Today we rely almost entirely on USB-based devices to run our lives. Our phones charge using a USB cable, and we connect flash drives to our PCs and phones over USB. We even attach WiFi dongles and Ethernet adaptors using USB. USB is also evolving towards faster data transfer speeds, to the point where it is now possible to drive two 4K displays via a USB 3.1/Type-C connector.
A Bit of Technical Background
What is less well known is that a typical USB connector has four connections (pins):
- Two pins that provide power, which is what charges your device but also powers the device itself while it is connected
- Two pins that provide a data connection, allowing your device to exchange information with the device it is connected to.
Typically the power pins should not pose a threat, unless they deliver unregulated power to your device. This is by no means impossible, since several third-party chargers have been known to provide little power protection during fast-charge cycles.
However, it is the data pins that pose the greater threat.
The firmware within a USB device can also be hacked. This is software embedded in the USB device that runs as soon as the device is plugged in, to allow access to the content on the USB drive/device. If this firmware has been corrupted to host malware, plugging the device into your computer allows it to do many things:
- Install malware onto your computer
- Operate as a keyboard, sending commands to your computer to download additional malware
- Modify files on your computer while appearing to operate normally
- Function as a USB WiFi adaptor or cellular connection to transmit files to a remote system operated by hackers
- If connected during the boot sequence, detect this and install malware during the boot process, which could effectively evade anti-malware software, especially if the device isn’t booting securely.
Malware can also be propagated using a USB storage device (e.g. a pen drive) simply by placing on it a malware-infected file that runs automatically when the device is inserted into a PC. An article from CNet from 2008 demonstrates this. Fileless malware can also be propagated using USB sticks – see the article from Trend Micro in 2017.
What can you do to avoid these threats?
There are various mitigating actions you can put in place to reduce the threat from a rogue USB device. These include:
- Turning off the AutoRun capability for any USB attached device
- Enabling your anti-virus to scan devices on initial connection
- Asking yourself whether you trust the device (see below).
You should always ask yourself whether or not you trust the USB device. For example:
- Did the device come to you in commercial packaging as a new device?
- If a device comes without commercial packaging, or the packaging is damaged, this could be an indicator that the device has been tampered with in some way
- Do you trust the person/organisation handing you the device?
At a 2018 summit between the US and North Korea, USB fans that could be attached to phones were handed out to journalists (see the article from Bleeping Computer). Ask anyone in the security community about North Korea and they will tell you it is a major nation-state cyber threat actor. These fans were analysed and found not to be infected with malware, but the fact that they were being handed out free, and that they were manufactured in China, could have been dangerous.
As a general rule, if I am handed a USB data stick/device by anyone I don’t know, the first thing I now do is refuse it. If it ends up in my pocket anyway, I will not put it into any device I own and will typically destroy it so that no-one else gets affected. USB devices are often handed out free at conferences, but the safer way to get the content is to download it from the distributor’s website over a secure HTTPS connection.
The threat isn’t limited to USB data sticks; it applies to any USB device, including a set of headphones.
A large number of companies now disable the USB ports on company-issued devices, often using a software package that allows only registered devices to connect. As a home user, you can always disable the USB ports on your PC through the BIOS settings or, on Windows-based PCs, through Device Manager (Macs probably have a similar feature). Unless you root your phone (not recommended), you typically cannot disable the onboard USB connectors on your phone.
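As an added example (my own, not code from the original post), here is a PowerShell script covering the Windows-side mitigations from the list above and this paragraph: turning off AutoRun, denying removable storage through policy, auditing the connected USB devices against an allowlist of registered vendor/product IDs, listing keyboards that arrived over USB, and checking Secure Boot. It assumes Windows 8 or later with the PnpDevice and SecureBoot modules available; the registry paths are the standard policy locations that Group Policy writes to, and the allowlist IDs are constructed placeholders.

```powershell
# Added example: PowerShell hardening and audit script for the Windows-side
# mitigations discussed in the post. Run from an elevated prompt.
# Registry paths are the standard Windows policy locations that Group Policy
# writes to; the allowlist IDs below are constructed placeholders.
#Requires -RunAsAdministrator

# Write a DWORD policy value, creating the key first if it is missing.
function Set-PolicyDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1. Turn off AutoRun for every drive type. NoDriveTypeAutoRun is a bitmask of
#    drive types to exclude from AutoRun; 0xFF (255) covers all of them.
function Disable-AutoRun {
    Set-PolicyDword -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
        -Name 'NoDriveTypeAutoRun' -Value 0xFF
    Write-Host 'AutoRun disabled for all drive types.'
}

# 2. Deny all access to removable storage (the value behind the Group Policy
#    "All Removable Storage classes: Deny all access"). -Undo clears it again,
#    for example while a registered device is legitimately in use.
function Set-RemovableStorageDeny {
    param([switch]$Undo)
    $deny = if ($Undo) { 0 } else { 1 }
    Set-PolicyDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
        -Name 'Deny_All' -Value $deny
    Write-Host ("Removable storage access: " + $(if ($Undo) { 'allowed' } else { 'denied' }))
}

# 3. Audit connected USB devices against an allowlist of vendor/product IDs
#    (the "registered devices" approach the post mentions). Windows instance IDs
#    look like USB\VID_xxxx&PID_yyyy\<serial>, so a prefix match is enough.
#    Placeholder IDs, constructed for this example: replace with your own.
$script:AllowedUsbIds = @('VID_0000&PID_0001', 'VID_0000&PID_0002')

function Get-UnregisteredUsbDevice {
    param([string[]]$AllowList = $script:AllowedUsbIds)
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\VID_*' } |
        Where-Object {
            $id = $_.InstanceId
            # Keep the device only if no allowlist entry matches its VID/PID prefix
            -not ($AllowList | Where-Object { $id -like "USB\${_}\*" })
        } |
        Select-Object Class, FriendlyName, InstanceId
}

# 4. List keyboards that are attached over USB. A "storage stick" that also
#    appears in this list is the device-pretends-to-be-a-keyboard pattern
#    described above; compare against the physical keyboards you expect.
function Get-UsbKeyboard {
    Get-PnpDevice -Class Keyboard -PresentOnly |
        Where-Object { $_.InstanceId -like 'HID\VID_*' -or $_.InstanceId -like 'USB\VID_*' } |
        Select-Object FriendlyName, InstanceId
}

# 5. Report whether Secure Boot is on, since boot-time USB attacks are easier
#    against a machine that is not booting securely. Confirm-SecureBootUEFI
#    throws on legacy BIOS systems, which is reported rather than treated as an error.
function Test-SecureBootStatus {
    try {
        if (Confirm-SecureBootUEFI) { 'Secure Boot: enabled' } else { 'Secure Boot: DISABLED' }
    } catch {
        'Secure Boot: not available (legacy BIOS or unsupported firmware)'
    }
}

# Typical run: apply the policies, then review what is plugged in right now.
Disable-AutoRun
Set-RemovableStorageDeny
Test-SecureBootStatus
Get-UnregisteredUsbDevice | Format-Table -AutoSize
Get-UsbKeyboard | Format-Table -AutoSize
```

The audit functions only report; they do not block anything, so they work best combined with the deny policy (cleared temporarily when a registered device is needed) or with a proper device-control product, which is what the corporate packages mentioned above provide.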
What about these Power Connectors?
As mentioned above, faulty power adaptors can produce a power surge that damages your device. Also, USB cables that support fast charging need a power regulator built into them to limit the flow of power to safe levels. These can be faulty, and in the early days of USB Type-C charging cables this was a real issue – not so much now. However, there are a number of additional threats that you need to be aware of.
Juice Jacking: How often have you charged your phone for free at a charging station at an airport or other venue? If you are using a standard USB cable to charge your device, the data pins are intact and can be used by a malicious charging station to spread malware. This is called Juice Jacking (see the Wikipedia article on it). You can buy USB cables with the data pins disconnected from many online stores. These come as complete cables, or as an adaptor you plug into your standard cable that disconnects the data pins. You should also use one of these if you are charging from a hotel power socket, especially if you are not using your device manufacturer’s power brick, which typically does not connect the data pins.
USB Killer: Another threat that has recently surfaced is a device now being called a ‘USB Killer’, which has been used to destroy a number of PCs (see the article on ZDNet). This is an innocuous-looking USB stick-type device that contains a number of high-power capacitors that charge up when the device is connected to a target computer. Once charged, they discharge back into the computer at around 200 V, destroying the electronics on the motherboard of the connected PC and killing it. These can be purchased from several online shops (Amazon, eBay, etc.) as penetration testing tools. However, the true use of these sticks is to damage computer equipment. From the outside you might not be suspicious, until you plug it in and, say, 20 seconds later your PC starts smoking.
The ones I have seen online are in the form of a USB data stick, but realistically they could be disguised as a set of headphones or any number of other USB-based devices.
USB devices are incredibly useful, and I could not work without them. However, there are a number of threats you need to be aware of, and exercising good device hygiene is a good way to mitigate the majority of them.
By getting this far in this blog you will be better armed to defend yourself against these threats. However, as usual, the best anti-malware device you have is what’s between your own ears – your brain. Think before you act and before you connect that unknown device to your PC, phone, etc. By the time you realise the USB device you have just connected is malicious, it is probably too late.