USB connections are widespread, being the standard, default interface for many different communications. USB ports allow for a wide range of tools and devices to be connected to a computer, as well as facilitating data transfer between numerous devices. Due to the wide range of potential functionalities, USB ports can be a very fast way for attackers to gain dangerous access to a device. Hackers have specialized tools that can make short work of an exposed USB port, but awareness of these techniques can help defenders prepare for this attack style.
What Connects To USB?
To understand how malicious tools can interface with USB ports, it can be useful to think about how normal tools work. USB allows for a massive range of connections, including mice, keyboards, external monitors, WiFi and Bluetooth adapters, storage devices, and many more unique connections. This flexibility allows manufacturers to comply with a single standard with devices and greatly reduces their headache when releasing a new product, as opposed to having to create several different devices to connect to different interfaces.
Even just these standard-use tools can be used for malicious means. A very common style of device is a KIOSK mode device meant to run a single application. While escaping out of this mode is certainly possible without USB, it can be far faster with an exposed USB port. Being able to send input to a machine with a mouse and keyboard allows for much more functionality than just a standard KIOSK touchscreen interface.
Common USB Attacks
Continuing with the previous example of KIOSK breakouts, there can be many ways to use USB for this. A very common method is abusing keyboard shortcuts to force the operating system to go to another screen, such as the desktop. This can also be done to start other programs or processes, many of which can be leveraged for malicious means. A popular breakout technique against Windows machines is sending CTRL+ALT+DELETE to the machine, allowing the malicious user to bring up Task Manager and start a new process of their choosing.
Many devices are meant to be air-gapped and kept off public or private networks. These devices typically do not have the hardware to connect to the internet, but it may be possible to introduce this hardware. A simple USB WiFi adapter can potentially expose a device to the open internet and allow attackers remote access. Having this connectivity can be extremely dangerous, as not only will it lead to the device getting compromised, but it may also allow a hacker to jump off of the device onto other machines in the network.
Mass storage devices, while not inherently malicious, can be used for attacks as well. These devices are the perfect way to introduce malware into otherwise protected networks. They can also be used for exfiltrating sensitive data without sending it over the network. Another abuse method through mass storage devices is side-loading another operating system through the boot and accessing the unencrypted file system through the other OS.
Along with the standard USB tools, there are many malicious tools created for penetration testers that can quickly and efficiently attack USB interfaces. One of these is the USB Rubber Ducky, a small device that looks like an innocent flash drive that is capable of acting as a keyboard typing at incredible speeds. This allows for payloads to be prepared in advance and run extremely quickly, saving the penetration tester valuable time.
Another unique tool for testing USB is the Bash Bunny. This tool is another small USB device that acts as a miniature computer, running tools and scripts silently and quickly. This device can act as a keyboard, a mass storage device, a network adapter, and perform many other functions depending on the custom payload used. Similar to the rubber ducky, this device saves a massive amount of time for the penetration tester.
Defending Against USB Attacks
While these attacks can be extremely devastating, there are many ways to mitigate them. All of these require physical access to USB ports, meaning they can largely be stopped by restricting this access. Locking USB ports behind a panel, and using USB port locks can stop attackers in their tracks. From a software perspective, there are further solutions. It may not always be possible to restrict physical access, and in these cases, it may make more sense to use USB whitelisting software. This checks the device as it is plugged into the device and determines if it is allowed or not. Removing the drivers for certain devices can help as well. For example, if keyboards are not expected to be used in normal operation, removing the HID drivers can lock down the interface.
