Posted on November 23, 2014 By admin
One of the information security weaknesses to hit the news recently is the ‘BadUSB’ vulnerability.
First presented by researchers in the summer of 2014, BadUSB is the finding that the firmware on the controller chips inside many USB devices can be rewritten over the USB connection itself, so that a device behaves maliciously while still looking like an ordinary peripheral. There are a number of manufacturers of these chips, which are used in flash drives and a wide range of other USB devices including external storage, printers and cameras.
Depending on the manufacturer, some controller chips can be reprogrammed, some cannot, and some only under a particular set of conditions. The difficulty is that makers of end-user devices do not always stick to one chip supplier. They switch between suppliers according to price and availability, so two devices of the same model from the same brand may not be identical at the chip level, and nothing on the outside of the device indicates which controller is inside.
This is a particular problem for computer forensic investigation, where the integrity of a device may itself be in question. Forensic examiners have begun building checks for BadUSB into their workflows to establish whether a malicious device has been attached to a system. It is not enough to show that a USB device was connected at a particular time: the examiner also needs to establish what kind of device the system saw (a flash drive that also registered as a keyboard or a network adapter is the tell-tale sign) and whether any unusual activity, such as a large transfer of sensitive data, followed.
How Does it Work?
BadUSB targets the controller chip inside a USB device. By rewriting the firmware (the operating instructions) held on that chip, an attacker can make one device masquerade as another, because the host learns what a device is only from the descriptors the firmware reports when the device is plugged in. For example, a flash drive could be reprogrammed to present itself as a network adapter; by answering the host's DHCP request it can hand the machine a malicious DNS server, so that name lookups and the traffic that follows them are redirected to attacker-controlled servers.
A device could also be reprogrammed to present itself as a keyboard. It cannot read what the user types on the real keyboard, but it can type: once the operating system accepts it as a keyboard it can inject keystrokes of its own, opening a command prompt and issuing commands with the logged-in user's privileges, for example to download and run malware. A reprogrammed flash drive could also tamper with files as they are copied from it onto the system, inserting malicious code on the way.
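To make the masquerade concrete, here is an added example (written for this article, not code from the BadUSB researchers or from any product) that builds the USB descriptors a flash drive returns at enumeration and walks them the way a host stack does. The vendor and product IDs are placeholders. The ‘before’ and ‘after’ descriptors carry identical identity fields; only the interface class bytes supplied by the firmware differ, and those bytes are the sole basis on which the host decides to load a storage driver, a keyboard driver, or both.

```python
import struct

# USB-IF class codes a host consults when deciding which driver to bind.
CLASS_NAMES = {
    0x02: "CDC (network/serial)",
    0x03: "HID (keyboard/mouse)",
    0x08: "mass storage",
    0xE0: "wireless controller",
}

def device_descriptor(vid, pid):
    """18-byte device descriptor. bDeviceClass=0 tells the host to take the class
    from each interface descriptor, which is what typical flash drives do."""
    return struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0200, 0, 0, 0, 64,
                       vid, pid, 0x0100, 1, 2, 3, 1)

def interface(num, n_endpoints, cls, subclass, protocol):
    return struct.pack("<BBBBBBBBB", 9, 4, num, 0, n_endpoints, cls, subclass, protocol, 0)

def endpoint(address, attributes, max_packet, interval):
    return struct.pack("<BBBBHB", 7, 5, address, attributes, max_packet, interval)

def storage_interface(num):
    """Bulk-only SCSI mass storage: class 8, subclass 6, protocol 0x50."""
    return (interface(num, 2, 0x08, 0x06, 0x50)
            + endpoint(0x81, 0x02, 512, 0)      # bulk IN
            + endpoint(0x02, 0x02, 512, 0))     # bulk OUT

def keyboard_interface(num, ep_address):
    """HID boot-protocol keyboard: class 3, subclass 1, protocol 1, plus the
    HID class descriptor (type 0x21) that precedes its interrupt endpoint."""
    hid_desc = struct.pack("<BBHBBBH", 9, 0x21, 0x0110, 0, 1, 0x22, 63)
    return (interface(num, 1, 0x03, 0x01, 0x01) + hid_desc
            + endpoint(ep_address, 0x03, 8, 10))  # interrupt IN

def configuration(*interfaces):
    """Wrap interface blocks in a configuration descriptor with a correct wTotalLength."""
    body = b"".join(interfaces)
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), len(interfaces), 1, 0, 0x80, 50) + body

def parse_interfaces(config):
    """Walk the configuration descriptor the way a host stack does and list
    every interface with the class the firmware claims for it."""
    total = struct.unpack_from("<H", config, 2)[0]
    if total != len(config):
        raise ValueError("wTotalLength does not match descriptor size")
    offset, found = 9, []
    while offset < total:
        length, dtype = config[offset], config[offset + 1]
        if dtype == 4:  # interface descriptor
            _, _, num, _, _, cls, sub, proto, _ = struct.unpack_from("<BBBBBBBBB", config, offset)
            found.append({"number": num, "class": cls, "subclass": sub, "protocol": proto,
                          "name": CLASS_NAMES.get(cls, "class 0x%02x" % cls)})
        offset += length
    return found

def what_the_host_sees(device_desc, config_desc):
    """Identity fields from the device descriptor plus the interface classes:
    everything the host has when deciding what kind of device this is."""
    vid, pid = struct.unpack_from("<HH", device_desc, 8)
    return {"vid": vid, "pid": pid,
            "interfaces": [i["name"] for i in parse_interfaces(config_desc)]}

# Constructed scenario: the same flash drive before and after its firmware is rewritten.
# The vendor/product IDs are placeholders, not a real product.
HONEST_DRIVE = (device_descriptor(0xABCD, 0x0001), configuration(storage_interface(0)))
BADUSB_DRIVE = (device_descriptor(0xABCD, 0x0001),
                configuration(storage_interface(0), keyboard_interface(1, 0x83)))

if __name__ == "__main__":
    for label, (dev, cfg) in (("before", HONEST_DRIVE), ("after", BADUSB_DRIVE)):
        seen = what_the_host_sees(dev, cfg)
        print("%s: %04x:%04x -> %s" % (label, seen["vid"], seen["pid"], ", ".join(seen["interfaces"])))
```

The point of the comparison is that vendor ID, product ID and (in a real device) the serial string all come from the same firmware image as the class bytes, so a check that trusts those identifiers is trusting the thing that was rewritten.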
How to Guard Against it
There are a number of steps that information security teams can take to guard against BadUSB attacks. The simplest is a strict device policy: at a minimum, users may not attach personal or unknown USB devices to corporate systems.
This can be enforced with endpoint security software that blocks access to any unauthorised USB device that is plugged in. Two caveats apply. First, identifiers such as vendor ID, product ID and serial number are reported by the very firmware that BadUSB rewrites, so a reprogrammed device can present whatever identity an allowlist expects; controls that also restrict device classes (for example, refusing any newly attached keyboard or network adapter) are harder to get past. Second, encrypting authorised USB drives so that only drives keyed to the system can be read protects the data on them, but it does nothing against a device that presents itself as a keyboard, which never touches the storage path at all.
Endpoint security can also enforce application control, so that software not on the approved list cannot be installed or run. This limits what a keyboard-emulating device can achieve by typing commands: it can still drive tools already present on the system, but it cannot run an executable of its own.
Another useful layer is data leak prevention technology. It does not stop the device from being attached or the system from being compromised, but it can detect and block the unauthorised transmission of data, and stopping information from leaving the organisation is the critical last line of defence when a device cannot be trusted.
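The forensic check described earlier (was a device attached, what did the system take it to be, and when) and the device policy above can both be expressed as a review of the host's own USB enumeration records. The following added example (not from the original article or from any endpoint product) parses Linux kernel log lines of the kind written when a USB device is plugged in, records which driver classes were bound to each device, and checks them against an assumed allowlist of issued drives. The log lines, host name, vendor/product IDs and allowlist are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed kernel log excerpt in Linux syslog format; written for this example,
# not captured from a real incident. Vendor/product IDs are placeholders.
SAMPLE_LOG = """\
Nov 20 09:12:01 ws01 kernel: usb 1-2: new high-speed USB device number 4 using xhci_hcd
Nov 20 09:12:01 ws01 kernel: usb 1-2: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
Nov 20 09:12:01 ws01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Nov 20 09:12:02 ws01 kernel: scsi host6: usb-storage 1-2:1.0
Nov 20 14:30:17 ws01 kernel: usb 1-3: new high-speed USB device number 5 using xhci_hcd
Nov 20 14:30:17 ws01 kernel: usb 1-3: New USB device found, idVendor=abcd, idProduct=0001, bcdDevice= 1.00
Nov 20 14:30:17 ws01 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Nov 20 14:30:17 ws01 kernel: input: Generic Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.1/0003:ABCD:0001.0005/input/input12
Nov 20 14:30:17 ws01 kernel: hid-generic 0003:ABCD:0001.0005: input,hidraw0: USB HID v1.10 Keyboard [Generic Flash Disk] on usb-0000:00:14.0-3/input1
Nov 20 15:02:44 ws01 kernel: usb 1-4: new high-speed USB device number 6 using xhci_hcd
Nov 20 15:02:44 ws01 kernel: usb 1-4: New USB device found, idVendor=1a2b, idProduct=0002, bcdDevice= 2.00
Nov 20 15:02:44 ws01 kernel: rndis_host 1-4:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-4, RNDIS device, 02:11:22:33:44:55
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<msg>.*)$")
PORT = r"(?P<port>\d+-[\d.]+)"          # e.g. 1-3 or 2-1.4 (bus-port[.port])
NEW_DEVICE = re.compile(r"^usb " + PORT + r": New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
# One pattern per driver family the kernel binds; the class it implies is what matters.
CLASS_PATTERNS = (
    ("storage", re.compile(r"^usb-storage " + PORT + r":\d+\.\d+: USB Mass Storage device detected")),
    ("hid",     re.compile(r"^input: (?P<name>.+?) as \S*/usb\d+/" + PORT + r"/")),
    ("network", re.compile(r"^(?:rndis_host|cdc_ether|cdc_ncm) " + PORT + r":\d+\.\d+ \S+: register")),
)

@dataclass
class UsbDevice:
    port: str
    first_seen: str
    vid: str
    pid: str
    classes: set = field(default_factory=set)
    names: list = field(default_factory=list)

def parse_usb_events(log_text):
    """One UsbDevice per enumeration, with every interface class the kernel bound for it."""
    devices, current = [], {}   # current: port -> device most recently enumerated there
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        new = NEW_DEVICE.match(msg)
        if new:
            dev = UsbDevice(new["port"], ts, new["vid"].lower(), new["pid"].lower())
            devices.append(dev)
            current[dev.port] = dev
            continue
        for cls, pattern in CLASS_PATTERNS:
            hit = pattern.match(msg)
            if hit and hit["port"] in current:
                current[hit["port"]].classes.add(cls)
                if cls == "hid":
                    current[hit["port"]].names.append(hit["name"])
                break
    return devices

# Assumed device policy (constructed): issued drives and the classes they should expose.
ALLOWED_DEVICES = {("abcd", "0001"): {"storage"}}

def assess(devices, allowed=ALLOWED_DEVICES):
    """Return (device, code, detail) findings. The identity check alone is weak,
    because VID/PID come from the same firmware BadUSB rewrites; the class check
    catches a 'flash drive' that also showed up as a keyboard or network adapter."""
    findings = []
    for dev in devices:
        expected = allowed.get((dev.vid, dev.pid))
        if expected is None:
            findings.append((dev, "unknown-device", "identifiers not on the allowlist"))
        elif dev.classes != expected:
            findings.append((dev, "unexpected-interfaces",
                             "allowlisted identity but enumerated as " + ", ".join(sorted(dev.classes))))
        if "storage" in dev.classes and dev.classes & {"hid", "network"}:
            findings.append((dev, "storage-masquerade",
                             "mass-storage device also bound " + ", ".join(sorted(dev.classes - {"storage"}))))
    return findings

if __name__ == "__main__":
    for dev, code, detail in assess(parse_usb_events(SAMPLE_LOG)):
        print("%s port %s %s:%s [%s] %s" % (dev.first_seen, dev.port, dev.vid, dev.pid, code, detail))
```

In the constructed log the second device carries the allowlisted identifiers but also enumerates as a keyboard, so the identity check passes and only the class check catches it; the third device is a network adapter with unknown identifiers. On Windows the same two questions are answered from the USBSTOR, USB and HID device keys in the registry and from setupapi.dev.log rather than from the kernel log.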
For most enterprises the best approach blends policy with software-based controls to give the maximum protection against attacks and to stop sensitive information escaping. As computer forensic investigation specialists, Elvidence advises its customers on dealing with the BadUSB threat, including reviewing their existing security policies and controls to assess how effectively they would block a BadUSB infection.