Ask the Expert

Can USB compromise the security of an embedded mobile device?

Can the security of an embedded device be compromised using USB? Specifically, when a device is connected to the host PC through USB, can the device be broken into by using an application that runs on the host PC?

    Requires Free Membership to View

    Login

Indeed it can. Let's look at how USB devices connect to a PC, and you'll see why. Universal Serial Bus, commonly referred to by just its acronym USB, is a serial bus standard used to connect devices to a host computer. A bus is a subsystem that transfers data between computers or among computer components. Being a serial bus, USB sends data sequentially one bit at a time. It was created to improve the plug-and-play capabilities of the increasing number of devices people wanted to connect to their computers.

If you remember back to the early days of personal PCs, it was a real chore to connect a new device. It was often necessary to set jumpers, add extra serial or parallel ports, install device drivers and reboot, probably several times. Now thanks to USB, a single standardized interface socket, those days are gone. USB devices can be connected and disconnected without rebooting the computer or turning off the device. It has, of course, been widely adopted as the connection interface of choice, and according to the USB Implementers Forum, as of 2008, there are about 2 billion wired USB devices in the world.

USB, however, is only a standard to interface devices to a host computer. It doesn't provide any security features to filter the data that passes through the connection. In this respect, it is exactly the same as an Ethernet or printer cable; any device connected to a PC via a USB connection can be accessed by an application running on the host PC. Therefore, if the PC has been infected by malware, for example, the malware could access data on a portable hard drive that is connected to the PC via a USB cable. The danger could occur in reverse as well, should a U3-enabled USB drive with auto-launching applications (including malware) connect to a PC could and then access data on the host PC or logs all characters typed on the computer keyboard.

To mitigate these risks, you can disable all USB ports on a PC, but this is rarely practical because the ports may be required for devices such as keyboards and mice. If your organization runs a Windows-based network, then you can control USB drives using Active Directory. Individuals and groups that do not need to use a USB drive can be denied access to the ubstor.pnf and ubstor.inf files through an Active Directory group policy. New to Windows Vista, an administrator can now allow users to install only devices that are on an approved list or deny read or write access to devices that are removable or that use removable media. There are also third-party programs that provide a range of access controls for USB drives.

Hopefully, you can see that USB is merely a means to connect a device to a PC, not to control what the device does. In order to protect the USB device, you will need to provide security measures, which should, of course, be supported by policies that cover and clearly communicate the appropriate use of USB devices.

More information:

  • See how earlier this year, hackers had been discovered corrupting USB sticks.
  • Rob Israel likes the iPod as much as the next guy. But he's not about to let employees plug the mobile devices into their work machines.

    • This was first published in January 2009

    Join the conversationComment

    Share
    Comments

      Results

      Contribute to the conversation

      All fields are required. Comments will appear at the bottom of the article.
      Back to top