Researchers from the Ben-Gurion University of the Negev in Israel have identified 29 ways in which attackers could use USB devices to compromise users’ computers.
The research team has classified these 29 exploitation methods into four categories, depending on how the attack is carried out:
A) By using a reprogrammable microcontroller (such as a Teensy or Arduino board) to impersonate a USB device.
B1) By reprogramming a USB device’s firmware to execute malicious actions (such as downloading malware or exfiltrating data).
B2) By leaving the device’s firmware untouched and instead exploiting flaws in how operating systems interact with the USB protocols/standards.
C) USB-based electrical attacks.
Reprogrammable microcontroller USB attacks
1) Rubber Ducky – a commercial keystroke injection attack platform released in 2010. Once connected to a host computer, the Rubber Ducky poses as a keyboard and injects a preloaded keystroke sequence.
2) PHUKD/URFUKED attack platforms – similar to Rubber Ducky, but allow an attacker to choose the moment at which the malicious keystrokes are injected.
3) USBdriveby – installs backdoors and overrides DNS settings on an unlocked OS X host in a matter of seconds by emulating a USB keyboard and mouse.
4) Evilduino – similar to PHUKD/URFUKED, but uses Arduino microcontrollers instead of Teensy. Also works by emulating a keyboard/mouse and can send keystrokes/mouse cursor movements to the host according to a preloaded script.
5) Unintended USB channel – a proof-of-concept (PoC) USB hardware trojan that exfiltrates data over unintended USB channels (for example, through USB speakers).
6) TURNIPSCHOOL (COTTONMOUTH-1) – a hardware implant concealed within a USB cable. COTTONMOUTH-1 is the NSA implant; TURNIPSCHOOL is its publicly built re-creation.
7) RIT attack via USB mass storage – an attack described in a research paper that relies on changing the content of files while the USB mass storage device is connected to the victim’s computer.
8) Attacks on wireless USB dongles – a category of attacks first explored with the release of the KeySweeper attack platform by Samy Kamkar, a tool that covertly logs and decrypts keystrokes from many Microsoft RF wireless keyboards.
9) Default Gateway Override – an attack that uses a microcontroller to impersonate a USB Ethernet adapter and hand the host its own DHCP configuration, overriding the default gateway and hijacking local traffic.
Maliciously reprogrammed USB peripheral firmware attacks
10) Smartphone-based HID attacks – first described in a research paper for which researchers wrote custom Android gadget drivers that changed how Android behaved when plugged into a USB host. The malicious driver used the Android USB gadget API so that the phone presented itself to the host as a USB keyboard and mouse.
11) DNS Override by Modified USB Firmware – researchers modified the firmware of a USB flash drive so that it emulated a USB Ethernet adapter, which let them push rogue DNS settings to the host and hijack local traffic.
13) Hidden Partition Patch – researchers demonstrated how a USB flash drive could be reprogrammed to behave like a normal drive while also exposing a hidden partition that cannot be formatted, allowing covert data exfiltration.
14) Password Protection Bypass Patch – a small modification of a USB flash drive’s firmware lets attackers bypass the drive’s password protection.
15) Virtual Machine Break-Out – researchers used USB firmware to break out of virtual machine environments.
17) iSeeYou – a PoC program that reprograms the firmware of a class of Apple internal iSight webcams so that an attacker can covertly capture video without the indicator LED lighting up.
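The keystroke-injection platforms in the first list (items 1 to 4), the smartphone HID attack (item 10) and the two USB-Ethernet impersonation attacks (items 9 and 11) all leave the same trace on a Linux host: the kernel enumerates an interface the user did not expect from that device. The script below is an added example, not code from the Ben-Gurion paper or from any of the tools named above. It parses dmesg-style enumeration lines and flags a device that exposes a keyboard or mouse together with mass storage, a HID interface from a device absent from a site allowlist, and any device that registers as a USB network adapter. The log excerpt, the allowlist and the vendor/product IDs in it are constructed for the example.

```python
"""Flag USB enumeration patterns from the attack list in kernel log lines.

Added example (not from the Ben-Gurion paper or the article). The sample
dmesg lines and the allowlist are constructed for this demonstration.
"""
import re
from dataclasses import dataclass, field

# Assumed site allowlist of approved (idVendor, idProduct) pairs; the single
# entry is the fictitious corporate keyboard used in the sample log.
ALLOWLIST = {("046d", "c31c")}

RE_NEW = re.compile(r"^usb (?P<path>[\d.-]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
RE_PRODUCT = re.compile(r"^usb (?P<path>[\d.-]+): Product: (?P<name>.+)$")
RE_STORAGE = re.compile(r"^usb-storage (?P<path>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
RE_NET = re.compile(r"^(?:cdc_ether|cdc_ncm|rndis_host) (?P<path>[\d.-]+):\d+\.\d+ \S+: register")
# The 'input:' line ties a HID id (0003:VVVV:PPPP.NNNN) to the USB port path
# through its sysfs path; the matching hid-generic line names the HID kind.
RE_INPUT = re.compile(r"^input: .+ as /devices/\S*?/usb\d+/(?:[\d.-]+/)*?(?P<path>[\d.-]+)/(?P=path):\d+\.\d+/"
                      r"(?P<hid>0003:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4})/input/")
RE_HID = re.compile(r"^hid-generic (?P<hid>0003:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4}): "
                    r"input,hidraw\d+: USB HID v[\d.]+ (?P<kind>\w+) \[")


@dataclass
class UsbDevice:
    path: str
    vid: str
    pid: str
    product: str = ""
    interfaces: set = field(default_factory=set)  # "keyboard", "mouse", "storage", "network"


def parse(lines):
    """Build a port-path -> UsbDevice map from dmesg-style lines."""
    devices, hid_to_path = {}, {}
    for line in lines:
        line = line.strip()
        if m := RE_NEW.match(line):
            devices[m["path"]] = UsbDevice(m["path"], m["vid"], m["pid"])
        elif m := RE_PRODUCT.match(line):
            if dev := devices.get(m["path"]):
                dev.product = m["name"]
        elif m := RE_STORAGE.match(line):
            if dev := devices.get(m["path"]):
                dev.interfaces.add("storage")
        elif m := RE_NET.match(line):
            if dev := devices.get(m["path"]):
                dev.interfaces.add("network")
        elif m := RE_INPUT.match(line):
            hid_to_path[m["hid"]] = m["path"]
        elif m := RE_HID.match(line):
            if dev := devices.get(hid_to_path.get(m["hid"])):
                dev.interfaces.add(m["kind"].lower())
    return devices


def alerts(devices, allowlist=ALLOWLIST):
    """Return {port path: [alert tags]} for devices matching an attack pattern."""
    out = {}
    for dev in devices.values():
        tags = []
        hid = dev.interfaces & {"keyboard", "mouse"}
        allowed = (dev.vid, dev.pid) in allowlist
        if hid and "storage" in dev.interfaces:
            tags.append("composite-hid-storage")  # Rubber Ducky / BadUSB-style composite device
        if hid and not allowed:
            tags.append("unlisted-hid")           # keystroke or mouse injection from an unknown device
        if "network" in dev.interfaces:
            tags.append("usb-network")            # rogue NIC can hand out its own gateway and DNS
        if not allowed and not tags:
            tags.append("unlisted-device")
        if tags:
            out[dev.path] = tags
    return out


# Constructed dmesg excerpt: an allowlisted keyboard, a flash drive that also
# enumerates a keyboard, and a device presenting a CDC Ethernet interface.
SAMPLE_DMESG = """\
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.03
usb 1-1: Product: USB Keyboard
input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:046D:C31C.0001/input/input5
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0
usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-2: Product: Cruzer Blade
usb-storage 1-2:1.0: USB Mass Storage device detected
input: SanDisk Cruzer Blade as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:0781:5567.0002/input/input6
hid-generic 0003:0781:5567.0002: input,hidraw1: USB HID v1.11 Keyboard [SanDisk Cruzer Blade] on usb-0000:00:14.0-2/input1
usb 1-3: New USB device found, idVendor=0525, idProduct=a4a2, bcdDevice= 4.04
usb 1-3: Product: RNDIS/Ethernet Gadget
cdc_ether 1-3:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-3, CDC Ethernet Device, 02:aa:bb:cc:dd:ee
"""

if __name__ == "__main__":
    found = parse(SAMPLE_DMESG.splitlines())
    for path, tags in alerts(found).items():
        dev = found[path]
        print(f"{path} {dev.vid}:{dev.pid} {dev.product!r} -> {', '.join(tags)}")
```

Feeding it a live log (`journalctl -k -f`) instead of the sample turns it into a simple detector; the allowlist check is the part that matters for the article's closing recommendation, since a keystroke injector that copies the vendor and product ID of an approved keyboard will only be caught by the interface-combination rules, not by the allowlist.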
Attacks based on unprogrammed USB devices
18) CVE-2010-2568 .LNK exploit – the Windows shortcut-parsing flaw used by Stuxnet and the Fanny malware to run code as soon as a folder containing a crafted .LNK file is displayed.
19) USB Backdoor into Air-Gapped Hosts – attack used by the Fanny malware, developed by the Equation Group (a group widely linked to the NSA). The attack uses hidden storage on the USB drive to hold preset commands that map computers in air-gapped networks; the collected network information is written back to the drive’s hidden storage.
20) Data Hiding on USB Mass Storage Devices – a large collection of tricks for hiding malware or stolen data on a USB flash drive (e.g. storing data outside the normal partitions, or hiding a file inside an invisible folder by making the folder’s icon and name transparent).
21) AutoRun Exploits – depending on how they were configured, some Windows PCs would automatically execute predetermined files located on a USB device’s storage. An entire malware category, autorun malware, is dedicated to this.
22) Cold Boot Attacks – also known as RAM dump attacks. Attackers store a memory dumper on a USB flash drive, boot the target from it, and extract whatever data is left over in RAM.
23) Buffer Overflow based Attacks – several attacks that exploit buffer overflows in the operating system’s USB stack or drivers at the moment a device is inserted, because the OS enumerates the device and its functions (runs a set of predetermined operations) on insertion [1, 2, 3, 4].
24) Driver Update – a very complex attack that relies on obtaining a VeriSign Class 3 Organizational Certificate and submitting drivers to Microsoft that are then automatically delivered and installed on user PCs when a specific USB device is inserted. This attack is possible, but very hard to pull off in the real world.
25) Device Firmware Upgrade (DFU) – attackers can abuse DFU, a legitimate process supported by the USB standard, to replace a device’s legitimate firmware with a malicious version.
26) USB Thief – a USB flash drive based data-stealing malware that was recently discovered by ESET.
27) Attacks on Smartphones via the USB Port – attackers can hide and deliver malware through USB phone chargers.
28) USBee attack – makes a USB connector’s data bus emit electromagnetic signals that can be used to exfiltrate data.
29) USB Killer – permanently destroys devices by delivering an electrical surge through the USB port.
The Ben-Gurion team detailed all these attacks in a journal article published last year on ScienceDirect.
The purpose of this research was to alert users to the many ways USB devices can be abused to infect their systems and covertly steal data from protected and air-gapped networks. The research team recommends that USB devices be forbidden, or at least strictly controlled, on secure networks.
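Items 13 (Hidden Partition Patch), 19 (Fanny’s hidden storage) and 20 (data hiding outside the normal partitions) all depend on space on the drive that the host never mounts. A responder who suspects such a drive can image it and look for non-blank sectors that no partition claims. The script below is an added example written for this page, not code from the Ben-Gurion paper or the article: it parses the MBR partition table of a raw image, computes the sector ranges outside every partition, and reports the ones that contain something other than zeros. The disk image, its single FAT32 partition and the planted payload are constructed inside the script; the layout constants are assumptions for the example.

```python
"""Find data stashed outside the partitions of a USB mass-storage image.

Added example, not code from the Ben-Gurion paper or the article. The image
is constructed in build_sample_image(); sector layout is an assumption.
"""
import struct

SECTOR = 512
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(partitions):
    """Return a 512-byte MBR holding (type, start_lba, sector_count) entries."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY, mbr, 446 + 16 * i,
                         0x00, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_sample_image(total_sectors=64):
    """Constructed 32 KiB image: one FAT32 partition plus a payload past its end."""
    img = bytearray(total_sectors * SECTOR)
    img[:SECTOR] = build_mbr([(0x0C, 8, 40)])               # partition covers LBA 8..47
    payload = b"EXFIL:" + bytes(range(1, 101))                # stand-in for stolen data
    img[56 * SECTOR:56 * SECTOR + len(payload)] = payload     # LBA 56 is claimed by no partition
    return bytes(img)


def parse_mbr(image):
    """Return [(type, first_lba, end_lba_exclusive)] for the used MBR entries."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    parts = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, start, count = struct.unpack_from(ENTRY, image, 446 + 16 * i)
        if ptype != 0 and count:
            parts.append((ptype, start, start + count))
    return sorted(parts, key=lambda p: p[1])


def unallocated_ranges(parts, total_sectors):
    """Sector ranges [lo, hi) that no partition claims; LBA 0 is the MBR itself."""
    ranges, cursor = [], 1
    for _ptype, start, end in parts:
        if start > cursor:
            ranges.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors))
    return ranges


def find_hidden_sectors(image):
    """LBAs outside every partition whose contents are not all zeros."""
    total = len(image) // SECTOR
    hits = []
    for lo, hi in unallocated_ranges(parse_mbr(image), total):
        for lba in range(lo, hi):
            if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
                hits.append(lba)
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    print("partitions:", parse_mbr(image))
    print("non-blank sectors outside partitions:", find_hidden_sectors(image))
```

On a real drive, read the image with `open(path, "rb").read()` in place of the constructed one. Two caveats apply: the gap between the MBR and the first partition legitimately holds bootloader stages on bootable media, so hits there need a manual look rather than an automatic verdict; and a drive with a GPT layout shows only the 0xEE protective entry in its MBR, so its GPT entries have to be parsed instead. Neither check helps against item 13, where the firmware itself conceals the partition from the host: imaging through the drive’s own controller returns only what the controller chooses to show.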