USB Devices Are Insecure

Security-wise, USB devices are broken.

USB is trivial to attack with

There are numerous examples of this. SRLabs' version 1 slides, presented at BlackHat, explain the concept of BadUSB and cover several attacks, including how USB Ethernet devices can be used to siphon all Internet traffic from your computer.

How can we fix this?

Before we can attempt to fix anything, we need to know the history of what we'd like to fix. Let's go back nearly a quarter of a century to 1996, when version 1.0 of the USB Standard was released. Outside of the ability to transfer files at 1.5 MB/s, there wasn't much else that was designed into it. 1.0 didn't have the ability to use extension cables or pass-through monitors, due to timing and power limitations. In 2000, 2.0 (the version most people still use today) was released. 2.0 brought with it a maximum speed of 60 MB/s, and additions to the spec have also brought specifications for battery charging, Micro USB, Mini-A and Mini-B connectors.

Since at least USB 2.0, there haven't been any important or drastic security changes put into the specification. This issue is compounded by the vast number of USB devices in use today. With USB being as old as it is, any change that breaks backwards compatibility for 2.0 devices isn't possible. That said, what can we do to defend our systems? Outside of completely disabling USB via group policy, BIOS settings, etc., there are very few recommendations I can personally give.

Defenses or lack thereof

I've never used, nor do I condone the use of, this specific device, but something like Kanguru's flash drive with signed firmware would be a good first step to ensure your personal device(s) aren't manipulated. This doesn't, however, prevent someone from spoofing the vendor/product IDs of your USB device(s) and having their device(s) masquerade as yours. Spoofing of these IDs would make a whitelist of them useless. It would be nice to see signed firmware as a requirement in newer iterations of the USB standard, though.

I was pondering the idea of whitelisted USB devices, and touched upon this via Killer's #14 issue regarding duplicate devices. The issue brings up a "connected whitelist" of devices that must be connected at all times. While it's a little extreme to force specific devices to be connected at all times, it's pretty much the best we've got with regard to spoofing.
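
One way to express the whitelist and "connected whitelist" checks described above, as an added example (not code from Killer or from this post). The function names, the sample `lsusb` output and the `aaaa`/`bbbb`/`cccc` IDs are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of `lsusb` output; aaaa/bbbb IDs are placeholders.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID aaaa:0001 Example Keyboard
Bus 001 Device 007: ID aaaa:0001 Example Keyboard
Bus 002 Device 003: ID bbbb:0002 Example Ethernet Adapter
"""

ID_RE = re.compile(r"\bID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\b")


def parse_lsusb(text):
    """Count connected devices per (vendor_id, product_id) pair."""
    return Counter(
        (m.group(1).lower(), m.group(2).lower()) for m in ID_RE.finditer(text)
    )


def audit(connected, allowed, required=()):
    """Compare connected devices against a whitelist.

    allowed  maps (vid, pid) -> number of instances expected.
    required lists pairs that must always be present (the "connected
             whitelist"); a missing one may mean it was swapped out.
    """
    findings = []
    for dev, count in sorted(connected.items()):
        limit = allowed.get(dev)
        if limit is None:
            findings.append(("unknown", dev))    # not on the whitelist
        elif count > limit:
            findings.append(("duplicate", dev))  # same IDs seen too often
    for dev in required:
        if connected.get(dev, 0) == 0:
            findings.append(("missing", dev))
    return findings


if __name__ == "__main__":
    allowed = {("1d6b", "0002"): 1, ("aaaa", "0001"): 1, ("cccc", "0003"): 1}
    for kind, (vid, pid) in audit(parse_lsusb(SAMPLE_LSUSB), allowed,
                                  required=[("cccc", "0003")]):
        print(f"{kind}: {vid}:{pid}")
```

Counting instances is what catches a device presenting whitelisted IDs while the genuine one is still plugged in; a device that replaces the original one-for-one still passes, since the IDs themselves prove nothing.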



If this post made you think about USB security, I'd love to get your opinion!
Feel free to contact me using the methods below.