USB flash drives masquerading as keyboards mean more BYOD security headaches

Summary: Hackers have come up with an ingenious way to sidestep the AutoRun protection measures Microsoft added to Windows 7 and Windows 8: make the flash drive present itself to the PC as a keyboard, so the commands it carries are typed in rather than executed from disk.


You should already be aware of the data theft risks that USB flash drives pose to your company – even a seemingly lowly 2GB drive can hold a lot of precious data – but a new threat has emerged which makes them even more dangerous.

Writing on the Webroot blog, security expert Dancho Danchev highlights the dangers facing corporations, both small and large, from low-cost USB flash drives that are capable of bypassing Microsoft's AutoRun protection measures present on Windows 7 and Windows 8.

The flash drives get around Microsoft's security mechanisms by telling the operating system that the memory stick is not (only) a memory stick but a 'Human Interface Device' such as a keyboard. AutoRun restrictions govern what Windows will execute from removable storage; a keyboard is trusted to type. A microcontroller on the stick that enumerates as a HID keyboard can therefore type out commands, and those commands run with the privileges of the logged-in user, exactly as if an operator had entered them at the console.

Within 50 seconds of first plugging one of these devices into a PC, the malicious scripts or files contained on it will have been run and the system is compromised. This load time is cut down substantially on subsequent mountings of the device. Externally it is almost impossible to tell apart from a benign flash drive; the one tell is on the host side, where the operating system sees a new keyboard appear when it is plugged in.
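What the host actually sees is the device's USB descriptors, and it picks drivers purely from the class codes in them; it never asks "is this a flash drive?". The following is an added example, not code from the article or from Webroot: a small Python parser for a USB configuration descriptor that walks the interface descriptors, names each interface by class, and flags a device that presents both a boot-protocol keyboard and mass storage. The descriptor layout and class codes follow the USB 2.0 and HID 1.11 specifications; the two descriptor blobs are constructed for illustration, and the "suspicious" rule is a heuristic of my own, not something the article proposes (a HID-only stick would simply show up as a keyboard).

```python
"""Added example (not from the article or Webroot): parse a USB configuration
descriptor the way a host stack does and flag a 'flash drive' that also
presents a keyboard interface.  Descriptor layout and class codes are from the
USB 2.0 / HID 1.11 specs; the sample descriptors below are constructed."""
import struct

# Descriptor types and class codes (USB 2.0 ch. 9, HID 1.11 sec. 4).
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_SUBCLASS_BOOT, HID_PROTO_KEYBOARD, HID_PROTO_MOUSE = 0x01, 0x01, 0x02


def parse_config_descriptor(blob: bytes) -> list:
    """Walk the descriptor chain and return one dict per interface descriptor.
    Checks wTotalLength and every bLength so a malformed or truncated blob
    raises ValueError instead of being silently misread."""
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("blob does not start with a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]
    if total != len(blob):
        raise ValueError(f"wTotalLength {total} != blob length {len(blob)}")
    interfaces, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError(f"dangling byte at offset {off}")
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError(f"bad bLength {length} at offset {off}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {off}")
            # bInterfaceNumber, bAlternateSetting, bNumEndpoints,
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol, iInterface
            num, alt, n_ep, cls, sub, proto, _ = struct.unpack_from("<7B", blob, off + 2)
            interfaces.append({"number": num, "alt": alt, "endpoints": n_ep,
                               "class": cls, "subclass": sub, "protocol": proto})
        off += length
    return interfaces


def interface_kind(iface: dict) -> str:
    """Name an interface the way the host's driver binding would."""
    cls, sub, proto = iface["class"], iface["subclass"], iface["protocol"]
    if cls == CLASS_HID:
        if sub == HID_SUBCLASS_BOOT and proto == HID_PROTO_KEYBOARD:
            return "HID keyboard"
        if sub == HID_SUBCLASS_BOOT and proto == HID_PROTO_MOUSE:
            return "HID mouse"
        return "HID other"
    if cls == CLASS_MASS_STORAGE:
        return "mass storage"
    return f"class 0x{cls:02x}"


def assess(blob: bytes) -> dict:
    """Classify every interface and apply my heuristic: a device that both
    types (keyboard) and stores (mass storage) is the shape the article
    describes.  A HID-only stick would show up as just a keyboard."""
    kinds = [interface_kind(i) for i in parse_config_descriptor(blob)]
    keyboard, storage = "HID keyboard" in kinds, "mass storage" in kinds
    return {"interfaces": kinds, "keyboard": keyboard, "storage": storage,
            "suspicious": keyboard and storage}


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_config_descriptor(blob)
        return True
    except ValueError:
        return False


# Builders for the constructed samples (field order as in the specs).
def _config(total, n_ifaces):  # bLength, type, wTotalLength, bNumInterfaces, bConfigurationValue, iConfiguration, bmAttributes, bMaxPower
    return struct.pack("<BBHBBBBB", 9, DT_CONFIG, total, n_ifaces, 1, 0, 0x80, 50)

def _iface(num, n_ep, cls, sub, proto):
    return struct.pack("<9B", 9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)

def _hid():  # bcdHID 1.11, no country code, one 63-byte report descriptor
    return struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63)

def _ep(addr, attrs, mps, interval):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, mps, interval)


# Constructed: an ordinary flash drive, one bulk-only SCSI mass-storage interface (32 bytes).
PLAIN_FLASH_DRIVE = (_config(32, 1)
                     + _iface(0, 2, CLASS_MASS_STORAGE, 0x06, 0x50)
                     + _ep(0x81, 0x02, 512, 0) + _ep(0x02, 0x02, 512, 0))

# Constructed: the same drive with a boot-protocol keyboard interface in front of it (57 bytes).
KEYBOARD_STICK = (_config(57, 2)
                  + _iface(0, 1, CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTO_KEYBOARD)
                  + _hid() + _ep(0x81, 0x03, 8, 10)  # interrupt IN, 8-byte key reports
                  + _iface(1, 2, CLASS_MASS_STORAGE, 0x06, 0x50)
                  + _ep(0x82, 0x02, 512, 0) + _ep(0x02, 0x02, 512, 0))

if __name__ == "__main__":
    for name, blob in (("plain drive", PLAIN_FLASH_DRIVE), ("keyboard stick", KEYBOARD_STICK)):
        print(name, assess(blob))
```

The length checks matter in practice: a host stack that trusts bLength and wTotalLength blindly is itself a target for a hostile device, which is the other way a malicious USB stick can go after an operating system.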

And the price is cheap, with a modified 128MB USB stick costing $54, and an 8GB version costing only $64.

The barrier to system infiltration is low, you just need to know where to find them (no, I'm not telling you, so don't bother asking).

Think you're safe because you use OS X or Linux? Think again! There are devices being marketed that claim to be able to infiltrate these operating systems too, and since the trick is keystroke injection rather than anything specific to Windows, there is no reason it should not work on any system that accepts a USB keyboard.

(Source: Webroot)

So where does this leave organizations who have adopted BYOD? In a bad place, that's where.

Currently there are no security patches for this problem, and it is hard to see what one would look like: the device is not exploiting a bug, it is doing exactly what a keyboard is allowed to do. The one software-side lever is device control. Windows Group Policy can restrict which device classes or vendor/product IDs may be installed, but a rule that blocks unknown keyboards also blocks legitimate ones unless every issued model is whitelisted first.

Then there's security software. While endpoint security can go some way to protecting against this sort of threat, this is a new threat and one that current security tools are not ready to deal with: the malicious input arrives as keystrokes, which is not something they inspect.

That leaves physical security. This includes:

  • Physically protecting USB ports.
  • Strict audit of USB hardware.
  • Using tamper-proof USB devices, such as IronKey USB flash drives.
  • Confiscation for inspection, and then destruction of unauthorized hardware.

All this might seem extreme, but at present this is all that companies have got to protect themselves against this low-cost, high-risk threat.
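The "strict audit of USB hardware" above can be partly automated on the host, because the one thing the stick cannot hide is that the operating system enumerates a new keyboard. What follows is an added example and not the article's or Webroot's code: a Python scan over Linux kernel log lines (the message formats of the usb core, hid and usb-storage drivers) that reports any keyboard whose vendor:product ID is not on an inventory allowlist, and any port where a keyboard and a disk bound within a few seconds of each other. The log excerpt, the port numbers, IDs, product name and the allowlist entry are constructed for the example; both rules are mine, not the article's.

```python
"""Added example (not from the article): scan Linux kernel log lines for a USB
device that the host has just bound a keyboard driver to, and for the
keyboard-plus-storage shape the article describes.  The message formats are
those of the usb core, hid and usb-storage drivers; the port numbers, vendor
and product IDs and product name below are constructed."""
import re

# Constructed dmesg excerpt.  Port 1-1 is a 'flash drive' that also enumerates
# as a keyboard; port 1-2 is an ordinary mass-storage device.
SAMPLE_DMESG = """\
[  812.101000] usb 1-1: new full-speed USB device number 7 using xhci_hcd
[  812.254000] usb 1-1: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[  812.254300] usb 1-1: Product: USB Flash Drive
[  812.301000] input: USB Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1234:ABCD.0004/input/input19
[  812.302000] hid-generic 0003:1234:ABCD.0004: input,hidraw1: USB HID v1.11 Keyboard [USB Flash Drive] on usb-0000:00:14.0-1/input0
[  812.310000] usb-storage 1-1:1.1: USB Mass Storage device detected
[  812.311000] scsi host6: usb-storage 1-1:1.1
[  901.000000] usb 1-2: new high-speed USB device number 8 using xhci_hcd
[  901.120000] usb 1-2: New USB device found, idVendor=5678, idProduct=ef01, bcdDevice= 1.10
[  901.130000] usb-storage 1-2:1.0: USB Mass Storage device detected
"""

TS       = re.compile(r"^\[\s*([\d.]+)\]\s*")
NEW_DEV  = re.compile(r"^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
# The 'input:' line carries both the port (1-1) and the hid id (0003:1234:ABCD.0004),
# which is what lets us tie the later hid-generic line back to a port.
INPUT    = re.compile(r"^input: .* as /devices/\S*/(\d+-[\d.]+):\d+\.\d+/(\d{4}:[0-9A-F]{4}:[0-9A-F]{4}\.\d{4})/input/input\d+")
HID_BIND = re.compile(r"^hid-generic (\d{4}:[0-9A-F]{4}:[0-9A-F]{4}\.\d{4}): .*USB HID v[\d.]+ (Keyboard|Mouse|Device)")
STORAGE  = re.compile(r"^usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")


def analyze(log: str) -> dict:
    """Return {port: {"id", "first_seen", "keyboard", "storage"}} where the last
    two are the timestamps at which a keyboard / storage driver bound to the port."""
    devices, hid_to_port = {}, {}
    for line in log.splitlines():
        ts_m = TS.match(line)
        if not ts_m:
            continue
        ts, rest = float(ts_m.group(1)), line[ts_m.end():]
        if m := NEW_DEV.match(rest):
            port, vid, pid = m.groups()
            devices[port] = {"id": f"{vid}:{pid}", "first_seen": ts,
                             "keyboard": None, "storage": None}
        elif m := INPUT.match(rest):
            hid_to_port[m.group(2)] = m.group(1)
        elif m := HID_BIND.match(rest):
            port = hid_to_port.get(m.group(1))
            if port in devices and m.group(2) == "Keyboard":
                devices[port]["keyboard"] = ts
        elif m := STORAGE.match(rest):
            if m.group(1) in devices:
                devices[m.group(1)]["storage"] = ts
    return devices


def unknown_keyboards(devices: dict, allowlist: set) -> list:
    """Ports where a keyboard appeared whose vendor:product is not on the
    hardware inventory.  This is the check that also catches a HID-only stick."""
    return sorted(p for p, d in devices.items()
                  if d["keyboard"] is not None and d["id"] not in allowlist)


def keyboard_plus_storage(devices: dict, window_s: float = 5.0) -> list:
    """Ports where keyboard and storage drivers bound within window_s seconds
    of each other: a keyboard that is also a disk is the article's device."""
    return sorted(p for p, d in devices.items()
                  if d["keyboard"] is not None and d["storage"] is not None
                  and abs(d["keyboard"] - d["storage"]) <= window_s)


if __name__ == "__main__":
    devs = analyze(SAMPLE_DMESG)
    # Constructed allowlist: the one keyboard model the inventory says is issued.
    print("unknown keyboards:", unknown_keyboards(devs, {"aaaa:0001"}))
    print("keyboard+storage :", keyboard_plus_storage(devs))
```

The allowlist check is the useful one: it does not depend on the stick also carrying storage, and it turns the "strict audit" bullet into something a log pipeline can do continuously rather than a one-off inspection. A vendor:product pair is still only what the device claims, so a match on the allowlist is evidence, not proof.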

Topics: Bring Your Own Device, Security



  • But how can this be?

    osx is UNIX and Linux is *nix and we've been told that these are impenetrable OSs that have been designed from the ground up to thwart any and all attacks on the device.

    We were lied to.

    • You ain't very smart, are you?

      First of all anyone plugging a random USB device deserves to be pawned and more.
      What you do not understand is that any system to which an attacker has physical access is vulnerable. There is no way around that. With sufficient resources any encrypted and secured system can be broken into. Unless it has a self destruct mechanism.
      *nix is infinitely more secure at remote access level than Windows. No question that Win 7/8 are much more secure than XP. But when you start low any improvement is good.
      BTW, this is old news, Adrian.
      • "BTW, this is an old news"

        I have heard, seen, read about and helped with Windows systems being pawned via AutoRun. I have never seen, heard or read about such accidents on GNU/Linux or *BSD.
        Well, there has been a vulnerability in some image processing library that could lead to potentially bad things occurring, when a media is not only mounted but also browsed with a daemon (I am not allowing caja/nautilus do it anymore). It was fixed promptly though.
        I also understand, that still there is minuscule non-zero risk on both GNU/Linux or *BSD, so if you're on an industrial system you better not do it.
    • you now are

      being told by Adrian and Dancho. So what? Adrian copy-pastes stuff and doesn't give it a thought. I would call this nowhere-to-find-no-one-has-ever-seen first ever Linux-targeted AutoRun malware baloney. Moreover, try infecting an Android system with AutoRun malware. There has been no documented evidence of malware infiltrating GNU/Linux via external media, including the AutoRun idiocy. All rights are reserved for Microsoft corp.
      Not sure about OS X; as far as GNU/Linux is concerned, I am not aware of AutoRun being implemented (by default) on any distro. Some distros would mount external media with the "noexec" option (by default), which is an even better idea, meaning the exec rights are being stripped from the files on the media.
      With this sensational thing in particular, not sure about Windows, but no script would be executed even if a flash drive says "it's a human interface device". So what? You won't simply trick the device prober; if it thinks there is no filesystem it won't mount it at all, and even if it does, it won't AutoRun anything on it!
      BTW, the whole "AutoRun phenomenon" is the Microsoft peculiarity. It's just treating your user as the dumbest creature on the planet.
      • Shouldn't have to explain this to a "smart" *nix person

        This doesn't use AutoRun. That's the point.

        Bam, there goes your whole post.

        Do you SERIOUSLY believe that when you insert a USB drive on a Linux computer, the Linux OS doesn't execute any OS code? Do you believe there are 0 vulnerabilities in Linux OS code? Come on, you are a "smart" *nix person, even you can't be THAT naive.

        While there aren't enough details in the post about how this actually works, if I were to make a guess, I would suggest that this USB stick uses vulnerabilities in drivers and code associated with mounting devices and parsing directories and perhaps even thumbnail image libraries in order to execute arbitrary code on the OS.

        Please note sections 6 and 7 specific to Linux.

        Please note that I provided links, I provided real explanations, while you simply went with personal insults and discussing something that is completely and 100% irrelevant (AutoRun).
        • I did mention

          that image processing vulnerability now being fixed. It was a potential, not a 100% certain thing. Like I said, the risk is non-zero, although for the malware to bloom you need a high enough risk, such as AutoRun. Turning off AutoBrowse and even AutoMount would further diminish this risk.
          Your source is a pdf article and I cannot read the indicated sections. So, please kindly provide some other links. Once again, there is no "documented" evidence of malware executing unsolicited code on *BSD or Linux when inserting external media. AMOF, on FreeBSD by default it will get mounted only manually, if you didn't add a corresponding line in /etc/fstab
          • Too funny

            So "AutoRun" counts as a vulnerability (even though it can be turned off).

            AutoBrowse and AutoMount don't count because they can be turned off.

            Got it.

            Once again, this has NOTHING to do with AutoRun. This appears to be using vulnerabilities in the code that the OS runs in response to a USB device being plugged in, in the drivers that the OS uses to interact with the device, and in the code that the OS uses to read data off the device. This whole attack completely bypasses any concept of auto run regardless of the implementation. Here is how a similar article would be written for home security:

            "Attackers have found a way around breaking in the front door by smashing a window with a rock and getting in that way."

            Someone really stupid would write this in response:
            "Ha, my home is invulnerable to this attack because it doesn't even have a front door."

            Hopefully this makes it clear how stupid someone like that would sound.

            Oh, hi eulampius.
          • so is it a virtual, potential

            threat yet never implemented. You get a link to the exploit I and others could try? Because, what Dancho was saying was a possible "crossplatform scripting malware", so your driver needs to be able and allowed to execute some bad shell code. Smells of a potential vulnerability .. and too much dreaming to me, since Linux uses its own (mostly generic) scsi, usb drivers. When it probes " a random" (not a specific) device it gets a very limited info about it.
            AutoMount and AutoBrowse do count, the risk associated with them though is some magnitudes lower than that of AutoRun.
          • You asked for a link, here it is


            "Think you're safe because you use OS X or Linux? Think again! There are devices being marketed that claim to be able to get infiltrate these operating systems too."

            Back to your post:
            "so your driver needs to be able and allowed to execute some bad shell code."

            Wow, I thought Linux people knew something about how computers work.
          • so nothing actual yet again...

            >>I thought Linux people knew something about how computers work.
            As a rule, they do more than the Windows users. Remember: "AutoRun was my idea, AutoRun was your idea, no AutoRun was his/her idea"?
        • Re: This doesn't use AutoRun. That's the point.

          Toddy, we know you don't understand computers, much less operating systems. No need to remind us every day a number of times.

          Just what do you think "run a script from the device when a device is connected" is?

          Unlike you, I know what this particular stick does. No, it does not rely on any driver vulnerabilities. It is just that your "secure" Windows "OS" executes scripts from the device, when you connect say... a keyboard. That script is executed with enough privileges to do whatever it pleases.

          Nice, eh?
    • Do some research toddy

      What this system contains is Flash memory, a HID keyboard logic and a microcontroller programmed to type ANSI instructions to anything it's plugged into.

      It literally reprograms your computer regardless of OS to copy and execute a payload from the flash storage as if you were typing the commands yourself.

      The newest Arduino 'Leonardo' uses this technique, as does the MakeyMakey controller.

      How can this be? YOU try protecting a computer against intrusion from its keyboard...
  • See, If You Were Using an iPad

    You wouldn't have to worry about being able to connect USB-based devices to your device.
    • See, if you were using a toaster

      You wouldn't have to worry about being able to connect USB-based devices to your device, too.
    • I wouldn't be too sure about that conjecture, WebSiteManger

      USB stands for universal SERIAL bus with the operative word being SERIAL. The iPad, since day one, has had a serial hardware interface port although that port has been changed from its original 32 pin connector interface to its newer "Lightning" design.
    • Of course

      If you were using a real OS, you would not worry about such exploits, because no real OS will ever attempt to run any code from a temporarily attached external device.

      But, for one reason or another, a lot of people are forced to deal with the toy Microsoft calls an "OS", so... they have to be careful.
  • This is why....

    there are USB lockdown mechanisms in AD Group Policy.
    • Re: there are USB lockdown mechanisms in AD Group Policy.

      Oh really?

      And those instructions prevent the connection of a USB keyboard to the computer? Great, just great ... excuse.
  • destruction of unauthorized hardware?

    once confiscated, would a forensic examination not be a better course of action?