Good samaritans and skinflints beware!

Plugging in that USB stick you found lying around on the street outside your office could lead to a security breach.

This is no secret, of course. We have all (hopefully) been aware of the dangers of inserting an unknown USB device into our computers for some time. Heck, the technique has even made it into the Mr Robot TV series.

But what may not be widely known is just how successful the tactic can be for allowing hackers to compromise your computer systems.

Research presented this week at BlackHat by Elie Bursztein of Google’s anti-abuse research team shows that the danger is alarmingly real:

…we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. And Oh boy how effective that was! Of the drives we dropped, 98% were picked up and for 45% of the drives, someone not only plugged in the drive but also clicked on files.

It seems folks just can’t resist picking up a USB stick that they see lying around – Bursztein says that it only took six minutes for the first device that he “lost” to be picked up.

Bursztein was curious as to whether there were ways of influencing the likelihood of someone plugging a found USB stick into their computer, so he and his colleagues left five different types scattered across the University of Illinois campus: drives labeled “exams” or “confidential”, drives with attached keys, drives with keys and a return address label, and generic unlabelled drives.

One would like to imagine that people are less likely to plug in a USB drive if it is clearly labelled with the owner’s contact details, and that appears to be borne out by the statistics.

On each type of drive, files consistent with the USB stick’s appearance were added. So, “private” files were added to USB sticks that were unlabelled or were attached to keys or a return label, “business” files to sticks marked confidential, etc.

In reality, however, each of the files was an HTML file containing an embedded image hosted on the researchers’ server, which allowed them to track when the files were opened.

Upon opening the HTML file, users were asked if they wished to participate in a survey asking why they plugged in the drive. Approximately 20% agreed (perhaps encouraged by the promise of a gift card for their assistance).

Just over two thirds of the people who responded to the survey said that they accessed the USB sticks with the intention of returning them to their rightful owner. 18% admitted that they were “curious”, and 14% gave other explanations.

Now from the security point of view it’s worth recognising that a security breach could already have happened by this point.

The most basic – and simplest to conduct – attack would have seen malicious code placed in the HTML file that would have been automatically activated upon viewing, perhaps downloading further malware from the internet. Alternatively, users could have been taken to a phishing site, and tricked into handing over login credentials through social engineering.

In addition, there is also always the danger that an attacker might have planted executable malware directly onto the USB stick, and hoped that an unsuspecting user would allow it to run on their computer.

A more sophisticated attack, however, would see the use of a device using HID (Human Interface Device) spoofing to trick a computer into believing that it was in reality a keyboard. As soon as the “USB stick” is plugged in it would inject keystrokes – building a set of commands that could open a reverse shell that could give a hacker remote access to the victim’s computer.

In a blog post, Bursztein explains in depth how he was able to camouflage a keyboard-spoofing device so that it looked near-identical to a genuine USB stick.

Keyboard-spoofing is not the most sophisticated type of attack possible through a malicious USB stick, however.

Perhaps the most complex and stealthy attack would see the plugged-in device exploiting a zero-day vulnerability in the computer’s USB driver – similar to the method used in the notorious Stuxnet attack against the Natanz uranium enrichment facility in Iran.

Your chances of having a USB zero-day vulnerability used against your organisation are remote, unless you are of particular interest to an intelligence agency or state-sponsored hackers.

Keyboard-spoofing HID attacks and especially basic social engineering attacks tricking users into opening files on a newly-found USB stick, however, are much more likely, which means it is essential that you educate your workers about the risks and urge them to hand in lost property rather than attempting to identify a device’s owner themselves.

In short:

USB devices should be treated with caution. Never plug in an unattended, unidentified USB stick.

Keep your security defences, policies and patches up to date.
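One practical way to back up the “keep your defences up to date” advice on the keyboard-spoofing threat described above is to watch what newly attached USB devices actually enumerate as. The script below is an added example, not code from the article or from Bursztein’s research: it parses Linux kernel log lines of the kind `dmesg` prints when a USB device is plugged in, and flags a device that looks like a flash drive (by product string or by presenting a mass-storage interface) yet also registers a HID keyboard, which is exactly the disguise a keystroke-injecting “USB stick” relies on. The log lines and the vendor/product IDs (`1234:000x`) are constructed placeholders, and the storage-keyword list and severity labels are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of kernel log lines (not a real capture). Vendor and
# product IDs are placeholders, not identifiers of any real device.
SAMPLE_DMESG = """\
[  101.100] usb 1-1: new high-speed USB device number 4 using xhci_hcd
[  101.230] usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
[  101.231] usb 1-1: Product: USB DISK 2.0
[  101.240] usb-storage 1-1:1.0: USB Mass Storage device detected
[  140.500] usb 1-2: new full-speed USB device number 5 using xhci_hcd
[  140.610] usb 1-2: New USB device found, idVendor=1234, idProduct=0002, bcdDevice= 1.00
[  140.611] usb 1-2: Product: Flash Drive
[  140.700] hid-generic 0003:1234:0002.0003: input,hidraw1: USB HID v1.11 Keyboard [Flash Drive] on usb-0000:00:14.0-2/input0
[  200.000] usb 1-3: new full-speed USB device number 6 using xhci_hcd
[  200.100] usb 1-3: New USB device found, idVendor=1234, idProduct=0003, bcdDevice= 1.00
[  200.101] usb 1-3: Product: Gaming Keyboard
[  200.150] hid-generic 0003:1234:0003.0004: input,hidraw2: USB HID v1.11 Keyboard [Gaming Keyboard] on usb-0000:00:14.0-3/input0
"""

# Words that suggest the device is marketed as storage (assumed list).
STORAGE_WORDS = ("disk", "flash", "drive", "storage", "stick")

NEW_DEV = re.compile(r"usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
PRODUCT = re.compile(r"usb (\S+): Product: (.+)$")
STORAGE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
HID = re.compile(r"hid-generic \d{4}:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\w+: .*USB HID v[\d.]+ (\w+) \[")


@dataclass
class UsbDevice:
    vendor: str
    product: str
    name: str = ""
    mass_storage: bool = False
    hid_types: list = field(default_factory=list)


def parse_dmesg(text):
    """Group kernel USB messages into one UsbDevice per (vendor, product) ID."""
    devices = {}   # (vendor, product) -> UsbDevice
    by_port = {}   # bus port such as "1-2" -> (vendor, product), to join later lines
    for line in text.splitlines():
        m = NEW_DEV.search(line)
        if m:
            key = (m.group(2).lower(), m.group(3).lower())
            devices[key] = UsbDevice(*key)
            by_port[m.group(1)] = key
            continue
        m = PRODUCT.search(line)
        if m and m.group(1) in by_port:
            devices[by_port[m.group(1)]].name = m.group(2).strip()
            continue
        m = STORAGE.search(line)
        if m and m.group(1) in by_port:
            devices[by_port[m.group(1)]].mass_storage = True
            continue
        m = HID.search(line)
        if m:
            key = (m.group(1).lower(), m.group(2).lower())
            if key in devices:
                devices[key].hid_types.append(m.group(3))
    return list(devices.values())


def assess(devices):
    """Return (severity, device label, reason) tuples for devices worth a look."""
    findings = []
    for d in devices:
        label = f"{d.vendor}:{d.product} '{d.name}'"
        looks_like_storage = any(w in d.name.lower() for w in STORAGE_WORDS)
        is_keyboard = "Keyboard" in d.hid_types
        if is_keyboard and (looks_like_storage or d.mass_storage):
            # A "flash drive" that types is the signature of HID spoofing.
            findings.append(("high", label,
                             "device that presents as storage also registered a keyboard (possible HID spoofing)"))
        elif is_keyboard:
            findings.append(("medium", label,
                             "new keyboard enumerated; confirm a user physically attached one"))
        elif d.mass_storage:
            findings.append(("low", label,
                             "removable storage attached; check against removable-media policy"))
    return findings


if __name__ == "__main__":
    for severity, label, reason in assess(parse_dmesg(SAMPLE_DMESG)):
        print(f"[{severity.upper()}] {label}: {reason}")
```

On a real host you would feed the script the output of `dmesg` (or the journal) rather than the constructed sample; the useful property is that the check keys on how the device behaves at enumeration, not on what its casing looks like, which is the one thing a disguised keyboard cannot hide.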

Check out Bob Covello’s article from earlier this year for more thoughts on the correct handling of found USB sticks.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.