Storage class of device. However, in most modern environments USB keyboards have to be allowed so the users can type.
I programmed a microcontroller to emulate a USB keyboard so when it is plugged in it is allowed to function (as a keyboard of course). USB keyboards communicate with the computer over the HID protocol. The HID protocol allows communication in both directions by sending and receiving reports and feature requests. I’ve utilised this control channel to allow the PC to transfer files over the HID protocol to the device, which writes the files to a MicroSD card. This doesn’t require any special drivers or admin rights but it does need a small custom written executable to communicate using our own protocol over HID. To get this executable onto the PC an old pentesting trick is used – since the device acts as a keyboard it types out a VBScript into Notepad which includes an encoded binary. When run, the VBScript can decode the binary and save it to disk from where it can be run. An alternative version is to create a .bat file which pipes a hex encoded binary into debug.com to create the binary.
The first prototype was made on stripboard using an ATMega168 and did USB all in software with the amazing V-USB library. Data sent from the PC was written to the eeprom (so storage was very limited).
The second prototype added a uALFAT-USB board so that the ATMega168 could write the data out to a USB stick with simple serial commands:
The next revision used a Teensy which has hardware USB on the microcontroller. It also utilised a MicroSD card in SPI mode for built-in storage.
After I finish sorting out the code, schematics and technical notes the next idea is to use audio to siphon data out of a very restricted environment. I’ve found some code that can be written in a text editor, run in a web browser and can output data as audio using FSK. As it happens I’d been working on an Arduino project to decode FSK. Combine the Arduino with a cellular module and you could transfer data out of a restricted environment by dialing a number on the desk phone and holding it up to the PC speaker.