Spies can use USB devices for more than just malware
- April 25, 2019
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyber Crime, Cyberattack, Hacking, Industrial Control System Security, Mobile Devices, Posts with image, Smart Devices, Supply Chain Security
After the alleged spy case at Mar-a-Lago, where federal agents say a woman lied to bring herself and a USB drive onto the grounds of the President’s private club, many people know that USBs can carry malware.
But security experts say USB things can hide deeper, more dangerous attacks — and most people are not paying attention.
“Smoking is Bad for your Computer”
Eric Knapp is trying to give a presentation on his laptop at the 2019 RSA security conference in San Francisco.
But a little USB device, an e-cigarette charger plugged into the side of his computer, is on the hunt for victims.
It takes over the presentation, deleting words on the screen and replacing them with its own.
“Who is this guy?” it re-writes in his presentation slide. “You shouldn’t vape in public. Smoking is bad for your computer.”
“In this case, it is,” laughs Knapp, with Honeywell Industrial Cyber Security, who created the USB device that he calls the Vape-inator.
“This attack is funny,” he told Archer News. “But they could also be potentially really dangerous.”
Knapp made the device himself in his hotel room, in about 20 minutes.
“It was surprisingly easy,” he said. “You simply add things inside the plastic enclosure, right? You’re hiding stuff. It’s arts and crafts, really.”
He’s hiding technology that can turn the USB device into an attack device, and attackers can do far more than mess with presentation slides.
“Any USB device could be modified or manipulated to act like a keyboard. Keyboards can type things,” Knapp explained. “But if you’re typing the right things on the right computer with the right privileges, you could do almost anything.”
“Take over,” he added.
Researchers at Ben Gurion University in Israel said in 2017 that attackers are using these kinds of USB tricks more and more.
A former student just pleaded guilty this month to destroying more than 50 computers at a college in New York with a plug-in USB device called the USB Killer.
Security company Kaspersky says crooks secretly planted USB devices on computers at big European banks in 2017 and 2018, causing millions in damages.
Attackers famously used a USB drive to do damage at Iran’s Natanz nuclear plant and beyond with the Stuxnet attack, first identified in 2010.
And researcher Luca Bongiorni of Bentley Systems says USBs are prime sources for malware on industrial control systems — the systems that help run critical infrastructure.
“USB devices are still one of the main sources of malware in the ICS [industrial control systems] worldwide,” he said at the 2018 Kaspersky industrial cybersecurity conference in Sochi.
Bongiorni says he’s working on a project showing how attackers can use USB devices to take over and remotely control industrial cranes.
He showed part of his project on Twitter under the @WHID_Injector account:
Hey! Pssst! Wanna see what new PoC I am working on? 🔥#WHIDelite #OneWHID2PwnThemAll
Imagine… #WHIDelite + #DRONE flying around your city while #Sniffing & #Replaying CRANES RF packets… 🏴☠️🔥 pic.twitter.com/JiSEXgU6Fj
— WHID Injector (@WHID_Injector) March 26, 2019
Don’t USB Sorry
You may be wise to the old stick-on-the-ground trick, where bad guys sprinkle USB drives in parking lots, curious people plug them in — and launch malware.
But Bongiorni and Knapp show us that USB attack devices don’t have to look like thumb drives.
Bongiorni has warned people about malicious USB mini-fridges, cup warmers and mini-fans, among other devices.
“We all use USB devices,” Knapp said. “They’re everywhere.”
“I saw somebody last week. I’m not making this up. They had a water bottle with a USB interface on it. I have no idea what it was for. But I know everything is USB now,” he said.
Do we need to be concerned about it? Archer News asked him.
“We need to be aware of it,” Knapp answered.
USBs at Work
Your company may have policies telling you not to plug in at work.
Not everyone follows them.
“If I’m a smoker and I have an e-cigarette — because I know I’m already breaking one policy, I’m still vaping in the restroom,” Knapp said. “My battery is dead and I need a nicotine hit. It’s one of the most addictive chemicals on the planet. I’m going to charge that device. I’m not going to wait till the end of the workday, go home. I’m going to do it right there.”
“Even the best intended policies will be bypassed by human nature,” he explained.
What to Do?
Experts say companies need to:
—Pay more attention to what USB devices people are using.
—Disable some USB ports if necessary.
—Use technology if necessary to analyze USBs before they can do damage.
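One way to act on the first and third recommendations, shown as an added example that is not from the article or from the experts it quotes: review an inventory of connected USB devices and flag anything that presents a keyboard-style (HID) interface without being an approved input device. The inventory format, the allowlist and every ID and device name below are constructed for illustration.

```python
HID_CLASS = 0x03           # USB class code: Human Interface Device
KEYBOARD_PROTOCOL = 0x01   # HID boot-protocol value for a keyboard
MASS_STORAGE_CLASS = 0x08  # USB class code: mass storage

# Hypothetical allowlist of (idVendor, idProduct) for company-issued keyboards.
APPROVED_HID = {("1111", "0001")}

# Constructed inventory: port, idVendor, idProduct, product name, then one
# bInterfaceClass:bInterfaceProtocol pair (hex) per interface, the values
# Linux exposes under /sys/bus/usb/devices/.
SAMPLE_INVENTORY = """\
1-1 1111 0001 Office Keyboard | 03:01
1-2 2222 0002 Flash Drive | 08:50
1-3 3333 0003 Vape Charger | 03:01
1-4 4444 0004 Desk Fan | 08:50 03:01
"""

def parse_inventory(text):
    """Turn the text inventory into a list of device dicts."""
    devices = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition("|")
        port, vendor, product_id, *name = left.split()
        ifaces = [tuple(int(x, 16) for x in pair.split(":"))
                  for pair in right.split()]
        devices.append({"port": port, "id": (vendor, product_id),
                        "name": " ".join(name), "ifaces": ifaces})
    return devices

def review(devices, approved=APPROVED_HID):
    """Return (port, name, reason) for each unapproved HID-capable device."""
    findings = []
    for dev in devices:
        classes = {cls for cls, _ in dev["ifaces"]}
        if HID_CLASS not in classes or dev["id"] in approved:
            continue
        # Non-boot keyboards report protocol 00, so any unapproved HID
        # interface is flagged, not only protocol 01.
        if MASS_STORAGE_CLASS in classes:
            reason = "storage device that also presents a HID interface"
        elif (HID_CLASS, KEYBOARD_PROTOCOL) in dev["ifaces"]:
            reason = "unapproved device presenting a keyboard interface"
        else:
            reason = "unapproved HID interface"
        findings.append((dev["port"], dev["name"], reason))
    return findings

if __name__ == "__main__":
    for finding in review(parse_inventory(SAMPLE_INVENTORY)):
        print(*finding, sep=" | ")
```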
And for all of us reading this story, just thinking about the problem can help you — maybe making the difference between your digital world staying safe or going up in smoke.
“Don’t just inherently trust anything. You see a USB drive lying on the floor of a cubicle. Don’t assume it was left there accidentally. It could have been put there on purpose, hoping that you would pick it up and use it,” Knapp said.
“The number one defense is awareness,” he said.
One security researcher compared a USB drive to a syringe — you see one on the ground, you wouldn’t pick it up and stick it in your arm.
Some security experts use SD cards to transfer data instead of thumb drives, saying SD cards don’t attach to your system in the same way a USB does, so they’re generally safer.
Also, remember that USB attacks can go both ways.
So, you will want to carry a plug cube to charge your phone, rather than simply sticking your cable into a public USB port.
You can also use cables that only carry power to charge your phone or other device, not data.
“Just be cognizant of what you’re doing,” emphasized Knapp.
Main image: Eric Knapp’s USB e-cigarette charger attack device. Image: Archer News