Endpoint Security , Enterprise Mobility Management / BYOD , Governance & Risk Management

A New Way to Mitigate USB Risks

Open Source Software Blocks Malicious Actions, Researchers Say
A New Way to Mitigate USB Risks

USB is an old friend, and it's not going away anytime soon. First released in the mid-1990s, the specification eliminated the mess of ports on computers by defining how cameras and hard drives can seamlessly connect to a computer. Even Apple - which has often taking the lead in eliminating ports and drives - has retained a lone USB 3.0 port on its MacBook line of laptops.

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

But USB devices, such as flash storage drives, pose a big security risk. Computers blindly trust whatever is on the drive, which is sometimes not what is advertised. That's made flash drives an attractive attack vector because many users blindly trust the devices.

The fear of an attack coming from a USB drive has led to some drastic measures, including filling USB ports with epoxy or using physical locks on ports. But academics say they've developed a defense. They presented a research paper on the project at the Usenix Security Symposium in early August. For the event, they gave away red hats that say: "Make USB Great Again," playing off U.S. presidential candidate Donald Trump's campaign theme.

Unleashing Packet-Level Filters

Their software, called USBFILTER, is a packet-level access filter that enforces a tight set of rules for how interfaces on a USB device can interact with the host operating system, says Kevin Butler, associate professor in the computer and information science and engineering group at the University of Florida.

The term interface, in this case, refers to an internal function on a USB device. For example, a USB headset has interfaces for the speaker, the microphone and the volume controls. Operating systems trust interfaces and load the drivers for them automatically. Accordingly, many sneaky USB assaults involve stuffing a secret interface onto the USB drive, then using it as an attack vector.

Figuring out what is a bad interface versus a good one is tough because USB packets are difficult to analyze, Butler says. But the developers behind USBFILTER have engineered it to help assess which packets are coming from which interface. Such knowledge can then be applied to prevent unauthorized interfaces from connecting to the operating system.

The software can also be used to limit what interfaces can do, the developers say. Plug a USB webcam into a USB port on a PC, for example, and USBFILTER can ensure the device only gains access to Skype and can't secretly activate the camera at other times. Or a USB headset with a speaker and a microphone could be restricted to only allow the speaker to interact with an operation system, since microphones also pose a security risk. Or the software can deactivate all interfaces, so that the USB port on a computer can be restricted to only act as a charging port for mobile devices.

"It's a very powerful mechanism that really allows for fine-grained control over any type of data from any type of USB device," Butler claims.

If a USB device other than a real keyboard is programmed to emulate a keyboard, that can also be blocked using the software, the developers say. That could help avoid attacks such as BadUSB, which was described at the Black Hat hacking conference in 2014. In that demonstration, researchers showed that it's possible to rewrite the firmware of a USB device and include malicious functions, such as a secret keyboard, that are undetectable to anti-virus products.

To defend against that, USBFILTER can whitelist the mouse and keyboard of a host machine and drop any other packets representing themselves as those kinds of devices. It still might be possible to try to fool USBFILTER by impersonating those devices with their product and vendor numbers, known as VID/PID, and the serial number, the developers acknowledge. But that would require the attacker to unplug the existing mouse and keyboard and plug the malicious device back in. It's an attack vector that wouldn't work by dropping a malicious USB key in a supermarket parking lot and hoping someone picks it up.

Open Source Approach

USBFILTER is open-source code and has been posted on GitHub. The software has been written for Linux, but Butler says it could be ported to Mac and for Windows.

The real power from USBFILTER will come if it is used throughout an organization and an administrator can centrally control and deploy new rules, the developers say. Related software hasn't been designed yet, but it would mean administrators wouldn't have to worry about what users who access their networks are jamming into USB ports.

"Our eventual hope is that we potentially get this made into a standard part of your operating system," Butler says.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.