You would expect USB drives to be the least of our worries when it comes to cyber attacks. But as any cybersecurity company can confirm, these mostly underrated devices turn out to be some of the 'sweetest' attack avenues for cyber criminals. Aware that human beings are curious by nature, attackers capitalize on this basic human weakness to tempt us into plugging in and opening unknown USB devices, simply to satisfy our curiosity.
This is an interesting type of attack. It normally starts with innocent questions such as "What might be inside here?" or "Whose USB is this?", and ends with the monumental regret of "I wish I had never opened that USB". Since it is impossible to rein in human curiosity in a strict sense, the best recourse for security managers is to understand this threat and enforce strong protection measures.
What is a USB drop attack?
A USB drop attack is a type of cyber attack in which an attacker intentionally drops or leaves an infected USB drive in a strategic public place in the hope that someone will find it and plug it into their work computer. USB drives can be disguised as anything from a pen drive to a key fob, so victims are often unaware that they are being targeted. Attackers can also plug the USB into the victim's computer themselves and hope that the victim will notice it and want to know its contents. This variant is commonly executed by insiders. Once plugged in, the USB automatically executes malicious commands.
There is also an indirect approach: instead of dropping a physical USB device or plugging it into the victim's computer, the attackers use USB charging ports. They can leave a malicious device behind a charging port or pretend to have forgotten their own USB charging cable in the port. When a user, relieved to have finally found a port to rescue their dying battery, plugs in, they have no idea that the port or cable they are about to use is malicious and will in turn infect their device.
Unfortunately, USB drop attacks are often overlooked by organizations, leaving them vulnerable to this type of attack.
There are various ways criminals can shape the attack. But these are the most common:
- Reprogrammed firmware: The USB's internal firmware is reprogrammed so that it automatically runs code as soon as a victim connects the malicious USB to their device. The code can unleash all manner of attacks, from stealing data to installing malware that can crash devices on the company's network. In some cases, the USB presents itself to the computer as a keyboard and starts typing damaging instructions into the device.
- USB killer: The connected USB draws power from the port and stores it. Once the stored charge reaches the threshold set by the attacker, the USB discharges it back into the affected device in one go. The resulting power surge will destroy the machine and can damage further equipment on the network.
A company in Hong Kong has created an ethical USBKill device that is used by penetration testers to test the robustness of data lines by actually disabling or 'killing' vulnerable devices that hold critical data. While such devices are created to help companies test and protect their systems, malicious attackers can also get hold of the same devices and use them to harm systems. With pricing starting as low as $100, even the most basic attacker can kill your systems.
How to protect your company against USB drop attacks?
While there's no way to 100% prevent USB drop attacks, there are plenty of things you can do to make it harder for an attacker to succeed. Use the following tips to protect your company.
1. Disable autorun
You can help prevent USB drop attacks on your company's computers by disabling the autorun feature on all computers. This stops malicious software from automatically running when a USB drive is inserted into any computer on the network.
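One way to apply step 1 on a Windows host, as an added example that is not part of the original article: the script writes the same Explorer policy values that the "Turn off Autoplay" and "Default behavior for AutoRun" Group Policy settings use, then re-reads them so the check can double as a compliance test. It assumes an elevated PowerShell session.

```powershell
# Added example (not from the article): disable AutoRun and AutoPlay on a
# Windows host via the Explorer policy key. Run from an elevated prompt;
# the values take effect for new logon sessions / after Explorer restarts.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-UsbAutorun {
    if (-not (Test-Path $explorerPolicy)) {
        New-Item -Path $explorerPolicy -Force | Out-Null
    }
    # 0xFF = turn off AutoRun on every drive type, including removable and unknown.
    Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # "Default behavior for AutoRun": 1 = never execute autorun.inf commands.
    Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun' -Value 1 -Type DWord
    # Also stop AutoPlay for non-volume devices such as cameras and phones (MTP).
    Set-ItemProperty -Path $explorerPolicy -Name 'NoAutoplayfornonVolume' -Value 1 -Type DWord
}

function Test-UsbAutorunDisabled {
    # Returns $true only when all three policy values are set as expected,
    # so an inventory script can call it on every host and report drift.
    $p = Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue
    return ($p.NoDriveTypeAutoRun -eq 0xFF) -and
           ($p.NoAutorun -eq 1) -and
           ($p.NoAutoplayfornonVolume -eq 1)
}

Disable-UsbAutorun
if (Test-UsbAutorunDisabled) {
    Write-Output 'AutoRun/AutoPlay policy applied.'
} else {
    Write-Warning 'Policy values not set; check that the shell is elevated.'
}
```

This only blocks autorun.inf-style execution: a drive whose firmware presents itself as a keyboard, as described under "Reprogrammed firmware", is unaffected, which is why the device controls in step 3 still matter.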
2. Identify common places where USB drop attacks can happen
USB drop attacks can happen anywhere in your company. But some places happen to be more common than others.
For example, the server room is a popular target for hackers. That's because servers often contain sensitive information, such as usernames, passwords, and credit card numbers. So if someone manages to gain access to your server room, they could potentially steal or compromise your company's sensitive data.
Other common places where USB drop attacks can happen include:
- The breakroom
- The parking lot
- The copy room
- The supply closet
Once you have identified these common areas, the next step is to deploy extra vigilance there: consistently watch for, and remove, strange USBs.
3. Physical security measures
- Install security cameras in high-traffic areas. This will help you keep an eye on everyone who enters and leaves your office.
- Make sure your reception area is well-staffed and alert. You want to make sure that there's always someone there who can greet guests and keep an eye on their belongings.
- Keep your office locked down. Make sure everyone has a key or access card to get into the building, and be sure to monitor who's coming and going.
- USB port blockers or covers. These small devices fit over the USB ports of computers and physically block unauthorized devices from being plugged in. They are not 100% foolproof, but they are a good way to add an extra layer of security to your devices. You can also use a combination of blockers and passwords to lock out unauthorized USBs.
4. Employees should not plug unknown USBs
This may seem like common sense, but you would be surprised at how many people forget this rule—or just choose to ignore it. And when employees are allowed to plug in whatever they want, that's when USB drop attacks can happen.
Train employees, make sure they are aware of the risks, and remind them regularly. You can even go as far as putting up signs that remind them not to plug in unknown USBs. "Unknown" means any USB that is not sanctioned for use in the company and therefore amounts to shadow IT, including employees' personal thumb drives.
It is also important to keep only essential USB devices in the office. By essential, we mean USBs that are absolutely necessary for the company to run. Everything else should be locked away in a storage room.
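A way to check step 4 on an individual Windows host, as an added example that is not part of the original article: Windows keeps a key under USBSTOR for every USB mass-storage device it has ever enumerated, even after the device is unplugged, so comparing those entries against the list of drives the company actually issued reveals shadow-IT thumb drives. The sanctioned serial numbers below are constructed placeholders; the script reads only the registry and changes nothing.

```powershell
# Added example (not from the article): list every USB mass-storage device
# this host has ever seen and flag those not on the company's sanctioned list.
# Assumption: sanctioned drives are identified by serial number (constructed values).
$sanctionedSerials = @('0123456789ABCDEF', 'FEDCBA9876543210')

function Get-UsbStorageHistory {
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $usbstor)) { return @() }
    foreach ($model in Get-ChildItem -Path $usbstor) {
        # Model key names look like Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP
        foreach ($instance in Get-ChildItem -Path $model.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            # Instance key is "<serial>&<port>"; drop the "&0" suffix. Drives with no
            # unique serial get a Windows-generated id instead (starts with a digit and '&').
            $serial = ($instance.PSChildName -split '&')[0]
            [pscustomobject]@{
                Model        = $model.PSChildName
                Serial       = $serial
                FriendlyName = $props.FriendlyName
                Sanctioned   = $sanctionedSerials -contains $serial
            }
        }
    }
}

$history = @(Get-UsbStorageHistory)
$history | Format-Table Model, Serial, FriendlyName, Sanctioned -AutoSize
$unknown = @($history | Where-Object { -not $_.Sanctioned })
if ($unknown.Count -gt 0) {
    $msg = '{0} unsanctioned USB storage device(s) have been connected to this host.' -f $unknown.Count
    Write-Warning $msg
}
```

Running this from the endpoint-management tool across the fleet turns the "no unknown USBs" rule into something you can measure rather than only remind people about.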
5. Virtual computers
You can create a virtual machine that acts as a separate computer on your physical computer, isolated from the rest of the host's system. Suspect USBs can then always be opened in this virtual machine.
If a USB is infected, it can only affect the virtual machine, and this has no effect on the company's systems since the virtual machine is fully isolated from the rest.
6. Air-gapped computers
An air-gapped computer is one that is connected neither to the internet nor to the company's internal network. You can designate this computer as the only one that may be used to open USBs that are considered foreign to the company.
Opening foreign USBs on an air-gapped computer limits any potential damage from the USB to that computer only. Since it holds nothing of importance and is not connected to the network, an attack will be just that: an attack without consequences.
7. Antivirus updates
Perhaps this needs no mention. But sometimes it helps to repeat the obvious: antivirus programs must be updated, consistently. This is a primary defensive security practice that has existed for ages, since before cyber security became huge. It is still a fundamental practice and one that should never be ignored in the company.
An outdated antivirus program will not guard your company against any type of attack, let alone a USB drop attack. In fact, it might even leave your networks vulnerable to more advanced attacks.
8. Take action against lost and found USBs
Companies should have a policy that guides all staff on how to treat lost and found USBs. Of course, we are assuming that you already have measures in place for lost or stolen devices. But what happens when some are found? How should employees handle a device that was lost but has now turned up?
First, ensure that no lost and found USB is used on any device on the network before it has been reported to the security department as found. Second, any lost and found USB device must be handed over to the security team for thorough scrutiny and 'cleaning' before it is returned to the network.
In 2008, the US military was hit with a USB drop attack on its computer networks. It started with the simple insertion of a USB flash drive into a military laptop at one of its Middle East bases. The flash drive unleashed malicious code from a foreign agency. This code uploaded itself into the Central Command network and caused the transfer of both classified and unclassified data to foreign servers. If the US military can be a victim, what about an ordinary business?
The simplicity of these attacks makes them much worse because the magnitude of the attacks is not even influenced by the financial might of the attacker. Anyone with a few dollars can execute some form of USB drop attack with significant consequences.
As for curiosity, human beings will always be curious even when trained not to be. It is not something you can easily control among your teams; no company has succeeded. From the manager to the floor worker, we all have this nagging urge to "open" things and see what is inside. This means that, as a company, strict security policies are your best bet for countering these attacks.