Last year, computers in a public meeting area of the International Atomic Energy Agency (IAEA) headquarters in Vienna, Austria compromised data on USB drives that visitors connected to the computers. In 2010, the Stuxnet attack on Iranian nuclear centrifuges is believed to have been implemented with an infected USB stick. It’s safe to assume these events created a bad day at the office for the respective IT service desks.
Today, it is believed that USB devices that appear to be completely empty can contain malware, even after they’ve been formatted.
This means it’s possible to hide attacks on any USB-connected device, including smartphones. In other words, computers can compromise data on USB sticks, and USB sticks can compromise data on computers.
USB sticks are inexpensive, versatile, handy, and potentially dangerous.
BYOD Plus USB Equals Risk
The rise of the BYOD work environment means more employees plug in USB-connected devices at work. Everyone, especially IT service desk teams, is aware of the major risks inherent in a BYOD environment, and most organizations work hard to mitigate those risks. Derrick Bates, an information security officer for a division of the National Health Service in the UK, calls BYOD “the scariest thing to happen in IT security since the USB stick.”
USB sticks are amazingly handy. You can carry around an entire photo library on a device the size of a Starburst candy. And USB devices are connected to or built into just about all computers. It’s a powerful, versatile technology with an interface that’s standard everywhere. You can even charge up devices by connecting them to a USB port. But that very ubiquity and versatility make it easy to transmit malicious code.
A “Family” of Possible Attacks
Berlin-based SR Labs defines a family of possible attacks that includes keyboard emulation, USB boot sector viruses, and spoofing of network cards, and right now there’s no clear way of disinfecting USB devices. One possible scenario is malicious code on a USB stick tricking a computer into thinking a keyboard has been plugged in. This “keyboard” could issue commands to download malware from the internet.
Another scenario described by SR Labs involves plugging a phone in to charge, after which the phone makes the computer think it’s a network card. So when a user goes online, their browsing could be secretly hijacked. SR was able to make a fake copy of PayPal’s website and steal user credentials. And there’s no obvious clue to the user that he’s under threat.
These problems can’t be patched, because the attacks change the firmware on the USB devices rather than being stored in the USB memory. Since USB devices have similar firmware, such a threat could be used on just about anything designed to be plugged into a USB port.
Countering the Threat
One small bit of good news is that many USB sticks don’t have reprogrammable firmware, which effectively short-circuits this vulnerability. That makes it easier for organizations to protect themselves with appropriate controls. Moreover, some threats could not be carried out using just the memory available to a typical USB controller chip. Experts think that hacks run code stored invisibly in a USB stick’s flash memory, and if that’s the case, a USB stick with minimal storage would probably be less of a threat.
However, user security awareness is essential. End-users of USB devices need to understand the risks, and understand why certain behaviors are risky. They need to be taught the dangers of “USB promiscuity” and the importance of backing up critical information should a USB stick become infected.
Many peripherals incorporate USB controller chips that can be reprogrammed in malicious ways. Currently there are no protections that prevent an attacker from manipulating a USB controller chip. This type of attack could enable a USB stick to inject malware onto a computer, which could potentially manipulate firmware in other peripheral devices plugged in at a later time. Conversely, computers themselves can corrupt data on USB chips, as the IAEA incident last year shows. Security experts are calling on the IT industry to improve the USB standard to counter this threat, but until that happens, education and smart USB practices will do the job.
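The keyboard-emulation and network-card scenarios described above leave one trace a defender can check: the interface classes a device announces when it is plugged in. The following is an added example, not code from the original article or from SR Labs; it assumes the Linux sysfs layout under /sys/bus/usb/devices, the flagging policy is an assumption of this example, and the sample tree is constructed. It sees only what the device reports, so findings are prompts for review and do not disinfect anything.

```python
import os
import tempfile

HID, STORAGE = "03", "08"  # bInterfaceClass codes, as sysfs reports them
NETWORK = {"02", "0a", "e0"}  # CDC control, CDC data, wireless (RNDIS)


def read_class(iface_dir):
    try:
        with open(os.path.join(iface_dir, "bInterfaceClass")) as fh:
            return fh.read().strip().lower()
    except OSError:
        return ""  # interface vanished mid-scan (device unplugged)


def scan(root="/sys/bus/usb/devices"):
    """Map each suspicious device (e.g. "1-2") to the reasons it was flagged."""
    classes = {}
    for entry in sorted(os.listdir(root)):
        if ":" in entry:  # interface dirs are named "<device>:<config>.<iface>"
            dev = entry.split(":")[0]
            classes.setdefault(dev, set()).add(read_class(os.path.join(root, entry)))
    findings = {}
    for dev, seen in classes.items():
        reasons = []
        if STORAGE in seen and HID in seen:
            reasons.append("storage device also presents a HID (keyboard-class) interface")
        if STORAGE in seen and seen & NETWORK:
            reasons.append("storage device also presents a network interface")
        if reasons:
            findings[dev] = reasons
    return findings


def build_constructed_tree():
    """Constructed sample in the sysfs layout; not captured from real hardware."""
    root = tempfile.mkdtemp()
    sample = {"1-1:1.0": "08",                   # plain flash drive
              "1-2:1.0": "08", "1-2:1.1": "03",  # drive that is also a keyboard
              "1-3:1.0": "08", "1-3:1.1": "e0",  # phone: storage plus network
              "1-4:1.0": "03"}                   # ordinary keyboard
    for name, cls in sample.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")
    return root


if __name__ == "__main__":
    print(scan(build_constructed_tree()))
```

Calling scan() with no argument on a Linux host reads the live bus instead of the constructed tree.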