We all love the “plug and play” convenience that USB ports and devices have brought to our digital lives. However, along with the ease of use comes significant security risks. Keep reading to learn more about the threat, the types of USB related attacks and how to defend against them.
The Threat
The crux of the problem is that operating systems blindly trust any device connecting through USB ports. Current security relies on users’ knowledge of the USB device and their ability to decipher whether it’s benign or malicious which, as you are about to read, is not exactly the best line of defense.
A Simple Start to an Attack
The most common and simple type of cyber-attack related to USB begins with a rogue flash drive placed in an office, parking lot or break room where an unsuspecting employee is likely to find it. Research shows that when people find what appears to be a misplaced flash drive, the urge is to plug it in to identify who it belongs to so the drive can be returned.
Attackers count on people finding the rogue flash drive and connecting it to their computer. Some attackers will even label the flash drive – i.e. Corporate Layoffs, Corporate Salaries – to entice curiosity and increase the chance it gets connected to a computer.
Several Types of Attacks
USB devices can be loaded with malware so that when the unsuspecting user plugs in the device, their computer becomes compromised.
Attacks like BadUSB can modify the device to emulate a keyboard, install malware onto the computer, perform DNS spoofing, spy on the user, or even create a communication link to exfiltrate data.
All of the attacks using a USB device rely on attaching an unknown interface without the user’s knowledge. An interface is an internal function on the USB device. For example, a normal headset has interfaces for the speaker, microphone, and volume controls.
As identified earlier, operating systems inherently trust USB devices when attached along with all of their interfaces. Once all the drivers are loaded, all interfaces are granted access to the host computer. All this is to say, USB devices present an attractive attack vector for cyber-attackers.
One Way to Defend
It is tough to tell a good interface from a bad one. Aside from the human defense, USB packets are difficult to analyze. Enter USBFILTER – a packet-level firewall for USB.
A research paper detailing USBFILTER was presented at the Usenix Security Symposium. The USBFILTER software gives administrators the ability to set rules for how interfaces on the USB device and the operating system interact with each other.
USBFILTER helps assess which packets are coming from which interface. The operating system can use this software to prevent unauthorized interfaces from connecting. USBFILTER can also be used to limit what functions the interfaces can perform and which applications with which they interact.
Practical Examples
Here are a few practical examples of USBFILTER at work:
USB Headset
A typical headset has multiple interfaces, as mentioned earlier – speaker, microphone, and volume controls. This could open up the possibility of an eavesdropping attack using the microphone interface. Some companies might ban the user of these headsets to prevent an attack.
With USBFILTER, administrators can set the protocols such that any incoming packets from the headset’s microphone are dropped. This means the headset’s microphone is disabled and cannot be enabled by users.
Disguised Keyboard
Many BadUSB attacks utilize devices that act as a Trojan horse; on the outset they appear to be a regular flash drive, but they secretly have other functions. Most of the time this secret function is a keyboard or mouse. Once connected, the device can send keystrokes to the computer and perform actions as the user.
With USBFILTER, administrators can whitelist the existing keyboard and mouse connected to the computer. This way, the computer will only run actions from the real keyboard and mouse and drop other packets trying to disguise themselves. Administrators can also configure it so that any packets other than storage functions are automatically dropped.
USB Webcams
Webcam attacks allow an attacker to exploit vulnerable applications to gain access to the user’s webcam. From there, the attacker is able to watch or listen to the area around the user’s computer.
Administrators can identify the webcam’s serial number so USBFILTER can recognize when other webcams are plugged in and prevent them from connecting. USBFILTER can also specify certain applications for the webcam to run on, such as Skype. So in practice, only the identified webcam can connect and turn on when the user is using Skype.
USB Charge-Only
Other BadUSB attacks allow the attacker to use a connected smartphone to perform DNS spoofing. When the smartphone is connected, it will automatically enable USB tethering and inject spoofed DNS replies to the computer. If all goes right, this results in a man-in-the-middle attack with the attacker gaining access to the computer’s network communications.
With USBFILTER, administrators can set the protocols such that any packets to and from the phone are dropped, rendering the phone solely a charging device. Additionally, USBFILTER can designate a specific port on the computer to only be used for charging.
Key Takeaway
USBFILTER is a solution that can give administrators better, granular control over the functionality of USB ports and devices. USBFILTER is open-sourced code, and posted here on GitHub. It’s currently written for Linux, but can be ported for Windows and Mac.