USB Exploits Pose Security Threats

Often when I am writing about cybersecurity, the situation seems worse than ever.  But its not more dangerous than its ever been, it dangerous in ways that its never been.

A team of Israeli researchers have cataloged 29 different USB exploits and attacks.  These attacks can come disguised as a smartphone charger connection, or may come hidden on a USB thumb drive.  Plugging an unknown USB drive to your computer can be a security risk, because it could be loaded with malware.  Similarly, using a public USB charging station, or a USB charger that you “found,” because if they have been tampered with, they can be part of an exploit.  For a complete list of the 29 exploits, take a look at the article on Prosyscom Technews.  The researchers categorized these exploits into 4 groups.

  • Re-programmable micro-controller USB attacks – In this exploit, the device looks like a familiar USB device, such as a battery charger or USB flash drive, but is programmed to perform as a different device, such as a keyboard, to provide keystroke injection.  These devices include:
    • Rubber Ducky – a commercially available keystroke injector.
    • USBdriveby – This flash drive key stroke injector exploit provides installation of backdoors and DNS replacement services on Apple devices running the OSX operating system.
  • Reprogrammed USB peripherals – These are everyday USB devices that have been intentionally reprogrammed by the attacker, usually through the firmware update process.
  • Unprogrammed USB device attacks – These attacks are generally about using a USB storage device or smartphone storage with special software or hidden partitions to ex-filtrate data from a network.  Many of these exploits are designed to get past “air-gapped” networks that are not accessible from the Internet.  Of the social engineering exploit of “baiting” is used to get authorized personnel to transport the flash drive on a secure facility.
  • Electrical attacks – This exploit uses the USB device to deliver a device killing electrical shock.

The take-away here is that we need to be carefully about attaching unknown or “found” USB devices to our computers or networks.  For more information and the complete list of 29 exploits, click through the following links.

More information:

 

 

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instruction for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
  Related Posts

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.