A New Way to Mitigate USB Risks
Open Source Software Blocks Malicious Actions, Researchers Say
USB is an old friend, and it's not going away anytime soon. First released in the mid-1990s, the specification eliminated the mess of ports on computers by defining how cameras and hard drives can seamlessly connect to a computer. Even Apple - which has often taken the lead in eliminating ports and drives - has retained a lone USB 3.0 port on its MacBook line of laptops.
But USB devices, such as flash storage drives, pose a big security risk. Computers blindly trust whatever is on the drive, which is sometimes not what is advertised. That's made flash drives an attractive attack vector because many users blindly trust the devices.
The fear of an attack coming from a USB drive has led to some drastic measures, including filling USB ports with epoxy or using physical locks on ports. But academics say they've developed a defense. They presented a research paper on the project at the Usenix Security Symposium in early August. For the event, they gave away red hats that say: "Make USB Great Again," playing off U.S. presidential candidate Donald Trump's campaign theme.
Unleashing Packet-Level Filters
Their software, called USBFILTER, is a packet-level access filter that enforces a tight set of rules for how interfaces on a USB device can interact with the host operating system, says Kevin Butler, associate professor in the computer and information science and engineering group at the University of Florida.
The term interface, in this case, refers to an internal function on a USB device. For example, a USB headset has interfaces for the speaker, the microphone and the volume controls. Operating systems trust interfaces and load the drivers for them automatically. Accordingly, many sneaky USB assaults involve stuffing a secret interface onto the USB drive, then using it as an attack vector.
Figuring out what is a bad interface versus a good one is tough because USB packets are difficult to analyze, Butler says. But the developers behind USBFILTER have engineered it to help assess which packets are coming from which interface. Such knowledge can then be applied to prevent unauthorized interfaces from connecting to the operating system.
The software can also be used to limit what interfaces can do, the developers say. Plug a USB webcam into a USB port on a PC, for example, and USBFILTER can ensure the device only gains access to Skype and can't secretly activate the camera at other times. Or a USB headset with a speaker and a microphone could be restricted to only allow the speaker to interact with an operating system, since microphones also pose a security risk. Or the software can deactivate all interfaces, so that the USB port on a computer can be restricted to only act as a charging port for mobile devices.
"It's a very powerful mechanism that really allows for fine-grained control over any type of data from any type of USB device," Butler claims.
If a USB device other than a real keyboard is programmed to emulate a keyboard, that can also be blocked using the software, the developers say. That could help avoid attacks such as BadUSB, which was described at the Black Hat hacking conference in 2014. In that demonstration, researchers showed that it's possible to rewrite the firmware of a USB device and include malicious functions, such as a secret keyboard, that are undetectable to anti-virus products.
To defend against that, USBFILTER can whitelist the mouse and keyboard of a host machine and drop any other packets representing themselves as those kinds of devices. It still might be possible to try to fool USBFILTER by impersonating those devices with their product and vendor numbers, known as VID/PID, and the serial number, the developers acknowledge. But that would require the attacker to unplug the existing mouse and keyboard and plug the malicious device back in. It's an attack vector that wouldn't work by dropping a malicious USB key in a supermarket parking lot and hoping someone picks it up.
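The rule matching described above, as an added example that is not USBFILTER's code or rule syntax: a simplified first-match, default-drop model in Python covering the pinned keyboard, the webcam limited to one program and the charge-only port. The field names, port labels and all VID/PID/serial values are constructed for illustration, and pinning the keyboard to a specific port is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional

HID, MASS_STORAGE, VIDEO = 0x03, 0x08, 0x0E  # USB-IF interface class codes

@dataclass(frozen=True)
class Packet:
    """Attributes a filter can see for one USB packet (field names are hypothetical)."""
    vid: int
    pid: int
    serial: str
    port: str
    iface_class: int
    process: Optional[str] = None  # host program doing the I/O, if any

@dataclass(frozen=True)
class Rule:
    """A rule matches when every field that is not None equals the packet's value."""
    action: str  # "allow" or "drop"
    vid: Optional[int] = None
    pid: Optional[int] = None
    serial: Optional[str] = None
    port: Optional[str] = None
    iface_class: Optional[int] = None
    process: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        fields = ("vid", "pid", "serial", "port", "iface_class", "process")
        return all(getattr(self, f) in (None, getattr(pkt, f)) for f in fields)

def decide(rules, pkt, default="drop"):
    """First matching rule wins; anything unmatched gets the default action."""
    return next((r.action for r in rules if r.matches(pkt)), default)

# Constructed policy: port "1-4" is charge-only; the real keyboard is pinned and
# every other HID interface is dropped; the webcam may talk to one program only.
POLICY = [
    Rule("drop", port="1-4"),
    Rule("allow", vid=0x1111, pid=0x0001, serial="KBD-0001", port="1-1", iface_class=HID),
    Rule("drop", iface_class=HID),
    Rule("allow", vid=0x2222, pid=0x0002, iface_class=VIDEO, process="skype"),
    Rule("drop", iface_class=VIDEO),
    Rule("allow", iface_class=MASS_STORAGE),
]
```

Rule order matters here: the pinned-keyboard rule must come before the catch-all HID drop, and the charge-only rule comes first so nothing plugged into that port reaches a later allow.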
Open Source Approach
USBFILTER is open-source code and has been posted on GitHub. The software has been written for Linux, but Butler says it could be ported to Mac and Windows.
The real power from USBFILTER will come if it is used throughout an organization and an administrator can centrally control and deploy new rules, the developers say. Related software hasn't been designed yet, but it would mean administrators wouldn't have to worry about what users who access their networks are jamming into USB ports.
"Our eventual hope is that we potentially get this made into a standard part of your operating system," Butler says.