Infected USB devices as an attack vector


USB devices are the main source of malware in industrial control systems, said Luca Bongiorni of Bentley Systems at the # TheSAS2019 conference. Most people who are in any way related to the security area know the traditional story of flash drives „accidentally” left in parking lots , which presents the problem so vividly that we will repeat it on more than one occasion.

In another – also true – USB story, an industrial worker wanted to watch the La La Land movie , so he downloaded it to a flash drive during his breakfast break. In this way, the system at the nuclear power plant, isolated from the Internet, was infected – this story shows that preventing such incidents is not difficult .

However, people forget that USB devices aren’t just flash drives. Peripherals for entering information into a computer – such as keyboards and mice, as well as smartphone charging cables, plasma spheres and thermal mugs – can also be modified to allow attacking industrial control systems.

A brief history of weapons in the form of USB devices

Manipulated USB devices are not new. The first cases of their use were recorded as early as 2010. By using a small programmable board called Teensy and a USB connector, the attackers imitated the operation of peripheral devices, for example by sending keystrokes to the computer. Hackers quickly realized that such devices could be useful for penetration testing, and prepared a version that could create new users, run programs that installed backdoors, and inject malicious programs by copying them or downloading them from a specific website.

Teensy was the first to use a PHUKD device in a modified version . Then Kautilya appeared , which worked with the popular Arduino boards. Later on, Rubberducky appeared – perhaps the most famous USB keystroke emulator to appear in the Mr. Robot , and the appearance did not differ from an ordinary flash drive.

The creator of the PHUKD device quickly came up with the idea of ​​creating an infected mouse containing a penetration test plate: in addition to the functionality of a regular mouse, it could do anything that the PHUKD device could. From a social engineering standpoint, it may be easier to use peripherals to infiltrate systems than to use separate USB devices, because even those who know not to plug unknown drives into their computers usually don’t suspect that the keyboard or mouse may be infected .

The second generation of infected USB devices was created between 2014 and 2015 and included devices exploiting the infamous BadUSB bug . It is also worth mentioning the threats TURNIPSCHOOL and Cottonmouth, allegedly created by the US internal intelligence agency NSA: these devices were so small that they could be inserted into a USB cable and used to capture data from computers (including computers not connected to any network).

Modern infected USB devices

The third generation of USB penetration testing tools has taken them to a whole new level. One such tool is the WHID Injector – essentially the same as Rubberducky, but with the addition of a wireless connection. As this device includes a Wi-Fi module, it does not need to be pre-programmed; a hacker can control them remotely, which gives him greater flexibility and the ability to work with various operating systems. Another third-generation tool is P4wnP1, which uses a Raspberry Pi computer and is an extended version of the Bash Bunny platform with additional functionality, including wireless connectivity.

Of course, both the WHID Injector and the Bash Bunny are small enough to fit in a keyboard or mouse. The video below shows a laptop that does not connect to any networks via USB, Ethernet cable or Wi-Fi, but has an infected keyboard connected that allows a remote hacker to execute commands and run applications.

Small-sized USB devices, such as those mentioned above, can also be programmed to resemble peripheral devices, allowing them to bypass security features in companies that only accept mice and keyboards from certain manufacturers. Tools such as WHID Injector can also be equipped with a microphone in order to eavesdrop and spy on people in the facility. Worse, one such device is enough to hack an entire network – unless it has been properly segmented.

How to protect systems from infected USB devices

Infected mice and keyboards, as well as cables used to spy on or perform malicious activities, pose a serious threat and can be used to hack even systems that are isolated from the internet. Today, almost every person can buy and program tools to help in such attacks, so it is worth following the events in the world of cyber threats.

In order to protect your critical infrastructure against such threats, it is worth using multiple layers of protection.

  • First of all, ensure physical security so that unauthorized persons cannot plug USB devices into industrial control systems. In addition, physically block unused USB ports on such systems and eliminate the possibility of removing peripherals that are already in use.
  • Organize training for employees to be aware of the different types of risks, including infected USB tools (tell about the incident caused by an employee who was about to watch the La La Land movie ).
  • Segment your network and manage the permissions that have been accessed to block attackers from gaining access to systems controlling critical infrastructure.
  • Secure each system in the facility with protective products that can detect all kinds of threats.