Attacking the USB Vector Brandon Greene


Post on 18-Jul-2015


TRANSCRIPT

Page 1: Attacking The USB Vector

Attacking the USB Vector

Brandon Greene

Page 2: Attacking The USB Vector

Quick Scope

● Information given with an emphasis on Windows 7

● Presentation will focus on USB attacks and countermeasures

● Presentation will cover countermeasures tailored to USB defense, rather than all potential defenses

Page 3: Attacking The USB Vector

Basic USB Process

● Device connected

● Address designation

● Descriptors read

● Configurations established

● Device is ready for use

Page 4: Attacking The USB Vector

USB Attacks

● USB Toolkit

● HID USB Devices

Page 5: Attacking The USB Vector

USB Toolkits (USB Attacks)

● Easy To Use

● Modular

● Versatile

● Not Always Easily Detectable

Page 6: Attacking The USB Vector

USB Toolkits (USB Attacks cont.)

● Hacksaw

– Easy to set up

– Modular

– Most successful versions rely on U3 technology

● Katana

– Offers bootable OS

Page 7: Attacking The USB Vector

HID Devices (USB Attacks)

● Abuse the trust relationship between human and machine

● Devices that rely on input device emulation

● Allows keyboard input at faster rates than humans

● Attacks generally work on anything with a USB port that accepts input

Page 8: Attacking The USB Vector

HID Devices (USB Attacks)

● USB Rubber Ducky

– Open Source

– Configurable

– Offers opportunity to alter firmware to modify device functionality

– Anything that can be done from a keyboard can be emulated by this device

Page 9: Attacking The USB Vector

Attack Device Demo

Page 10: Attacking The USB Vector

Notable USB Malware

● Stuxnet

– Propagates mainly via USB

– Avoids network traffic

– Updates and acts via C&C

– Infects intelligently

– Made to infect SCADA and Windows systems using zero day exploits (at least 4)

– Modified behavior based on AV vendors

Page 11: Attacking The USB Vector

Countermeasures

● Security Policy

● Personnel

● Physical

● Firmware

● Software

● System Policy

● Host/Network Specific

Page 12: Attacking The USB Vector

Security Policy (Countermeasure)

● Who is allowed where

● Where USB devices are allowed/disallowed

● Specifications on what USB devices may be used

● Company provided USB drives

Page 13: Attacking The USB Vector

Personnel (Countermeasure)

● EDUCATION!!!

– Don't use dropped USB drives. TURN THEM IN!

– Don't use admin account when unnecessary

– If you're not using your computer, lock it!

– Use a password

– Educate why ALL of these things are important!

Page 14: Attacking The USB Vector

Physical (Countermeasure)

● Critical machines should be in a locked and monitored environment

● Personnel to ensure device tampering doesn't happen

● USB Port Locks

● Chassis Lock

Page 15: Attacking The USB Vector

Firmware (Countermeasure)

● Password Firmware Access

● Lower USB on the Boot Order

Page 16: Attacking The USB Vector

Firmware (Countermeasure)

● Disable USB If It Is Not Needed

Page 17: Attacking The USB Vector

Firmware (Countermeasure)

● Chassis Intrusion Detection

Page 18: Attacking The USB Vector

Software (Countermeasure)

● AV

– Password-protect the AV where possible

● USB port scan software

Page 19: Attacking The USB Vector

Policy (Countermeasure)

● Disable Autorun for all

● Enforce UAC

● Whitelisting/Blacklisting

● Autorun.inf parsing
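As an added example (not part of the slides), the "Autorun.inf parsing" countermeasure in working code: a small Python parser that reads an autorun.inf as Windows does (case-insensitive INI, only the [autorun] section matters) and reports which entries would launch a program when the drive is inserted or opened, the check a removable-media scanner or policy tool would make before trusting a drive. The sample file content is constructed for the demo.

```python
import re
from typing import Dict, List

# Keys under [autorun] that make Explorer run a program directly.
# shell\<verb>\command= entries are matched separately below.
EXEC_KEYS = ("open", "shellexecute")

def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict of lower-cased keys.

    Tolerates a UTF-8 BOM, blank lines and ';' comments; the first value
    wins if a key repeats, mirroring a first-match INI lookup."""
    section = None
    entries: Dict[str, str] = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().lower(), value.strip())
    return entries

def launch_directives(entries: Dict[str, str]) -> List[str]:
    """Commands the file would execute: open=, shellexecute= and any
    shell\\<verb>\\command= verb (including the default verb set by shell=)."""
    cmds = []
    for key, value in entries.items():
        if key in EXEC_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key):
            cmds.append(value)
    return cmds

def is_risky(text: str) -> bool:
    """True when the autorun.inf tries to run anything at all."""
    return bool(launch_directives(parse_autorun(text)))

# Constructed sample: a drive that auto-launches an installer and adds a
# context-menu verb that runs the same binary. Not from any real device.
SAMPLE = """\ufeff[AutoRun]
; vendor tools disk
OPEN=setup.exe /s
icon=setup.exe,0
label=Vendor Tools
shell\\install\\command=setup.exe /install
shell\\install=&Install
shell=install
"""

if __name__ == "__main__":
    print("launches:", launch_directives(parse_autorun(SAMPLE)))
```

A benign autorun.inf that only sets icon= and label= yields an empty list, which is the case a whitelist policy can safely allow.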

Page 20: Attacking The USB Vector

Host/Network Specific (Countermeasures)

● Network AV

● Firewalls

● HIDS/HIPS

Page 21: Attacking The USB Vector

Ecology based Countermeasures

● Military and Government Computers

● Enterprise Based Computers

● Public Computers

● Personal Computers

Page 22: Attacking The USB Vector

After Thoughts

● Security of Whitelisting: how secure is it?

● AV vs. Custom Malware

● Countermeasure effectiveness vs. convenience

● USB Banning vs. restricting

● How to spread this knowledge to those who don't know it is needed?

● Is it possible to stop an attack, even with these countermeasures in an espionage-prone environment?

Page 23: Attacking The USB Vector

Why Should You Care?