USB security for a BYOD environment

Summary: BYOD is a double-edged sword for corporations. But the latest USB security blunder to surface is going to cause some real headaches. Here's how to protect yourself.

BYOD is a double-edged sword for corporations. On the plus side it can save the company money and please the workers, which all seem good until you counterbalance that against the age-old problem of security. But the latest USB security blunder to surface is going to cause some real headaches.

Last week security researchers Brandon Wilson and Adam Caudill posted code to GitHub that could be used to replace the firmware inside an existing USB device and make it do almost anything, from spoofing a computer's network interface to acting as a keyboard that issues commands.

"The security of these devices is completely compromised," Wilson told ThreatPost. "You can’t trust anything you plug into your computer any longer, not even something as simple as a flash drive."

Pretty scary stuff.

"It’s undetectable while it’s happening," Wilson said. "The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you."

Switched-on IT departments should already be on the lookout for compromised devices, whether they have been accidentally infected with malware or deliberately designed to infiltrate a network.

But this raises the game: any device can be compromised, and the compromise is undetectable in normal circumstances.

So what can you do?

  • Use endpoint security software to manage hardware, scan for malware and so on. It won't protect against the low-level firmware vulnerability above, but it still makes good sense.

  • Physically protect USB ports. Block them off, blank them off, remove them, or you could even fill them with epoxy.

  • Make hardware as tamperproof as possible. You don't want devices to be easy to open, because that makes them vulnerable to tampering. Seals, tamper-resistant fasteners, and epoxy are your friends.

  • Strictly audit all USB hardware. If you're ultra-paranoid, keep an inventory of everything, down to USB cables.

  • Use tamper-proof USB devices, such as the IronKey USB flash drives.

  • Inspect hardware regularly, and test for suspicious activity.

  • Confiscate (and possibly keep for evidence or destroy) unauthorized devices.
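The audit and inspection items above can be partly automated. The script below is an added example, not code from the article or from the researchers it cites: it checks a constructed export of enumerated USB devices against an inventory taken at enrollment and flags anything unknown, anything whose interface classes have changed since it was inventoried, and any storage device that also presents a keyboard or network interface, the two behaviours the article describes. The record format, vendor/product ids and serials are all constructed placeholders.

```python
"""Allow-list audit of USB device enumeration records.

Added example, not code from the article or its commenters. It assumes an
export of enumerated devices, one per line, in a constructed format:
    vendor_id,product_id,serial,interface_classes
with hex ids and interface class codes separated by ';'. Every value in
SAMPLE_RECORDS and INVENTORY below is constructed for illustration.
"""
from dataclasses import dataclass

# Interface class codes as defined by the USB-IF class code table.
CDC_CONTROL = 0x02   # communications control (USB Ethernet, modems)
HID = 0x03           # human interface device (keyboard, mouse)
MASS_STORAGE = 0x08  # flash drives, card readers
CDC_DATA = 0x0A      # communications data


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: frozenset

    @property
    def key(self):
        # Identity as reported by the device; a reprogrammed controller can
        # forge all three fields, so this is an inventory key, not proof.
        return (self.vendor_id, self.product_id, self.serial)


def parse_records(text):
    """Parse the constructed export format into UsbDevice objects."""
    devices = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        vid, pid, serial, classes = (f.strip() for f in line.split(","))
        devices.append(UsbDevice(
            int(vid, 16), int(pid, 16), serial,
            frozenset(int(c, 16) for c in classes.split(";") if c)))
    return devices


def audit(devices, inventory):
    """Return (serial, reason) findings for devices that need a human look."""
    findings = []
    for dev in devices:
        enrolled = inventory.get(dev.key)
        if enrolled is None:
            findings.append((dev.serial, "not on inventory"))
        elif dev.interface_classes != enrolled:
            # Same identity, but it now offers interfaces it did not at
            # enrollment: the pattern a reflashed drive produces.
            findings.append((dev.serial, "interface classes changed since enrollment"))
        if MASS_STORAGE in dev.interface_classes and HID in dev.interface_classes:
            findings.append((dev.serial, "storage device also presents a keyboard/HID interface"))
        if MASS_STORAGE in dev.interface_classes and dev.interface_classes & {CDC_CONTROL, CDC_DATA}:
            findings.append((dev.serial, "storage device also presents a network/CDC interface"))
    return findings


# Constructed sample: enrolled devices and the interface classes they
# presented when inventoried (placeholder vendor/product ids).
INVENTORY = {
    (0x1234, 0x0001, "SN-A100"): frozenset({MASS_STORAGE}),
    (0x1234, 0x0001, "SN-A101"): frozenset({MASS_STORAGE}),
    (0xABCD, 0x0002, "SN-B200"): frozenset({HID}),
}

# Constructed sample of what enumerated today.
SAMPLE_RECORDS = """\
# vid,pid,serial,classes
1234,0001,SN-A100,08
1234,0001,SN-A101,08;03
abcd,0002,SN-B200,03
5555,0003,SN-C300,08
"""

if __name__ == "__main__":
    for serial, reason in audit(parse_records(SAMPLE_RECORDS), INVENTORY):
        print(f"{serial}: {reason}")
```

Two caveats follow directly from the article's own point that "you cannot trust anything a USB device tells you": the vendor id, product id and serial are all reported by the device, so the inventory match only catches devices that do not bother to lie, and the more useful signal is a known drive suddenly presenting a keyboard or network interface it did not have at enrollment. In the sample, SN-A101 trips both checks and SN-C300 is flagged as unknown.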

Whatever you do, make sure that it's clearly stated in the BYOD policies, and that everyone is on the same page as to what the policies are.

Talkback

46 comments
  • Starting to smell a rat...

    And it is not "USB security".

    But security experts (inadvertently) are helping. And so is the media-fed over-the-top paranoia in place now.

    Ever since tech-savvy executives started sneaking in their Altairs and Apple I and II machines into businesses that have been the bastions of the mainframe, system tech world there has been an effort to get back to the "good old days". Let's see now, distributed computing, client-server, network computing, oh, and the cloud.

    But each time the powers that be try to lock down and reassume command of their world, some pesky consumer-led tech comes along to throw a new curve into all this. Just as finally the PCs are all locked down so in reality, between the requirement of using the network and the shared resources of the cloud a "work PC" is not much more than an old dumb terminal with a prettier screen, the rebels strike back with their phones and tablets.

    What's next? The only way a device will communicate with the work systems will be with a secure Wi-Fi gateway using a secure RDP connection. Not that much different than the days when remotely connecting with a mainframe system was a special piece of software that had to be installed on the client machine and integrated security with that software. And nothing, NOTHING can come in from the outside to that world or go outside of that world to the wider environs of that computer. Already look at how quickly specific remote desktop and dedicated app server software are gaining, even on phones and tablets.

    If you have a box at work (and it won't be much of one) it will likely be a big screen, a little box with absolutely no IO save a keyboard, mouse and a LAN connection (or maybe a Wi-Fi connection if the business uses 802.11ac) and that will be it. Perhaps a headphone jack for training videos. Already anything but an internal hard drive is for the most part verboten. And with the rise of virtual desktops and such, all the machine really needs to do is create a link to a fast pipe to get to the corporate server room and back, and have enough graphics oomph and accept keyboard and mouse input. That's it. Even storage will be in the cloud (or likely, the back room).

    And those pesky phones and tablets will be registered and only when the device ID is recognized will it even be allowed to connect wirelessly. USB - NEVER!!! Remote workers, they are easy. RDP software through a gateway or products like Citrix will do the trick.

    Suddenly it's the 1970s all over again! No wonder disco (EDM) is back! And look, a whole new industry can form to provide a way around all that once again. If now we even care.
    jwspicer
    • Look outside your window...

      WiFi is so easy to crack that it is silly - and with Windows' incomplete TCP/IP it is not even fun, that is the last place on earth that is safe.

      Do like MacOS, Linux and Android: set a security for every peripheral that is connected, and for storage, set the place for "mounting" inside a sandbox, not at the outmost level in a file hierarchy where everything is exposed. Everything has a reason.... so also "mountpoints" and "symbolic links".
      knuthf
      • generalized statement

        "WiFi is so easy to crack that it is silly"

        That's a pretty generalized statement, dependent on a wide variety of factors. If set up properly, you can actually have very good WiFi security that you can be confident is secure against currently known attacks.

        The problem isn't that WiFi can't be secured. The problem is that most people don't do it.
        CobraA1
    • and what's your point?

      The only reason corporations had to move away from terminals and mainframe-type infrastructure is that network speed couldn't keep up with the demand. A corporate IT network is not about freedom but about functionality and, well... security.
      Today, with fiber optics and servers able to run many virtual instances at a time, it is the natural way to come back to centralized, easy-to-manage infrastructure.
      RomanIT
  • A question for AKH

    If an employee uses a flash drive provided by his or her employer, can the flash drive have its firmware replaced while inserted in one's PC (Windows, OS X, GNU/Linux, whatever) by merely visiting a web site where JavaScript, designed to detect a flash drive, its manufacturer and maliciously replace its firmware, runs in your web browser?

    I'm thinking of a watering hole-style attack which serves malicious JavaScript and requires no web browser vulnerabilities.
    Rabid Howler Monkey
    • As I understand it, some can.

      Unfortunately.
      jessepollard
  • The end of the epoch for computer security?

    I've watched this battle between computer security and those determined to defeat it for over 20 years now. My conclusion is that we've arrived at the last phase of the current epoch -- a time when, for the currently designed computer systems and the currently designed internet, there are so many holes and available exploits that all realistic expectations of computer security are lost. We now have wealthy international criminal enterprises as well as many governments actively engaged in breaching all manner of computer and internet security. We are discovering that due to flawed fundamental designs of everything from security standpoint, Internet protocol, Payment systems, OS design, I/O devices, etc etc - the entire ecosystem is rotting as the parasites worm their way into everything with impunity.

    Sooner or later we as a society are going to have to face the fact that we must redesign computers and networks all over again, from the ground up, rigorously focused on the basics of security. Until then, very little that goes into a computer is going to be safe.
    Compute_This
  • Inserting code on a Flash drive

    from a .Net script is fully possible.
    On Linux/Unix/MacOS/Android it is possible to restrict access to the SD card that is mounted, place this in a protected place, and also hide the content. Very few use these capabilities, but my latest Android, KitKat, comes with an "application manager" that exposes all sorts of silly things like writing to another flash memory, or accessing another application. First one out was Skype: "Will you allow Skype to use Google Voice Recorder"; the answer was "NO - never". Maybe I have stopped being able to record a phone call, but I never asked for the recording.
    knuthf
  • Adrian, by devices are you talking about USB drives or PCs

    I ask, because some of the older USB drives I have are such that you can NOT update or change the code on how they work. All you can do is add or retrieve data off them. Some even have a little physical lock you can use to make them 'read only' in regards to the data on them. Thus they aren't open to abuse like above.

    My understanding of the history of USB is, like the Internet itself, it was designed to be very quick, easy to use, and to facilitate easy connection of devices to work with or transfer data, etc. Thus anyone expecting them to be high security has to be nuts to begin with. USB saves a shut down and restart for adding or removing devices.

    Regardless of if the USB device is compromised without the knowledge of the user or not, any IT department worth its salt has been doing things to make it extremely difficult to compromise their computers and system. If done right it doesn't really matter what people bring in on a USB drive or not, the system is protected. The downside is: to do so means each computer device accessing the system has to be protected properly and that takes a lot of time and effort, and what you mention at the start is the BYOD device which usually means things like tablets and smart phones which are not possible to protect at all.

    To me, the issue is not potential problems from USB devices, but the inability to protect BYOD gear from being used as an attack venue if allowed to access the system with it.

    20 years ago I worked at a tech college where it was impossible to infect the computers because the drive with the operating software was read only and the BIOS was read only and had to be removed and updated in another device. When turned on the systems logged into the network and were scanned by the security system before being allowed to finish logging on. This is still possible to do, but not with tablets or smart phones. Which I wonder why you have them able to access the main network to begin with since they aren't that good for real productivity work.
    Deadly Ernest
    • Part of the problem is the cheap controllers on the computers.

      They tend not to have an IOMMU to control what memory the device can access for DMA.

      This failure makes the host computer totally insecure.

      The next part of the problem is the cheap controllers on the device. To save pins they use the same connection to program the chip as they do for data transfer... Thus knowing the right protocol for the device allows it to be reprogrammed.

      This failure is what makes the device insecure in the first place. And a suitable program on the device can (using the lack of an IOMMU) scan the entire memory of the host, retrieving/injecting whatever.
      jessepollard
      • That will only work IF the PC or device being attacked allows

        for the transfer of data or code to the relevant protected areas without suitable authorisation codes (i.e. passwords) being entered. Also, if the OS itself is locked down and not able to be altered on the fly, then whatever they do won't work anyway. These sorts of security measures used to be common, but are now rare.
        Deadly Ernest
        • No - it works all the time.

          DMA is directly connected to the memory bus unless there is an IOMMU.

          Memory is only "protected" by a MMU. There is nothing else.

          Without an IOMMU, the device can read/write anywhere.
          jessepollard
          • Jesse, the main reason to upload something into a

            system's memory without approval is to have it run later. If the OS and the hard drive it sits on are locked down properly there is NO way you can write to that drive in a way anything in the memory will activate after a reboot. Thus the system is protected because whatever was put into memory, even if it went into the Page File or whatever your system uses for it, the code will get flushed out when the system turns off or reboots. Thus a properly 'hardened' system is protected. Which is the point I was making. In short, you have to leave the system vulnerable for the attack to work, which is true of most attacks.
            Deadly Ernest
  • Simple: Migrate to Linux or iOS

    All Linux/Unix systems such as MacOS, Android and Ubuntu come with a "User id" and "Group Id" setting that is in the file system. Well, Linux with its "ext4" file system can also encrypt the USB flash, so you can lose it and nobody else can read it.
    All of the OSes can make the "mount-point" of a USB storage device an arbitrary place in the file system, including "root" (/) and /tmp - or "$HOME/shared/sandbox". Then the uid and gid have to be correct to be able to read the content, or for any code on the device to be able to "see" the outside. But of course, these can also use the Windows file systems, and place a Windows exploit on the device - but when it is so easy and cheap to avoid the problem: Why not just migrate?
    knuthf
    • That won't address the original failures.

      The missing IOMMU allows the device to access any part of physical memory, and without that, Linux can't protect itself.
      jessepollard
    • Simple: Free is not free

      The cost of the OS has miniscule impact on the cost of maintaining an OS in an enterprise.
      dustmagnet
      • Except he isn't talking about the cost, but the inbuilt security

        and how that makes a difference to the use of the system.
        Deadly Ernest
    • @knuthf

      That ain't gonna save you from badusb. Any USB controller chip with a writeable firmware is theoretically vulnerable. This is probably the most serious "theoretical" vulnerability in the history of computers, it remains to be seen just how pathogenic it becomes in the wild due to some issues with potential firmware brickage. Think any USB device can potentially be a rubber ducky, it's the NSA's wet dream.
      Alan Smithie
      • To be fair, it doesn't just mean USB devices.

        SCSI/SAS disks (well, some anyway) allow software updates... So these allow the same kind of attacks.
        jessepollard
  • BYOD

    Let's focus on the OD in BYOD. Own. Device.
    Means it's mine. Not yours. Bring or buy is irrelevant - it's the same thing.

    And if epoxy is the advice... well, Mr IT-whatever: you destroyed My Own Device. Selling it later on is a no-go area. On offer: nice xyz computer with NO single USB port. I bet they'll be coming in droves and pay you good money... And I'll take it that the company will pay the difference back. Not?

    Let's be honest: the whole byod is a dead-end street that way. Windows (M$ actually) and getting it secure has been a dead-end for as long as I can remember it.
    Microsoft still runs in the same league as IBM did an era ago: nobody has been fired for buying an IBM solution. Look back at the start of the FUD-years.
    Getting windows secure appears to be as effective as hosing your leaking boat with a colander.
    p.de.haan2@...