USB has become a very popular interface over the years. Plenty of devices have been developed that provide a USB interface such as cameras, phones, music players, the list is endless. While this is a useful technology, some of these devices have also brought with them new threats to our computer systems that need to be mitigated.
The obvious threat everyone thinks about when mentioning USB security is the USB storage devices. This device is small, it is portable, it is inconspicuous enough to easily hide and it can store a lot of data. The obvious threat here comes in the form of a disgruntled employee copying your source code or client list before he leaves the company; however, it is not just that. It can introduce viruses, Trojans and even illegal software / media onto your network, and potentially go even further than that.
When U3 developed a system where a small partition on a USB storage drive is automatically treated by Windows as a CD-ROM drive, so that programs on the USB drive can autorun, it opened the door to a new attack vector. The USB Switchblade required only that one insert the USB drive into the target computer; it would then automatically and silently steal information about the computer, password hashes and any other data.
That was the first generation, and then came the USB Hacksaw. The problem with Switchblade was that you had limited time for the attack to be successful. It is easy to convince the victim to plug a USB storage device into their system: ask the victim to print a file from that USB drive, or to look at something stored on it, a report or pictures. While this is happening the USB drive silently copies items, but because of the time constraints the Switchblade attack could only copy files that resided in specific directories. There was no time for the attacking program to search all hard drives. Hacksaw fixed that. The first time the malicious USB drive containing the Hacksaw attack is plugged in, it installs a small program. This program runs automatically and searches the hard drive for interesting files such as documents and passwords. The attacker can then safely remove the drive within seconds. He then waits patiently for an hour or two while the program on the victim’s computer gathers the files into its own folder. Once enough time has passed the attacker goes back and inserts the USB drive again. This second time, the program installed previously copies all the data it found since it was first activated back to the USB drive. This was only the first version; later implementations had software that simply sent the found files remotely by email, and technically the same method can be used to deploy any malware, including rootkits and backdoors.
In order to protect against USB drive copying and Switchblade attacks, the best option is to disable USB access if it is not required. If USB is required, software that provides control and can restrict access to only those devices which are allowed, based on device class or even device serial number, can be used.
USB Key Loggers
Key loggers have always been a threat to any business. They can be used to compromise passwords, steal source code, intelligence, credit card numbers and confidential company secrets. With software key loggers, some antivirus solutions and other anti malware software can be used to detect them. However it is not so easy with USB key loggers. These insidious devices connect between the keyboard and the computer’s USB port and they record every key press. They can store more than a year’s worth of key presses. Once installed they can be hard to detect, since they’re small and people do not generally go looking behind computers to see that nothing was added. However the risk is great. If a malicious employee wants to steal company information in most cases it would be trivial for him to install such a device and once he does it is very unlikely that he will get caught.
Mitigating this can be quite tricky. The best approach is to ensure physical security on the machines by, for example, locking offices when people leave. Alternatively, if the data is sensitive enough, it might be possible to protect against such devices by installing a USB monitoring tool that blocks any device, including input devices, and simply whitelisting the keyboard and mouse you want to use. This is quite labor intensive to do on each machine, but it is probably the only sure way to protect against this device. Even this might not be 100% effective, since future key loggers might simply clone the keyboard serial as well.
USB Wireless Devices
Wireless access points are another obvious device that can be a threat to the company. Risks here are both incidental and intentional. Incidental threats can come from employees hooking up a wireless access point to the network so that they can use their laptop wirelessly, with the intention of increasing productivity. Intentional threats include cases where malicious people hook up an access point with the intention of getting illegal access from outside the building, where it is safer to operate. There are documented cases where this type of attack was carried out.
Back in 2004 a post office in Haifa, Israel was broken into. After an inventory found nothing missing the matter was dropped, on the belief that the thieves had got scared and run before taking anything. However, a few days later large unauthorized transactions were detected, and another inspection found a rogue access point. The thieves had not simply run away: they had in fact planted a wireless access point to give themselves access from outside whenever they wanted.
Cases such as this, the adding of unauthorized devices to the network, clearly indicate the need to keep a hardware inventory. There are solutions that periodically scan the network and alert the administrator when new hardware is added or even removed. This allows an administrator to detect the change quickly and act in a timely manner.
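The three controls above (restricting USB devices by class or serial number, whitelisting only the known keyboard and mouse, and diffing a periodic hardware inventory) can be expressed in one policy check. The following is an added example, not code from the original article or from any product it mentions; the device records, serials and vendor/product IDs are constructed, and the policy dictionary is a hypothetical format. Besides the allowlist and inventory diff, it flags a serial number that shows up on more than one device, which is the one remaining signal when a rogue device clones an allowed keyboard's serial.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str      # USB VID as a hex string (constructed values below)
    product_id: str     # USB PID as a hex string
    device_class: str   # interface class name: "HID", "MassStorage", "Hub", "Wireless"
    serial: str         # iSerialNumber string; may be empty on cheap devices

# Hypothetical policy: named keyboard/mouse serials and hubs are allowed,
# storage and wireless are always blocked, anything else is blocked by default.
POLICY = {
    "allow_serials": {"KB-0001", "MS-0001"},
    "allow_classes": {"Hub"},
    "block_classes": {"MassStorage", "Wireless"},
}

def evaluate(dev, policy=POLICY):
    """Classify one device as ('allow' | 'block', reason)."""
    if dev.serial and dev.serial in policy["allow_serials"]:
        return "allow", "serial on allowlist"
    if dev.device_class in policy["block_classes"]:
        return "block", "class %s is blocked" % dev.device_class
    if dev.device_class in policy["allow_classes"]:
        return "allow", "class on allowlist"
    return "block", "not on allowlist"

def audit(snapshot, policy=POLICY):
    """Evaluate a whole snapshot. A serial seen on two devices is blocked on both:
    the operator cannot tell the genuine keyboard from the clone remotely."""
    counts = Counter(d.serial for d in snapshot if d.serial)
    dupes = {s for s, n in counts.items() if n > 1}
    findings = {}
    for d in snapshot:
        verdict, reason = evaluate(d, policy)
        if d.serial in dupes:
            verdict, reason = "block", "serial %s seen on more than one device" % d.serial
        findings[(d.vendor_id, d.product_id, d.serial)] = (verdict, reason)
    return findings

def diff_inventory(before, after):
    """Hardware inventory diff: (added, removed) between two snapshots."""
    return set(after) - set(before), set(before) - set(after)

# Constructed sample snapshots: yesterday's baseline and today's scan.
BASELINE = [UsbDevice("046d", "c31c", "HID", "KB-0001"),
            UsbDevice("046d", "c077", "HID", "MS-0001")]
TODAY = BASELINE + [UsbDevice("0781", "5567", "MassStorage", "4C530001"),
                    UsbDevice("1d6b", "0002", "HID", "KB-0001")]  # claims the keyboard's serial
```

Running `audit(TODAY)` blocks the new storage device and both devices carrying KB-0001, while `diff_inventory(BASELINE, TODAY)` reports the two additions for the administrator to investigate.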
In all cases the hardest part for an attacker is delivery. Does the attacker only carry out inside jobs, or does he need to break into a company to get physical access to his target? Obviously there are a lot of options for someone determined, especially if this is a targeted attack. What if the attacker pays a janitor to hook up the USB drive to the highest-ranking manager’s machine and then retrieve it the next day? During that day it would have copied countless credentials, and if it also logged keystrokes it would have captured a lot of confidential information as well. If the attacker is particularly daring he might also open a backdoor on that machine; however, if the attacker doesn’t go that far it is a good bet that the whole operation can be completed without anyone ever discovering it.
If the attacker feels that bribing people is too risky there are other options. Purposely dropping a compromised USB drive prepared with the Hacksaw method in front of the company premises, or during a conference that employees are attending, might see one of them pick it up, and there is a good chance that the first thing they will do is insert it into their computer to see what it contains. At that point it could gather data and send it by email, or open a backdoor. The possibilities are endless and frightening.
There are various risks to a computer system through an attack targeting USB. A lot of these attacks are ideal for inside jobs but a clever attacker might find other ways to target a specific company or even a specific person. The threat posed by USB should not be underestimated. Physical security and USB management software can be a great help in protecting an organization from such attacks.