Don’t Worry, USB Happy
Eric Knapp
Leader and visionary in industrial control systems cyber security | Author, patents, cybersecurity architecture & design
Yes, a $45 USB Rubber Ducky can disable an industrial control system, as I showed in my recent presentation at the Cyber Senate’s event and in my blog on USB attacks. I explained how bad USB devices can be, and the severity of threats they introduce. When disbelievers explained that they turned off USB devices via Windows’ Group Policy to prevent these threats, I calmly showed the same Rubber Ducky reversing all of those policies. That’s right, a USB device bypassed USB device controls. Good stuff.
None of this is rocket science – honestly, I’m not that smart – but thanks to the great job that the USB protocol does with the “Universal” part, things like USB Rubber Duckies, Bash Bunnies and BadUSB can be extremely dangerous. In my presentation, I think I scared some people — especially when I explained how even Application Whitelisting (the Golden Child of ICS security) can’t stop a well-crafted USB attack. Some of you also shared your USB horror stories.
But USB is still a good thing, which is why USB devices remain the de facto standard for device connectivity in modern computing, despite their increasingly bad rep. Refusing to use USB devices will only cause painful inconveniences to your organization. The attackers will find other vectors, and the problem won’t be solved. With the proper security controls in place, and with your eyes wide open, USB can be used safely again: you’ll be able to get all the benefits but leave the apprehension behind.
Don’t worry, everyone, there’s hope – USB happy! [1]
It’s the Least We Could Do
Human Interface Device (HID) attacks can be extremely powerful, especially when they are targeted and properly planned, but an HID attack can only ever be as powerful as the “H” (the Human).
If you’re not practicing the fundamentals of least-privilege access, now is the time to start. Put simply, if your H is logged in as Admin, an HID attack will be typing away with full Admin privileges. If that H is only allowed to use a single application, the HID attack will similarly only be able to use that single application.
Of course, there’s the unfortunate fact that, despite the best intentions of user and access management, credentials can and will be stolen. There’s even a nifty way to steal credentials using (you guessed it) a USB device. Sigh.
To Protect Against USB, Think Like USB
Understand that the reason USB can be so tricky to defend against is that it’s an amazingly sophisticated and flexible protocol. It doesn’t mean that you can’t secure USB, but it does mean that you’re going to have to take a multi-faceted approach. To protect against USB threats, you have to understand how the USB protocol works and cover all vectors. You must think like the USB.
This means you need more controls, and better ones. I picked on application whitelisting (AWL) before, because unless it’s implemented correctly, it can be easily bypassed (and it’s very difficult to implement whitelisting correctly in an industrial control system). That doesn’t mean you shouldn’t implement AWL as well as you can. It’s a great anti-malware mechanism. Traditional anti-virus (AV) isn’t terribly effective on its own anymore, but you should still use AV as well.
The tenets of Defense-in-Depth haven’t changed, because no single control is infallible. When securing a protocol like USB that is adaptable by design, strong Defense-in-Depth is even more important.
Trust Me
In our explorations of various USB threats, we had an epiphany: what the USB protocol needs is device authorization. In fact, the USB standards are evolving in that very direction, for this very reason. Unfortunately, we can’t wait – and if we did, it would be a long wait, because “industrial control systems” and “modern computers” don’t typically go together. So, we teamed up with Open Systems Resources, experts in Windows driver technology, to help tackle this problem. The result is T.R.U.S.T – Trusted Response User Substantiation Technology, designed specially to protect against USB threats to critical infrastructure and other industrial control environments.
It works like this:
- First, TRUST gets in the way of the normal USB protocol to quarantine new devices so that they can’t connect and cause any harm on their own.
- Next, it determines what the device really is by observing how the device presents itself and how the host computer responds.
- Then, TRUST presents a Captcha to the human user. This Captcha tells you exactly what the device you are connecting really is, and requires a human response to authorize the device.
All three pieces are important because:
- Once a USB device connects, it’s too late. So you have to isolate that device first, and in such a way that only a secure service can interact with it.
- You need to interact with a USB device to determine what it is. You can’t rely on whatever the device tells you it is, because USB Device Types, Device IDs, Serial Numbers, and other identifiers can easily be spoofed or manipulated.
- You have to be able to break any programmatic attempt for a smart, malicious USB device to circumvent #1 and #2. Requiring a conscious authorization from an Administrative user (a human, the H) is a sure-fire approach that has been proven extremely effective in other areas of privacy and security.
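The three steps above, modelled end to end as an added example written for this article (it is not TRUST, OSR or GoodUSB code, and the device model, function names and descriptor bytes are constructed for illustration): a device stays quarantined by default, the host walks the configuration descriptor it actually presented to learn which interface classes it exposes (a product string saying "Flash Drive" is ignored for that purpose, because strings, IDs and serials are spoofable), and the device is released only when a human types back a random on-screen token that a self-typing "keyboard" cannot know. The descriptor layouts follow chapter 9 of the USB 2.0 specification; the sample device is built in code rather than captured from hardware.

```python
import secrets
import struct
from dataclasses import dataclass

# Descriptor type and class codes as defined in the USB 2.0 specification, chapter 9.
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_PROTO_KEYBOARD = 0x01
CLASS_NAMES = {0x03: "HID input device", 0x08: "mass storage", 0x09: "hub", 0xFF: "vendor-specific"}


@dataclass
class UsbDevice:
    """A freshly enumerated device (hypothetical model). Every field is self-reported and spoofable."""
    product_string: str
    vid: int
    pid: int
    config_descriptor: bytes
    authorized: bool = False  # step 1: quarantined until a human releases it


# Constructed descriptors: sample data built for this example, not captured from real hardware.
def interface_descriptor(number, cls, sub, proto, n_endpoints, hid=False):
    """bLength, bDescriptorType, bInterfaceNumber, bAlternateSetting, bNumEndpoints,
    bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface (9 bytes)."""
    desc = struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, number, 0, n_endpoints, cls, sub, proto, 0)
    if hid:  # the HID class descriptor sits between the interface and its endpoints
        desc += struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63)
    for i in range(n_endpoints):  # IN endpoints with 64-byte packets
        desc += struct.pack("<BBBBHB", 7, DT_ENDPOINT, 0x81 + i, 0x02, 64, 0)
    return desc


def config_descriptor(*interfaces):
    """Configuration header (9 bytes, wTotalLength covers everything) followed by the interfaces."""
    body = b"".join(interfaces)
    header = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), len(interfaces), 1, 0, 0x80, 50)
    return header + body


# Step 2: learn what the device is from the interfaces it exposes, not from the strings it reports.
def parse_interface_classes(config):
    """Walk the descriptor chain and return (class, subclass, protocol) for each interface."""
    found, off = [], 0
    while off + 2 <= len(config):
        length, dtype = config[off], config[off + 1]
        if length == 0 or off + length > len(config):
            break  # zero-length or truncated descriptor: stop rather than loop or overrun
        if dtype == DT_INTERFACE and length >= 9:
            found.append((config[off + 5], config[off + 6], config[off + 7]))
        off += length
    return found


def risk_flags(dev):
    """What a defender wants to know before releasing the device from quarantine."""
    ifaces = parse_interface_classes(dev.config_descriptor)
    kinds = {cls for cls, _, _ in ifaces}
    flags = []
    if any(cls == CLASS_HID and proto == HID_PROTO_KEYBOARD for cls, _, proto in ifaces):
        flags.append("keyboard: can inject keystrokes")
    if len(kinds) > 1:
        flags.append("composite: presents more than one device class")
    if CLASS_HID in kinds and any(w in dev.product_string.lower() for w in ("drive", "disk", "storage")):
        flags.append("mismatch: calls itself storage but exposes an input device")
    return flags


def describe_for_human(dev):
    """Step 3 text: tell the user exactly what the device really is before asking for consent."""
    lines = [f"Device {dev.vid:04x}:{dev.pid:04x} calls itself '{dev.product_string}' and exposes:"]
    for cls, _, _ in parse_interface_classes(dev.config_descriptor):
        lines.append("  - " + CLASS_NAMES.get(cls, f"class 0x{cls:02x}"))
    lines.extend("  ! " + flag for flag in risk_flags(dev))
    return "\n".join(lines)


def new_challenge():
    """A random token to be shown on screen (a Captcha-style image in a real product).
    A malicious keyboard cannot read the screen, so it cannot type the token on its own."""
    return secrets.token_hex(3)


def authorize(dev, challenge, human_answer):
    """Release the device only when the on-screen challenge was typed back; otherwise stay quarantined."""
    if human_answer.strip() == challenge:
        dev.authorized = True
    return dev.authorized


if __name__ == "__main__":
    # Constructed sample: a stick that calls itself a flash drive but also enumerates as a keyboard.
    sneaky = UsbDevice("Generic Flash Drive", 0x1234, 0x5678, config_descriptor(
        interface_descriptor(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2),                   # SCSI, bulk-only
        interface_descriptor(1, CLASS_HID, 0x01, HID_PROTO_KEYBOARD, 1, hid=True)))   # boot keyboard
    print(describe_for_human(sneaky))
    token = new_challenge()
    print(f"Type the code shown on screen [{token}] to allow this device:")
    print("authorized" if authorize(sneaky, token, input("> ")) else "still quarantined")
```

Running it prints the "calls itself a flash drive, exposes mass storage plus an HID keyboard" summary and then waits for the token; typing anything else leaves `authorized` false, which is the property step 1 depends on. On Linux the kernel already provides the quarantine half natively: writing 0 to `/sys/bus/usb/devices/usbN/authorized_default` leaves new devices enumerated but unbound until their per-device `authorized` attribute is set to 1, and tools such as USBGuard build policy on exactly that hook.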
But don’t just trust me, personally. TRUST is the brainchild of several very smart people, including some from my own team, as well as from our technology partner Open Systems Resources.
Take the Bus Back
The intention of my past few articles stems from a desire to once again benefit from that thing we call the Universal Serial Bus – the protocol that freed us from the floppy drive, untethered us from a tangle of proprietary interfaces, and saved us from insufficient storage [2]. USB is truly designed to be universal, and its success at this goal has made it ubiquitous, convenient and cost effective.
As one of the initial vectors of the first known targeted attack against ICS (Stuxnet), and more recently responsible for carrying an infected download of La La Land into a control room, USB has certainly gotten a bad reputation, leading to exclusive policies, device bans, and hot glue.
But the reason all of us use USB devices every single day is because the USB protocol is amazingly beneficial, and condemning its use hurts us far more than it could help us. Instead of pushing USB away, we can control it, secure it, and make USB safe again. That should make everyone happy.
1 - Please forgive me for the pun. Trust me, the reggae tune will eventually leave your subconscious.
2 - I remember the controversy around the original Bondi Blue iMac, sans floppy drive and 100% USB dependent. I still have mine, in a box in the attic (it doesn’t boot but it is still cute).
Director, Florida Institute for Cybersecurity Research and Professor of Computer & Information Science & Engineering, University of Florida
6 years ago: Very interesting work, Eric! We wrote a paper about defending against BadUSB attacks for a system we called GoodUSB a couple of years ago that is very similar to your TRUST project: https://cise.ufl.edu/~butler/pubs/acsac15.pdf . We also have a filtering based approach to constraining USB functionality that takes the human out of the loop (https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/tian). I'd be happy to talk further!
Leader and visionary in industrial control systems cyber security | Author, patents, cybersecurity architecture & design
6 years ago: While it's hard to say without seeing one and testing it, TRUST (aka "GoodUSB") *should* be able to protect against the recently announced USB Harpoon ...
Construction Manager at Arizona Public Service - APS
6 years ago: Is it NERC compliant?
SCADA Integration and Security Engineer
6 years ago: ...but would they be able to read it after 30 years at sea? :-)