Re: USB delivered attacks

From: Gadi Evron (ge@linuxbox.org)
Date: Mon May 31 2004 - 16:54:55 EDT


Jerry Shenk wrote:

> I recently inserted some guy's USB drive into a machine and was a bit
> surprised when it went into an auto-run sequence. I think turning off
> auto-run is a REALLY good idea. On a USB drive, it seems like it could
> be really dangerous. Has anybody messed with this?
>
> One possible scenario:
> - Have a USB drive with a few tools on it.
> - Have an auto-run configured to run pwdump and dump the SAM to the USB
> drive
>
> It seems that this attack would work with a machine that was locked from
> the console. Does 'autorun' still work under a locked screen? With
> this USB drive being writeable, it would seem that some scripted attack
> to extract information from a machine could be amazingly fruitful....the
> possibilities are almost endless.

Indeed.

This has been covered on several occasions, some on TV Sci-Fi shows and
some in actual security discussions.

Basically it is not always just about auto-run (which is always a good
idea to disable). USB auto-installs a driver for itself on plug-in.

That driver can be:
1. Messed with.
2. Built from scratch with one of *many* SDKs out there.

USB brings the threat of any user, maid, cleaner or hostile whoever to
plug it in, gather whatever information/perform whatever action, and leave.

I feel threatened enough by the fact that such small devices with such a
huge capacity exist and can be smuggled in so many ways; automatic
operations are just a plus. You don't really need many tools other than
Copy, but I suppose tools can be created.

This can be taken forward in many ways: from simply connecting a USB
drive and copying information as I've mentioned, through Palm Pilots
which would allow you to choose what you want to steal, all the way to
wireless devices which can be remotely controlled by a laptop or
through, say, a cellular device, whether temporary for the sake of one
illegal operation, or permanently, hidden.

Disabling USB altogether, virtually, by domain policy or removing the
USB devices themselves, maybe even just filling the plugs with silicone
or glue physically are some more drastic options which some
organizations *might* take, but I don't see it as a very viable option
for most.

It all depends on your risk analysis. Cost vs. benefit, as always with
security.

There exist several tools to monitor a domain for when and if a USB
device is connected to any remote machine, and of what kind. A simple
web search should help you find some examples.

The security risks of USB are more than this short email can convey, but
I think I gave you enough to get started and to think about.

I hope I was helpful,

        Gadi Evron.

-- 
Email: ge@linuxbox.org.  Work: gadie@cbs.gov.il. Backup: ge@warp.mx.dk.
Phone: +972-50-428610 (Cell).
PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
GPG key for encrypted email: 
http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450
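The two defences raised in this thread, disabling auto-run by policy and knowing what a drive would launch on insertion, as an added example that is not part of the original messages: a Python audit helper that decodes the Windows NoDriveTypeAutoRun policy bitmask (the registry value under Policies\Explorer) and flags the execution directives in an autorun.inf. The sample autorun.inf and its paths are constructed for the example.

```python
"""Audit NoDriveTypeAutoRun policy values and autorun.inf files (added example)."""

# One bit per Win32 drive type: bit = 1 << GetDriveType() value.
DRIVE_TYPE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40, "reserved": 0x80,
}
DISABLE_ALL = 0xFF  # the value a hardened policy sets: no AutoRun anywhere


def autorun_allowed_types(no_drive_type_autorun: int) -> list:
    """Drive types on which AutoRun still fires under this policy value."""
    return [name for name, bit in DRIVE_TYPE_BITS.items()
            if not no_drive_type_autorun & bit]


def removable_autorun_blocked(no_drive_type_autorun: int) -> bool:
    """True when the policy stops AutoRun on removable (USB) media."""
    return bool(no_drive_type_autorun & DRIVE_TYPE_BITS["removable"])


def audit_autorun_inf(text: str) -> list:
    """Return (key, value) pairs from [autorun] that launch a program.

    Flags open=, shellexecute= and any shell\\<verb>\\command= entry;
    cosmetic keys such as icon= or label= are ignored.
    """
    findings, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            findings.append((key, value))
    return findings


# Constructed sample autorun.inf, like the drive in the thread: it launches a
# tool as soon as the drive is inserted. The path is illustrative only.
SAMPLE_AUTORUN_INF = "[AutoRun]\nopen=tools\\run.bat\nicon=drive.ico\nlabel=Backup\n"

if __name__ == "__main__":
    print(audit_autorun_inf(SAMPLE_AUTORUN_INF))
    print(autorun_allowed_types(0x91), removable_autorun_blocked(0x91))
```

To audit a real host, read the NoDriveTypeAutoRun value from the registry and pass it to removable_autorun_blocked; anything other than DISABLE_ALL leaves some drive type still auto-running.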


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT