Do you have thumb drives? What’s on them? Drawings, plans, photos? Is your USB stick encrypted? If you found a USB flash drive and couldn’t find the owner, would you use it on your computer?
Not long ago, there was a post on Reddit called “My evil USB stick drop test”. The author shared the experience of running USB drop “attacks” in the office. The author did not expect many people to fall into the trap, because everyone practices social engineering. Surprisingly, everyone who found a USB flash drive connected it to their own computer. One of them was an IT worker! Fortunately, the author had not put any malicious program on the USB sticks; otherwise the employees would have been in trouble.
The Damage a USB Attack May Cause
A USB attack can do more than steal private data: it can also destroy or manipulate your system. Saying that it can bring down a factory, or even a city, is by no means alarmist.
In 2009, the Stuxnet attack on the Natanz uranium enrichment plant caused substantial damage to many uranium centrifuges, and sentenced the Iranian nuclear program to death.
USB Attacks Are Everywhere
Believe it or not, USB attacks are not limited to storage devices; they also involve Human Interface Devices (HID). Any device that uses the USB protocol can be affected, such as your mouse, charging cable, web camera, etc.
The forms of USB attacks are varied. Generally, they can be sorted into 4 categories:
- Re-programmable microcontroller USB attacks, e.g. Rubber Ducky.
Attackers can program a teeny microcontroller to act like a keyboard. Once connected, it starts injecting key presses, just like someone working on your computer.
- Maliciously reprogrammed USB peripheral firmware attacks, e.g. iSeeYou
- Attacks based on unprogrammed USB devices, e.g. AutoRun exploits
- Electrical attacks, which permanently destroy equipment when a USB device triggers a rapid electrical charge/discharge cycle, e.g. USB Killer
Besides, you can easily Google “BAD USB” to buy one, or to find a tutorial on making one. Imagine how simple and cheap it is to do bad things!
However, even though attacks through USB devices are so common, few people pay attention to USB security measures.
Security in the USB Spec
The reality is always disappointing. Very few USB security measures are available. Even though the USB Implementers Forum (USB-IF) has introduced many specifications, it was not until the latest USB 3.x, which is the third major version, that security was mentioned. The responsibility was even pushed onto consumers and suppliers of USB devices.
Year 1996: USB 1.0 was launched. It was designed to reduce hardware design and software configuration effort, as well as to replace a wide variety of device connectors. The word “security” does not appear in the USB 1.x specification. The most relevant content was “error detection during transmission”.
Year 2000: USB 2.0 came out. The newer version supports more devices (e.g. digital cameras, video cards, network adapters) and has faster transfer rates (480 Mbps), which contributed to the popularity of flash drives. However, security measures are not mentioned in the 650-page document, just as in the 1.x specification.
Year 2008: USB 3.0 was released. The focus remained on speed and device support.
Year 2013: USB 3.1 spec. Only in this year did something new emerge with the 3.1 specification: the updated USB Power Delivery (PD) specification, which supports up to 100W of power delivery and paved the way for laptop charging via USB. Unfortunately, the 3.x specification still does not mention security.
Year 2017: USB 3.2 was presented. Even with USB 3.2, only the transmission rate was doubled, to 20 Gbit/s. No security.
They Can Do Little
There is hardly anything about security measures in the specifications produced during the development of the USB protocol. But that does not mean the USB-IF is unaware of the issue. As early as 2014, the USB-IF made it clear that security is beyond the scope of the USB specification. The stated reason: “In order for a USB device to be corrupted, the offender would need to have physical access to the USB device.” The responsibility has been placed on USB users and manufacturers, as the points below show.
- “OEMs decide whether or not to implement these [security] capabilities in their products.”
- “Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices.”
Interestingly enough, in 2016, in response to the threat of rogue power chargers and cables enabled by the USB Type-C specification, the USB 3.0 Promoter Group and the USB-IF introduced the USB Type-C Authentication (TCA) specification for Type-C products. TCA was officially implemented this year.
Research done by the University of Florida and the University of Illinois shows that correct authentication using the TCA protocol is possible only when the firmware is verified. The research also pointed out that “Type-C is based on an intrinsically broken design”. There are still a lot of problems, which means that USB attacks will still occur. However, the limitations of TCA are not surprising, since it was designed to solve the problem of low-quality charging cables.
WHAT CAN WE DO
At this stage, it may only be as the USB-IF stated in 2014: we as users have to bear the consequences. Only buy USB devices through trusted channels, handle unknown devices with extra precautions, and never use what you find lying around. Lastly, do not forget to tell your boss or employees that this is not a trivial matter!
Do not trust by default! Choose a reputable shop to buy USB products.
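As an added example (not from the original article), "do not trust by default" can be written as a default-deny check on the interface classes a newly attached device declares. It also covers the Rubber Ducky and reprogrammed-firmware cases described earlier, where a device shows up as an input device. The allowlist, IDs and serials are constructed; the identity fields are self-reported by the device, so this narrows exposure rather than authenticating the device.

```python
from dataclasses import dataclass

CLASS_HID = 0x03           # bInterfaceClass: keyboards, mice, other input devices
CLASS_MASS_STORAGE = 0x08  # bInterfaceClass: flash drives, card readers

@dataclass(frozen=True)
class UsbDevice:
    vid: int            # idVendor
    pid: int            # idProduct
    serial: str         # serial string, self-reported by the device
    classes: frozenset  # bInterfaceClass of every interface it exposes

# Hypothetical enrolment list: identity -> interface classes seen at enrolment.
ALLOWLIST = {
    (0x1111, 0x0001, "KB-0001"): frozenset({CLASS_HID}),
    (0x2222, 0x0002, "FD-0002"): frozenset({CLASS_MASS_STORAGE}),
}

def decide(dev, allowlist=ALLOWLIST):
    """Return (verdict, reason); anything not explicitly enrolled is blocked."""
    expected = allowlist.get((dev.vid, dev.pid, dev.serial))
    if expected is not None:
        if dev.classes == expected:
            return ("allow", "enrolled device, interfaces unchanged")
        # An enrolled device that grows an input interface matches the
        # reprogrammed-firmware category: same identity, new behaviour.
        if CLASS_HID in dev.classes - expected:
            return ("block", "enrolled device now exposes an input interface")
        return ("block", "enrolled device changed its interfaces")
    if CLASS_HID in dev.classes and CLASS_MASS_STORAGE in dev.classes:
        return ("block", "unknown storage device also presents as input device")
    if CLASS_HID in dev.classes:
        return ("block", "unknown input device")
    return ("block", "unknown device")

# Constructed sample devices, not real captures.
SAMPLES = [
    UsbDevice(0x1111, 0x0001, "KB-0001", frozenset({CLASS_HID})),
    UsbDevice(0x2222, 0x0002, "FD-0002", frozenset({CLASS_MASS_STORAGE, CLASS_HID})),
    UsbDevice(0x3333, 0x0003, "", frozenset({CLASS_HID})),
    UsbDevice(0x4444, 0x0004, "X1", frozenset({CLASS_MASS_STORAGE})),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d.vid:04x}:{d.pid:04x} {d.serial or '-':8} -> {decide(d)}")
```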