Friday from 14:00 – 15:50 in Sunset 4 at Planet Hollywood
Audience: Offense, Social Engineers, Hardware, Privacy Mike Rich

If you’ve never thought USB devices could become even less trustworthy, then this is the talk for you. We already know USB devices might try to automatically run code when connected, or act like a hyperactive keyboard and mouse, or attempt to physically destroy the host, or masquerade as an innocent charging/data cable. But it can, actually, get worse. Say hello to the Chaos Drive, a USB drive with just a little too much chaotic energy. I’ll demonstrate how a Linux-based USB mass storage device can be set up to change the storage it presents to the host based on a set of user-defined conditions. On the offensive side this can be used to circumvent USB scanning procedures and on the defensive side this can be used to store private files that will be undetectable without time-consuming analysis. Attendees will learn the steps I took to build the POC and see what it can do. For best results bring a USB OTG-capable device such as a Pi Zero or Pocketbeagle, an OTG cable, and some spare microSD cards to flash.

Mike Rich
I’m a blue-team lead professionally. I delight in thinking of ways to defeat my own processes and then admitting these flaws publicly. I spoke at DEF CON 24 about using copiers to load code on closed networks, at the Lockpick Village at DEF CON 26 about exploiting human laziness on multi-dial combination locks, and at BSidesLV 2018 on quantitative risk analysis. Lastly, I'm the only person I've ever met that's literally been bitten by an otter. You think they are cuddly and cute; I think they are underestimated aquatic apex predators.