Penetration Testing mailing list archives

Re: USB delivered attacks


From: Gadi Evron <ge () linuxbox org>
Date: Mon, 31 May 2004 22:54:55 +0200

Jerry Shenk wrote:

> I recently inserted some guy's USB drive into a machine and was a bit
> surprised when it went into an auto-run sequence.  I think turning off
> auto-run is a REALLY good idea.  On a USB drive, it seems like it could
> be really dangerous.  Has anybody messed with this?
>
> One possible scenario:
> - Have a USB drive with a few tools on it.
> - Have an auto-run configured to run pwdump and dump the SAM to the USB
> drive
>
> It seems that this attack would work with a machine that was locked from
> the console.  Does 'autorun' still work under a locked screen?  With
> this USB drive being writeable, it would seem that some scripted attack
> to extract information from a machine could be amazingly fruitful....the
> possibilities are almost endless.

Indeed.

This has been covered on several occasions, some on TV Sci-Fi shows and some in actual security discussions.

Basically it is not always just about auto-run (which is always a good idea to disable). USB auto-installs a driver for itself on plug-in.

That driver can be:
1. Messed with.
2. Built from scratch with one of *many* SDKs out there.

USB brings the threat of any user, maid, cleaner or hostile whoever to plug it in, gather whatever information/perform whatever action, and leave.

I feel threatened enough by the fact that such small devices with such a huge capacity exist and can be smuggled in so many ways, automatic operations are just a plus. You don't really need many tools other than Copy, but I suppose tools can be created.

This can be taken forward in many ways, from simply connecting a USB drive and copying information as I've mentioned, through Palm Pilots which would allow you to choose what you want to steal, all the way to wireless devices which can be remotely controlled by a laptop or through, say, a cellular device, whether temporarily for the sake of one illegal operation, or permanently, hidden.

Disabling USB altogether, virtually, by domain policy or removing the USB devices themselves, maybe even just filling the plugs with silicone or glue physically, are some more drastic options which some organizations *might* take, but I don't see it as a very viable option for most.

It all depends on your risk analysis. Cost vs. benefit, as always with security.

There exist several tools to monitor a domain for when and if a USB device is connected to any remote machine, and of what kind. A simple web search should help you find some examples.

The security risks of USB are more than this short email can convey, but I think I gave you enough to get started and to think about.

I hope I was helpful,

        Gadi Evron.

--
Email: ge () linuxbox org.  Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).

PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
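The three defensive measures the reply touches on (disabling AutoRun, disabling removable storage by policy, and keeping track of which USB storage devices have been connected) can be checked locally on a Windows host. The PowerShell script below is an added example, not part of the original thread; it reads the standard Windows registry locations for these settings, and the report layout is my own.

```powershell
# Added example (not from the original thread): audits the USB controls
# discussed above on the local Windows host. Run in an elevated prompt for
# complete results; it only reads the registry and changes nothing.

$results = @()

# 1. AutoRun policy. NoDriveTypeAutoRun is a bitmask of drive types for which
#    AutoRun is suppressed; 0xFF (255) disables it for every drive type.
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-ItemProperty -Path $polPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
$autorun = if ($pol) { $pol.NoDriveTypeAutoRun } else { $null }
$results += [pscustomobject]@{
    Control = 'AutoRun disabled for all drive types'
    Value   = if ($null -eq $autorun) { 'not set' } else { '0x{0:X2}' -f $autorun }
    Pass    = ($autorun -eq 0xFF)
}

# 2. USB mass-storage driver. Start = 4 means the USBSTOR service is disabled,
#    so removable storage cannot be mounted (the "domain policy" option above).
$usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control = 'USB mass storage driver disabled'
    Value   = if ($usbstor) { $usbstor.Start } else { 'not present' }
    Pass    = [bool]($usbstor -and $usbstor.Start -eq 4)
}

# 3. Device history. Every USB storage device that has been plugged in leaves
#    a subkey under Enum\USBSTOR (model, then per-device serial). Listing it is
#    the simplest local form of the monitoring mentioned above and helps spot
#    devices nobody expected to see on that machine.
$enumPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$devices = @()
if (Test-Path $enumPath) {
    foreach ($model in Get-ChildItem $enumPath -ErrorAction SilentlyContinue) {
        foreach ($inst in Get-ChildItem $model.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue
            $devices += [pscustomobject]@{
                Model    = $model.PSChildName
                Serial   = $inst.PSChildName
                Friendly = $props.FriendlyName
            }
        }
    }
}

$results | Format-Table -AutoSize
"USB storage devices seen on this host: $($devices.Count)"
$devices | Format-Table -AutoSize
```

The device list only covers storage-class devices; a USB device presenting itself as a keyboard or network adapter (the custom-driver case in the reply) is enumerated under other keys and needs separate monitoring.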

