A few weeks ago, we posted an article about the security risks presented by USB devices with hacked firmware in the controllers. Now there are reports that USB threats are even more pervasive. Inexpensive USB chargers marketed and designed for electronic cigarettes. Hackers are purportedly bundling malware onboard with USB chargers so that, when users connect them to their computers to charge their e-cigarettes, they get more than a nicotine hit.
According to a post on Reddit by Jrockilla, an executive at his company experienced a malware infection when he plugged a USB charger for his e-cigarette into his laptop. Allegedly, the low-cost Chinese-manufactured charger came complete with malware embedded on a chip inside the charger that executed when it was connected to the laptop.
While the post is anecdotal, and lacks a detailed breakdown of what happened or even what specific malware infected the machine, the scenario the author lays out is plausible and the threat is real. There is enough room inside a standard USB plug to embed a chip that will look like a removable storage device, and many systems by default will execute autorun.inf. If the storage is formatted as bootable, many systems will boot from an attached USB storage device by default. The chargers for many e-cigarettes are larger, and certainly have enough room to store a hacked USB controller to launch the more complicated firmware based attacks covered in the earlier post.
So what can you do to prevent this from happening to your users? Quite a few things. For starters, you could issue everyone USB charge only cables, or special USB plugs that only allow charging. The better approach, since that would still depend upon the user using them, is to deploy endpoint security so that when unknown devices are connected to a USB port, they are disabled. That way, you don’t have to worry about any accidents, ‘oopses’, or ‘I forgots’ getting you into trouble.
The Universal Security Breach The Universal Serial Bus interface continues to grow in popularity with more and more non-IT devices using USB to get power from conveniently placed ports. Whether you plug a malicious device into your computer, or you connect your phone/tablet to a malicious charging station, you can expect to see both more complex and more frequent security threats coming from untrusted and unmanaged devices. Securing your corporate assets with endpoint security is your best defense against any malicious device being plugged into a laptop, desktop, or server.
Learn how your organization can benefit from a good endpoint security solution.