Wednesday, April 3, 2019

The Universal Serial Bus

This weekend there was a report out of Mar-a-Lago that a Chinese national had been apprehended while trying to enter the resort carrying a laptop, 4 mobiles, and a USB thumb drive containing malicious software. Thumb drives are an efficient attack vector wherever the attacker has physical access to a computer, yet we continue to hear reports of people surprised at how easy such an attack is.

It is important to decode, to understand, “USB.” It stands for “Universal Serial Bus.” “Universal” refers to the standard; thousands of different devices employ the standard for interoperability. It is a standard interface, but it is more than that. It attaches to the bus of the host device as a peer of the processors, memory, and other external input/output devices. The standard provides for the device to contain executable software to facilitate its attachment to and interaction with the host device. Think of it this way: any device attached to the bus is logically an internal, not external, device.

Like many standards, this one is popular, in large part, because it is convenient. It is an open interface for attaching cameras, scanners, printers, speakers, microphones, headsets, monitors, and storage devices. As is often, not to say usually, the case, convenience trumps security. Any control that limited attachment, i.e., that made it more secure, would also make it less convenient.

It is a privileged form of attachment; no authentication, no cryptography, no control. It is subject only to physical access control. Simply plugging a USB “thumb drive” into the bus of another device is sufficient to alter the fundamental operation of, not to say corrupt, that device in, perhaps, as little as tens of seconds. As we have seen, compromise of a single device on a network may reduce the cost of attack against all other devices on that network.

Since most, not to say all, personal computers expose their bus via the USB standard, it is essential to prevent unauthorized physical access to all such computers. (Indeed, the interface is so ubiquitous and so vulnerable that some security professionals advocate filling the port with superglue. This measure should be considered for sensitive systems and applications and hostile environments.)
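Because the bus accepts whatever a device says it is, a defender can at least inventory what is attached and flag surprises, such as a "thumb drive" that also presents a keyboard interface. The following is an added example, not part of the original post: it assumes a Linux host's sysfs layout, and the allowlist IDs and function names are constructed for illustration.

```python
from pathlib import Path

# USB-IF base class codes for the device kinds the post lists.
USB_CLASS = {0x01: "audio", 0x03: "hid", 0x07: "printer",
             0x08: "mass-storage", 0x09: "hub", 0x0E: "video"}

# Constructed allowlist (hypothetical IDs): (idVendor, idProduct) -> expected classes.
ALLOWED = {("aaaa", "0001"): {"hid"}, ("bbbb", "0002"): {"mass-storage"}}


def read_devices(root="/sys/bus/usb/devices"):
    """Collect IDs and interface classes from a Linux sysfs-style tree."""
    devices = []
    for dev in sorted(Path(root).iterdir()):
        # Skip interface entries ("1-1:1.0") and root hubs ("usb1").
        if ":" in dev.name or dev.name.startswith("usb"):
            continue
        if not (dev / "idVendor").is_file():
            continue
        classes = set()
        for f in dev.glob("*:*/bInterfaceClass"):
            code = int(f.read_text().strip(), 16)  # sysfs stores hex text
            classes.add(USB_CLASS.get(code, f"class-0x{code:02x}"))
        ident = ((dev / "idVendor").read_text().strip(),
                 (dev / "idProduct").read_text().strip())
        devices.append({"port": dev.name, "id": ident, "classes": classes})
    return devices


def audit(devices, allowed=ALLOWED):
    """Return (port, reason, classes) for anything outside the allowlist.

    IDs and classes are self-reported by the device, so this is an
    inventory check, not authentication.
    """
    findings = []
    for d in devices:
        expected = allowed.get(d["id"])
        if expected is None:
            findings.append((d["port"], "unknown-device", sorted(d["classes"])))
        elif d["classes"] - expected:
            extra = sorted(d["classes"] - expected)
            findings.append((d["port"], "unexpected-interface", extra))
    return findings


if __name__ == "__main__":
    for finding in audit(read_devices()):
        print(finding)
```
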