As one of the initial vectors of the first known targeted attack against industrial control systems (Stuxnet), and more recently responsible for carrying an infected download of La La Land into a control room, USB has certainly gotten a bad reputation, leading to exclusive policies, device bans, and hot glue.
But the reason so many people use USB devices every single day is because the USB protocol is amazingly beneficial, and condemning its use hurts us far more than it could help us. Instead of pushing USB away, we can control it, secure it, and make USB safe again.
Recognizing the Threat
It’s not all about infected files on portable drives. There are USB tools, commercially available, that could cause serious harm to an industrial control system. “Rubber Duckies” and “Bash Bunnies” are great pen testing gadgets, but in the wrong hands they’re also powerful hacking tools because they manipulate the USB protocol to purposefully and programmatically misbehave. In industrial environments, where production computers are likely to be more vulnerable and less protected than your average enterprise, this misbehavior can have severe consequences.
These “threats” work because the USB protocol was designed to be universal. To accommodate this, a degree of trust is required to allow USB devices of various types to load appropriate drivers. The problems start when devices announce themselves as things they are not — sometimes maliciously, but more commonly out of some desire for a device manufacturer to add value. Avoiding the technical details, the bottom line is that not all devices are what they seem; and not all devices behave as you might expect.
At the risk of letting our imaginations run wild, here’s something else to think about: the firmware that USB devices use to present themselves to a USB host controller can be overwritten with malicious firmware.
So, even benign, approved devices, acquired via an official and verified supply chain, can become infected and act badly (Unless you only approve verified secure devices with signed firmware, which, in the wake of BadUSB, I highly recommend). It’s a plight that still plagues about 50 percent of the USB devices out there, and it is appropriately named “BadUSB.” So your mouse might start acting like a keyboard, or a network interface, or a serial connector, or a storage device, or all of the above at once. It's a serious vulnerability that's been known about for years, but there’s absolutely no way to detect it.
Understand that the reason USB can be so tricky to defend against is because it’s an amazingly sophisticated and flexible protocol. It doesn’t mean that you can’t secure USB, but it does mean that you’re going to have to take a multi-faceted approach. To protect against USB threats, you have to understand how the USB protocol works and cover all vectors. You must think like the USB.
This means you need more controls, and better ones. Keep using application whitelisting (AWL). It’s a great anti-malware mechanism. Traditional anti-virus (AV) isn’t terribly effective on its own anymore, but you should still use AV as well. These tenets of Defense-in-Depth haven’t changed, because no single control is infallible. When securing a protocol like USB that is adaptable by design, strong Defense-in-Depth is even more important.
Human Authorization as a Mitigating Control
In our explorations of various USB threats, our Honeywell cybersecurity team had an epiphany: what the USB protocol needs is device authorization, something to ensure that your USB devices are legitimate. In fact, the USB standards are evolving in that very direction, for this very reason. Unfortunately, we can’t wait — and if we did, it would be a long wait, because “industrial control systems” and “modern computers” don’t typically go together. Instead, we teamed up with Open Systems Resources, experts in Windows driver technology, to develop an authorization approach to securing how USB is used in an industrial enterprise.
We call it T.R.U.S.T. – Trusted Response User Substantiation Technology. It works like this:
- First, TRUST gets in the way of the normal USB protocol to quarantine new devices so that they can’t connect and cause any harm on their own.
- Next, it determines what the device really is, by observing how the device presents itself and how the host computer responds.
- Then, it presents a Captcha to the human user. This Captcha tells you exactly what the device you are connecting really is, and requires a human response to authorize the device.
All three pieces are important because:
- Once a USB device connects, it’s too late. You have to isolate that device first, and in such a way that only a secure service can interact with it.
- You need to interact with a USB device to determine what it is. You can’t rely on whatever the device tells you it is, because USB Device Types, Device IDs, Serial Numbers, and other identifiers can easily be spoofed or manipulated.
- You have to be able to break any programmatic attempt for a smart, malicious USB device to circumvent these points noted above. Requiring a conscious authorization from an Administrative user is a sure-fire approach that has been proven extremely effective in other areas of privacy and security.
Used together with another modern industrial control system (ICS) security technique — cloud threat intelligence — your USB protection can also be automated and teach itself what to look for. But that’s another technique we can explore further in another article.
I hope this article helps you once again benefit from the Universal Serial Bus — the protocol that freed us from the floppy drive, untethered us from a tangle of proprietary interfaces, and saved us from insufficient storage. USB is truly designed to be universal, and its success at this goal has made it ubiquitous, convenient and cost effective. Pairing it with defense-in-depth and cutting-edge human authorization techniques can help reduce the risks of USB exploitation for safe use, instead of sticking hot glue into your USB ports.
Eric Knapp is Chief Engineer and Director of the Strategic Innovation Group, Honeywell Industrial Cyber Security.