Evolving tactics used by cybercriminals, often highlighted in the news related to large-scale attacks, bring attention to the importance of protecting the companies we work for and ourselves personally. But over time, we tend to forget about other, more low-tech, attacks that are still quite impactful. Physical security, including the use of USB storage devices, has been a security topic for the better part of a decade. Recommendations around blocking USB devices, not only for compliance, but also to limit the loss of sensitive data, are now considered industry best practice. However, many organizations still remain vulnerable due to the lack of established policies and procedures around the use of USB devices. Researchers from Ben-Gurion University in Israel recently released a report of 29 different attack methods via USB that attackers could use to compromise a user’s computer. The researchers categorize these attacks into four unique categories depending on how the attack is executed. Once executed, the attacker is able to gain control of the victim’s computer, utilizing the system to execute malicious attacks or steal sensitive information.
REPROGRAMMABLE MICROCONTROLLER USB ATTACKS
The first category, reprogrammable microcontroller USB attacks, involves the use of a small programmable chip that is able to “mimic” a normal USB device, but that is programmed to directly interact with the computer just as if the attacker were sitting at the keyboard and monitor. This type of controller attack has been around since 2010 and is designed to execute malicious keystrokes in order to install malicious software that aids in the theft of passwords or other sensitive information.
REPROGRAMMED USB PERIPHERALS
Similarly, the second category focuses on reprogrammed USB peripherals that have had their internal software, also known as firmware, changed to include malicious instructions that the host computer then executes. This type of attack can result in the loss of data or the covert use of web cameras to capture video without the user even knowing. For example, Siemens, the global electronic controls company, found malware posing as legitimate software updates for control systems that ended up infecting the programmable logic controls of industrial systems.
SOFTWARE ON THE USB DEVICE
While reprogramming USB devices is technically complicated, the third category utilizes software on the USB device that simply executes to conduct the malicious activity. Considered the world’s first digital weapon, Stuxnet, released in 2014, utilized software installed on a USB storage device to execute a computer worm that targeted SCADA systems. Stuxnet made a name for itself due to the substantial damage it did to Iran’s nuclear program. In another example, in 2017, IBM had to publicly announce that a number of USB flash drives had been shipped with Trojan malware that impacted Storwize storage systems.
The last category of attacks is quite simple, and is called an electrical attack. The idea behind this attack is to cause irreparable harm to a computer system by triggering an electrical surge.
HOW TO PROTECT YOUR DATA
The good news in all of this is that there are a number of simple rules that can help reduce your attack surface and protect your company’s sensitive data and technology investments. Generally speaking, in order to protect your organization, standard policies should be in place that disable USB storage devices, and all endpoint devices should be patched and have good anti-malware software installed. Additionally, employees should be trained to not inherently trust all technology devices. If they don’t know for sure that a USB device is clean, they shouldn’t plug it in. This includes not only USB tokens found in parking lots, but also extends to public charging stations that can be commonly utilized to charge smartphones. Employees should be instructed to always use their own chargers, use their own USB devices, and to distrust public Wi-Fi networks. These simple steps can help reduce the impact of rogue USB devices if they are introduced into your company’s environment. For any questions regarding the information contained in this article, or about the cybersecurity services that Richey May provides, please contact JT Gaietto, Executive Director, Cybersecurity Services.