Thumb drives are used pretty much everywhere nowadays. Whether a generic metallic memory stick, a branded giveaway at an event, or cleverly disguised as Yoda or some other pop culture icon, these devices are universally embraced as an easy way to transfer data.
Unfortunately, they’re also loved by cyber criminals, who can use thumb drives to attack your computer.
In a Universal Serial Bus (USB) drop attack, cyber criminals leave USB devices for people to find and plug into their computers. A Good Samaritan hoping to return the drive or a penny pincher hoping to pocket a new device for free inserts the “found” drive into his or her computer’s USB port. Then the trouble begins.
There are three main types of attack:
- Malicious code — In the most basic of USB drop attacks, the user clicks on one of the files on the drive. This unleashes a malicious code that automatically activates upon viewing and can download further malware from the Internet.
- Social engineering — The file takes the thumb drive user to a phishing site, which tricks them into handing over their login credentials.
- HID (Human Interface Device) spoofing — In a more sophisticated attack, the device looks like a USB stick but in fact will trick the computer into thinking a keyboard is attached. When plugged into a computer, it injects keystrokes to command the computer to give a hacker remote access to the victim’s computer. (We teach students a similar method in our Red Team Training!)
The most advanced attack by USB exploits a hole in computer software the vendor doesn’t know about until the attack is discovered. It’s known as a Zero Day attack because the hacker has acted before the developer has a chance to act to fix the vulnerability. These advanced cyber attacks can compromise a network in secret and provide an element of surprise.
USB attacks might sound like they’d be limited to personal devices, but the implications can in fact be much bigger.
A particularly well-known example of a USB drop attack is Stuxnet, a computer worm that infected software at industrial sites in Iran, including a uranium-enrichment plant. The virus targeted industrial control systems made by Siemens, compromised the system’s logic controllers, spied on the targeted systems, and provided false feedback to make detection even more difficult, and it all began with a USB stick infection.
The United States government, too, has fallen victim to flash drive attacks. In 2008 an infected flash drive was plugged into a US military laptop in the Middle East and established “a digital beachhead” for a foreign intelligence agency. The malicious code on the drive spread undetected on both classified and unclassified systems enabling data to be transferred to servers under foreign control.
In one test of how well a USB scam can work, Trustwave planted five USB drives decorated with the targeted company’s logos in the vicinity of the organization’s building. Two of the five “lost & found” drives were opened at the organization. One of the openings even enabled the researchers to glimpse software employed to control the organization’s physical security.
A company in Hong Kong has even developed a USB that could kill a computer. Collecting power from the USB line, it absorbs power until it reaches about 240 volts and then discharges that energy back into the data lines in devastating power surges. Oh, and the USB Kill drive is available for just $56 — in case you think this is only something someone could accomplish if they’re tech savvy and have deep pockets.
USB Baiting has even been seen in popular culture, with what’s known as a “Rubber Ducky” tool appearing in the show Mr. Robot in 2016. The USB key only needed a few seconds to get to work using HID spoofing to gather FBI passwords.
And if you’re a hacker, why not? Two of the best tools a malicious party can leverage are the human desire to help others and our blind trust. It’s not that hard to imagine what you might do if you came across a USB key left by the copy machine or the water cooler. You’d probably think someone in your office simply misplaced it, and the simple solution would be plugging it into your own computer to see if you could you can find identifying information.
Imagine, then, a file is on there labeled “Joe_Resume.pdf.” Wouldn’t that seem like a safe and useful file to open to help you return the device to its rightful owner? Except, as you now know, that same file could be set up to deliver malicious code to your machine.
Most average users are unaware of how to safely determine the ownership of a USB stick, so educate workers about the risk of found USB drives and urge them to hand in any found devices to IT.
USB Security Awareness
Think about the effort expended on telling children not to take candy from strangers. It’s the same idea with encouraging employees not to put found USB devices into their computers. One 2016 study dropped 297 USBs on a university campus. Of the 98% of found devices that were picked up, 45% were plugged into computers.
The thumb-sized USB drive has become increasingly commonplace, and that’s part of the problem. Today you might get one at a convention with a company’s logo and promises of promotional materials to download later. These “memory sticks” are small, cheap, and can store as much as 20 gigabytes of data.
“The more ubiquitous they’ve become, the greater the chances they’ll get lost or stolen or be used to spread malicious programs.” — Norton
These convenient drives are also easy to lose. In fact, one 2008 study found an estimated 9,000 memory sticks were found in people’s pant pockets at the dry cleaners. If the information on these left-behind drives is not encrypted and can be accessed by the wrong parties. This in and of itself represents a security risk.
So what’s to be done?
- Ensure that employees don’t store sensitive information on USB devices.
- If important data must be stored on a USB device, make sure it’s protected with encryption or another safety feature such as fingerprint authentication.
- Encourage employees to separate flash drives used at home from those used in the office.
- Institute policies for employees, and educate them accordingly, about what can and cannot be plugged into the company network.
- If employees are lax about securing their computer USB ports, you might even consider physically blocking the USB ports on sensitive computers to avoid attack.
- Further, it’s possible to restrict the type of USB authorized on a computer — using Windows or a USB kill code — to thwart unauthorized access.
- And of course, it’s always smart to keep your security policies and patches up to date.
It’s important to educate your workforce while also understanding the limits of your physical and network security protocols. Ready to find out what those are? Let RedTeam Security Consulting test your facility’s security today.
A brief history of USB drives
- The USB 1.0 standard was first introduced in 1995 with the goal of developing a standardized device-connection protocol. Before USB, computers used many different ports and drivers to connect devices and transfer data.
- Trek Technology produced the first commercially available USB drive in 2000. The drive could hold up to 8 megabytes of data.
- By 2002 there were dozens of companies marketing these flash drives and patent clashes abounded.
- In 2004, USB 2.0 standard devices were made widely available with the drive able to transfer data at about 30 MB/second as opposed to the 1 MB/second of the USB 1.0 devices.
- Some USB 3.0 devices were made available in 2010 offering a data transfer rate of 4.8 gigabits per second.
- USB flash drives — also known as thumb drives, pen drives, jump drives, or memory sticks — can typically endure close to a million data rewrites.