USB devices offer an old-school way to steal data
Published: 22 Aug 2005
We've heard a lot recently about data thieves stealing personal data, especially credit card and social security information, through phishing scams and keystroke-logging Trojan horses sent anonymously over the Internet. So it doesn't surprise me that criminal hackers are turning their attention away from the comforts of the Internet and going old school, once again physically infecting target computers by hand. Their method? How about a hardware-based Trojan horse using USB ports?
Plug and root
In a Black Hat talk entitled 'Plug and root: the USB key to the kingdom', researchers Darrin Barrall and David Dewey, both of SPI Dynamics, a security firm, outlined two flaws they found in the way Windows XP drivers handle Universal Serial Bus (USB) devices. The researchers said in July 2005 that both vulnerabilities had been disclosed to Microsoft, but the software giant didn't include patches in its August 2005 security update. The researchers found fault with the way Windows XP drivers handle USB autorun and USB raw sockets.
The Windows autorun feature of Plug and Play is interesting. By default, the Windows autorun driver works only with non-removable media. However, the researchers played around with the idea and wondered whether they could create a faux USB device that would appear to Microsoft Windows to be a non-removable DVD drive. Sure enough, they were able to do so by taking advantage of a flaw in the way USB drivers handle raw sockets. Specifically, the researchers were able to fool Windows into thinking their faux USB device was a non-removable drive by identifying it with the vendor ID and product ID of a known DVD drive.
With their faux USB device in hand, the researchers demonstrated how they could attach it to a Windows XP machine and force a kernel heap buffer overflow, which would then allow the machine to run their malicious code.
Fun with hacked USB devices
OK, so assuming you have one of these doctored USB devices, how practical would it be? Very. You could, for example, write malicious code to capture financial data and save it to a file or perhaps even broadcast the file onto the Internet. You could then target a specific company and pay the janitor or an intern to go around at night attaching your USB device to each Windows desktop for a minute or two before moving on. Within one or two weeks, you might have compromised every desktop computer in the building. As we all learned with the MSBlast worm in 2003, although corporations have tough, layered firewall security on the outside, they're vulnerable on the desktop level inside. Let's take this mythical attack one step further. At Black Hat, the researchers facetiously suggested one could put out a fishbowl of USB devices at a trade show. Another way would be to offer pictures of a celebrity on a USB drive and hope that a gullible employee then shares the drive with co-workers in what is known as a sneaker net approach to spreading malicious code.
Say you want to collect only credit card information. There are a lot of PC-based point-of-sale systems in retail stores worldwide. I know from having worked for a POS software company that many POS stations are configured so that their physical ports (that is, the USB ports) are facing you, the customer, and not the sales associate. Simply distract the sales associate, pop in your custom USB device, then 10 or 20 seconds later, remove it before anyone notices. If your malicious code allows for an Internet connection, just sit back and wait for the credit card files to start streaming in. If your code or the POS station isn't Internet-aware, you'll need to return to the store a week or so later and use a similar distraction technique to retrieve the file.
Mitigation
The researchers admit these are lame attacks, so there are a few things you can do while we wait for Microsoft to fix the flaws. First of all, you can disable the autorun feature within Windows. Because disabling autorun involves editing the System Registry (always a risky proposition), you should have a backup handy, or have restore points within Windows XP active, before you attempt this. Despite the caveat, disabling autorun is a good idea, because it prevents CDs and DVDs from installing junk on your computer. Really, you should always be in control of software installations; manually typing in a command on the run line shouldn't be a problem for most people. You can also resort to a software solution such as DeviceLock. DeviceLock allows you to set physical ports on your computer (serial, USB and so on) to be read-only. In a worst-case scenario, you could always glue shut the USB port.
And, finally, everyone should be using antivirus and personal firewalls on their desktops by now; even if you are infected with a hardware Trojan horse, the antivirus program should prevent it from executing, while the firewall should prevent it from 'phoning home'.
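The two registry-level mitigations described above (turning off autorun and making USB storage read-only) can be applied and audited with a short script. The following is an added example, not code from the article or from DeviceLock; it assumes a Windows host with PowerShell available and an elevated session, and it uses Microsoft's documented policy values (NoDriveTypeAutoRun under the Explorer policy key, and WriteProtect under StorageDevicePolicies, which Windows XP SP2 and later honour) rather than anything taken from the article. In keeping with the article's advice to keep a backup before editing the Registry, it exports the affected keys first.

```powershell
# Added example (not from the article): disable autorun for all drive types and
# make USB mass-storage devices read-only, then report the resulting state.
# Assumes an elevated PowerShell session on a Windows host.
#Requires -RunAsAdministrator

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$storageKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

# Back up any key that already exists before touching it (reg.exe needs the
# HKLM\... form rather than the PowerShell drive form).
$backupDir = Join-Path $env:TEMP 'usb-hardening-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($key in $autorunKeys + $storageKey) {
    if (Test-Path $key) {
        $regPath = $key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
        $file = Join-Path $backupDir (($regPath -replace '[\\:]', '_') + '.reg')
        reg.exe export $regPath $file /y | Out-Null
    }
}

# NoDriveTypeAutoRun is a bitmask of drive types; 0xFF sets every bit, so
# autorun is suppressed on removable, fixed, network and optical drives alike.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

# WriteProtect = 1 makes every USB mass-storage device mount read-only, the
# same effect the article attributes to DeviceLock's read-only port setting.
if (-not (Test-Path $storageKey)) { New-Item -Path $storageKey -Force | Out-Null }
New-ItemProperty -Path $storageKey -Name 'WriteProtect' -PropertyType DWord `
    -Value 1 -Force | Out-Null

# Audit helper: read the values back so the change can be verified or logged.
function Get-UsbHardeningState {
    $state = [ordered]@{}
    foreach ($key in $autorunKeys) {
        $v = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' `
              -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        $state[$key] = if ($v -eq 0xFF) { 'autorun disabled' }
                       else { "autorun NOT fully disabled (value: $v)" }
    }
    $wp = (Get-ItemProperty -Path $storageKey -Name 'WriteProtect' `
           -ErrorAction SilentlyContinue).WriteProtect
    $state[$storageKey] = if ($wp -eq 1) { 'USB storage read-only' }
                          else { 'USB storage writable' }
    return $state
}

Get-UsbHardeningState | Format-Table -AutoSize
```

The HKCU value takes effect at the next logon, and the write-protect flag applies to every USB storage device on the host, so pilot it on a few machines before rolling it out. On Windows XP and Vista, NoDriveTypeAutoRun was only honoured reliably after Microsoft's 2009 autorun update (KB967715), which postdates this article; without it, the registry change alone did not fully stop autorun on those systems.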
Related articles
DeviceLock 5.7 (review): Office notebooks could benefit from DeviceLock's ability to restrict data flowing through USB and other physical ports. [12 Aug 2005]