USB devices are the main source of malware for industrial control systems, said Luca Bongiorni of Bentley Systems during his talk at #TheSAS2019. Most people who are in any way involved with security have heard classic tales about flash drives “accidentally” dropped in parking lots — it’s a common security story that is just too illustrative not to be retold again and again.
Another — real — story of USB flash drives involved an employee working at an industrial facility who wanted to watch La La Land, so he downloaded the movie to a flash drive over lunch. So begins the story of how an air-gapped system at a nuclear plant got infected — it’s an all-too-familiar story of extremely avoidable critical infrastructure infection.
But people tend to forget that USB devices are not limited to flash drives. Human interface devices (HIDs) such as keyboards and mice, charging cables for smartphones, and even things like plasma balls and thermal mugs, can be tampered with to target industrial control systems.
A brief history of USB weapons
Despite people’s forgetfulness, weaponized USB devices are also not news. The first such devices were written up back in 2010. Based on a small programmable board called Teensy and equipped with a USB-connector, they were able to act like HIDs, for example, sending keystrokes to a PC. Hackers quickly realized the devices could be used for penetration testing and came up with a version programmed to create new users, run programs that added back doors, and inject malware either by copying it or downloading from a specified website.
The first version of this Teensy modification was called PHUKD. Kautilya, which was compatible with the more popular Arduino boards, followed. Then came Rubberducky — perhaps the best-known keystroke emulation USB tool, thanks to Mr. Robot, and looking just like the average thumb drive. A more powerful device called Bash Bunny was used in attacks against ATMs.
The person who invented PHUKD quickly came up with an idea and created a trojanized mouse with a pentesting board inside, so that in addition to working just like a regular mouse, it can do everything PHUKD is capable of. From a social-engineering perspective, using actual HIDs to penetrate systems might be even easier than employing USB sticks for the same purpose, because even the people who know enough not to insert an unknown thumb drive into their PC usually have no concerns about keyboards or mice.
The second generation of weaponized USB devices was created during 2014–2015 and included the infamous BadUSB-based devices. TURNIPSCHOOL and Cottonmouth, allegedly developed by the US National Security Agency (NSA), are also worth mentioning: They were devices so tiny that they could be fitted into a USB cable and used to exfiltrate data from computers (including computers not connected to any network). Just a simple cable — nothing anyone is concerned about, right?
The modern state of weaponized USB devices
The third generation of USB pentesting tools brings them to a whole new level. One such tool is WHID Injector, which is basically Rubberducky with a Wi-Fi connection. Because it has Wi-Fi, there’s no need to program it initially with all that it is supposed to do; a hacker can control the tool remotely, which provides more flexibility and also the ability to work with different operating systems. Another third-gen tool is P4wnP1, which is based on Raspberry Pi and is like Bash Bunny with some additional functionality, including wireless connectivity.
And, of course, both WHID Injector and Bash Bunny are small enough to be embedded into a keyboard or a mouse. This video demonstrates a laptop that is not connected to any networks by USB, Ethernet, or Wi-Fi but has a trojanized keyboard attached to it that allows a remote attacker to execute commands and run apps.
— ☎️ⓁⒷⓄ☎️ (@LucaBongiorni) February 14, 2018
Small USB devices such as the two mentioned above can even be programmed to seem like a certain HID model, letting them bypass the security policies of those companies that accept mice and keyboards only from certain vendors. Tools such as WHID Injector can also be equipped with a microphone to establish audio surveillance and spy on people at a facility. Worse, one such device is enough to compromise the entire network, unless the network is properly segmented.
How to protect systems against weaponized USB devices
Trojanized mice and keyboards, as well as surveilling or malicious cables, are serious threats that can be used to compromise even air-gapped systems. Nowadays, the tools for such attacks can be purchased cheaply and programmed with next to no programming skills, so such threats should be on your radar.
To protect critical infrastructure against such threats, use a multilayered approach.
- Ensure physical security first, so that unauthorized personnel cannot plug in random USB devices to industrial control systems. Also, physically block unused USB ports on such systems and prevent the removal of HIDs that are already plugged in.
- Train employees so that they are aware of different kinds of threats, including weaponized USB devices (à la the La La Land incident).
- Segment the network properly and manage access rights to prevent attackers from reaching systems used to control critical infrastructure.
- Protect every system at the facility with security solutions that are capable of detecting all kinds of threats. Kaspersky Endpoint Security's technology will not authorize any HIDs unless the user inputs a code using a HID already authorized to do so.