This presentation looks at attacks delivered over USB, using USB toolkits and keystroke-injecting HID devices, and at what is needed to defend against them.
2. Quick Scope
● Information given with an emphasis on Windows 7
● Presentation will focus on USB attacks and countermeasures
● Presentation will cover countermeasures tailored to USB defense, rather than all potential defenses
3. Basic USB Process
● Device connected and reset by the host; it answers on the default address 0
● Address designation: the host assigns a unique address with SET_ADDRESS
● Descriptors read: the host issues GET_DESCRIPTOR for the device, configuration and interface descriptors, which tell it what the device claims to be (vendor/product IDs, interface classes)
● Configuration established: the host selects one with SET_CONFIGURATION and loads the matching class driver
● Device is ready for use
5. USB Toolkits (USB Attacks)
● Easy To Use
● Modular
● Versatile
● Not Always Easily Detectable
6. USB Toolkits (USB Attacks cont.)
● Hacksaw
– Easy to set up
– Modular
– Most successful versions rely on U3 technology (SanDisk drives that present a virtual CD-ROM partition, so an autorun payload launches on insertion)
● Katana
– Offers a bootable OS with its own toolset
7. HID Devices (USB Attacks)
● Abuse the trust relationship between human and machine: the OS treats a keyboard's input as if a person were typing it
● Devices that rely on input-device emulation
● Inject keystrokes far faster than a human can type
● Attacks generally work on anything with a USB port that accepts keyboard input
8. HID Devices (USB Attacks)
● USB Rubber Ducky
– Open source (firmware and payload encoder)
– Configurable: the payload is a script, encoded and stored on the device's microSD card
– Firmware can be replaced to change what the device does
– Anything that can be done from a keyboard can be emulated by this device
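The "faster than a human" point in slides 7 and 8 is also a detection hook: injected keystrokes arrive in long runs with near-constant, sub-human spacing. The following is an added example (not from the presentation) of a host-side heuristic that flags such runs from keystroke timestamps. The thresholds, the sample timeline and the function names are assumptions made for this example.

```python
"""Flag keystroke bursts too fast and too regular to be human (added example)."""
from statistics import median, pstdev

# Heuristic thresholds; assumptions for this example, not figures from the slides.
MAX_HUMAN_GAP_MS = 40.0   # sustained gaps below this are beyond fast human typing
MIN_BURST_KEYS = 20       # ignore short bursts (key repeat, chords, a quick word)
MAX_JITTER_MS = 5.0       # injected keystrokes arrive with machine-like regularity


def inter_key_gaps(timestamps_ms):
    """Time between consecutive key-down events, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def find_injection_bursts(timestamps_ms, max_gap=MAX_HUMAN_GAP_MS,
                          min_keys=MIN_BURST_KEYS, max_jitter=MAX_JITTER_MS):
    """Return (first_key_index, last_key_index, median_gap_ms) for each run of
    keystrokes that is both too fast and too regular for a human."""
    gaps = inter_key_gaps(timestamps_ms)
    bursts, start = [], None
    for i, gap in enumerate(gaps + [None]):   # sentinel closes a trailing run
        fast = gap is not None and gap <= max_gap
        if fast and start is None:
            start = i                          # gap i sits between key i and key i+1
        elif not fast and start is not None:
            run = gaps[start:i]                # covers keys start .. i
            if len(run) + 1 >= min_keys and pstdev(run) <= max_jitter:
                bursts.append((start, i, median(run)))
            start = None
    return bursts


def build_timeline():
    """Constructed sample: a person types 30 keys, a HID device injects 60 keys
    about 12 ms apart, then the person resumes typing."""
    t, stamps = 0.0, []
    human_gaps = [130, 95, 210, 160, 85, 300]   # a plausible human rhythm (ms)
    for k in range(30):
        stamps.append(t); t += human_gaps[k % len(human_gaps)]
    t += 2000                                   # pause while the device is plugged in
    for k in range(60):
        stamps.append(t); t += 12 + (k % 3)     # 12-14 ms, near-constant
    t += 1500
    for k in range(20):
        stamps.append(t); t += human_gaps[k % len(human_gaps)]
    return stamps


if __name__ == "__main__":
    for first, last, med in find_injection_bursts(build_timeline()):
        print("suspicious burst: keys %d-%d, median gap %.1f ms" % (first, last, med))
```

Treat a hit as a reason to lock the session and inspect the device, not as proof. The attacker controls the cadence: Ducky Script has a DELAY command, so a payload can slow itself down or pad keystrokes with irregular pauses, and then only the "new keyboard appeared" event, not the timing, remains to alert on.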
10. Notable USB Malware
● Stuxnet
– Propagates mainly via removable USB drives
– Keeps its network footprint small
– Updates itself and takes orders via C&C servers
– Infects selectively (for example, it limits how many machines each infected drive will infect)
– Built to reach Windows hosts running Siemens SCADA software, using at least four zero-day exploits
– Adjusts its behaviour to the AV product installed on the host
12. Security Policy (Countermeasure)
● Who is allowed to go where
● Where USB devices are allowed/disallowed
● Specifications on which USB devices may be used (e.g. an allow-list by vendor/product ID)
● Company-provided USB drives only
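As an added example (not part of the presentation) tying the enumeration steps in slide 3 to the device allow-list in the policy above: the host can inspect exactly the descriptors it reads during enumeration, match vendor/product ID against a list of company-issued drives, and refuse a "drive" that also exposes a keyboard interface. The descriptor layouts are from the USB specification; the IDs, allow-list and helper names are assumptions constructed for this example.

```python
"""Check a USB device's descriptors against a company allow-list (added example)."""
import struct

# Descriptor layouts from the USB 2.0 specification (little-endian fields).
DEVICE_DESC = struct.Struct("<BBHBBBBHHHBBBB")   # 18-byte device descriptor
CONFIG_DESC = struct.Struct("<BBHBBBBB")         # 9-byte configuration descriptor
INTERFACE_DESC = struct.Struct("<BBBBBBBBB")     # 9-byte interface descriptor
ENDPOINT_DESC = struct.Struct("<BBBBHB")         # 7-byte endpoint descriptor
DT_DEVICE, DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x01, 0x02, 0x04, 0x05
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_BOOT_SUBCLASS, HID_KEYBOARD_PROTOCOL = 0x01, 0x01


def parse_device_descriptor(blob):
    """Return vendor/product IDs and class from the 18-byte device descriptor."""
    if len(blob) < DEVICE_DESC.size:
        raise ValueError("device descriptor truncated")
    f = DEVICE_DESC.unpack_from(blob)
    if f[0] != DEVICE_DESC.size or f[1] != DT_DEVICE:
        raise ValueError("not a device descriptor")
    return {"vid": f[7], "pid": f[8], "class": f[3], "num_configs": f[13]}


def parse_interfaces(cfg):
    """Walk a configuration descriptor by bLength and collect interface class triples."""
    if len(cfg) < CONFIG_DESC.size or cfg[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total = min(CONFIG_DESC.unpack_from(cfg)[2], len(cfg))  # wTotalLength, bounded by data
    interfaces, pos = [], CONFIG_DESC.size
    while pos + 2 <= total:
        length, dtype = cfg[pos], cfg[pos + 1]
        if length < 2:
            raise ValueError("malformed descriptor at offset %d" % pos)  # would never advance
        if dtype == DT_INTERFACE and pos + INTERFACE_DESC.size <= total:
            f = INTERFACE_DESC.unpack_from(cfg, pos)
            interfaces.append({"number": f[2], "class": f[5], "subclass": f[6], "protocol": f[7]})
        pos += length  # endpoint, HID and vendor-specific descriptors are skipped
    return interfaces


def evaluate_device(dev_blob, cfg_blob, allowlist):
    """allowlist maps (vid, pid) -> set of interface classes that device may expose.
    Returns (allowed, reasons)."""
    dev = parse_device_descriptor(dev_blob)
    key = (dev["vid"], dev["pid"])
    if key not in allowlist:
        return False, ["vid:pid %04x:%04x is not on the allow-list" % key]
    reasons = []
    for itf in parse_interfaces(cfg_blob):
        if itf["class"] not in allowlist[key]:
            reasons.append("interface %d exposes class 0x%02x, not permitted for this device"
                           % (itf["number"], itf["class"]))
        if (itf["class"], itf["subclass"], itf["protocol"]) == \
                (CLASS_HID, HID_BOOT_SUBCLASS, HID_KEYBOARD_PROTOCOL):
            reasons.append("interface %d is a boot-protocol keyboard: keystroke-injection surface"
                           % itf["number"])
    return not reasons, reasons


# --- constructed sample descriptors (hypothetical IDs, not real products) ---
def device_descriptor(vid, pid):
    return DEVICE_DESC.pack(18, DT_DEVICE, 0x0200, 0, 0, 0, 64, vid, pid, 0x0100, 1, 2, 3, 1)


def interface_descriptor(num, cls, sub, proto):
    bulk_in = ENDPOINT_DESC.pack(7, DT_ENDPOINT, 0x81, 0x02, 64, 0)
    return INTERFACE_DESC.pack(9, DT_INTERFACE, num, 0, 1, cls, sub, proto, 0) + bulk_in


def config_descriptor(interfaces):
    body = b"".join(interfaces)
    return CONFIG_DESC.pack(9, DT_CONFIG, 9 + len(body), len(interfaces), 1, 0, 0x80, 50) + body


COMPANY_DRIVE = (0x1234, 0x5678)                      # hypothetical company-issued drive
ALLOWLIST = {COMPANY_DRIVE: {CLASS_MASS_STORAGE}}
MSC = interface_descriptor(0, CLASS_MASS_STORAGE, 0x06, 0x50)   # SCSI transparent, bulk-only
GENUINE_DEV = device_descriptor(*COMPANY_DRIVE)
GENUINE_CFG = config_descriptor([MSC])
# Same VID/PID as the company drive, but a second interface is a keyboard.
ROGUE_CFG = config_descriptor([MSC, interface_descriptor(1, CLASS_HID, HID_BOOT_SUBCLASS,
                                                         HID_KEYBOARD_PROTOCOL)])
UNKNOWN_DEV = device_descriptor(0xabcd, 0x0001)

if __name__ == "__main__":
    for name, dev, cfg in [("genuine", GENUINE_DEV, GENUINE_CFG),
                           ("rogue", GENUINE_DEV, ROGUE_CFG),
                           ("unknown", UNKNOWN_DEV, GENUINE_CFG)]:
        print(name, evaluate_device(dev, cfg, ALLOWLIST))
```

The "rogue" case is why the check must look past vendor/product ID: a programmable device such as a Rubber Ducky chooses every byte of its own descriptors, so it can copy the IDs of an approved drive. Matching interface classes raises the bar, but the device is still the only source of truth about itself, which is the limit of descriptor-based whitelisting.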
13. Personnel (Countermeasure)
● EDUCATION!!!
– Don't use dropped USB drives. TURN THEM IN!
– Don't work from an admin account when you don't need to
– If you're not using your computer, lock it!
– Use a password
– Explain why ALL of these things are important!
14. Physical (Countermeasure)
● Critical machines should be in a locked and monitored environment
● Personnel to ensure device tampering doesn't happen
● USB port locks
● Chassis lock
21. Ecology-based Countermeasures (tailored to the environment)
● Military and Government Computers
● Enterprise Based Computers
● Public Computers
● Personal Computers
22. After Thoughts
● Security of Whitelisting: how secure is it?
● AV vs. Custom Malware
● Countermeasure effectiveness vs. convenience
● USB Banning vs. restricting
● How to spread this knowledge to those who don't know it is needed?
● Is it possible to stop an attack, even with these countermeasures, in an espionage-prone environment?