[BreachExchange] A USB Hack Can Occur Even Without a Flash Drive

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 8 18:41:04 EDT 2016


http://tech.co/usb-hack-flash-drive-2016-08

“Does dropping a USB in a parking lot really work?” was the question posed
by Elie Bursztein of Google’s Anti-Abuse Research Team when he took the
stage at BlackHat 2016 Las Vegas, NV. You might think you would never be
the victim of a USB hack, and I hope you’re right. But after watching
Bursztein’s presentation, I learned more about the various ways that
computers can be harmed through the USB drive.

Who Would Pick Up a USB Drive in a Parking Lot?

This parking lot scenario refers to the belief by hackers that end users
will pick up and plug in a USB flash drive they find lying around. Yes,
even a thumb drive found lying in the street – if you watched Season 1 of
Mr. Robot, you know what I’m talking about. In episode six, Darlene drops
USB flash drives in the parking lot of a prison in hopes that some employee
of the prison will pick up the drive and connect it to a computer inside
the prison. Spoiler Alert: It works.

Who would be idiot enough to plug a random USB into a computer? It turns
out, many people. Bursztein references a study he participated in to
identify the likelihood of a successful USB hack. The research team dropped
297 USB keys on the campus of the University of Illinois Urbana-Champaign
and found that 48 percent of the drives were plugged in and the users had
opened a file.

You Don’t Need Admin Rights to Plug in a USB

USB flash drives are easy to plug in and, usually, admin rights are not
needed to do so. Your curiosity can be easy to pique – especially if the
drive has been labeled with “test answers” or “private”.  You might think
you’re just going to look around, or even quickly format the drive to
repurpose it for personal use. You would never click a random .exe. You are
even savvy enough to avoid all files, like a Word document, since you
already know that Word documents can contain malicious macros.

Unfortunately, the risk doesn’t just start and end with the files on a
device. A USB hack can begin instantly, if it has a malicious autorun
payload. This will execute the moment you plug in the drive.

A USB Hack Only Needs a Port

But maybe you’re smarter than that. Maybe you are the person who would walk
right past that flash drive in the parking lot. But the risk isn’t just
with these drives. Hackers can also embed the USB drive into components
that need to be plugged in anyway: the end of a keyboard plug, for
instance, can be the perfect portal to take down an entire sensitive
network.

There have already been examples of hackers and researchers hosting malware
packages inside the firmware of a device like a mouse. Firmware is code
that lives in the read-only embedded memory of a device and tells the
hardware how to work. It’s meant to only run inside the device, but it’s
possible to change this code for malicious purposes. Oh, and it’s not
possible for antivirus programs to scan this type of code.

The takeaway? It’s time for hardware manufacturers to validate firmware in
order to protect consumers from these types of exploits. In the meantime,
educate anyone with access to your computers about awareness, and take
precaution to block the USB ports if you are concerned about lax security.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160808/11a14bb7/attachment.html>


More information about the BreachExchange mailing list