Tuesday, August 26, 2014

When USBs Attack!

   Sometimes it seems that the more things change, the more they stay the same.  In information security, we've known for a long time that if someone can get physical access to your system, there's a chance they can get into your system.  Once an attacker has possession of your computer, laptop, tablet or smartphone, they can take their time and try multiple attacks.  We can take some preventative measures like encryption, but it needs to be implemented well.

   Of course, it's best to keep your portable devices in your possession!  But they do get lost or stolen.

   Unfortunately, there's more than one way for an attacker to physically get to your system.  If you've ever been to a conference, or a state fair, or just about any kind of gathering with give-aways, you've probably seen free USB sticks (also called thumb drives).  These supposedly have programs, games or advertising files.  And they usually do.  But they can also contain viruses or other malware.  To make matters worse, USB systems have an auto-run feature to make (legitimately) running these files "easier".

   Scattering malicious USB sticks in parking lots has been used both by attackers and security testers!

   So, in effect, an attacker can use a malicious thumb drive to get "physical" access to your computer.

   That was all bad enough, but this attack has now gotten much worse.  There is a newly discovered flaw called BadUSB.  It modifies the USB system "firmware" so that the malware on the thumb drive (or other usb device) is undetectable.  This can be a major problem in that traditional mechanisms used to detect or prevent malware will likely not work.  The computer will run the virus because it thinks it is connecting with a usb keyboard, mouse or other device.  You can read more about this here, here or here.

   So what do we do about it?

   First, as I mentioned above, try to keep your portable devices in your possession.  Here are a few more tips:
  • don't use usb sticks that are given away, even from a vendor at a reputable conference.
  • don't connect your usb stick or device to an unknown computer (it can be used to infect your thumb drive).
  • At work: follow your workplace policies on portable equipment, and only use company-provided thumb drives on company-provided systems or for work.

No comments:

Post a Comment