Penetration Testing mailing list archives
Re: USB delivered attacks
From: Gadi Evron <ge () linuxbox org>
Date: Mon, 31 May 2004 22:54:55 +0200
Jerry Shenk wrote:
I recently inserted some guy's USB drive into a machine and was a bit surprised when it went into an auto-run sequence. I think turning off auto-run is a REALLY good idea. On a USB drive, it seems like it could be really dangerous. Has anybody messed with this?

One possible scenario:
- Have a USB drive with a few tools on it.
- Have an auto-run configured to run pwdump and dump the SAM to the USB drive

It seems that this attack would work with a machine that was locked from the console. Does 'autorun' still work under a locked screen? With this USB drive being writeable, it would seem that some scripted attack to extract information from a machine could be amazingly fruitful... the possibilities are almost endless.
Indeed. This has been covered on several occasions, some on TV Sci-Fi shows and some in actual security discussions.
Basically it is not always just about auto-run (which is always a good idea to disable). USB auto-installs a driver for itself on plug-in.
That driver can be:
1. Messed with.
2. Built from scratch with one of *many* SDKs out there.

USB brings the threat of any user, maid, cleaner or hostile whoever to plug it in, gather whatever information/perform whatever action, and leave.
I feel threatened enough by the fact that such small devices with such a huge capacity exist and can be smuggled in so many ways, automatic operations are just a plus. You don't really need many tools other than Copy, but I suppose tools can be created.
This can be taken forward in many ways, from simply connecting a USB drive and copying information as I've mentioned, through Palm Pilots which would allow you to choose what you want to steal, all the way to wireless devices which can be remotely controlled by a laptop or through, say, a cellular device, whether temporarily for the sake of one illegal operation, or permanently, hidden.
Disabling USB altogether, virtually, by domain policy or removing the USB devices themselves, maybe even just filling the plugs with silicone or glue physically, are some more drastic options which some organizations *might* take, but I don't see it as a very viable option for most.
It all depends on your risk analysis. Cost vs. benefit, as always with security.
There exist several tools to monitor a domain for when and if a USB device is connected to any remote machine, and of what kind. A simple web search should help you find some examples.
The security risks of USB are more than this short email can convey, but I think I gave you enough to get started and to think about.
I hope I was helpful,
Gadi Evron.

--
Email: ge () linuxbox org. Work: gadie () cbs gov il. Backup: ge () warp mx dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104 C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA 569A A87E 8DB7 06C7 D450
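An added audit script, not part of the thread above: it checks the two defences the reply points at, whether AutoRun is disabled for every drive type (the NoDriveTypeAutoRun policy value) and which USB mass-storage devices the host has ever installed a driver for (the USBSTOR enumeration key). The function names are my own; it assumes a Windows host and an elevated PowerShell prompt so the Enum subkeys are readable.

```powershell
# Added example (not from the original thread): audit a Windows host for the
# controls discussed above. Assumes an elevated PowerShell 5+ prompt.

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is suppressed;
    # 0xFF covers every drive type. Policy may be set at machine or user scope.
    $paths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun `
              -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v -and ($v -band 0xFF) -eq 0xFF) { return $true }
    }
    return $false
}

function Get-UsbStorageHistory {
    # Each USB mass-storage device that ever had a driver installed leaves a
    # Model\SerialNumber key pair under USBSTOR, even after it is unplugged.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Model        = $model
                SerialNumber = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

if (Test-AutoRunDisabled) {
    'AutoRun: disabled for all drive types'
} else {
    'AutoRun: NOT fully disabled - set NoDriveTypeAutoRun to 0xFF by policy'
}
Get-UsbStorageHistory | Format-Table -AutoSize
```

Run the same script across a domain (for example through a scheduled task or remoting) to get the kind of "which USB devices were ever connected where" inventory the reply mentions.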