Attack of the Killer USBs: Don’t Be the Next Victim

Analyzing the threat that ‘Killer USBs’ pose to a company’s sensitive data and networks

When cybersecurity practitioners think about USBs, it’s often in the context of social engineering. A nefarious actor perhaps drops a malicious USB in or around the office space, hoping that an unsuspecting employee will pick it up and plug it in.

The threat from USBs, however, is much more prevalent. Malicious USB drives made headlines after two arrests this year. Recall the Chinese woman who attempted to access Trump’s Mar-a-Lago without authorization. The woman reportedly had a USB drive on her person which a Secret Service agent plugged into a PC, a decision that confounded many in the security industry.

Shortly after came the news that Vishwanath Akuthota, a 27-year-old man from Albany, New York, pleaded guilty to damaging computers at his alma mater, the College of St. Rose. Both tales serve as reminders that security practitioners cannot overlook the need to fortify the physical perimeter.

Beware the ‘Killer USB Device’

The attack on the College of St. Rose that began on Feb. 14 culminated in Akuthota changing his plea to guilty April 16 after it was discovered that the accused had recorded himself inserting a Killer USB device “into 66 computers, as well as numerous computer monitors and computer-enhanced podiums, owned by the college in Albany,” the U.S. Attorney’s Office for the Northern District of New York wrote in a press release.

“The ‘USB Killer’ device, when inserted into a computer’s USB port, sends a command causing the computer’s on-board capacitors to rapidly charge and then discharge repeatedly, thereby overloading and physically destroying the computer’s USB port and electrical system,” the press release said.

As the physical and cyber worlds continue to converge, especially in critical infrastructure, threats to enterprise security are all around us, yet employees remain largely unaware of the dangers of malicious USB drives.

A new report from Honeywell found that “USBs continue to be one of the most convenient ways to share and update files, but they can be a serious security threat. An estimated 9 out of 10 maintenance engineers still use Universal Serial Bus (USB) as they connect to targeted plant machines (Honeywell research 2019).”

In fact, the study found that it is much easier to attack an organization with a malicious USB than it is for an attacker to try to bust through firewalls and other layers of network security. “USBs are so convenient to carry around and easy to use, most people tend to disregard their potential as a catastrophic security risk,” according to the report.

Defending Against Malicious USB Devices

In 2018, IBM reportedly issued an advisory to its employees stating that the company was, “… expanding the practice of prohibiting data transfer to all removable portable storage devices (eg: USB, SD card, flash drive),” according to The Register.

Though it may not be necessary to completely ban the use of USBs, organizations need to have policies and procedures in place that will protect them against new and emerging threats coming from the convergence of the physical and cyber worlds.

The Honeywell report cited a report published by researchers at Ben-Gurion University of the Negev in Israel, in which “researchers discovered 29 (yes, you read it correctly) ways someone can insert malware into your computer or smartphone via a USB port.”

Given the ease with which an attacker can compromise sensitive information using a USB, Kaspersky Lab recommends a multi-layered approach to security that puts ensuring physical security first, “so that unauthorized personnel cannot plug in random USB devices to industrial control systems. Also, physically block unused USB ports on such systems and prevent the removal of HIDs that are already plugged in.”

This step, combined with ongoing employee training, proper network segmentation and security tools that have detection capabilities, will help to mitigate risk.

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
