A serious design flaw in USB technology, identified by researchers at SR Labs, could mean that USB drives are a bigger security threat than was previously believed. But it isn't the content these devices might contain that should concern you. It's a fundamental flaw in the firmware that could spell serious trouble for your business's security.

If you or your employees use USB drives to store information or transfer files between computers, you'll want to read this!

What is USB?

USB stands for universal serial bus, a universal communication protocol that allows the connection of many different devices to a computer. Lots of hardware devices, from keyboards and mice to charging cables, game controllers and Ethernet adapters, connect to your computer via this universal port. In fact, most computers have more than one port to accommodate multiple devices.

One of the most popular devices to connect via the USB port is the small, ultra-portable USB drive. Also known as flash drives, pen drives, thumb drives, memory sticks, USB keys or jump drives, USB drives are primarily used to store and transport files from one computer to another.

USB drives, like other devices connected to your computer, use a special type of software, known as firmware, to tell the computer what the device is and manage its functionality.

Typical firmware on a USB drive manages the transferring of files from the computer to the drive and vice versa. In a similar way, the firmware for a USB-connected keyboard converts key-presses on a keyboard to digital data that is sent over the computer's USB connection, enabling the keyboard to operate.

The key to USB technology's vulnerability lies in the fact that it was designed to work with a wide range of devices. The firmware identifies the device and the computer reacts accordingly.

But what if someone could alter the firmware of a USB drive to make it look like the device was actually a keyboard or an Ethernet adapter instead?

In 2014, researchers at SR Labs reverse-engineered the code of the basic firmware on many USB devices and found that the firmware could, in fact, be reprogrammed. This ability to reprogram the device's firmware, known as BadUSB, makes it possible for a USB drive to behave like a different device entirely, turning it into a potentially malicious device.

This is not the first time that the security of USB drives has been called into question. At one time users were warned never to connect a USB drive to their computer if they didn't know where the device originated. This was due to the frequent exploitation of the Windows Autorun function.

Created as a convenience for users, Windows computers (starting with the release of Windows 95) were programmed to recognize autorun.inf files on certain types of media, CDs and DVDs for example, and automatically play the music or movie, or run the program found on the device. This eliminated the need for consumers to figure out how to get the disk to work when it was inserted.

In 2005, Sony BMG took advantage of this feature, using it to install a subversive rootkit that blocked a user's ability to rip content from their music CDs to their computer, effectively preventing unauthorized copies of music files.

But the AutoPlay feature wasn’t limited to CD and DVD drives. The functionality also worked from USB drives. Since it was easy to install autorun.inf files on these portable drives, it wasn't long before hackers began using Microsoft's built-in Autorun function to launch malware and viruses to infect users’ computers via USB drives.

Microsoft has taken steps to limit or disable Autorun capabilities, starting with the introduction of Windows Vista and continuing in subsequent operating systems.

The important thing to note here is that the Autorun vulnerability used the contents of the USB drive to infect a user's computer. The current threat instead lies in the drive's firmware, compromising the hardware itself, which is a much more serious concern.

What Could a Malicious USB Drive Do?

In theory, any vulnerable USB drive's firmware could be reprogrammed to:

  • Act as a keyboard and send key-presses to the computer as if the perpetrator were sitting in front of the computer
  • Appear to function normally, then infect files as they leave the computer
  • Work as a USB Ethernet adapter and route traffic from your computer to malicious servers
  • Modify or delete files on your computer
  • Relay information from your computer or other connected device to an attacker
  • Spread malware or viruses from the USB drive to your computer
  • Act as a boot device, which would load the computer's operating system while installing an invasive rootkit underneath

If none of that is scary enough, consider that the most dangerous aspect of all of this is the possibility that any infected computer could be programmed to infect the firmware of a clean USB drive. An infected drive could then become a malicious device that would later infect other computers.

Scarier still is the fact that much of this could happen in the background, without a user ever being aware that it was happening. This is because USB devices can use multiple profiles.

For example, a USB drive's firmware could tell the computer it is any type of USB device - a keyboard, Ethernet adapter, or game controller. But it can also function normally as a storage device, while reserving the ability to perform other operations, such as the functions of a keyboard or Ethernet device, at a later time.
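A defensive check for the multiple-profile behaviour described above, as an added example that is not part of the original article: it lists devices that declare a storage interface together with a keyboard-type or network-type interface. It assumes the Linux sysfs layout for USB devices and the standard USB-IF interface class codes; the function names and the sample vendor and product IDs are constructed for illustration.

```python
import os
import tempfile

MASS_STORAGE = 0x08  # USB-IF bInterfaceClass code for storage
INPUT_OR_NETWORK = {0x03: "HID (keyboard/mouse)", 0x02: "CDC communications",
                    0x0A: "CDC data", 0xE0: "wireless controller"}

def read_attr(path, name):
    try:
        with open(os.path.join(path, name)) as fh:
            return fh.read().strip()
    except OSError:  # attribute missing or unreadable
        return None

def interface_classes(sysfs_root):
    """Map each device (e.g. '1-2') to the set of classes its interfaces declare."""
    devices = {}
    # Interface directories are named like '1-2:1.0'; device directories have no colon.
    for entry in sorted(e for e in os.listdir(sysfs_root) if ":" in e):
        raw = read_attr(os.path.join(sysfs_root, entry), "bInterfaceClass")
        if raw is not None:
            devices.setdefault(entry.split(":")[0], set()).add(int(raw, 16))
    return devices

def suspicious_composites(sysfs_root):
    """Flag devices that declare mass storage together with input or network."""
    findings = []
    for dev, classes in interface_classes(sysfs_root).items():
        extra = sorted(c for c in classes if c in INPUT_OR_NETWORK)
        if MASS_STORAGE in classes and extra:
            dev_dir = os.path.join(sysfs_root, dev)
            ident = f"{read_attr(dev_dir, 'idVendor')}:{read_attr(dev_dir, 'idProduct')}"
            findings.append((dev, ident, [INPUT_OR_NETWORK[c] for c in extra]))
    return findings

def build_sample_tree():
    """Constructed sample: a plain flash drive and one that also declares a keyboard."""
    root = tempfile.mkdtemp()
    sample = {"1-1/idVendor": "aaaa", "1-1/idProduct": "0001", "1-1:1.0/bInterfaceClass": "08",
              "1-2/idVendor": "bbbb", "1-2/idProduct": "0002", "1-2:1.0/bInterfaceClass": "08",
              "1-2:1.1/bInterfaceClass": "03"}
    for rel, value in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")
    return root

if __name__ == "__main__":
    print(suspicious_composites(build_sample_tree()))
```

On a Linux host, pass `/sys/bus/usb/devices` as `sysfs_root`. A clean result does not clear a device, since a reprogrammed drive can hold back its extra functions until a later time or present itself as a keyboard alone.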

How serious is this problem?

While firmware reprogramming has been clearly demonstrated in proofs of concept, no known real-life uses have surfaced just yet.

According to an article published by Wired.com in 2014, "Hacker, Karsten Nohl, presented an update to his research on the fundamental insecurity of USB devices he's dubbed BadUSB. Nohl and his fellow researchers, Jakob Lell and Sascha Krissler, have analyzed every USB controller chip sold by the industry's eight biggest vendors to see if their hack would work against each of those slices of silicon. The results: Roughly half of the chips were immune to the attack."

So the good news is that as of 2014, the fatal flaw only affects 50% of the USB devices out there. But the bad news is that there is no way to know which USB drives contain the vulnerability, without taking them apart. In essence, there's no way to distinguish a good USB drive from a bad one.

However, one good thing about the discovery of this fatal flaw is that it will likely encourage USB drive manufacturers to take steps to bolster the security of the firmware on their disks in the future.

In the meantime, it is best to be cautious with USB drives and implement security policies to limit USB device use among your staff.

How to Protect Your Business

Educate Your Employees

One of the most important things you can do is educate your employees about the potential dangers of using USB drives on their work computers. You should also stress that USB drives that come from unknown sources should NEVER be used on any company computer.

Implement Security Processes Regarding USB Drive Use

Develop security policies that outline how USB drives will be used within the organization. This might include outlining situations where they might be necessary. For example, if employees are often located offsite with no access to an internet connection, it might be necessary for them to carry files on a USB drive.

Review Other Security Procedures

Make sure that you are following recommended security procedures on all computers and servers within your organization. Check your backup system to be certain it's working properly. Be sure you've implemented intrusion protection and installed anti-virus and anti-malware software on all devices that access your network. While these measures won't prevent problems with potentially malicious USB drives, they could help prevent infections that could be used to exploit clean USB drives.

Consider Using Cloud-Based Services to Store and Transfer Files

Cloud-based services are an excellent alternative for file transfer and storage and could eliminate the need to use USB drives. Cloud-based services like Dropbox, OneDrive, and Google Drive also have the added advantage of making files available from multiple devices and allow easier collaboration among your staff. Plus, these services are more affordable and accessible than ever.

While the fatal flaw in USB technology has not been exploited in the real world yet, the potential exists for serious damage to your network, your company's reputation, and the computer systems and data that you need to run your business. Educating yourself and your employees about the dangers and reducing or eliminating your dependence on these flawed devices should be an ongoing part of your IT security.

Have questions about USB drive security or other security-related concerns? FrogWorks has been helping businesses in the greater Washington DC area secure their networks against potential threats since 2002. Visit our site today to request a FREE onsite consultation or call us at 1-240-880-1944 to get started!