Will we ever fix ‘broken’ USB stick security?

In a recent study, researchers from Google and the universities of Illinois and Michigan dropped nearly 300 USB sticks off at the University of Illinois Urbana-Champaign campus and measured how many of these were plugged into student machines.

The findings were alarming, and indicative of just how dangerous USBs can be. “We found that users picked up, plugged in, and clicked on files in 48% of the drives we dropped,” the authors of the report commented. “They did so quickly: the first drive was connected in less than six minutes.”

A small number, just 32%, took precautions to protect themselves from possible threats. For those respondents who considered protective measures, 16% scanned the drive with their antivirus software while 8% believed that their operating system or security software would protect them.

More surprisingly perhaps, another 8% ‘sacrificed’ a personal computer or used university resources to protect their personal equipment.

“These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks than their peers,” the report’s authors explained.

“We conclude with lessons learned and discussion on how social engineering attacks – while less technical – continue to be an effective attack vector that our community has yet to successfully address.”

USB stick security is flawed

USB

This is the sign that people continue to let their intrigue get the better of them, plugging in USB sticks with little thought or concern for the possible after-effects.

And there have been some notorious examples where USBs have already caused significant damage – the infamous Stuxnet malware spread across Iranian centrifuges via an infected USB flash drive, while last month it was emerged that 18 malware-ridden USB thumb drives were found at a nuclear site in Germany.

The issue here is that USB malware is growing in potency and popularity in the underground market. Cybercriminals recognize that it’s an easy way of compromising an individual or business.

A common tactic of cybercriminals is to hide malicious code on a USB drive so that when it is plugged in, the code executes and installs itself on the computer without the user’s knowledge. The malware then spreads across connected computers and allows criminals to access the user’s data or use their computers to help them attack their ultimate target.

Some USB malware is worse than others. For example, the BadUSB malware can enable a cybercriminal to take control of a computer, invisibly alter files or even direct the user’s internet traffic – a useful way of delivering an additional payload.

A newer version, dubbed USB Killer and developed by researcher Dark Purple, could apparently “fry” a computer’s motherboard seconds after the dongle had been inserted in the USB port.

Some have gone on to argue that USBs are insecure by design; Karsten Nohl, the founder and chief scientist of Berlin-based Security Research Labs, has previously said that the majority of USB thumb drives do not protect their firmware, the software that runs on the microcontroller inside them.

This means that a malware program could replace the firmware and suggests its own commands to USB devices, like a keyboard for example.

Missing USBs not a new problem

The issue is not only that this drop-attack is a common technique employed by varying levels of cybercriminals, but also that USB sticks continue to be lost or stolen. They can end up in all places – although often governments and police departments are the worst offenders.

A study ESET carried out at the start of the year revealed that over 22,000 USB memory sticks end up in dry cleaners alone, with 45% of these never getting returned to their owners.

They also end up on public transport, in particular trains. Many of these remain lost forever, but a few end up in the hands of criminals and opportunistic individuals.

Education required

USB

The problem that continues to engulf USB devices is that people are still largely unaware of the dangers involved. This is also, perhaps more surprisingly, even the case in business.

In 2011, a study conducted by the Ponemon Institute showed that an alarming number of companies do not consider protection of information on a USB drive to be high priority. Meanwhile, less than one-third of organizations believed they had adequate policies to prevent USB misuse.

In contrast, nearly half of large organizations have lost sensitive or confidential information on USB drives in just the past two years, and the rate is climbing significantly. Statistically, an average of 12,000 customer records are lost per organization due to missing USB drives.

Security experts say that end users must be educated on the dangers, as well as informed about good practice. The latter can usually be done through security awareness campaigns.

Other firms take a more aggressive approach, banning USB drives from their environment, even gluing up USB ports or preventing untrusted memory sticks from connecting to external devices.

People could encrypt information on flash drives, in the event of losing them, although this still doesn’t guard against the risk of an external attack.

USBs will, sadly, continue to be a security risk; people are prone to losing such devices, whilst the success of social engineering USB attacks (like leaving random keys in car parking lots as above) means that cybercriminals will continue to see this as an easy way into organizations.

However, with more security training, more secure USB drives and an increasing awareness around cybercrime tactics, you can make sure you don’t fall victim to this surprising common cyberattack.

Author , ESET

  • sproggit

    What this article tells us is that human behaviour actually hasn’t changed since USB sticks were first introduced. In other words, the problem isn’t “USB stick security” at all. The problem is that Operating Systems / Computers, faced with the presence of a USB stick, have default configurations which permit stupid things to happen.

    I own a tiny, fanless computer system that uses a Core i5 processor and which has no optical drive. I was able to install my OS of choice [Mint Linux] on this machine simply by creating a Mint “bootable USB stick” and configuring the system BIOS to boot from USB. The thing is, although the BIOS was intelligent enough to allow me to boot from the device, it actually gives me limited opportunities for “human intervention”.

    For example, the BIOS could be configured to detect the USB stick, look for a file called “sha2sum.txt” in the root folder, then compute a hash of the entire drive and compare it to the provided one, reporting the results to me in the manner of, “Bootable USB with SHA2 Hash detected. Checksum verified and signed by ‘Linux Mint Distribution’. OK to proceed with boot (Y/N)?” … But it doesn’t…

    Achieving something equally or more secure once a native OS is up and running would be even easier, with all the resources of a full OS [not just a BIOS] to draw on. Unfortunately, however, the fact remains that [to the best of my knowledge] no current BIOS has any form of “security capability” to check the integrity of “installation media”, nor do any existing common OS platforms mandate security/integrity checks of any inserted removable media.

    Both of these safeguards would be relatively easy [if not trivially easy] to implement.

    Curiously, UEFI is a sort-of solution to the boot/installation problem, but it is not as flexible as it needs to be [and seems on the face of it to have been designed to make it specifically difficult for end users to install non-Windows OS types. That sort of thing isn’t actually going to help security…

    But back to the discussion of the article. USB devices are not the security risk. One aspect of the issue is lack of security-aware users, but the *issue* amount to utterly stupid design decisions in modern operating systems, that allow auto-mounting of unknown media without mandating basic security checks.

Follow us

Copyright © 2018 ESET, All Rights Reserved.