Initially introduced on computers as a replacement for the LPT, PS/2, and serial ports used by peripherals (e.g., printers, scanners, mice), USB ports and USB devices have now been part of our lives for more than 25 years.
They are the standard when it comes to charging mobile and portable devices; USB charging ports and stations can be found pretty much anywhere, from a Starbucks to an airport.
USB memory (flash) sticks have largely replaced writeable discs as the medium to exchange all sorts of documents quickly, easily, and, to a certain extent, safely between devices. However, one must be careful what and where they “plug in,” as USB remains one of the easiest ways for hackers to gain physical access to a system in order to compromise it.
Don’t Use USB Just Anywhere
Although most charging stations or ports you find in public places are legitimate, some could have been tampered with to damage your device, or could even include a micro-computer (e.g., Raspberry Pi) that would attempt to connect to your device and clone or retrieve data from it.
To avoid this, the best option remains using your own USB charger and plugging it into a power socket.
Ensure the USB is Trustworthy
The same goes for connecting a USB stick or HDD to a computer to copy or download documents. Make sure you know whom and where this USB device comes from and what it supposedly contains.
Ensure your computer has some kind of virus/malware protection that will scan the USB device, looking for potential viruses, trojans, or any other threats.
These attack vectors have been used in Hollywood as plot devices for movies and shows, for example, in a Mr. Robot episode, where the protagonist drops USB sticks in the parking lot of a police precinct with the goal of infiltrating a police department to alter prison records. The concept is that someone at the precinct would eventually pick up the USB stick and, out of curiosity, plug it into their computer. Like all great plot devices, the protagonist’s plan works, and he can alter the records. However, in real life, hopefully the police’s security software would be able to detect the malware in time, before an infection occurs.
Ideally, a dedicated computer, isolated from your local network, could be used to first plug in an unknown USB device and scan it. Then, if safe, documents could be copied via another trusted device to your computer. This may seem impractical, but it does ensure that your main device does not fall victim to a USB kill device, which resembles a regular USB stick but sends high-voltage power surges into the device it is connected to, likely damaging hardware components.
These precautionary steps might sound like too much for a simple, seemingly innocuous USB key, but the hacking potential is well-established.
Protect Your Devices
One of the best measures you can take to ensure your data is not compromised is to secure your devices. From an enterprise perspective, you want to prevent any potential unauthorized access to any device, either personally owned or corporate-owned, depending on where the corporate data resides.
Your UEM software should already include some USB-related policies to control how the USB port can be used. Some examples include:
- Disable the USB port when the device is locked
- Require device password when connecting to a computer
- Only plug in trusted USB sticks
- Be wary of USB cords with an unnecessarily large hood
- Disable file transfer using Media Transfer Protocol (MTP)
- Disable USB OTG (host storage) so no external storage can be mounted
If you have any questions or concerns about how to improve your security posture, please feel free to contact us.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group