Guide | How To A Comprehensive Protection of USB Ports/Devices

The associated guide may contain user-generated or external content.

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
29 different types of USB attacks are listed below, even one type which can break out of a virtual machine

Here's a List of 29 Different Types of USB Attacks - Guardian360

In short, no USB device inserted means you are protected, right? Wrong! MouseJack is a class of vulnerabilities that affect most of the wireless, non-Bluetooth keyboards and mice. Read the last part on this topic.


Let’s look at some of the common USB attacks.

BadUSB

BadUSB is a type of computer security attack that uses USB devices pre-programmed (modified firmware) with malicious code. These USBs are often disguised as regular flash drives but contain malicious code that can be used to infect computers or networks. When plugged into a computer, the malicious code is activated and can be used to take control of the system or gain access to sensitive data. The hack utilizes a security flaw in the USB that allows an attacker to insert malicious code into their firmware, transforming it into a keyboard which can be used to type commands harming the victim’s computer. It can also be used to physically damage computers by corrupting the system’s hard drive or frying the motherboard. BadUSB disguises itself as a human interface device (HID) and covertly executes malicious commands or opens virus payloads on the target computer. One prevention is to disable autorun features on all connected systems so that any potential threats cannot automatically execute themselves upon connection without user intervention first being required.

BadUSB can act like different input/output devices like physical keyboard, mouse, network adapter, phone, tablet, webcam, or authentication token. For example, if it pretends it is a keyboard or mouse, the malicious software can inject keystrokes and mouse clicks, performing multiple actions on the computer, like launching Microsoft Outlook and sending an e-mail to a certain address, with attached files from the user’s computer. If it pretends it is an authentication token, a BadUSB would force the computer to prompt a token password, which can then be stored on the flash drive and retrieved later.

Software that protects against BadUSB like HitmanPro.Alert, Kaspersky, G-DATA USB Keyboard Guard and DuckHunter.

USB Killer

A USB Killer is USB drive that has been modified to deliver an electrical surge that can damage or destroy hardware when the altered thumb drive is inserted into a computer's USB port. The modified drive essentially commands the computer's on-board capacitors to rapidly charge and discharge repeatedly. If left alone, the repeated overcharging will overload the USB port and physically destroy the computer's electrical system.

Essentially, a USB Killer works by delivering 210-220 volts to an interface that is designed for 5 volts. The overpowered surge can damage or destroy not only ports, but also attached hardware. It’s a kind of BadUSB.

USB Rubber Ducky

It is a small USB device (e.g. flash drive) that emulates (pretends) to be USB keyboard and can type on their own at very high speeds i.e. executes pre-defined keystrokes. Because most-if not all-OS trust keyboards automatically, it is hard to protect oneself from these attacks.

USB Bash Bunny

Exploiting local network attack vectors, the Bash Bunny emulates specialized Ethernet adapters. That means the target computer sees the Bash Bunny not as an ordinary flash drive, but as a USB Ethernet Adapter connected to a network. It's a network of two – the Bash Bunny and your target – and once connected, you'll have direct access to the target bypassing any would-be firewalls, countermeasures or intrusion detection systems from the legitimate LAN.

This is done in such a way that allows the Bash Bunny to be recognized on the victim computer as the fastest network, without drivers, automatically – locked or unlocked. As a 2 gigabit adapter with an authoritative DHCP server, the Bash Bunny obtains a low metric. This means that the computer will instantly trust the Bash Bunny with its network traffic — enabling a plethora of automated pocket network attacks undetectable by the existing infrastructure.

Bash Bunny is a more effective method as compared to Rubber Ducky. The USB Rubber Ducky injects keystrokes at superhuman speeds, violating the inherent trust computers have in humans by posing as a keyboard. Bash Bunny simultaneously mimic multiple trusted devices to trick targets into divulging sensitive information without triggering defenses. Aside from emulating a keyboard, Bash Bunny can also be one of the following:
  • Serial Device
  • Ethernet Device
  • USB Mass Storage
  • HID (Human Interface Device)
Some methods of preventing Bash Bunny attacks are included below.

If USB flash drives/SSDs are used on your PC/laptop/phone then malware infection is a non-issue since the drives are scanned upon insertion by the AV from your PC/laptop/phone

If USB flash drives are to use on other’s PC/laptop/phone or the latter use in public places then some of the following protection is required

a) Ensure USB-C ports are certified to USB Type-C Authentication Program – to protect against bad chargers, cables and devices i.e against malicious firmware and hardware attached to USB devices
b) Juice Jacking – A compromised public wall outlet/charging station/hub infected with malware and has full access to your phone/laptop/tablet data. To prevent it use a USB Data Blocker. It is for charging only and blocks hacker’s access, data theft and malware transmission.
c) Use physical port blockers on your laptop especially in public places to prevent unauthorized access to the USB ports if you are away for some time i.e. prevent malware spreading, USB Killer, Rubber Ducky and BadUSB. Physically blocking ports involved no software and acts as first layer protection. Downside is you need to pay for and carry the key to unblock the USB locks.
d) Install G-DATA USB Keyboard Guard (against BadUSB), DuckHunter (against RubberDucky) and Penteract Disguised-Keyboard Detector 2 on your PC/laptop. This acts as a second layer protection.

Note:- DuckHunter helps to prevent any type of automated keystroke injection attack

Physically blocking ports c) with software d) provide great protection against the abovementioned attacks.

e) USB Device Control – To protect against data loss and data theft by monitoring and controlling data transfers from endpoints to removable storage devices e.g. giving Read/Write access rights to USB devices, blocking/disabling USB ports through registry/GPO/ BIOS/USB device manager settings or third-party USB Blocker Software. Set USB flash drives to ‘Read-Only’ mode for root. Create a WRITE folder and set to Read/Write mode
f) Turn AutoPlay on PC/laptop to OFF
g) Always software lock the PC/laptop to prevent unauthorised login especially in public places. That's because most BadUSBs are 'dumb' and just blindly send keystrokes according to their programming. So, they cannot detect if they are stuck in a password prompt.
h) Keep AV/AM up to date. It will not scan the firmware but it should (or may be not) detect if the BadUSB tries to install or run malware, hopefully not too late.
i) Enforced USB malware scan of inserted USB flash drive/SSD
j) Always scan an unknown USB device before use
k) Always use passwords and encryption on your USB drive as an extra layer of protection for your data; make sure you have this information backed up in case something happens to your drive.
l) Install ESET DriveSecurity AV on USB flash drives
m) Run USB flash drives in VM

MouseJack

MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are 'connected' to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim's computer by transmitting specially-crafted radio signals using a device which costs as little as $15.

An attacker can launch the attack from up to 100 meters away. The attacker is able to take control of the target computer, without physically being in front of it, and type arbitrary text or send scripted commands. It is therefore possible to perform rapidly malicious activities without being detected.

The MouseJack exploit centres around injecting unencrypted keystrokes into a target computer. Mouse movements are usually sent unencrypted, and keystrokes are often encrypted (to prevent eavesdropping what is being typed). However, the MouseJack vulnerability takes advantage of affected receiver dongles, and their associated software, allowing unencrypted keystrokes transmitted by an attacker to be passed on to the computer's operating system as if the victim had legitimately typed them.

Note: MouseJack only affects non-Bluetooth wireless devices.

Solution: Use Bluetooth Mouse/Keyboard or onboard Keyboard/Keypad

MouseJack FAQ — Bastille
 
Last edited:

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
Just to add.

Beware of modified cable offered to you for charging your device. Always use your own charging/data cables

USBHarpoon Is a BadUSB Attack with A Twist

Quote

Protecting against attacks that rely on a USB connection is not easy. A potential answer is to use a data-blocking device, also known as USB condom. An electronic accessory like this blocks the data pins on a USB cable and allows only power to go through.

Unquote

This has been pointed out in the starting post under point b)
 

HarborFront

Level 71
Thread author
Verified
Top Poster
Content Creator
Oct 9, 2016
6,022
Another thing related to the USB port is using a USB flash drive to bypass Windows login passwords as below





The best methods of protection is to have non-password login and an encryption boot up password for the drives inside your laptop (BitLocker Drive Encryption).

Using policy to prevent USB flash drive insertion will not work as the policy can only disable the USB after boot. Neither the use of port blockers. With care, a hacker can remove the port blockers without causing damage to the USB ports. Using the BIOS to disable USB ports is not effective either as the BIOS can be factory reset, CMOS battery can be removed and jumping some pins on the motherboard.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top