USBs (as well as CDs, DVDs, etc.) are designed to provide removable storage for a computer. This storage includes both data files (Word documents, videos, etc.) and programs that can run off of the removable media. While useful, these devices can also be easily weaponized by an attacker and pose significant cyber risk to an organization.
The Threat of Autorun
The ability to run programs on removable media can be a problem, especially since some operating systems have “autorun” capabilities for removable media. This capability means that the removable media can be created in such a way that certain programs are run when it is inserted into a computer that has Autorun enabled.
Autorun can be helpful in some cases, such as automatically running programs from an installation CD. However, it can also be abused by cybercriminals that put malicious programs set to run automatically on removable media sent to their targets.
Cyber Threats of Removable Media
Removable media, such as USBs, CDs, and DVDs, can be weaponized in a number of different ways. These range from delivering malware to stealing data to physically destroying the computer that they are inserted into.
One of the most common uses for a weaponized USB is to deliver malware to an organization. A malicious USB could be distributed at a conference, dropped in a parking lot (labeled as “Employee Bonuses” or similar), or mailed to an employee as a “free gift”. Once the USB is inserted into a computer, it can either use Autorun to execute the malicious functionality or trick the target into running it using an enticing filename.
The use of removable media for delivering malware is dangerous because it sneaks the malware past the security solutions deployed at the organization’s network perimeter. Unless an organization has an endpoint security solution in place, it may not detect the attack until it is too late.
Initial Network Access
A malicious USB has the ability to run programs using Autorun functionality or by tricking an employee into running them. This means that a malicious USB can be a useful tool for an attacker trying to establish a foothold on an organization’s network.
Once the USB has been inserted into an employee’s machine, the malicious program installed on it can open up an outbound network connection to a computer controlled by the attacker. Such a “reverse shell” will likely be capable of bypassing the organization’s firewall since most firewalls default to allowing all outbound traffic. With this reverse shell, an attacker then has full command line access to the compromised machine and can use it to further infect the organization’s network.
Removable media are also useful for attackers wishing to perform credential theft. A keylogger can be installed on a USB that is inserted into an employee’s computer or sent in a way that entices them to plug it in themselves.
Once inserted, the USB can monitor the information typed by the employee into the computer. Then, depending on whether or not the attacker has physical access to the employee’s work location, the stolen data can either be stored on the USB for later retrieval or sent out over the network.
A malicious USB can be effective for stealing data from an organization for the same reason that it could be an effective keylogger. A USB has the ability to run programs on it and has built-in storage to contain any sensitive information that it collects from an employee’s computer.
USBs are especially useful for data exfiltration because they are capable of bypassing the network entirely (if the USB is physically retrieved by the attacker). Since many organizations are heavily reliant upon network-level cybersecurity solutions, this can make an attack much more likely to succeed and harder to detect.
USBs are designed to have two different input channels: one for power and one for data flow. Ideally, these should be designed so that there is no accidental crossover between the channels.
However, with a soldering iron and some knowledge of USB internals, it is possible to modify a USB to destroy a computer. Such a USB would collect power over the power connection, then discharge it over the data connection. Plugging this USB into a computer would likely render it unusable.
Protecting Against Removable Media Cyber Risks
The use of weaponized removable media can be a very effective attack vector for cybercriminals. However, it is also one that can be dealt with in a number of different ways.
Employee Security Awareness Training
One of the most effective methods for protecting against the potential cyber threats of removable media is employee training. Teaching employees about the potential cybersecurity risks of removable media and not to plug untrusted devices into their computer can help to dramatically decrease the potential threat that they pose to the enterprise.
If an organization or employee has a legitimate need to use untrusted USBs in their work, an organization should have a process for testing a USB for malicious functionality in an isolated environment before it is allowed to be plugged into any other machines. Employees should be informed about this process and told to take all untrusted removable media to IT for inspection before trusting or using them.
Disable Autorun on All Computers
Autorun functionality is more of a liability than an asset. While the ability to have a program run automatically when a USB is inserted, this makes it too easy for an attacker to effectively weaponize a USB.
Autorun should be disabled for all removable media on all of an organization’s computers. If necessary, employees can then be trained to run the programs on trusted removable media manually (by opening the USB’s folder and clicking on the icon).
Disallowing Use of Removable Media
The best way to protect against the cyber threats of removable media is to disallow the use of removable media altogether within an organization. This makes it impossible for an attacker to effectively weaponize a USB for use against an organization.
Such a policy can be implemented in a few different ways. The organization can have policies in place stating that removable media cannot be used on corporate computers. Alternatively, computers can be configured not to run USBs, CDs, or DVDs inserted into them. Finally, the use of removable media could be made impossible by physically removing or blocking disk drives or USB ports in critical systems.
Dealing with the Threat of Removable Media
Removable media is a useful tool and has a number of different legitimate uses within an organization. However, it can also pose a significant cyber threat to a company. The potential risks of removable media and methods for addressing them should be a component of an organization’s cybersecurity strategy.