
(Dark Reading) USB devices have been a grave security threat ever since they were first introduced (darkreading.com)
More: Facepalm, USB flash drive, Attack, air gap, malware frameworks, Universal Serial Bus, Computer virus, Attack!, Stuxnet attack

958 clicks; posted to STEM on 07 Dec 2021 at 12:17 AM (6 weeks ago)



 
2021-12-06 11:00:22 PM  
We ran into this problem quite a bit at my last place of employment. Password protecting the firmware to prevent turning USB ports back on is "kinda" good enough, but I think firmware has to evolve to something better or we're never going to solve this.

And no, you can't count on the operating system to control access to the USB port. At that point, it's way too late.
 
2021-12-07 12:46:04 AM  

Lsherm: We ran into this problem quite a bit at my last place of employment. Password protecting the firmware to prevent turning USB ports back on is "kinda" good enough, but I think firmware has to evolve to something better or we're never going to solve this.

And no, you can't count on the operating system to control access to the USB port. At that point, it's way too late.


Hot glue gun?
 
2021-12-07 12:52:39 AM  

Mad_Radhu: Lsherm: We ran into this problem quite a bit at my last place of employment. Password protecting the firmware to prevent turning USB ports back on is "kinda" good enough, but I think firmware has to evolve to something better or we're never going to solve this.

And no, you can't count on the operating system to control access to the USB port. At that point, it's way too late.

Hot glue gun?


Meh, it's everything. Your hot glue gun is only part of it. ;)
 
2021-12-07 12:59:39 AM  

Lsherm: Mad_Radhu: Lsherm: We ran into this problem quite a bit at my last place of employment. Password protecting the firmware to prevent turning USB ports back on is "kinda" good enough, but I think firmware has to evolve to something better or we're never going to solve this.

And no, you can't count on the operating system to control access to the USB port. At that point, it's way too late.

Hot glue gun?

Meh, it's everything. Your hot glue gun is only part of it. ;)


The most important part is immunizing your system against humans, which is impossible if humans need to use it

/USB device introduced crap wouldn't even be an issue if people weren't farking idiots
 
2021-12-07 1:07:11 AM  
17 in a decade isn't bad, although I realize they didn't claim to look at all of them.

The air gap is still fairly effective, statistically.

At my job, some production equipment is touch-screen with built in keyboard only, no usb ports or Bluetooth.  Well, at least not without some real effort to take things apart.
 
2021-12-07 1:28:25 AM  
A USB port-launched attack means the attacker has physical access to the machine, and there isn't a whole lot you can do in that case.

If you're worried about virii and such coming in as hitchhikers, same rules apply as on things like email. Don't let anything run without explicit permission.
 
2021-12-07 1:34:41 AM  
USB attacks have come a long way. I have a normal looking USB-C cable that has a wifi access point built right into the cable, that's farking wild.
 
2021-12-07 1:35:12 AM  
If you want to know if a USB device is potentially malicious, plug it into a Windows machine that has no network connection and inspect the most recent entries in C:\Windows\INF\setupapi.dev.log to see what the Plug and Play subsystem enumerated from the device. A sophisticated attacker might create their malicious USB device to play possum for its first n hours of operation before suddenly making a malicious endpoint appear, but that would probably require nation-state sponsorship to accomplish.

/Windows Device Manager View menu "Devices by connection" option is also your friend
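
The log check described in the comment above, as an added example that is not part of the original comment: a Python parser that reads device-install sections in the setupapi.dev.log layout and flags any interface first installed long after the same VID/PID first appeared. The sample log is constructed and simplified, the VID/PID values and instance IDs are placeholders, and the five-minute grace window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified excerpt in the layout of setupapi.dev.log.
# The VID/PID values and instance IDs are placeholders, not real devices.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_1234&PID_ABCD\EXAMPLE0001]
>>>  Section start 2021/12/06 21:00:05.120
>>>  [Device Install (Hardware initiated) - USB\VID_1234&PID_ABCD&MI_00\6&EXAMPLE&0&0000]
>>>  Section start 2021/12/06 21:00:06.480
>>>  [Device Install (Hardware initiated) - USB\VID_5678&PID_0001\6&EXAMPLE&0&3]
>>>  Section start 2021/12/06 21:10:00.000
>>>  [Device Install (Hardware initiated) - HID\VID_5678&PID_0001\7&EXAMPLE&0&0000]
>>>  Section start 2021/12/06 21:10:01.250
>>>  [Device Install (Hardware initiated) - HID\VID_1234&PID_ABCD&MI_01\7&EXAMPLE&0&0000]
>>>  Section start 2021/12/07 00:15:40.300
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(.*?\) - ([^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")
VIDPID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)

def parse_installs(text):
    """Return (timestamp, device instance ID) for every device-install section."""
    installs, pending = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            pending = m.group(1)
        elif (m := START.match(line)) and pending:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            installs.append((when, pending))
            pending = None
    return installs

def late_interfaces(installs, grace=timedelta(minutes=5)):
    """Flag interfaces first installed long after the same VID/PID first appeared."""
    first_seen, findings = {}, []
    for when, instance in sorted(installs):
        if not (m := VIDPID.search(instance)):
            continue
        key = (m.group(1).upper(), m.group(2).upper())
        first = first_seen.setdefault(key, when)
        if when - first > grace:
            findings.append((key, instance.split("\\")[0], when - first))
    return findings

if __name__ == "__main__":
    for key, bus, delay in late_interfaces(parse_installs(SAMPLE_LOG)):
        print(f"{key[0]}:{key[1]} added a {bus} interface {delay} after first install")
```

The log records a section when a device instance is installed, so a flagged entry means a new interface appeared for hardware that was already known; a device that exposes every interface at first plug-in needs the per-section review the comment describes.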
 
2021-12-07 1:35:42 AM  
A company a few many years ago thought that unplugging the computer's speaker would relate to more output.
 
2021-12-07 2:06:54 AM  

solokumba: A company a few many years ago thought that unplugging the computer's speaker would relate to more output.


...what?
 
2021-12-07 2:19:22 AM  

Smoking GNU: solokumba: A company a few many years ago thought that unplugging the computer's speaker would relate to more output.

...what?


I know. Something about listening to music or something. Idiot admins. Like listening to music made you work slower or the network was so lame it could not handle it.
 
2021-12-07 2:20:42 AM  
"USB devices have been..."
that's a funny way to spell 'users' submitter

if it's not your company usb device stop plugging it into shiat.  this includes, but is not limited to:
your kid's usb
your friend's usb
that usb you found in your drawer randomly

if it's not YOUR usb that you know exactly what it is and know every PC it's been plugged into fark off with it.  don't plug it into work PCs.
 
2021-12-07 2:44:21 AM  

solokumba: Smoking GNU: solokumba: A company a few many years ago thought that unplugging the computer's speaker would relate to more output.

...what?

I know. Something about listening to music or something. Idiot admins. Like listening to music made you work slower or the network was so lame it could not handle it.


Oh, they were just being idiot assholes. Thought they were spouting nonsense about the PC's I/O system.
 
2021-12-07 5:26:07 AM  

solokumba: Smoking GNU: solokumba: A company a few many years ago thought that unplugging the computer's speaker would relate to more output.

...what?

I know. Something about listening to music or something. Idiot admins. Like listening to music made you work slower or the network was so lame it could not handle it.


Actually scientific studies have shown time and again that listening to music slows your pace
 
2021-12-07 6:09:12 AM  
Humans* have been a grave security threat ever since they were introduced.

You can secure your system as much as you want, but if Joanne in accounting and Carl in maintenance want to trade pictures from the office party last week, best of luck.
 
2021-12-07 6:26:37 AM  

lifeslammer: solokumba: Smoking GNU: solokumba: A company a few many years ago thought that unplugging the computer's speaker would relate to more output.

...what?

I know. Something about listening to music or something. Idiot admins. Like listening to music made you work slower or the network was so lame it could not handle it.

Actually scientific studies have shown time and again that listening to music slows your pace


I'm sure you have links to all the studies you are referring to...
 
2021-12-07 6:59:35 AM  
Nearly every data center will have loaner screens and keyboards for techs to use when systems are broken.

When a keyboard plugs in, it creates a virtual channel and then the keyboard gets put on a sub channel.  At any time the keyboard can ask the host to renumber the sub channels. That means a sleeper device can be built into a stock standard USB device like a keyboard or mouse or whatever and look legit.  Once it is triggered it can do stuff like bring up a hard disk storage device which the OS should ignore but since the main channel is open, if it shows up on, say, the 10th sub channel, there is a chance that it will "just work".  The extra cool part about this is the device can pretend to be something like but not quite like a storage device.  There are standards for things like BIOS-like loaders and the provision for drivers to be auto loaded.

This isn't as bad as the stuff firewire used to do which allows full memory of the host by the device.

As far as software complexity, the USB software stack is way more complex than the TCP/IP network stack. There will always be nasty bugs hiding all over it.
 
2021-12-07 7:12:11 AM  
A new study of 17 malware frameworks shows threat actors always use USB drives to sneak malware into air-gapped environments and then steal data from there.

They actually had to put together a study to figure that out?
 
2021-12-07 7:47:26 AM  

DON.MAC: Nearly every data center will have loaner screens and keyboards for techs to use when systems are broken.

When a keyboard plugs in, it creates a virtual channel and then the keyboard gets put on a sub channel.  At any time the keyboard can ask the host to renumber the sub channels. That means a sleeper device can be built into a stock standard USB device like a keyboard or mouse or whatever and look legit.  Once it is triggered it can do stuff like bring up a hard disk storage device which the OS should ignore but since the main channel is open, if it shows up on, say, the 10th sub channel, there is a chance that it will "just work".  The extra cool part about this is the device can pretend to be something like but not quite like a storage device.  There are standards for things like BIOS-like loaders and the provision for drivers to be auto loaded.

This isn't as bad as the stuff firewire used to do which allows full memory of the host by the device.

As far as software complexity, the USB software stack is way more complex than the TCP/IP network stack. There will always be nasty bugs hiding all over it.


Isn't there a Razer mouse for that?
 
2021-12-07 7:54:40 AM  

trerro: A USB port-launched attack means the attacker has physical access to the machine, and there isn't a whole lot you can do in that case.

If you're worried about virii and such coming in as hitchhikers, same rules apply as on things like email. Don't let anything run without explicit permission.


Not necessarily.  One social engineering tactic an attacker can use is to drop a few infected USB sticks around a parking lot of the target.  Perfect bait for the average employee to say, "Hmmmm.  I wonder who lost this" and will bring it inside the building and plug it into a machine that's connected to the network.  I've worked in IT close to 30 years, and the dumb things the average user does is beyond belief.  I've witnessed IT pros being even dumber.
 
2021-12-07 8:42:17 AM  

solokumba: Smoking GNU: solokumba: A company a few many years ago thought that unplugging the computer's speaker would relate to more output.

...what?

I know. Something about listening to music or something. Idiot admins. Like listening to music made you work slower or the network was so lame it could not handle it.


I think the "what?" was more about your incomprehensible grammar.
 
2021-12-07 9:40:12 AM  

Chief Superintendent Lookout: trerro: A USB port-launched attack means the attacker has physical access to the machine, and there isn't a whole lot you can do in that case.

If you're worried about virii and such coming in as hitchhikers, same rules apply as on things like email. Don't let anything run without explicit permission.

Not necessarily.  One social engineering tactic an attacker can use is to drop a few infected USB sticks around a parking lot of the target.  Perfect bait for the average employee to say, "Hmmmm.  I wonder who lost this" and will bring it inside the building and plug it into a machine that's connected to the network.  I've worked in IT close to 30 years, and the dumb things the average user does is beyond belief.  I've witnessed IT pros being even dumber.


It gets worse when you consider some vendor devices use USB sticks as security tokens or as boot disks. A lot of lab devices still do this.
 
2021-12-07 10:14:19 AM  
It's simply the U in USB - universal.  If there were other means of input, those channels would be exploitable.

You can only hope to make an attacker's job harder.  If you can't eliminate USB ports (because you need keyboards/mice/whatever), perhaps try to lock down what kinds of devices are accepted on certain ports.  Even that won't save you - I've seen promotional USB devices that pretend to be keyboards - press a button on them and they send the keystrokes to open a web browser and go to a programmable URL.  Maybe if you added cryptographic signatures to connection protocols so that only approved devices are allowed - but a truly determined attacker (which is what all of these scenarios have in common) will simply focus their efforts down the supply chain to compromise your trusted components.

And none of that will matter as soon as some farkwit in Redmond says "hey, you know what would be a cool piece of functionality?" and you get some USB version of ActiveX that does an end run around your security measures.
 
2021-12-07 10:50:25 AM  

akallen404: Chief Superintendent Lookout: trerro: A USB port-launched attack means the attacker has physical access to the machine, and there isn't a whole lot you can do in that case.

If you're worried about virii and such coming in as hitchhikers, same rules apply as on things like email. Don't let anything run without explicit permission.

Not necessarily.  One social engineering tactic an attacker can use is to drop a few infected USB sticks around a parking lot of the target.  Perfect bait for the average employee to say, "Hmmmm.  I wonder who lost this" and will bring it inside the building and plug it into a machine that's connected to the network.  I've worked in IT close to 30 years, and the dumb things the average user does is beyond belief.  I've witnessed IT pros being even dumber.

It gets worse when you consider some vendor devices use USB sticks as security tokens or as boot disks. A lot of lab devices still do this.


I don't think the threat of pirating software is great enough for anything to warrant having a security dongle. Get over yourselves, laboratory equipment manufacturers.
 
2021-12-07 11:56:19 AM  

akallen404: Chief Superintendent Lookout: trerro: A USB port-launched attack means the attacker has physical access to the machine, and there isn't a whole lot you can do in that case.

If you're worried about virii and such coming in as hitchhikers, same rules apply as on things like email. Don't let anything run without explicit permission.

Not necessarily.  One social engineering tactic an attacker can use is to drop a few infected USB sticks around a parking lot of the target.  Perfect bait for the average employee to say, "Hmmmm.  I wonder who lost this" and will bring it inside the building and plug it into a machine that's connected to the network.  I've worked in IT close to 30 years, and the dumb things the average user does is beyond belief.  I've witnessed IT pros being even dumber.

It gets worse when you consider some vendor devices use USB sticks as security tokens or as boot disks. A lot of lab devices still do this.


DaVinci Resolve has that option. A usb dongle, or an activation number you have to use when changing computers or logging in to the software.
 
2021-12-07 8:10:52 PM  
"Cyberattacks on air gapped systems, including the sophisticated and dangerous 2010 Stuxnet attack that crippled a uranium enrichment facility, all have one thing in common: a USB stick."

That's like saying that most robberies involved cars, and blaming the car. Don't blame the USB stick. Blame the lack of physical security of said servers, or the servers themselves having electrically operable USB ports.
 