
Case Study 4: USB Devices As Sources of Malware

Posted on Thursday, October 15, 2015 in News.

This is the fourth of a series of case studies to be released during October for National Cybersecurity Awareness Month. Vanderbilt IT will publish new case studies Mondays and Thursdays throughout the month.

Drive-by downloads. Spear phishing. Buffer overflows. Clickjacking. While there are countless ways for malware from the Internet to infect you, you can also be compromised without ever opening a web browser or e-mail.

In early 2010, inspectors for the International Atomic Energy Agency realized that centrifuges at Iran’s Natanz nuclear facility were failing at an unprecedented rate. Five months later, the cause was discovered: Stuxnet. Stuxnet was malware so sophisticated that it was widely believed to have been created by a nation-state. The source? Infected USB thumb/flash drives used by contractors connected with Iran’s nuclear program.[i]

In September 2013, world leaders came together at the annual G20 Summit in St. Petersburg, Russia. The conference was largely uneventful, but, as world leaders left, they received commemorative gift bags containing attractive USB flash drives and cell phone chargers emblazoned with the G20 logo. At the request of one attendee, German Intelligence analyzed the devices. Both were infected with malware that could silently upload data to and download data from any connected device.[ii]

In late 2007, a U.S. Department of Defense (DoD) employee stationed in the Middle East found a USB thumb drive in the base parking lot. When he connected it to his laptop, the drive installed a worm known as agent.btz. For more than a year, the worm spread throughout Pentagon networks, transmitting top-secret information to an unknown foreign server. Two years after the initial infection, it was finally eradicated.[iii]

In 2011, the U.S. Department of Homeland Security secretly dropped USB thumb drives in the parking lots of government buildings and private contractors; 60% of those who picked up one of the drives plugged it into an office computer. That number rose to 90% for drives carrying an official logo.[iv]

In March 2013, Microsoft released MS13-027, a security update for a vulnerability that an attacker with physical access could exploit simply by plugging a specially crafted USB device into the system and taking control of it.[v] In October of the same year, MS13-081 was released for a different vulnerability with the same ominous description.[vi] Another USB-triggered vulnerability was patched as recently as August 2015.[vii]

USB vulnerabilities are not specific to Microsoft, though. At the 2014 Black Hat security conference, researchers Karsten Nohl and Jakob Lell demonstrated that USB security is inherently flawed: the microcontroller inside many USB devices runs firmware that can be silently rewritten by malware, and the host has no way to verify it.[viii] A reprogrammed device can emulate a keyboard and surreptitiously type any series of commands, spoof a network card and hijack Internet traffic,[ix] or alter the contents of your files as they are read and written. Dubbed BadUSB, the reprogramming is almost impossible to detect from the host, and because it lives in the controller firmware rather than in the storage area, it survives even a complete wipe of the drive’s contents.[x]
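The BadUSB pattern described above has one property a defender can check for from the host: a device that claims to be a flash drive but also enumerates a keyboard (HID) or network interface. The following Python is an added example, not code from the original post or from the BadUSB researchers. It parses text in the shape of `lsusb -v` output, collects each device's USB interface class codes, and flags devices that mix mass storage with HID or network classes. The sample input at the bottom is constructed for this example (the vendor IDs, product IDs and device names are made up), and the class codes are the standard USB-IF assignments.

```python
"""
Added example: flag USB devices whose interface classes match the BadUSB
patterns (a "flash drive" that also presents a keyboard or a network card).
Input is text shaped like `lsusb -v` output; the sample below is constructed
for this example and does not describe any real product.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# USB-IF interface class codes relevant to the BadUSB attack patterns
CDC_CONTROL = 0x02   # communications class (USB Ethernet such as CDC-ECM)
HID = 0x03           # human interface devices: keyboards, mice
MASS_STORAGE = 0x08  # the only class a plain flash drive should present
CDC_DATA = 0x0A      # data channel of a CDC network device
WIRELESS = 0xE0      # wireless controller; RNDIS gadgets commonly use E0:01:03

NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}

DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")
IFACE_CLASS_RE = re.compile(r"^\s*bInterfaceClass\s+(\d+)")


@dataclass
class UsbDevice:
    bus: str
    dev: str
    vid: str
    pid: str
    name: str
    interface_classes: List[int] = field(default_factory=list)


def parse_lsusb(text: str) -> List[UsbDevice]:
    """Collect every device and the class code of each interface it exposes."""
    devices: List[UsbDevice] = []
    current = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = UsbDevice(*m.groups())
            devices.append(current)
            continue
        m = IFACE_CLASS_RE.match(line)
        if m and current is not None:
            current.interface_classes.append(int(m.group(1)))
    return devices


def assess(device: UsbDevice) -> List[str]:
    """Return the reasons a device looks like a reprogrammed (BadUSB) drive."""
    classes = set(device.interface_classes)
    findings = []
    if MASS_STORAGE in classes and HID in classes:
        findings.append("storage device also presents a HID interface (keystroke injection)")
    if MASS_STORAGE in classes and classes & NETWORK_CLASSES:
        findings.append("storage device also presents a network interface (traffic hijacking)")
    return findings


def suspicious_devices(text: str) -> Dict[str, List[str]]:
    """Map 'vid:pid name' to its findings for every device that raises any."""
    report: Dict[str, List[str]] = {}
    for device in parse_lsusb(text):
        findings = assess(device)
        if findings:
            report[f"{device.vid}:{device.pid} {device.name}".strip()] = findings
    return report


# Constructed sample in the shape of `lsusb -v` output (not a real capture).
SAMPLE_LSUSB = """\
Bus 001 Device 003: ID 1234:0001 Example Vendor Flash Drive
Device Descriptor:
  bNumConfigurations      1
  Configuration Descriptor:
    bNumInterfaces          1
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
Bus 001 Device 004: ID 1234:0002 Conference Giveaway Drive
Device Descriptor:
  Configuration Descriptor:
    bNumInterfaces          2
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 005: ID 1234:0003 Gift Bag Phone Charger
Device Descriptor:
  Configuration Descriptor:
    bNumInterfaces          3
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
    Interface Descriptor:
      bInterfaceClass         2 Communications
    Interface Descriptor:
      bInterfaceClass        10 CDC Data
"""

if __name__ == "__main__":
    for label, findings in suspicious_devices(SAMPLE_LSUSB).items():
        print(label)
        for finding in findings:
            print("  -", finding)
```

On a real Linux host the input would come from `lsusb -v`. The check is deliberately conservative: it does not catch a device that presents only a keyboard interface, since that is what a real keyboard looks like, which is why the researchers call the problem hard to detect. Enforcing the same idea at the kernel level is what USBGuard does; a policy such as `allow with-interface equals { 08:*:* }` admits a device only if mass storage is the sole interface it offers.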

What can you do to protect yourself?

  • Never plug someone else’s USB device into your computer. Never plug your USB device into another’s computer.
  • Use cloud services such as Dropbox, Microsoft OneDrive and Google Drive to share personal files and photos. To share work-related content with your colleagues, use Box.com, Accellion, secure Vanderbilt file shares or other services listed on it.vanderbilt.edu.
  • Use USB thumb/flash drives with digitally signed firmware, such as Imation’s IronKey line, so that a rewritten controller will not be accepted.[xi] If you choose less secure devices for personal use, make sure that they are made by reputable manufacturers (Kingston, Lexar, SanDisk, etc.) and are purchased from well-known firms. Generic brands from unknown vendors on sites such as eBay and Amazon, and free devices given away as promotions at conferences, are much more likely to contain malware.[xii]
  • Install the latest firmware and software security patches from Microsoft, Apple, Google, etc., and keep all of your devices completely up to date.
  • Use different USB drives for home and for work. Do not plug your work-related USB devices into your home computer, and do not plug your personal USB devices into your work computer.