The giveaway that gives your data away

Oct. 31, 2019
Innocent looking USB devices can be the backdoors hackers need to infiltrate your business

We've all been there; you walk the floor at a certain expo – and then it catches your eyes! A bowl full of cellular power bank chargers, you could almost sense those milliamps running through your veins. You promised yourself that you would be stronger this time, but yet again you cannot resist and take one – convincing yourself that it's for the kids.

According to Kaspersky Labs, human vulnerabilities account for at least half of cyber security incidents. Human beings have multiple weaknesses, and one of the most common is the fact that we all like gifts. One needs only to walk the floor in various events and see the overwhelming wealth of giveaways that are offered to people who are willing to pause for a minute and grab a shirt/power bank/NERF gun or any other eye-catching gift.

So, if you are a highly sophisticated crime organization targeting a certain bank, what would be better than arranging a promo in a nearby coffee-shop where most of the employees enjoy their coffee and offer them a free USB cup warmer?

One of the most well-known incidents regarding manipulated USB devices was cited by Business Insider where, in attempt to break into the American military network, Russians (allegedly) planted thumb drives in a kiosk near NATO headquarters in Kabul. The attackers hoped that a local service man or woman would buy a thumb drive there, assuming it is “neutral” and does not pose any threat and plug it into a secure computer.

Yet, the Russians are not alone in this domain. A couple of years ago, as part of the grand leak of pages from a catalog of capabilities provided by the NSA's ANT division for the NSA’s Tailored Access Operations (TAO) division, it became a common knowledge that a highly sophisticated wireless implant can be encapsulated within a USB Type-A connector. An attack tool named Cotton-Mouth was used by the NSA as part of their supply chain attacks on various targets.

A couple of years after, you no longer need the resources of an intelligence agency, as multiple tools are now being offered for as low as $10 – branded as USB Ninja Cable or USB Samurai Cable. These cables use a known vulnerability within HID devices (Human Interface Devices like keyboard, mouse, credit card scanners, etc.). These cables, once connected to the victim’s machine, provide a covert wireless access to it, where an attacker located nearby can run various payloads on it, without being picked up by existing EPS/EDR solutions.

This technology leap now brings state level technology and capabilities into cybercrime organizations (assisted by legacy crime organizations), opening a whole new world of potential enterprise level targets. No one has solid statistics regarding the use of manipulated devices, as in some cases they are hidden from sight, while their outcome may be mistakenly thought of as a phishing attack. The common belief that these attacks are carried out only by state agencies, and if you are not a military or government target, then you’re safe, is no longer true. Another misconception is that the attacker needs to be “James Bond” in order to get in and plug up a device, while in real life, it couldn’t be farther from the truth, as the enterprises' employees are used as the attack vehicle for those manipulated devices.

In recent years, people have become more aware of the risks in plugging an unknown USB thumb drive (although it still happens), but no one warns them of all those innocent looking devices like USB cup-warmers, USB charging cables and cellular power banks.

After the "golden era" of giving USB mass storage keys as giveaways, it's now the time for cellular power banks, as people have the understanding that plugging a USB mass storage device that you just got from an unknown source is not what a professional CISO would do.

In most cases people will take a cellular power bank and use it freely, of course you, who are now reading this – won’t, but there are many who will – and it's up to us to spread the word: they can be just as malicious. By simply reducing the battery size, you can make room for a nice “Rubber Ducky” device masquerading as a keyboard, working under the radar – with a wealth of various payloads thanks to the legitimate developers community or the Dark Web.

So, what can one do in order to protect himself and his enterprise against those rogue devices?

As in every aspect of security, exercise caution and don’t mix business with pleasure. You can take the risk and plug a giveaway into your home PC but keep an infinite barrier between your home PC and your enterprise's asset, keeping in mind that even those innocent looking giveaways can give your valuable data away.

About the Author:

Iftah Bratspiess is the CEO of Sepio Systems Ltd. Iftah brings more than 25 years of business and technology leadership as an engineer, software developer, product line owner, manager and strategist. He co-founded WebSilicon, an advanced networking and security systems company. As CEO, Iftah led the company from the bootstrap phase to solid profitability. In 2013, WebSilicon was acquired by Magal, one of the world’s largest physical security integration companies. Iftah led the acquisition process and continued in his role during the merger and rebranding process. Post-merger, Iftah was appointed VP of cyber security for Magal, leading business strategy and product development for the cyber market. He was responsible for identifying and engaging global partners to meet the growing need for effective cyber security solutions at critical sites. Iftah can be contacted at [email protected].