A number of security hacks using USB devices have been demonstrated recently at various security conferences, highlighting the dangers that these portable devices pose to any user or organization. USB security hacks are not new. A few years ago GFI had demonstrated how easy it is to steal data using a USB memory stick. What is new this time round? Researchers have come up with new modes of attack and all the user has to do is plug in the USB device. These are not autorun attacks, nor are they the more well-known “salarylist.xlsx.exe” type attacks that we’ve seen in the past. These are quite insidious attacks that involve altering the firmware of the USB controller on the key, and then doing things like emulating a keyboard to pass keystrokes to the host PC without the user taking any action.
Back in August at the Black Hat conference held in Las Vegas, a team from SRLabs demonstrated proof-of-concept attacks using USB keys and USB keyboards. “BADUSB-On Accessories That Turn Evil” was presented by Karsten Nohl and Jakob Lell. In some of the attacks, the devices had bootable partitions that the PC would boot from on next start up, booting into a minimal Linux system long enough to infect the bootloader. In others, the USB device acts like a network card, which cleverly receives a DHCP assigned address with DNS servers, but without default gateway. This enables compromise of the host machine by sending all DNS requests to a compromised system but does not change the network routing. The researchers from SRLabs did not release any proof of concept code, in part because there is no easy fix. You can see their presentation on YouTube.
Adam Caudill and Brandon Wilson, who are also security researchers, demonstrated BADUSB and additional attacks at Derbycon in October, which can be seen here. They have also released the tools to replicate the attacks, including updates, payloads, and documentation. It likely won’t be long before someone packages all the hard work into a plug-and-play attack packager.
Since the attack code works against Phison controllers, which are the most common USB controllers in use, there are thousands of potential USB keys, drives, keyboards, mice, webcams, and more that could be used to deliver an attack. In an environment where users might bring in a USB device from home, or attackers might have, even if only momentarily, physical access to your machines, end point security and lockdown become critical defensive measures. Tamperproof protections including disabling USB devices entirely, or only allowing known devices, and reporting to a central console on all USB device usage are both good ways to mitigate these threats, and neither requires you to epoxy closed all the USB ports on your systems! If you’re looking for software that can help you block unauthorized portable devices, try GFI EndPointSecurity.