USB (Universal Serial Bus) has gained wide industry acceptance over the past fifteen years. Device manufacturers have adopted it as the primary method for connecting peripheral devices (cell phones, keyboards, flash drives, etc.) to a computer or power source. While USB’s versatility, acceptance, and ease of use are among its greatest benefits, they have also been shown to be among its greatest risks.
In a 2014 Black Hat presentation entitled ‘BadUSB – On Accessories that Turn Evil’, two German researchers presented their research findings and a proof-of-concept demonstration of vulnerabilities they had discovered within this protocol. The researchers discovered that many USB device controller chips, including those used in thumb drives, can be reprogrammed. Once reprogrammed, these devices can be used to perform the following malicious acts:
- A device could emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device could spoof a network card and change the computer’s DNS setting to redirect traffic.
- A modified thumb drive or external hard disk could – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
These were just a few of the potential exploits discussed. To make things worse, the researchers emphasized that there are no effective defenses against this risk. Antivirus and anti-malware products are not able to identify infected devices, and simply reinstalling the operating system will not correct the issue, because the operating system will be re-infected when the infected USB device is inserted.
So what can you do? Be vigilant and monitor the USB devices that are permitted for use. Businesses should consider developing and implementing policies and procedures on the use of USB devices, including whether phones and other USB devices are permitted to be connected to enterprise machines. You can also consider limiting your risk by whitelisting USB devices through the use of a third-party application.
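As an illustration of the monitoring and whitelisting idea above, the following Python sketch audits a Linux host's USB inventory against an allowlist. It is an example added here, not code from the researchers or from any whitelisting product. The `ALLOWLIST` policy, the vendor/product IDs, and the `SAMPLE` inventory are constructed assumptions. Because vendor and product IDs are reported by the device itself, the check also compares the interface classes each device presents, so an approved "flash drive" that additionally presents a keyboard is flagged.

```python
from pathlib import Path

# USB base class codes for the behaviours described above.
CLASS_NAMES = {"02": "communications/network", "03": "HID (keyboard/mouse)",
               "08": "mass storage", "0a": "CDC data"}

# Hypothetical policy. The vendor/product IDs are constructed placeholders.
ALLOWLIST = {
    ("1111", "0001"): {"08"},  # approved flash drive: mass storage only
    ("2222", "0002"): {"03"},  # approved keyboard: HID only
}

def read_sysfs(root="/sys/bus/usb/devices"):
    """Read vendor ID, product ID and interface classes per device (Linux sysfs)."""
    devices = []
    for dev in sorted(Path(root).glob("*")):
        if not (dev / "idVendor").is_file():
            continue  # interface entries such as 1-1:1.0 carry no idVendor
        classes = {f.read_text().strip().lower()
                   for f in dev.glob("*:*/bInterfaceClass")}
        devices.append({"path": dev.name,
                        "vendor": (dev / "idVendor").read_text().strip().lower(),
                        "product": (dev / "idProduct").read_text().strip().lower(),
                        "classes": classes})
    return devices

def audit(devices, allowlist=ALLOWLIST):
    """Flag unlisted devices and listed devices that expose extra interface classes."""
    findings = []
    for d in devices:
        allowed = allowlist.get((d["vendor"], d["product"]))
        if allowed is None:
            findings.append((d["path"], "not on allowlist"))
            continue
        # IDs are self-reported, so also compare what the device claims to be.
        for extra in sorted(d["classes"] - allowed):
            findings.append((d["path"], "unexpected interface: "
                             + CLASS_NAMES.get(extra, "class " + extra)))
    return findings

SAMPLE = [  # constructed inventory in the shape read_sysfs() returns
    {"path": "1-1", "vendor": "1111", "product": "0001", "classes": {"08"}},
    {"path": "1-2", "vendor": "1111", "product": "0001", "classes": {"08", "03"}},
    {"path": "1-3", "vendor": "3333", "product": "0003", "classes": {"02", "0a"}},
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE):
        print(path, reason)
```

On a live host, pass `read_sysfs()` to `audit()` instead of `SAMPLE`. Hubs, including the host's own root hubs, also appear in sysfs and need their own allowlist entries.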
While there is no single fix to USB security issues, taking precautions can reduce your risks.