USB Attacks

USB devices are so convenient. Whenever we need to store small amounts of data, we use a USB stick. Everyone owns one and we generally trust it to be safe. USB keys are one of the main vectors for industrial espionage, but attacks against random civilians and companies are also common.

The 2018 Honeywell report on USB threats to industrial operators analyzed a sample of 50 locations. The study covered energy, chemical manufacturing, pulp & paper, oil & gas and other industrial facilities. Among the locations targeted, 44% blocked a suspicious file originating from USB ports, and 15% of the threats detected and blocked were high-profile threats such as Stuxnet, WannaCry and Mirai.

A 2016 experiment conducted on the University of Illinois Urbana-Champaign campus showed that, of 297 USB sticks dropped around the university, students and staff members picked up 98%. For almost half of the USB drives picked up, someone plugged the drive in and clicked on a file.
A survey was then conducted among the people who used the sticks. 68% of the respondents did not take any security measure when using the USB stick. 68% said they took the drive to give it back and 18% took it out of curiosity. This experiment shows how dangerous a simple USB device can be.

The same behavior can be observed in companies. Fortunately, firms are increasingly asking for social engineering training and pentests to raise their staff's awareness of such threats. Simply plugging in an infected device can jeopardize the company’s security: good intentions and curiosity can cause a lot of damage.

Goal of the attack

While old computers and terminals such as ATMs that still run deprecated OS versions are particularly vulnerable, smartphones, IoT devices and up-to-date computers are targeted as well.

Here is a list of the many things that can be done with a simple USB key:

  • Take remote control over the victim’s device
  • Spy on people through their webcam, microphone and keyboard
  • Steal passwords and personal information
  • Encrypt data to demand a ransom
  • Erase, modify or inject data and code
  • Destroy hardware

A few years ago, a group of hackers managed to steal money from ATMs by making a hole in the machine and injecting code through a USB port. The newly installed program allowed them to withdraw money whenever a 12-digit password was typed in.

Implementation

Once the attackers know their target and what they want to do to it (see list above), they must choose the appropriate payload for their USB device. They have a wide range of options, from ransomware to simple keyloggers. Devices that look like USB sticks can also be used. For example, USB Killer is a device that looks like a USB thumb drive and can send high voltage through the USB port to damage hardware.

Attackers can load malware onto a USB key themselves, but they can also buy a ready-made USB key. For instance, Rubber Ducky or Bash Bunny sticks, which perform more conventional attacks such as opening a reverse shell, can be found for less than 100 euros.

Be aware that any kind of device with a USB port can be used to spread malware.

The attackers then need a way for their USB drive, or their device with a USB port, to be plugged into the target device. They can either do it themselves or use social engineering to make someone else do it without that person being aware of it. USB sticks can be dropped in the street or in offices, put in mailboxes, or given as gifts during events, as may have happened during the 2013 G20 summit.

When the USB stick is plugged in, some malware executes immediately, whereas other kinds need the user to click on a file before they are surreptitiously launched. Malicious code can be hidden in directories, images or any sort of file, and the stick can even pose as a keyboard to avoid detection.

As part of a recent social engineering pentest, our pentesters dropped 10 USB drives in parking lots, toilets, meeting rooms and randomly outside the office building of our client. In a few hours, 5 keys had been used and the malware – a reverse PowerShell – activated. A workstation was compromised and an admin session was accessible to our team for a whole day.

On a technical level, each stick contained a false link to a directory, a hidden nameless directory and an HTML file to track how many times the trap was activated. When the curious user clicked on the link, three things happened:

  • A PowerShell script was executed to find Wi-Fi passwords stored on the computer and send them to the attacker’s server.
  • A reverse shell was opened from the victim’s device, giving the attacker complete control.
  • The hidden directory was opened, displaying random JPEG and PDF files to the victim so as not to arouse suspicion. This directory also contained the malicious files, but those were not visible.
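
A triage check for a suspect stick mounted on an isolated analysis station: it flags the structure described above (a shortcut file, a blank-named or hidden directory, script files) by listing names only, without opening anything. This is an added example, not code from the original article; the extension watch list, the finding labels and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
import unicodedata

WIN_HIDDEN = 0x2  # FILE_ATTRIBUTE_HIDDEN bit of st_file_attributes (Windows only)
SCRIPT_EXT = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".exe"}  # assumed watch list

def is_blank(name):
    """True if the name renders as empty: only spaces or invisible format/control chars."""
    return all(c.isspace() or unicodedata.category(c) in ("Cf", "Cc") for c in name)

def is_hidden(path, name):
    attrs = getattr(os.lstat(path), "st_file_attributes", 0)  # attribute absent off Windows
    return bool(attrs & WIN_HIDDEN) or name.startswith(".")

def triage(root):
    """Walk a mounted drive without opening any file; return sorted (finding, path) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if name in dirnames and is_blank(name):
                findings.append(("nameless-dir", rel))
            if is_hidden(path, name):
                findings.append(("hidden", rel))
            if name in filenames and ext == ".lnk":
                findings.append(("shortcut", rel))
            if name in filenames and ext in SCRIPT_EXT:
                findings.append(("script", rel))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: empty placeholder files laid out like the drive described above."""
    blank = os.path.join(root, "\u00a0")  # directory named with a no-break space
    os.mkdir(blank)
    for rel in ("Documents.lnk", "index.html"):
        open(os.path.join(root, rel), "w").close()
    # A dot-prefix stands in for the Windows hidden attribute on other systems.
    for rel in ("holiday.jpg", "report.pdf", ".payload.ps1"):
        open(os.path.join(blank, rel), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding, rel in triage(tmp):
            print(f"{finding:13} {rel!r}")
```

Any single finding is weak evidence on its own; a shortcut at the root next to a blank-named directory holding hidden scripts is the combination worth escalating.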

Adopt good practices

A lot can be done to increase security when dealing with USB keys. Some measures are easy to implement, while others are less practical. Here are some good practices and measures to take to keep your information system safe:

  • Keep personal and work-related USB sticks separate
  • If you don’t know a USB key’s origin, do not use it
  • Change your sticks occasionally
  • Decontaminate your keys regularly
  • Disable autorun features
  • Use a buffer zone to test, scan and decontaminate your sticks safely
  • If one is already plugged in:
    • Disconnect the Internet to prevent download and upload of data
    • Restart your device right away
  • Conduct Social Engineering Pentests and training
  • (or never use USB sticks…but it’s less realistic)

Although attacks can come from outside, keep in mind that most of them are linked to staff, who most of the time are unaware of the risks of certain behaviors. Training your team, especially on the different social engineering techniques and on current attack trends, effectively strengthens the organization's security level.