USB is a wonderful technology — it is platform-agnostic and gives us compatibility, ease of use, and more durability than some of the connectors that came before it. It also presents a very difficult challenge to security professionals. USB devices have become so ubiquitous that we don’t think twice about plugging one into a computer. We have USB plasma balls, drink refrigerators, coffee heaters, thumb drives, keyboards, mice…the list goes on.
What happens when the device you plug into the computer is a little less than trustworthy? Sure, we’ve all heard of the dangers of malware propagating through USB and autorun, but let’s set those aside, along with their associated vulnerabilities, and focus on the hardware itself. For example, did you know that it is possible to emulate a USB keyboard using a microcontroller?
There are all sorts of interesting things that you can do with this power — like make a keyboard emulator that presses all of the keystrokes from a text file in its flash memory. Perhaps this contains a funny message that it types by opening up notepad from a keyboard shortcut. Perhaps it takes that a step further and copies a script to a file and then automatically runs it. Maybe that script fetches a virus, launches an exploit, or takes you to a malicious website. Perhaps it adds a remote user to the computer so quickly you don’t realize that anything out of the ordinary has taken place.
That may be a lot of maybes, but this technique has been around for a year, and it really illustrates the importance of remaining vigilant. While only skilled hackers with time and monetary resources would attempt to run a hack involving a rogue emulator device, USB devices are routinely abused because of their status in computing environments. The same ease of use that makes them ubiquitous makes them prime targets, because people don’t think twice about using them. A good example of this is the Energizer Duo, a USB charger that shipped infected with a trojan horse. Conficker (as well as countless other malware samples) used USB autorun to spread itself. USB devices have been responsible for major, widespread government security breaches in the DoD. Removable media was used to remove the diplomatic cables from secured government computers for use at Wikileaks. I’ve also heard horror stories about free USB drives being handed out at government security conferences with malware pre-installed on them.
This is a problem, and one that is best solved (as most computer security problems are) by a blend of digital and human policy. Tell your employees not to use unknown, untrusted (not company-provided) USB hardware, and lock down USB device usage and ports with Active Directory policies. While Active Directory might not stop keyboard emulation, informed, security-conscious and policy-compliant employees make for a more secure computing environment.
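As an added illustration of that last point (example code, not part of the original post), the script below audits the Removable Storage Access Group Policy settings on a Windows host and then lists the keyboard-class devices currently attached, which that policy does not cover. It assumes Windows 8 / Server 2012 or later with PowerShell 4+ (for `Get-PnpDevice`) and an elevated shell.

```powershell
# Added example (not from the original post): audit the Group Policy lockdown the
# post recommends, then list keyboard-class devices, which that lockdown ignores.
# Assumes Windows 8+/Server 2012+, PowerShell 4+ (Get-PnpDevice) and an elevated shell.

# Registry location written by the "Removable Storage Access" Group Policy settings.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStoragePolicy {
    # Deny_All under the parent key is "All Removable Storage classes: Deny all access";
    # per-class subkeys are device setup class GUIDs with Deny_Read/Deny_Write/Deny_Execute.
    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{ Configured = $false; DenyAll = $false; PerClass = @() }
    }
    $denyAll = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).Deny_All -eq 1
    $perClass = Get-ChildItem -Path $policyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            ClassGuid   = $_.PSChildName
            DenyRead    = $p.Deny_Read -eq 1
            DenyWrite   = $p.Deny_Write -eq 1
            DenyExecute = $p.Deny_Execute -eq 1
        }
    }
    [pscustomobject]@{ Configured = $true; DenyAll = $denyAll; PerClass = @($perClass) }
}

function Get-AttachedKeyboards {
    # A keyboard emulator enumerates as an ordinary keyboard-class device, so the
    # removable storage policy never applies to it; these still need to be watched.
    Get-PnpDevice -Class Keyboard -Status OK -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, InstanceId
}

$policy = Get-RemovableStoragePolicy
if (-not $policy.Configured) {
    Write-Warning 'No Removable Storage Access policy is applied to this host.'
} elseif ($policy.DenyAll) {
    Write-Host 'Removable storage: all classes denied.'
} else {
    $policy.PerClass | Format-Table -AutoSize
}

Write-Host "`nKeyboard-class devices currently present (not covered by the policy above):"
Get-AttachedKeyboards | Format-Table -AutoSize
```

Comparing the keyboard list against a known baseline for the machine (one built-in or docked keyboard, for example) is the simplest way to notice an unexpected HID device that the storage lockdown would never block.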