Small yet risky things (in the internet age)
by FABIO COATTI, ICT Legal Consulting - It is common knowledge that threats to IT systems are becoming increasingly versatile and subtle.
Hardly a day passes without tweets about new malware, news reports of big firms being hacked or forums busy with discussions of a new virus, the latest example being the infamous CTB-Locker ransomware.
Among such threats, some quite fascinating attacks rely on common objects, small and apparently harmless.
An example? Ubiquitous USB flash drives. They are so common that they go unnoticed, a standard desk item. They are used as advertising gadgets, as a quick and easy tool for file sharing and so on. OK, everyone knows that every file on them should be checked for viruses, so we should be safe... or not? Well, maybe not. Let's see why.
A common USB flash drive looks like a simple device, but under the hood it conceals not only the memory but also controllers and firmware. These are all complex components, potentially vulnerable, and they inevitably attract the interest of hackers.
Unsurprisingly, some hackers found a way to turn harmless and nice USB drives into possibly harmful hacking devices.
Simply put, it is possible to reprogramme USB drives so as to have them perform “interesting” things: mimic a keyboard or a network device, inject malicious code during boot sequence and so on.
Entering “badusb” in any search engine will bring up plenty of details about this attack, and you may even find some code on GitHub.
Antivirus products are more or less ineffective in defending us from this kind of threat. The danger is not in the content, but in the box. Once a PC is infected, it can be difficult or nearly impossible to clean things up. A laptop can have all sorts of embedded USB devices: webcams, smartcard readers, fingerprint readers and so on. And the laptop's BIOS may also have been modified during the attack.
According to some sources, a significant part of the devices in use right now are vulnerable, and it is also very difficult to detect whether a device is prone to the attack or has already become a victim.
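Because the danger sits in the device rather than in its files, one partial check is to look at what a plugged-in drive declares itself to be. The sketch below is an added example, not code from the original article: it flags a device that declares a mass-storage interface together with a keyboard-type or network-type interface. The snapshot is constructed sample data in the naming Linux sysfs uses for USB interfaces, and the function names are hypothetical.

```python
# Added example: flag storage devices that also declare input or network roles.
import re

# Standard USB interface class codes (bInterfaceClass)
MASS_STORAGE = 0x08
INPUT_OR_NETWORK = {
    0x03: "HID (keyboard/mouse)",
    0x02: "communications/network",
    0x0A: "CDC data",
    0xE0: "wireless controller",
}

# Constructed snapshot: "<bus-port>:<config>.<interface> <class in hex>",
# mirroring sysfs interface directory names and their bInterfaceClass value.
SNAPSHOT = """\
1-1:1.0 08
1-2:1.0 08
1-2:1.1 03
1-3:1.0 03
2-1:1.0 08
2-1:1.1 02
2-1:1.2 0a
"""

LINE = re.compile(r"^(\d+-[\d.]+):\d+\.\d+\s+([0-9a-fA-F]{2})$")

def interfaces_by_device(snapshot):
    """Group the declared interface classes by physical device (bus-port)."""
    devices = {}
    for line in snapshot.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        devices.setdefault(m.group(1), set()).add(int(m.group(2), 16))
    return devices

def suspicious_storage_devices(snapshot):
    """Return {device: [extra roles]} for storage devices with extra roles."""
    findings = {}
    for dev, classes in interfaces_by_device(snapshot).items():
        extra = sorted(classes & set(INPUT_OR_NETWORK))
        if MASS_STORAGE in classes and extra:
            findings[dev] = [INPUT_OR_NETWORK[c] for c in extra]
    return findings

if __name__ == "__main__":
    for dev, roles in suspicious_storage_devices(SNAPSHOT).items():
        print(f"{dev}: storage device also declares {', '.join(roles)}")
```

A hit is a reason to look closer, not proof, since some legitimate composite devices combine these roles; a reprogrammed drive that declares only a keyboard interface is not caught by this check.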
On the bright side, it must be said that this attack is not always feasible. It requires some specific conditions and good knowledge on the attacker's side, but nonetheless it is a real danger.
How can we defend our devices from this risk? As mentioned, there is no silver bullet: the real solution will be to get secure devices that are not vulnerable by design, and it could be difficult to find a good one. Basically this is in the vendors' hands, and what about the devices in use now? A widespread fix will surely take time.
A somewhat drastic but very effective method is to physically lock the USB ports. If you manage very sensitive data and you can't always keep an eye on your laptop, this could be an option, provided you can afford to lose the USB ports.
Maybe you will now look differently at the USB flash drive that you routinely use to exchange files. However, look also for other small, unobtrusive but “interesting” objects around you. There are many of them.
Fabio Coatti, of Counsel at ICT Legal Consulting, IT Expert