LAS VEGAS -- Seemingly innocuous devices pose a considerable security threat to your company's crown jewels, according to researchers who identified two new bugs in the Microsoft Windows XP Universal Serial Bus [USB] driver.
SPI Dynamics security engineers David Dewey and Darrin Barrall at last week's Black Hat security conference discussing two USB driver bugs that could easily lead to daunting security compromise. In "Plug and Root, the USB Key to the Kingdom," they showed how easy it is to transform a common USB storage device into what is essentially a hardware-based Trojan.
While physical proximity to a machine could lead to easy compromise, Dewey said physical compromise is usually risky and visible. A USB-based Trojan, however, can allow for full data compromise with less than 10 seconds of physical access. Citing the example of a retail point-of-sale terminal with a USB port on the monitor, a malicious attacker can discretely plug in the USB device, wait 10 seconds while a monitoring program downloads and then leave the scene. Subsequently, after a time period of a week or so has elapsed, the USB device is plugged back in and the recorded transaction and credit card information is pulled off the terminal for "two, 10-second attacks that no one ever saw."
Another example cited is to simply put out a fishbowl of free USB devices that look like thumb-drive freebies at a conference, or typical "marketing swag," as a way to effectively distribute a rootkit that sends information back to the malicious attacker. Dewey stated "someone walks by, picks this up and they root themselves" -- alluding to having the device "phone home" and transport information after a USB device is inserted into a victim's PC.
A third example is a SneakerNet worm, where an unknowingly infected individual moves unauthorized 'Paris Hilton' images via a thumb drive circulated amongst co-workers.
Dewey stated this was only a few of many simple ways a malicious individual could leverage USB devices to his benefit with the "Walk-Up-and-Own, attack vector."
While this type of attack can only occur with Windows AutoRun functionality, and only works on non-removable devices, Dewey showed how to make a USB device look non-removable via in-system programming typically used to update USB device firmware. Dewey suggests countering USB-based attacks by disabling Windows XP AutoRun functionality.
Subsequently, Darrin Barrall presented the hardware "Meta-USB" device, which the team constructed as a tool to attack an OS kernel. The so-called meta-USB device can emulate other USB devices that have device drivers that are typically written with, and assumed to be trusted by, the operating system.
While the Meta-USB device is constructed so it can look like any USB device supported by the Windows operating system, Dewey stated these issues are not specific to Windows. "We'll be able to target some Windows specific drivers that are by default installed, [on Windows] 2000 and later, and we will target those. This same device that we have, however, is USB 2.0 compliant and can be tested against Linux, OS X, whatever you want."
An anonymous source close to the issue said that what was shown was only the tip of the iceberg and that a device like the Meta-USB could be used to "own the box" with much more ease that the presenters described.
Victor R. Garza is a technology/security consultant and lecturer at the Naval Postgraduate School in Monterey, Calif.