Most stationary workstations have at least two USB devices plugged in all the time: a keyboard and a mouse. Apart from that, we occasionally connect mass storage devices, printers, scanners, and cameras, or simply charge our phones through USB. While it’s convenient to use these devices, each connection can be a serious risk to an organization’s security. The reason is that USB devices can be infected with malware that attacks your corporate system once a device is connected.
Have you already included USB devices in your corporate security policy? How do you protect your corporate computers from infected USB devices? Let’s look closer at the most common types of USB drive dangers.
What dangers do USB devices pose?
USB-related attacks are one of the most widespread types of cyber threats. In 2017, Kaspersky Lab’s antivirus software spotted 113.8 million threats from removable devices. It’s easy to connect a USB device and hard to monitor it, and a USB-based attack doesn’t require a hacker to penetrate the system they want to infect. In 2016, Google conducted an experiment: Google employees left 300 USB drives at the University of Illinois campus to see if people would stick an unknown device into their computers. The results were not encouraging: nearly half of those who found the USB devices connected them to a computer and tried to open the files they contained. That’s a dream come true for any hacker.
Recently, researchers from the Ben-Gurion University of the Negev in Israel published a paper on USB attack types. They pointed out 29 methods to exploit a computer via USB, dividing these methods into four categories:
- Reprogramming a device’s internal microcontroller — In this case, the device doesn’t act like it’s supposed to (e.g. a charger injects keystrokes upon connection).
- Reprogramming firmware to perform actions (starting data exfiltration, launching a cryptocurrency miner, infecting a computer with a Trojan, etc.)
- Exploiting flaws in USB protocols or standards (automatic execution of .exe files, upgrading a driver using infected files)
- Electrical power surge attacks
[Figure: 29 types of USB attacks. Image credit: BleepingComputer.com]
Infected storage drives
Storage devices are convenient for employees who need to do some work from home, share data with partners at conferences, or use several computers. However, not all manufacturers of memory sticks and external hard drives can guarantee the safety of their devices. SR Labs researchers have revealed that the firmware of thumb drives can potentially be modified and even infected with malware.
Moreover, during a 2018 data security expo in Taiwan, cybersecurity winners were awarded infected storage devices. It was revealed that these flash drives originated from an infected workstation in China and contained preinstalled malware that collected personal data and transmitted it to a specified server.
In addition, memory sticks can be abused by careless or malicious employees. This happened to security solution provider Nyotron. One of its workers decided to watch “La La Land” during the night shift. Alongside the movie, his USB drive contained a piece of malware called Operation Copperfield. It bypassed the installed antivirus software and attacked the company’s infrastructure.
Data-stealing malware is much harder to detect. Once it gets inside the system, it masks itself as a harmless process. Depending on a hacker’s goal, it scans the network and steals browser forms, emails, and specific types of files. Some malware, like USB Thief Trojan, is programmed to target USB devices and erase all evidence of its work before exfiltration.
These types of attacks evolve with USB ports. Recently, researchers found a vulnerability in the Thunderbolt interface of USB-C ports. This type of connection allows low-level direct memory access, which makes it possible for malware to monitor keystrokes, network traffic, and even framebuffer data.
The simplest way to extract data with a USB device is to copy-paste it and quickly remove the flash drive. Such security violations can be easily mitigated with a user activity monitoring or file activity monitoring solution.
Cryptojacking isn’t a new type of malicious activity, but it has gained popularity over the last few years. According to a report by Kaspersky Lab, the most popular miner of 2017 was Trojan.Win32.Miner.ays. Nine percent of all removable media attacks were infections with this malware. It can be delivered both through the internet and via USB devices.
Another popular miner is the Otorum worm. It masks itself as a .ttf font file and replicates to any new USB device connected to an infected system.
Although miners don’t harm your system or steal your data, they exploit computer resources, slowing down performance.
Infected charging cables
It’s common for an employee who needs to charge their mobile phone to connect it to their corporate computer via a USB charging cable. However, this comes with a risk that your corporate system will be damaged. Recently, a team of security experts created USBHarpoon, a charging cable infected with malicious code. They reprogrammed the cable’s controller and made the charging cable capable of passing data along with power, which could allow a computer to be infected with a virus without anyone noticing.
And this isn’t the first case of turning a charging cable into a hacking weapon. Previously, researchers at Security Research Labs invented BadUSB, which is designed to carry out a Human Interface Device (HID) attack when plugged into a computer’s USB port. In 2016, researcher David Kierznowski upgraded it to BadUSB 2.0, adding a keylogger, spying, and data exfiltration functionality.
Though there are still no real-world cases of attacks with charging cables, they’re likely to appear in the near future as their attack vectors are difficult to detect.
Electrical USB killer
A storage device can do more than just infect your system with malware. The ol’ booby-trapped-USB trick can deliver a negative 220-volt electric surge that immediately fries computer hardware.
Such devices exploit a well-known USB power surge vulnerability. Power and data lines aren’t protected well enough from voltage peaks. This is probably the only type of USB attack you can’t protect against.
Other USB devices
Cyber attackers can reprogram any USB device, not only storage drives and charging cables. There are numerous cases when hackers have taken control of routers and cameras and used them to collect data or conduct DoS attacks. This can happen because any such device has a microcontroller that’s responsible for communication. However, this microcontroller isn’t protected against code changes, so hackers can make it work in a completely different way than it was initially designed for. Many researchers confirm that USB attacks have a high rate of success because people often don’t pay enough attention to IT security.
To prevent HID attacks, you should definitely educate your employees about USB threats. Your corporate policy should disable autorun and prohibit the use of unknown or unprotected USB devices by all employees, including the managing director. In addition, it’s important to deploy USB management software like Ekran System that analyzes USB devices and informs you about all new devices connected to computers in your network.
How can Ekran System help?
In addition to its employee monitoring features, Ekran System can be used as effective USB management software. While it’s inconvenient to block all USB ports to protect against USB malware, Ekran System can provide you with a smart, adjustable solution.
Using its configuration rules, you can specify the types of USB devices to monitor and block. These rules can easily be customized for every client and client group.
You can create a whitelist and blacklist of USB devices, filtering them by vendor, hardware, and other parameters.
By default, the Ekran System USB management tool provides you with the following features:
- Monitoring of connected USB devices – The system collects logs of a specified class of USB devices along with all other user activity metadata.
- Alerts about connected USB devices – The system notifies security officers with real-time alerts when a potentially dangerous device is plugged into a USB port.
- Blocking of connected USB devices – The system blocks any devices marked as prohibited and optionally notifies the user with a pop-up message.
Finally, upon your request, Ekran System can generate a report that includes data about all events associated with USB devices.
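The allowlist/blocklist filtering and the monitor, alert, and block actions described above can be sketched as follows. This is an added example, not Ekran System code; the policy structure, function names, and every vendor ID, product ID, and serial number are constructed for illustration. It also checks interface classes, because a reprogrammed device keeps reporting the same IDs it had before.

```python
from dataclasses import dataclass

# USB-IF base class codes as reported in bInterfaceClass.
HID, MASS_STORAGE = 0x03, 0x08

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple  # one class code per interface descriptor

@dataclass(frozen=True)
class Policy:
    allow: frozenset          # approved (vendor_id, product_id, serial) triples
    block_vendors: frozenset  # vendor IDs that are always refused
    hid_allowed: frozenset    # (vendor_id, product_id) pairs expected to be HID

def evaluate(dev: UsbDevice, policy: Policy) -> tuple:
    """Return (action, reason), where action is 'block', 'alert' or 'allow'."""
    if dev.vendor_id in policy.block_vendors:
        return "block", "vendor is on the blocklist"
    # IDs and serials are self-reported, so reprogrammed firmware keeps them.
    # Check the interface classes before trusting an allowlist match.
    if HID in dev.interface_classes and \
            (dev.vendor_id, dev.product_id) not in policy.hid_allowed:
        return "block", "unexpected HID interface"
    if (dev.vendor_id, dev.product_id, dev.serial) in policy.allow:
        return "allow", "device is on the allowlist"
    return "alert", "unknown device, notify the security officer"

# Constructed sample data: every ID and serial below is made up.
POLICY = Policy(
    allow=frozenset({(0x1111, 0x0001, "KB-01"), (0x2222, 0x0010, "STICK-7")}),
    block_vendors=frozenset({0x3333}),
    hid_allowed=frozenset({(0x1111, 0x0001)}),
)
SAMPLE_EVENTS = [
    UsbDevice(0x1111, 0x0001, "KB-01", (HID,)),                 # office keyboard
    UsbDevice(0x2222, 0x0010, "STICK-7", (MASS_STORAGE,)),      # approved stick
    UsbDevice(0x2222, 0x0010, "STICK-7", (MASS_STORAGE, HID)),  # same IDs + HID
    UsbDevice(0x4444, 0x0002, "CAM-3", (0x0E,)),                # unknown camera
    UsbDevice(0x3333, 0x0005, "X", (MASS_STORAGE,)),            # blocked vendor
]

def triage(events, policy):
    """Evaluate each connection event and return the list of actions."""
    return [evaluate(dev, policy)[0] for dev in events]

if __name__ == "__main__":
    for dev, action in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS, POLICY)):
        print(f"{dev.vendor_id:04x}:{dev.product_id:04x} {dev.serial:8} {action}")
```

The third sample event is the case an ID-only allowlist misses: an approved stick that starts exposing a keyboard interface is blocked even though its identifiers still match.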
USB devices can pose a serious threat to your company’s IT security unless they’re managed properly. A USB device can steal your data, infect your network, or even fry device electronics. The most reliable protection is dedicated USB management software.
Ekran System offers an effective USB attack protection tool that can easily be customized to meet your requirements. Using its default and custom rules, you can protect against threats to USB-enabled devices on every computer in your corporate network.