Written by Mr. Iftah Bratspiess, CEO, Sepio Systems.
We’ve all been there: you walk the floor at some expo, and then it catches your eye. A bowl full of cellular power banks and chargers. You can almost sense those milliamps running through your veins; you promised yourself you would be stronger this time, but yet again you cannot resist and take one, convincing yourself that it’s for the kids…
According to Kaspersky Lab, human vulnerabilities account for at least half of cyber security incidents (https://www.kaspersky.com/blog/the-human-factor-in-it-security/). Human beings have multiple weaknesses, and one of the most common is the fact that we all like gifts. One need only walk the floor at various events and see the overwhelming wealth of giveaways offered to anyone willing to pause for a minute and grab a shirt, a power bank, a NERF gun or any other eye-catching gift.
So, if you are a sophisticated crime organization targeting a certain bank, what could be better than arranging a promo at a nearby coffee shop where most of the bank’s employees get their coffee, and offering them a free USB cup warmer?
One of the best-known incidents involving manipulated USB devices was reported by Business Insider (https://www.businessinsider.com/russia-planted-bugged-thumb-drives-to-break-into-us-govt-computers-2017-3): in an attempt to break into a classified American military network that was not connected to the public internet, the Russians (allegedly) planted thumb drives in a kiosk near the NATO HQ in Kabul, hoping that a local service member would buy a thumb drive there, assume it was “neutral” and posed no threat, and plug it into a secure computer.
Yet the Russians are not alone in this domain. A few years ago, as part of the leak of pages from the catalog of capabilities offered by the NSA’s ANT division to its Tailored Access Operations (TAO) division, it became common knowledge that a sophisticated wireless implant can be hidden inside a USB Type-A connector. The tool, named COTTONMOUTH, was used by the NSA as part of its supply chain attacks on various targets. A couple of years later you no longer need the resources of an agency: similar tools are offered for as little as US$10, branded as the USB Ninja Cable or the USB Samurai Cable. These cables do not exploit a software bug; they abuse the fact that every operating system trusts a device that enumerates as an HID (Human Interface Device: keyboard, mouse, credit card scanner, etc.) and accepts its keystrokes as if a user had typed them. Once such a cable is connected to the victim’s machine, an attacker located nearby can trigger it wirelessly and have it type out arbitrary payloads, which existing endpoint protection (EPP/EDR) solutions tend not to flag, because keystrokes from a keyboard look like legitimate user input.
This technology leap brings state-level capabilities into the hands of cybercrime organizations (assisted by legacy crime organizations), opening up a whole new world of potential enterprise-level targets. No one has solid statistics on the use of manipulated devices: in some cases they are hidden from sight, and their outcome may be mistakenly attributed to a phishing attack. The common belief that these attacks are carried out only by state agencies, and that if you are not a military or government target you are safe, is no longer true. Another misconception is that the attacker needs a “James Bond” to get in and plug in a device. In real life it couldn’t be further from the truth: the enterprise’s own employees are used as the delivery vehicle for those manipulated devices.
In recent years people have become more aware of the risks of plugging in an unknown USB thumb drive (although it still happens), but no one warns them about all those innocent-looking devices: USB cup warmers, USB charging cables and cellular power banks.
After the “golden era” of USB mass storage keys as giveaways, it is now the time of the cellular power bank, as people have come to understand that plugging in a USB mass storage device you just got from an unknown source is not what a professional CISO would do.
In most cases people WILL take a cellular power bank and use it freely. Of course you, now reading this, won’t, but many will, and it’s up to us to spread the word: they can be just as malicious. By simply reducing the battery size, you can make room for a nice Rubber Ducky device impersonating a keyboard and working under the radar, with a wealth of payloads courtesy of the legitimate developer community or the dark web. Note the tell: a genuine charger or power bank never enumerates as a USB device at all, so a “charger” that registers as a keyboard is already suspicious.
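The keyboard-impersonating cables and power banks described above all share one observable trait: a Rubber Ducky style device types its payload at machine speed, with inter-keystroke gaps of a few milliseconds, while a human rarely gets below several tens of milliseconds. The following is an added example, not code from the original post or from Sepio Systems, showing how a host-side monitor can flag such bursts from a stream of timestamped key events. The event format, the `KeyEvent` class and the sample stream are constructed for the example; on a real host the events would come from the OS input layer (for instance evdev on Linux).

```python
"""Flag keystroke-injection bursts (BadUSB / Rubber Ducky style) by inter-keystroke timing.

Added example; the event source and thresholds are assumptions, not part of any product.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class KeyEvent:
    t_ms: float  # timestamp in milliseconds since monitor start (assumed format)
    key: str     # the character (or key name) that was produced


def synth_events(segments: List[Tuple[str, float, float]], start_ms: float = 0.0) -> List[KeyEvent]:
    """Build a constructed event stream from (text, interval_ms, pause_before_ms) segments."""
    events: List[KeyEvent] = []
    t = start_ms
    for text, interval_ms, pause_ms in segments:
        t += pause_ms                      # idle time before this segment starts
        for ch in text:
            events.append(KeyEvent(t, ch))
            t += interval_ms               # constant gap within the segment
    return events


def find_injection_bursts(events: List[KeyEvent], max_interval_ms: float = 20.0,
                          min_run: int = 8) -> List[Tuple[int, int, str]]:
    """Return (start_index, end_index, typed_text) for every run of at least `min_run`
    consecutive events whose gaps are all <= max_interval_ms.

    A run made of one repeated key is ignored: that is what keyboard auto-repeat looks like,
    and it would otherwise be a steady source of false positives.
    """
    bursts: List[Tuple[int, int, str]] = []
    n = len(events)
    i = 0
    while i < n:
        j = i
        while j + 1 < n and events[j + 1].t_ms - events[j].t_ms <= max_interval_ms:
            j += 1
        run = events[i:j + 1]
        if len(run) >= min_run and len({e.key for e in run}) > 1:
            bursts.append((i, j, "".join(e.key for e in run)))
        i = j + 1
    return bursts


def burst_rate(events: List[KeyEvent], start: int, end: int) -> float:
    """Keystrokes per second over events[start..end] (inclusive), for reporting."""
    elapsed_s = (events[end].t_ms - events[start].t_ms) / 1000.0
    return (end - start) / elapsed_s if elapsed_s > 0 else float("inf")


# Constructed sample stream: a human typing, a held key auto-repeating, an injected
# payload typed at 250 chars/s, then the human typing again.
SAMPLE = synth_events([
    ("hello world", 180.0, 0.0),    # ~5.5 chars/s, human
    ("==========", 10.0, 400.0),    # auto-repeat of one key: fast, but not an injection
    ("echo quack\n", 4.0, 600.0),   # injected at 4 ms per key
    ("ok", 200.0, 1500.0),          # human again
])


if __name__ == "__main__":
    for start, end, text in find_injection_bursts(SAMPLE):
        print(f"injection burst at events {start}-{end}: "
              f"{burst_rate(SAMPLE, start, end):.0f} keys/s, text={text!r}")
```

The thresholds are the tunable part: 20 ms between keys and a run of 8 keys catches scripted payloads while leaving room for fast typists, and the single-key exclusion covers auto-repeat. Google's open-source ukip project takes the same timing-based approach on Linux, so this is a recognised detection strategy rather than a novel one; what a monitor does on a hit (log it, unbind the input device, alert the SOC) is a policy choice.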
BTW, at the last RSA Conference we gave out rubber duckies (the real ones), and after hearing our pitch people were afraid to take them, although we promised them it only quacks…
In summary, what can one do to protect oneself, and one’s enterprise, against those rogue devices?
As in every aspect of security, exercise caution and don’t mix business with pleasure. You can take the risk and plug a giveaway into your home PC, but keep a hard barrier between your home PC and your enterprise’s assets. If a giveaway must be charged from a work machine, a charge-only cable or a data-blocking adapter keeps it from enumerating as a device at all, and an endpoint policy that blocks unknown HID devices limits what a “keyboard” hidden in a power bank can do. Keep in mind that even those innocent-looking giveaways can give your valuable data away.