Detecting and Mitigating USB-based Threats

The flexibility of the USB protocol and the inherent trust given by Windows, Mac, and Linux operating systems to Human Interface Devices (HIDs), such as keyboards, can combine to create a threat vector that can directly perform malicious activities on a system as though it were performed by a logged-in user.

Detecting and Mitigating USB ThreatsWhile the specific devices that are categorized as HIDs vary both in hardware and software, the general concept behind them is the same: a USB-based device detected as a HID by an operating system, and after being initialized can send any combination of keystrokes at super-human speeds. While there are legitimate uses for such a device (IT automation, penetration testing, etc.), this post will focus on the ways they can be used maliciously and how to prevent these type of attacks.

The risks that HID-based threats present are virtually limitless. However, it is important to note that in the majority of cases, because it is the user's keyboard that is being manipulated, actions will be both visible to the user (to a varying extent) and capable of being interrupted. In other cases, however, users are given very little indication that any attack has taken place as these are performed quickly and off screen, allowing minimal time for exposure or interruption. A sign of this type of attack is often a prompt, such as a notification that a keyboard was attached or the flash of a PowerShell or CMD window. However, these can disappear so quickly that the user is unaware of them, or even if they are, it is sometimes too late to halt the threat.

What is particularly concerning about USB-based threats is their unique ability to exfiltrate data without the need to connect over a security network or be recognized as a storage device. Once the device is connected, it can then take control of the computer.

There are numerous examples of devices which can be used maliciously to mimic HIDs (in theory this is any device with a USB connection and a controller). Some notable instances include:

  • Using a Teensy microcontroller board with various types of software in order to imitate HID devices is the most traditional method.
  • The simplest tool currently available is the USB Rubber Ducky from Hak Shop. The Rubber Ducky offers a simplified scripting language and an existing community of samples that can be quickly deployed and concealed in a case that resembles a typical USB drive.
  • Utilizing off-the-shelf USB devices by hacking firmware, though extremely labor intensive, makes it possible to infect generic hardware, removing the need for specialized devices. This allows a single infected system to apply the infected firmware to any compatible device being connected to the machine, all the while remaining very hard to detect. This type of threat was a topic highlighted in a recent blog post.

Prevention Measures

While there are a number of general precautions that can be taken to reduce a network's vulnerability, such as limiting user permissions and access to sensitive data, the specific threat posed by HIDs requires two further steps:

  • Prevent users from bringing in unapproved media. This can be done either through outright bans or by using solutions such as OPSWAT's MetaDefender Kiosk to sanitize the data on unapproved media and securely move it into the network. This significantly reduces the likelihood of introducing malicious devices and files into the network, especially reducing the risk of accidental infection, which has been proven to be the cause of the majority of portable media-based attacks.
  • Prevent users from accessing USB ports where software solutions exist. The safest way to do this is at the hardware level, either by removing the USB ports outright, or physically disabling them. Once this is done, legitimate HID inputs can be handled via physically secured connections or PS2-based devices (though PS2-based threats are possible also).

While we at OPSWAT are researching different methods of detecting potential HID threats, the limitation in visibility to a USB-based device means that if it is presented as a mass storage device, and there is enough of a delay in the initialization of the HID component, there is currently no way to reasonably detect all devices. One method we can fully recommend is to be wary of all USB-based devices that are connected to your computer!

Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.