Q&A

USB Security Attacks Are Still a Threat

While security experts must keep an eye on evolving threats, older attack vectors should not be forgotten or ignored.

Inside the Session

What: USBreached and USBroken

When: Nov. 19, 4:15-5:30 p.m.

Who: RDPSoft CEO Andy Milford

Why: "While USB attacks may not get all of the headlines, IT and security professionals need to know the capabilities of these attacks and how to mitigate the damage. Knowledge is power!"

Find out more about Live!360, taking place Nov. 17-22 in Orlando, Fla. Register by Sept. 27 to save $400!  

While new avenues for attacks pop up on almost a daily cadence, it's easy to overlook older attack vectors that remain just as dangerous as their newer counterparts.

Andy Milford, CEO of RDPSoft and a seasoned expert in Windows networking and security, warns that USB-based attacks are far from obsolete. As advanced persistent threats (APTs) continue to seek the easiest points of ingress into organizations, Milford stresses that IT teams must not ignore the serious risks posed by USB devices.

In an interview with Redmond, Milford highlights the enduring relevance of USB threats, citing recent FBI bulletins and high-profile incidents that demonstrate the ongoing dangers. From compromised public charging stations to the use of Human Interface Devices (HIDs) in employment fraud, the landscape of USB-based attacks is more diverse and dangerous than ever.

He'll also be delving deeper into these risks during his November Live!360 session, "USBreached and USBroken." Register today to join us and Milford in Orlando, Fla. in November to learn valuable ways you can keep your organization safe. Save $400 when you register by the Super Early Bird deadline of September 27.

Redmond: It's been a while since USB-delivered attacks have made big headlines. What makes these sorts of threats especially pernicious, and what do IT teams risk by ignoring them?
Milford: Hackers and especially APTs (nation state attackers) are always looking for the easiest point of ingress into an organization to plant malware, ransomware and to steal/exfiltrate data. USB attack vectors remain serious enough that the FBI and other agencies are issuing warnings. As recently as April 2023, the FBI released a bulletin to NOT use public charging stations, as they could be compromised by bad actors. Earlier this year, the Federal Board of Revenue in Pakistan experienced an event where an employee copied documents to a USB drive, brought them to a local print shop to print hard copies and had the USB storage device compromised, leading to an incident at that agency when the worker brought the USB drive back onsite. In fact, the threat is serious enough that the latest version of Android now has a new feature that disables data transfer when a phone is charging via a USB cable.

Beyond just data theft, malware and ransomware, USB HIDs (Human Interface Devices) are now increasingly being used to commit employment fraud, by simulating mouse and keyboard clicks to circumvent business software that monitors employee productivity. Wells Fargo was in the news recently after it announced terminating employees caught using these types of devices.

While USB attacks may not get all of the headlines, IT and security professionals need to know the capabilities of these attacks and how to mitigate the damage. Knowledge is power!

Redmond: Your session abstract mentions "USBKillers," "Juicejackers" and "Rubber Duckies." Without giving too much about your session away, can you briefly describe what each of these terms means?
Milford: "USBKillers" are USB devices with in-built capacitors that, when plugged into a device with a USB port, receive the USB 5V charge, amplify the charge via the capacitor to a much higher voltage, and then discharge back into the target device, destroying it or rendering it inoperable. "Juice jackers" are specially compromised USB cables, or USB charging ports, that are designed to plant malware and/or steal data from connected devices. "Rubber Duckies" are USB drives that, rather than acting like a storage drive per se, are seen by the operating system as an HID (Human Interface Device) capable of sending keystrokes or mouse input. These devices can be used to simulate input (to defeat employee monitoring software), send commands to the connected system to plant malware and/or steal data and much more -- the possibilities are literally endless.

Redmond: How are USB-based security compromises related to BYOD-related security issues? Is there any overlap between the two, both in terms of risk and mitigation strategies?
Milford: BYOD policies can be dangerous for organizations insofar as those IT Admins are allowing potentially un-sanitized user devices connected to the Internet to access the organization's network. This danger is only multiplied if users are not scrupulous about how they use/share/charge those BYOD devices and USB drives they connect to those BYOD devices. Many organizations are moving to a model where they issue the hardware to the worker, with endpoint protection software built into the issued hardware to mitigate this. Setting policies that prohibit USB use on those devices may be appropriate.

Redmond: What other peripherals besides USB devices should IT pros be wary of from a security standpoint?
Milford: Next to USB devices, I would say Bluetooth peripherals are another significant attack vector.

Redmond: From your perspective, has the move toward hybrid/remote work made a difference in USB-related threats?
Milford: I think it simply amplifies the threat. Once organizations adopt a BYOD policy, they lose control, to a degree, as to what is being done on the user's hardware and what devices are being connected to that hardware, unless they issue their own hardware to the worker and meticulously lock things down with BIOS settings, Group Policy/Intune Policies and Endpoint Security software.

About the Authors

Gladys Rama (@GladysRama3) is the editorial director of Converge360.

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.