USB Exploits Pose Security Threats

Often when I am writing about cybersecurity, the situation seems worse than ever.  But its not more dangerous than its ever been, it dangerous in ways that its never been.

A team of Israeli researchers have cataloged 29 different USB exploits and attacks.  These attacks can come disguised as a smartphone charger connection, or may come hidden on a USB thumb drive.  Plugging an unknown USB drive to your computer can be a security risk, because it could be loaded with malware.  Similarly, using a public USB charging station, or a USB charger that you “found,” because if they have been tampered with, they can be part of an exploit.  For a complete list of the 29 exploits, take a look at the article on Prosyscom Technews.  The researchers categorized these exploits into 4 groups.

  • Re-programmable micro-controller USB attacks – In this exploit, the device looks like a familiar USB device, such as a battery charger or USB flash drive, but is programmed to perform as a different device, such as a keyboard, to provide keystroke injection.  These devices include:
    • Rubber Ducky – a commercially available keystroke injector.
    • USBdriveby – This flash drive key stroke injector exploit provides installation of backdoors and DNS replacement services on Apple devices running the OSX operating system.
  • Reprogrammed USB peripherals – These are everyday USB devices that have been intentionally reprogrammed by the attacker, usually through the firmware update process.
  • Unprogrammed USB device attacks – These attacks are generally about using a USB storage device or smartphone storage with special software or hidden partitions to ex-filtrate data from a network.  Many of these exploits are designed to get past “air-gapped” networks that are not accessible from the Internet.  Of the social engineering exploit of “baiting” is used to get authorized personnel to transport the flash drive on a secure facility.
  • Electrical attacks – This exploit uses the USB device to deliver a device killing electrical shock.

The take-away here is that we need to be carefully about attaching unknown or “found” USB devices to our computers or networks.  For more information and the complete list of 29 exploits, click through the following links.

More information:

 

 

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment