USB-Sticks and wooden horses

Posted by Schott-DCT on Tuesday, March 26, 2019

Timeo Danaos et dona ferentes: USB memory replaces wooden horses

The legendary fall of Troy, brought about by a gift, still works today. Only the larger-than-life wooden horse on the beach has been replaced by USB memory sticks dropped in the company’s parking lot – promptly picked up and plugged into a company PC.
Unbelievable? You had better believe it: the details are in a study (PDF) [1][2] on human behavior and IT security.

Security risk
It has long been known that USB sticks (floppy disks in earlier times) can carry viruses and Trojans, either as files or embedded in files.
More recent methods that a virus scanner cannot detect include BadUSB (see the BadUSB-BlackHat-v1 talk [3][4]), Rubber Ducky [5] and USB Killer [6]. The last of these would rule out any further virus scans, since it destroys the computer hardware.

Solution approach
There is no single simple solution; several measures have to be combined to address the issue:

  • technical actions
  • organizational measures
  • legal provisions

Technical actions could include disabling USB ports in software and/or blocking them physically on the company’s computers.
Raising awareness of these issues through user training is strongly recommended.
A further option that is likely to have a very positive impact is a TOM (technical and organizational measure): a central test computer (e.g. an offline Raspberry Pi with overvoltage protection, maintained by the IT security team) on which users can examine dubious USB devices at low risk.
Where an internal security policy is in place, having every employee individually sign it would be an excellent legal provision.
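As an added example (not code from the post), here is what the software-side USB disablement mentioned above can look like on a Linux host: new devices stay disabled by default and a small default-deny policy enables only allowlisted devices, refusing any "stick" that also claims to be a keyboard. The vendor/product IDs in ALLOWLIST are constructed placeholders.

```python
"""Allowlist-based USB device authorization (added example, not from the post).

Models the software-side USB disablement mentioned above on a Linux host:
with authorized_default set to 0 (see note below) new devices stay disabled
until this policy explicitly enables them. ALLOWLIST holds constructed
placeholder vendor/product IDs, not real devices.
"""
from dataclasses import dataclass
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08  # bInterfaceClass codes from the USB spec


@dataclass
class UsbDevice:
    vendor: str               # idVendor as sysfs prints it, e.g. "1234"
    product: str              # idProduct
    interface_classes: tuple  # bInterfaceClass of every interface


ALLOWLIST = {("1234", "5678"), ("abcd", "0001")}  # placeholder VID/PID pairs


def decide(dev, allowlist=ALLOWLIST):
    """Return (authorize, reason). Policy is default-deny with a VID/PID
    allowlist, but a device that is both mass storage and HID (keyboard)
    is refused even when listed: VID/PID is trivial to fake, and a
    'stick' that types is exactly the BadUSB / Rubber Ducky pattern."""
    classes = set(dev.interface_classes)
    if MASS_STORAGE in classes and HID in classes:
        return False, "mass storage combined with a HID interface"
    if (dev.vendor.lower(), dev.product.lower()) in allowlist:
        return True, "on allowlist"
    return False, "not on allowlist"


def read_sysfs(dev_dir):
    """Build a UsbDevice from /sys/bus/usb/devices/<bus-port>/ (Linux)."""
    d = Path(dev_dir)
    classes = tuple(int(p.read_text(), 16)
                    for p in sorted(d.glob(f"{d.name}:*/bInterfaceClass")))
    return UsbDevice((d / "idVendor").read_text().strip(),
                     (d / "idProduct").read_text().strip(), classes)


def enforce(dev_dir, allowlist=ALLOWLIST):
    """Decide for one sysfs device and write its 'authorized' flag (root)."""
    dev = read_sysfs(dev_dir)
    ok, why = decide(dev, allowlist)
    (Path(dev_dir) / "authorized").write_text("1" if ok else "0")
    return ok, why
```

Writing 0 to /sys/bus/usb/devices/usbN/authorized_default on each root hub makes the kernel leave newly plugged devices disabled, so enforce() can be run from a udev add rule to enable only what the policy accepts. The same decide() check on the central test computer tells a user immediately whether a found stick also presents itself as a keyboard.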

The human factor in IT security
Most of the listed measures reduce the computers’ ease of use, so users may feel constrained. As a consequence, acceptance of those measures is low, and users may in turn feel tempted to circumvent the security rules.
The suggested central test computer, freely accessible to all users, would actually make users’ lives easier.
Optionally, such a test computer can serve as the basis for a regular, controlled process for importing business-relevant external data into the company.
To turn the “human factor” to advantage, an award or contest for every malicious device safely detected could be introduced. Users would thereby take an active role in IT security, which is itself motivating.

[1] Matthew Tischer et al., “Users Really Do Plug in USB Drives They Find,” 2016 IEEE Symposium on Security and Privacy (SP)
[2] PDF link
[3] BadUSB overview (English)
[4] BadUSB-BlackHat-v1: talk at Black Hat 2014 by Karsten Nohl
[5] Rubber Ducky
[6] USB Killer