
USB Security Risks | What is the Single Biggest Threat Posed by USB Technology?

Written by Corey Belanger | Aug 31, 2022 1:00:00 PM

USB technology offers a convenient, easy, and inexpensive way to transfer and store electronic data. Unfortunately, the same attributes make USB devices attractive to attackers. USB drives are ubiquitous and small, which makes it difficult to detect and prevent data leakage, unauthorized USB connections to sensitive information systems, and unauthorized copying of confidential data onto USB media. Many companies also struggle to detect and prevent malware-infected USB devices from compromising their systems and networks.

Furthermore, USB-related security threats are not limited to tiny storage drives. Any device with a USB interface, including printers and phones, is a potential attack vector and adds to an organization's risk. Given the continued popularity of USB technologies, organizational cybersecurity programs must prioritize identifying and mitigating the threats they pose.


USB Security Threats Have Doubled

A recent USB threat report indicates that USB cybersecurity threats doubled within twelve months. In particular, the report found that USB technologies remain a significant attack vector, with USB-borne malware still a high-potency threat. Ubiquitous USB devices combined with predictable user behavior create a significant attack surface in the following ways:

  • Ubiquity:

    USB technologies are everywhere and will keep spreading. In fact, the USB technologies market is expected to grow at a compound annual growth rate of 9.3% from 2021 to 2028. Because USB devices are so convenient, portable, and easy to use, most people disregard their potential to cause catastrophic security incidents, which makes them one of the top attack vectors.
  • Expanded threat surface:

    USB technologies are often not what most people perceive them to be. Beyond storage drives there is a plethora of innocuous-looking USB products: devices that draw power from a USB port, USB fans, vape chargers, phone chargers, and charging cables. Each is a potential attack vector, and this expanded threat surface places USB among the highest-ranked attack vectors.
  • Lack of awareness:

    Most people are unaware of the dangers of unknown USB devices. Unsurprisingly, a study by University of Illinois researchers found that there is almost a 50% chance that someone who finds an unknown USB drive will plug it into a computer. Attackers know about human curiosity and exploit it with USB drop attacks: they leave malware-infected drives where an unaware user will find one and plug it into a company computer, letting the malware spread.
  • Supply chain attacks:

    USB devices may be compromised in the supply chain long before they reach the intended users. Attackers may infect devices before they are shipped to a specific country or organization and simply wait for someone to plug them into a computer before the attack executes.

While at least 90% of employees worldwide use USB devices for work, it is worrying that more than half of companies neither allowlist flash drives, use USB port controls to manage which devices may connect, nor encrypt the data stored on them. The following are the top risks of using USB devices.
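Allowlisting and port control, mentioned above as the controls most companies skip, come down to a policy decision made at the moment a device enumerates: who made it, which unit is it, and what does it claim to be. The script below is an added example written for this article, not the article's own material or the code of any product; it evaluates constructed device records against a constructed policy in the spirit of tools such as USBGuard, and the vendor/product IDs and serials are illustrative. It also flags the "keyboard that is also a disk" shape that the BadUSB-style devices discussed later in this article present.

```python
"""USB device allowlisting at enumeration time, in the spirit of port-control
tools such as USBGuard. This is an added example, not the article's material
or USBGuard's code. The policy, device records, and vendor/product IDs below
are constructed for illustration."""
from dataclasses import dataclass

# Interface class codes from the USB specification.
HID = 0x03           # keyboards and mice: what BadUSB-style devices present as
MASS_STORAGE = 0x08  # flash drives
CDC = 0x02           # serial / Ethernet emulation, as used by Bash Bunny modes


@dataclass(frozen=True)
class UsbDevice:
    vid: int            # vendor ID from the device descriptor
    pid: int            # product ID from the device descriptor
    serial: str         # iSerialNumber string, "" if the device has none
    interfaces: tuple   # interface class codes exposed by the device


@dataclass
class Policy:
    storage: set   # {(vid, pid, serial)}: individually approved drives
    hid: set       # {(vid, pid)}: approved keyboard/mouse models


def evaluate(dev: UsbDevice, policy: Policy) -> tuple:
    """Return ("allow" | "block", reason). Anything not matched is blocked."""
    classes = set(dev.interfaces)
    # Assumption: a keyboard that also exposes storage, serial or network
    # functions is the BadUSB/Bash Bunny shape and is never legitimate here.
    if HID in classes and classes != {HID}:
        return ("block", "input device combined with other functions (BadUSB pattern)")
    if classes == {HID}:
        if (dev.vid, dev.pid) in policy.hid:
            return ("allow", "approved input device model")
        return ("block", "input device model not on allowlist")
    if classes == {MASS_STORAGE}:
        if not dev.serial:
            return ("block", "storage device without a serial number")
        if (dev.vid, dev.pid, dev.serial) in policy.storage:
            return ("allow", "allow-listed storage device")
        return ("block", "storage device not on allowlist")
    return ("block", "interface classes not covered by policy (default deny)")


def audit(devices, policy):
    """Evaluate a batch of enumerated devices; returns (device, verdict, reason)."""
    return [(d, *evaluate(d, policy)) for d in devices]


def usbguard_rule(dev: UsbDevice) -> str:
    """Render an allow rule for an approved drive in USBGuard's rule language.
    Syntax assumed from the USBGuard docs; verify against usbguard-rules.conf(5)."""
    ifaces = " ".join(f"{c:02x}:*:*" for c in sorted(set(dev.interfaces)))
    return (f'allow id {dev.vid:04x}:{dev.pid:04x} serial "{dev.serial}" '
            f"with-interface equals {{ {ifaces} }}")


# Constructed policy: one vendor-update drive and one approved keyboard model.
POLICY = Policy(storage={(0x0781, 0x5581, "4C530001")}, hid={(0x046D, 0xC31C)})

# Constructed enumeration results, not captured from a real host.
SAMPLE_DEVICES = [
    UsbDevice(0x0781, 0x5581, "4C530001", (MASS_STORAGE,)),   # the update drive
    UsbDevice(0x0781, 0x5581, "4C530002", (MASS_STORAGE,)),   # same model, other unit
    UsbDevice(0x046D, 0xC31C, "", (HID,)),                    # approved keyboard
    UsbDevice(0x046D, 0xC31C, "", (HID, MASS_STORAGE)),       # "keyboard" with a disk
    UsbDevice(0x1D6B, 0x0002, "", (CDC,)),                    # serial/Ethernet gadget
]

if __name__ == "__main__":
    for dev, verdict, reason in audit(SAMPLE_DEVICES, POLICY):
        print(f"{dev.vid:04x}:{dev.pid:04x} {verdict:5} {reason}")
        if verdict == "allow" and MASS_STORAGE in dev.interfaces:
            print("   ", usbguard_rule(dev))
```

The important design choice is the default deny at the end: serial ports, USB Ethernet adapters and anything else the policy does not name is blocked, so a device that mimics a "trusted" class the policy never thought about does not get through. Pinning storage to vendor, product and serial is what stops a second unit of the same approved model, which is exactly how a supply-chain or drop-attack drive would try to blend in.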


USB Technologies - The Biggest Threat to ICS

USB technologies pose the biggest threat to industrial control systems. Roughly nine out of ten industrial control engineers still rely on USB devices to move files to and from plant machines. Although the internet and other innovations such as SD-WAN and cloud technologies have advanced rapidly in recent years, industrial control systems still depend heavily on USB for several reasons. Not all industrial sites or plants are connected to the internet. USB media is sometimes the only way to install vendor updates. Finally, USB is quick and easy to use, and policies that ban it outright have proven ineffective.


Advanced USB Technology Threats to ICS

  1. USBHarpoon and O.MG Cables

USBHarpoon and O.MG cables look like ordinary USB charging cables, but the connector housing contains a small implant. When the cable is plugged in, the host enumerates the implant as a human interface device (a keyboard), so it can inject keystrokes just like a BadUSB drive, while power and data still pass through to the phone or other device on the far end. Because the cable appears to work normally, it is very hard for industrial control engineers to notice and stop the abnormal behavior. The O.MG cable goes further: a Wi-Fi-enabled backdoor hidden in the connector shell lets an attacker deliver payloads to the industrial control system remotely over a Wi-Fi network.
  2. BadUSB and BadUSB2

BadUSB reprograms the firmware of a USB drive's controller so that the device also presents itself as a hardware input device, such as a keyboard. Attackers load it with a payload that types keystrokes to download and run malware on the target machine. BadUSB2 compromises systems in the same spirit, combining a hardware implant, keyboard emulation, and keylogging; because it sits in line between a real keyboard and the host, it can capture a user's credentials and replay them. That lets it defeat one-time-password logins on industrial control systems and obtain an interactive command shell on the computer over the USB channel.

  3. Bash Bunny

Bash Bunny is a small Debian Linux computer in a USB stick form factor that can impersonate trusted devices: a mass storage device, a serial port, a HID keyboard, and a USB Ethernet adapter, several of them at once. Once plugged into a target industrial control system it runs the payload selected with a multi-position switch on the device, and a central payload repository makes new attacks easy to load. Against ICS workstations it can be used to exfiltrate sensitive information, break into locked machines, plant backdoors for remote access, and perform keystroke injection, all while mimicking devices the host already trusts so that security defenses are not triggered.

  4. Rubber Ducky

The USB Rubber Ducky, released in 2010, is not malware in itself but a keystroke injection tool: it looks like a thumb drive, but the host sees it as a keyboard, and it types a pre-scripted payload at machine speed. It works on any operating system that accepts a keyboard as an input device, which is nearly all of them. Attackers use it to bypass security controls, inject malicious payloads, harvest credentials, and steal sensitive information, and one of those payloads can be ransomware that encrypts critical files on an industrial control system, causing large-scale operational disruption.
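What BadUSB, Bash Bunny, the Rubber Ducky and the implanted cables above have in common is that they all type, and they type like a machine. A keyboard allowlist does not help once the device has been approved, so the practical defense is behavioral: watch the gaps between key-down events and detach the "keyboard" when it types faster or more evenly than a person can. The script below is an added example written for this article, not code from the article, Hak5, or any product; the key event timestamps are constructed and the thresholds are assumptions to tune per environment. The same idea underlies Google's open-source ukip tool.

```python
"""Keystroke-injection detection from inter-keystroke timing. Rubber Ducky,
Bash Bunny and BadUSB cables type their payloads far faster and more evenly
than a person does. This is an added example, not from the article or Hak5;
the key events below are constructed and the thresholds are assumptions to
tune per environment."""
from statistics import mean, pstdev

FAST_MS = 30.0    # assumption: people rarely sustain gaps under 30 ms
WINDOW = 5        # consecutive fast gaps needed before we call it injection
JITTER_MS = 5.0   # assumption: human typing never has < 5 ms std deviation


def intervals(timestamps_ms):
    """Gaps between consecutive key-down events, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def is_injection(timestamps_ms, fast_ms=FAST_MS, window=WINDOW, jitter_ms=JITTER_MS):
    """Return (flagged, reason) for one keyboard's key-down timestamps."""
    gaps = intervals(sorted(timestamps_ms))
    if len(gaps) < window:
        # Short bursts (key rollover, a quick "ls") are not enough evidence.
        return (False, "too few keystrokes to judge")
    # Rule 1: a sustained run of sub-threshold gaps. Payloads that sprinkle in
    # random DELAYs of a few ms to look human still trip this.
    run = 0
    for gap in gaps:
        run = run + 1 if gap < fast_ms else 0
        if run >= window:
            return (True, f"{window} consecutive gaps under {fast_ms:.0f} ms")
    # Rule 2: machine-regular timing. A payload slowed with a fixed DELAY
    # passes rule 1 but has almost no jitter, which human typing always has.
    if pstdev(gaps) < jitter_ms and mean(gaps) < 100:
        return (True, "machine-regular timing (low jitter)")
    return (False, "human-like timing")


def assess(events):
    """events: iterable of (device_id, timestamp_ms).
    Returns {device_id: (flagged, reason)} so each keyboard is judged on its own."""
    by_device = {}
    for device, ts in events:
        by_device.setdefault(device, []).append(ts)
    return {d: is_injection(ts) for d, ts in by_device.items()}


# Constructed key-down timestamps (ms), not captured from real hardware.
HUMAN = [0, 140, 310, 420, 600, 720, 905, 1040]                # jittery, 110-185 ms gaps
DUCKY = [i * 8 for i in range(40)]                             # 40 keys at 8 ms
DUCKY_RANDOM_DELAY = [0, 22, 47, 69, 95, 118, 141, 166, 188]   # "humanized" but still fast
DUCKY_FIXED_DELAY = [i * 60 for i in range(12)]                # slowed down, zero jitter
BURST = [0, 25, 50, 80]                                        # 4 keys: not enough to judge

SAMPLE_EVENTS = (
    [("kbd-human", t) for t in HUMAN]
    + [("kbd-ducky", t) for t in DUCKY]
    + [("kbd-fixed", t) for t in DUCKY_FIXED_DELAY]
)

if __name__ == "__main__":
    for device, (flagged, reason) in assess(SAMPLE_EVENTS).items():
        print(f"{device:10} {'INJECTION' if flagged else 'ok':9} {reason}")
```

Two rules are needed because each one alone is easy to evade: a payload can slow itself down past the speed threshold, but a scripted delay is constant, and a human cannot type with constant gaps. The window requirement keeps a four-key burst from a fast typist from being reported. In production the timestamps would come from the evdev layer and the response would be to unbind the offending device, not just to print a line.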


History of Security Threats from USB Technologies

Critical industrial infrastructure components are among the most targeted systems because of the functions they perform, and at least 56% of malicious security incidents targeting them involve USB technologies. Attackers have relied on USB for years. Windows' AutoRun feature, which launched a program named in a drive's autorun.inf file as soon as removable media was connected, gave cybercriminals a perfect delivery mechanism until Microsoft disabled it for USB drives in 2011. All they needed to do was load malware onto a USB drive, leave it in a strategic location such as a hallway, and wait for someone to pick it up and plug it in; the malware then executed automatically.

The Stuxnet attack, discovered in 2010, is still fresh in most people's minds. Stuxnet was a worm built to target supervisory control and data acquisition (SCADA) systems. It was used against Iran's Natanz uranium enrichment plant, where it reportedly destroyed around a thousand centrifuges and set the enrichment program back significantly. The infection was reportedly introduced when an insider plugged an infected USB drive into the plant's isolated control network; allegedly an operative recruited by the intelligence services behind the operation carried the drive in, and the net result was significant damage to the centrifuge cascades. An unobtrusive, small USB drive enabled the first publicly known malware attack to physically destroy industrial control equipment, and it served as a wake-up call for plant operators that they can be targeted at any time.

In 2017, malware dubbed Copperfield, distributed via infected USB drives, targeted critical infrastructure in the Middle East. When an infected drive is connected to a target system, the malware installs itself automatically and then propagates to other systems and drives. Copperfield's operators obfuscated the malware with a commodity script obfuscator called BronCoder to evade signature-based antivirus and antimalware products. They also used a masquerading trick on the infected drive: the victim's legitimate files were marked hidden and replaced with shortcuts of the same name, so that double-clicking a shortcut opens the real file as expected while running the malware in the background.
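The shortcut masquerading described above leaves a recognizable footprint on the drive itself: a visible .lnk next to a hidden item of the same name. Checking a mounted drive for that footprint is cheap and catches the whole family of USB worms that use the trick. The script below is an added example written for this article, not from the article or any vendor report; the directory listing it checks is constructed, and the double-extension heuristic is an assumption of mine.

```python
"""Detect the shortcut masquerading Copperfield used on infected drives: each
real file or folder is marked hidden and a visible .lnk with the same name is
dropped next to it, so the victim double-clicks the shortcut. Added example,
not from the article or any vendor report; the listing below is constructed."""
from dataclasses import dataclass
import os
import stat
import sys


@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool
    is_dir: bool


def find_masqueraded_shortcuts(entries):
    """Return (shortcut, shadowed_item_or_None, reason) for suspicious .lnk files."""
    hidden_names = {e.name for e in entries if e.hidden}
    findings = []
    for e in entries:
        if e.is_dir or e.hidden or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4]
        if stem in hidden_names:
            # The Copperfield pattern: "Report.docx.lnk" beside a hidden "Report.docx".
            findings.append((e.name, stem, "shortcut shadows a hidden file or folder"))
        elif "." in stem:
            # Assumption: a double extension such as "Invoice.pdf.lnk" exists only
            # to look like a document once Explorer hides the ".lnk" suffix.
            findings.append((e.name, None, "shortcut disguised as a document"))
    return findings


def scan_directory(path):
    """Build Entry records for a mounted drive. Hidden means the Windows hidden
    attribute, or a leading dot elsewhere (an approximation on non-Windows hosts)."""
    entries = []
    with os.scandir(path) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            if sys.platform == "win32":
                hidden = bool(st.st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
            else:
                hidden = d.name.startswith(".")
            entries.append(Entry(d.name, hidden, d.is_dir(follow_symlinks=False)))
    return entries


# Constructed listing of an infected drive's root, not a real capture.
SAMPLE_LISTING = [
    Entry("Report.docx", hidden=True, is_dir=False),
    Entry("Report.docx.lnk", hidden=False, is_dir=False),
    Entry("Photos", hidden=True, is_dir=True),
    Entry("Photos.lnk", hidden=False, is_dir=False),
    Entry("Invoice.pdf.lnk", hidden=False, is_dir=False),
    Entry("notes.txt", hidden=False, is_dir=False),
    Entry("Readme.lnk", hidden=False, is_dir=False),
    Entry("System Volume Information", hidden=True, is_dir=True),
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    listing = scan_directory(target) if target else SAMPLE_LISTING
    for shortcut, shadowed, reason in find_masqueraded_shortcuts(listing):
        print(f"{shortcut:22} -> {shadowed or '-':12} {reason}")
```

Run it with a drive path (for example `python lnkcheck.py E:\`) to scan a real removable drive; without an argument it runs over the constructed listing. A plain `Readme.lnk` with nothing hidden behind it is not reported, and the hidden `System Volume Information` folder, which Windows creates itself, only matters if a shortcut of that name appears beside it.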

More recently, USB Killer devices have been used to damage computers beyond repair within seconds of being plugged in. The USB Killer is not a drive carrying malware but a piece of hardware: a bank of capacitors charges from the port's 5 V supply and, once full, discharges a high-voltage pulse back into the data lines, destroying the host's USB controller and often the motherboard with it. In 2019, a former student destroyed fifty-nine computers at his college with a USB Killer, causing about $58,000 in damage.