The ubiquitous USB thumbdrive. We’ve all used one to backup or move files from one computer to another. As I was going over the list of school supplies for my kids, I noticed each of them were required to own a thumbdrive. They are simple to use, relatively inexpensive, and found among the impulse items near retail registers.
There is certainly nothing about the thumbdrive that gives off the impression that it could be used for nefarious reasons, but that’s exactly what is happening.
A couple of years ago, 60 Minutes told the world about one of the most famous computer worms known as Stuxnet. In short, the Stuxnet worm attacked a programmable controller that is used in machinery, such as large centrifuges that separate nuclear material. Although we are not entirely sure who created Stuxnet, we have a good idea of the amount of the damage it caused to Iranian nuclear centrifuges. Stuxnet effectively crippled Iran’s quest for nuclear weapons.
One interesting wrinkle to the Stuxnet story is how someone was able to transport the worm into the secure area where the controller for the centrifuges resides. Attempting a break-in at such a secure facility would be foolish, but what if the Stuxnet creators could somehow infect the laptop of an individual that works at the facility? That’s exactly what happened when a USB flashdrive was found to have infected the laptop of an individual who then brought the worm to the facility where it spread to the controllers and ultimately damaged the centrifuges.
But this wouldn’t be the last time a USB flashdrive would make international headlines. Last year, a former system administrator for the CIA named Edward Snowden, copied classified documents to a flashdrive and then released them to media outlets around the world after fleeing to Russia. The documents provided details on a global surveillance program that involved organizations in the US and Europe. One might think a system administrator would use a more advanced technology than the thumbdrive, but it proved effective.
Both the Stuxnet and Snowden incidents illustrate how a technology as old as USB, can be used in unconventional, but effective ways. But a recently discovery could bring the threat even closer to home, because a group of hackers have shown researchers how an exploit named BadUSB can reprogram embedded firmware granting USB devices malicious capabilities.
BadUSB is loaded onto computers of unsuspecting victims in the same manner as Stuxnet was introduced to Iranian centrifuges: the USB flashdrive. Once BadUSB is loaded onto a computer, it can intercept key strokes or open a console and type harmful commands. At the Black Hat security conference in Vegas, hackers demonstrated how their technique will work on nearly any USB-enabled device including keyboards and web-cams.
One must have access to the physical USB port in order to introduce BadUSB. But once you have that, today’s operating systems extend a lot of trust, and that trust can be used abused. One might assume that antivirus products from companies such as Norton or McAfee would detect these type exploits, but that’s not the case. This is the primary reason BadUSB is considered so dangerous. Once the BadUSB updates the firmware, it’s nearly impossible to detect.
So what can system administrators do to protect their users and the devices they manage? Well, if you’re NSA you take the MacGyver approach and squirt rubber cement into the USB ports. I guess that’s one inelegant option, but others do exist such as this one from Microsoft detailing how to use Group Policy to prevent users from connecting USB storage.
One system administrator I spoke with told me that he’s been able to disable USB ports in the BIOS and then set a BIOS password on a newer laptops. This isn’t a permanent solution, but would make the laptops more difficult to exploit.
At Puget Systems we occasionally hear from soldiers serving in the military who are allowed to use laptops but only on the condition that both the webcam and microphone are removed. Simply disabling both is not allowed, so we began offering a webcam and microphone removal service on the laptops we sell.
But the best approach might also be the most difficult: education. IT departments can help reduce the harm caused by exploits by helping users understand the risks of leaving a laptop unattended, and also letting IT know if they notice any odd behavior.
Maybe one day Bluetooth or another technology will kick USB to the curb. Until then, be safe!