If you see a USB stick lying on the street, you might be better off just walking by. And if you happen to pick it up, make sure it ends up in the trash compactor. No matter how curious you may be, it’s just not worth the risk of plugging in.
This was my takeaway reading articles about a presentation given by Elie Bursztien, leader of Google’s anti-abuse research team, at the Black Hat USA 2016 security conference.
According to this piece, Spreading Malware through Dropped USB Sticks Could Be Highly Effective, Research Finds, Bursztien was curious how effective it would be to use scattered USB sticks as a delivery vector for malware. So he dropped 297 USB sticks on a university campus.
What the research found (you can see the slides here) should concern any CIO or CISO: Almost every USB stick was picked up, and a startling 45% of people who retrieved them clicked on files stored on the stick.
Bursztien explains in this blog post that there are three types of attacks with USB sticks:
One type employs HTML files to phish the user for login credentials when they click on a file.
Another uses Human Interface spoofing (HID). “HID spoofing keys use specialized hardware to fool a computer into believing that the USB key is a keyboard. This fake keyboard injects keystrokes as soon as the device is plugged into the computer. The keystrokes are a set of commands that compromise the victim’s computer,” Bursztien wrote.
Another is custom hardware that exploits flaws in USB driver software as a way to hijack direct control of a computer as soon as the USB stick is plugged in.
Bursztien also employed a number of social engineering tactics to get those who picked up the USB sticks to actually plug them in. He labeled some of the USB sticks as “confidential” or “final exam solutions.” Guess what? Those with labels were plugged into PCs more often.
Don’t think your employees would fall for such tactics? Why don’t you try dropping a few USBs labeled “Executive Salaries” and “Employee Evaluations” around the office and see what happens?
It’s a clever way for an attacker to gain access to a network. The people they are ultimately targeting don’t even have to pick up the USB sticks (although that would be nice). All the attacker needs is one person to plug in a USB drive with malware on it and then plug into a networked computer. From there, traditional tactics are used to scurry around a network and find the target.
Of course, this is nothing new.
Penetration testers use this ploy all of the time. And way back in 2012, workers at the Dutch offices of chemical company DSM found USB sticks and reported them to IT. When IT had a closer look, they found the sticks were armed with a payload that would run against the company’s systems and grab login credentials.
While Bursztien isn’t breaking new ground here, he does offer a worthwhile reminder.