In the age of WikiLeaks and cyber crime, when all kinds of personal information can be accessed online, it is increasingly difficult to ignore the role that computer security plays in our social and personal lives. Unfortunately, it is all too easy to assume that once you’ve logged out of Facebook or an online banking account, your information is safely tucked away. It is exactly this false sense of security that Reid Cumbest, a junior majoring in computer science at the College of Arts and Sciences, set out to challenge.
Cumbest started work on his research, titled “Automated Hacking via USB Penetration,” in the fall of 2010. You may not have heard of hacking via USB penetration, but that is probably due to its very recent appearance on the radar of important threats to computer security. In fact, Cumbest is one of the first people to study it.
Back in October 2010, a fellow software developer named Eric Butler released a plug-in application for Firefox called Firesheep. The plug-in allows users to capture any unprotected username and password information from others on the same network who are logged on to unsecured sites, a process called “session jacking.” Butler released the application free and open-source to the Internet, making information theft easy for anyone who knows how to click the “Download” button.
Session jacking was not considered a huge threat to network users until the release of Firesheep. The noise made by Firesheep in the world of computer security inspired Cumbest to create his own program called “Plug-n-Pwn,” a play on Microsoft’s “Plug n’ Play,” that would test the threat posed by hacking via USB port.
Plug-n-Pwn is a relatively simple but effective program that could be used by malicious hackers, as Cumbest described it. “It can create a new user account or send everything in the user’s My Documents folder to a remote server,” Cumbest said. When plugged in, the program can be automatically detonated to wreak havoc on its victim’s information.
Once Plug-n-Pwn has been programmed onto the microcontroller, it can be disguised in any device that plugs into a USB port, which nearly all computers have. Cumbest masked his microcontrollers in regular flash drives and a USB-powered tesla coil, but he explained that they could be concealed in other devices, like USB-powered plasma globes, which could then be given as gifts to unsuspecting victims. Cumbest further camouflaged his program by soldering a light sensor onto the flash drive. The sensor would trigger the program to activate only when the lights were off in the room; as the hacker’s victim was turning out his or her office lights for the evening, Plug-n-Pwn would detonate without anyone there to notice.
Cumbest went to high school in southern Mississippi, where he grew up working with and being fascinated by computers. “We were so isolated that all I had to interact with was a computer since I was something like age 5,” Cumbest said. When he first came to AU, Cumbest was a German language and computer science double major; now, he has cut out German in favor of computer science.
So, is computer security a career path for Cumbest? These days, there are more and more jobs for clever hackers who can stress-test computer networks and catch weaknesses before the bad guys do. Cumbest said that while his research was interesting, computer security testing is something that he might choose to keep as a hobby.
“I’m not really looking for a career... I just want to do what I love. And right now, that’s assembly language programming,” Cumbest said. Assembly language programming, he explained, is just a few steps away from when computer code turns into nothing more than 0’s and 1’s.
The computer science major at AU is made up of a very small group of undergrads, but these students have their work cut out for them. “So long as there are bad programmers, there will be security holes for hackers to exploit,” said Cumbest.
In the meantime, companies and organizations often turn to “white-hat hackers” to help patch up the holes left behind by poor programming. White-hat hackers search out security risks that could be used as entry points by “black-hat” hackers, whose intentions are always malicious. Somewhere in between the two groups lie “ethical hackers,” who selectively hack into networks used by oppressive regimes or exploitative companies to make their operations more difficult, or to seize hold of otherwise classified information.
Cumbest presented his research at the College of Arts and Sciences Robyn Rafferty Mathias Conference on April 2, 2011. During his presentation, he performed multiple demonstrations of how easy it would be to carry out a successful attack. What is most disturbing about Plug-n-Pwn, Cumbest said, is that it does not take a computer scientist to know how to use it. The necessary hardware is readily accessible at your local Radio Shack; even the microcontrollers, new since 2005, cost only $15 to $25.
“If a program like Plug-n-Pwn were released online, it could wreak havoc,” Cumbest said. Cumbest’s research did not require the help of a grant and was completed within the span of a semester; nonetheless, Cumbest has opened up USB penetration as a topic for discussion in the world of computer security. And, while he may not be looking for a career in computer security, Cumbest said he looks forward to pursuing his research further over the summer and as a possible capstone a couple of years down the road. He would like the next step in his research to consist of developing a USB penetration testing framework, something that could determine whether what is plugged into a computer’s USB port is in fact a well-camouflaged attack.
Cumbest’s research on “Automated Hacking via USB Penetration” shows how quickly the game can change in the world of hacking and computer security: what was a trivial threat one day could be tomorrow’s biggest concern. It just goes to show that while hackers lurking in the tangle of Wi-Fi networks and USB flash drives loaded with malicious code might not be so tangible a threat as being robbed in the street, computer security is something that everyone in the modern era should be at least somewhat literate about. What makes computer security unique is that it is not about the threats we can see; rather, it is about what we cannot see. In a brief glimpse into the mind of a hacker, Cumbest recited a mantra amongst black-hat hackers: “The best hacker, no one knows at all.”