USB Exploits Pose Security Threats

Often when I am writing about cybersecurity, the situation seems worse than ever.  But its not more dangerous than its ever been, it dangerous in ways that its never been.

A team of Israeli researchers have cataloged 29 different USB exploits and attacks.  These attacks can come disguised as a smartphone charger connection, or may come hidden on a USB thumb drive.  Plugging an unknown USB drive to your computer can be a security risk, because it could be loaded with malware.  Similarly, using a public USB charging station, or a USB charger that you “found,” because if they have been tampered with, they can be part of an exploit.  For a complete list of the 29 exploits, take a look at the article on Prosyscom Technews.  The researchers categorized these exploits into 4 groups.

  • Re-programmable micro-controller USB attacks – In this exploit, the device looks like a familiar USB device, such as a battery charger or USB flash drive, but is programmed to perform as a different device, such as a keyboard, to provide keystroke injection.  These devices include:
    • Rubber Ducky – a commercially available keystroke injector.
    • USBdriveby – This flash drive key stroke injector exploit provides installation of backdoors and DNS replacement services on Apple devices running the OSX operating system.
  • Reprogrammed USB peripherals – These are everyday USB devices that have been intentionally reprogrammed by the attacker, usually through the firmware update process.
  • Unprogrammed USB device attacks – These attacks are generally about using a USB storage device or smartphone storage with special software or hidden partitions to ex-filtrate data from a network.  Many of these exploits are designed to get past “air-gapped” networks that are not accessible from the Internet.  Of the social engineering exploit of “baiting” is used to get authorized personnel to transport the flash drive on a secure facility.
  • Electrical attacks – This exploit uses the USB device to deliver a device killing electrical shock.

The take-away here is that we need to be carefully about attaching unknown or “found” USB devices to our computers or networks.  For more information and the complete list of 29 exploits, click through the following links.

More information:

 

 

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
  Related Posts

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.