Often when I am writing about cybersecurity, the situation seems worse than ever. But its not more dangerous than its ever been, it dangerous in ways that its never been.
A team of Israeli researchers have cataloged 29 different USB exploits and attacks. These attacks can come disguised as a smartphone charger connection, or may come hidden on a USB thumb drive. Plugging an unknown USB drive to your computer can be a security risk, because it could be loaded with malware. Similarly, using a public USB charging station, or a USB charger that you “found,” because if they have been tampered with, they can be part of an exploit. For a complete list of the 29 exploits, take a look at the article on Prosyscom Technews. The researchers categorized these exploits into 4 groups.
- Re-programmable micro-controller USB attacks – In this exploit, the device looks like a familiar USB device, such as a battery charger or USB flash drive, but is programmed to perform as a different device, such as a keyboard, to provide keystroke injection. These devices include:
- Rubber Ducky – a commercially available keystroke injector.
- USBdriveby – This flash drive key stroke injector exploit provides installation of backdoors and DNS replacement services on Apple devices running the OSX operating system.
- Reprogrammed USB peripherals – These are everyday USB devices that have been intentionally reprogrammed by the attacker, usually through the firmware update process.
- Unprogrammed USB device attacks – These attacks are generally about using a USB storage device or smartphone storage with special software or hidden partitions to ex-filtrate data from a network. Many of these exploits are designed to get past “air-gapped” networks that are not accessible from the Internet. Of the social engineering exploit of “baiting” is used to get authorized personnel to transport the flash drive on a secure facility.
- Electrical attacks – This exploit uses the USB device to deliver a device killing electrical shock.
The take-away here is that we need to be carefully about attaching unknown or “found” USB devices to our computers or networks. For more information and the complete list of 29 exploits, click through the following links.
More information:
Share
MAR
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com