Smart USBs Gone Bad

You know those handy, smart USB drives that let you carry the contents of your computer around your neck when you're on the move, applications and all? These portable drives can also be used by an attacker to steal your user privileges and data.

That's what Bob Clary, a consultant with Secure Network Technologies, recently discovered within just a few minutes of purchasing a smart USB. "The minute I saw the U3 USB drive, I thought 'I can do anything with this.' Five minutes after I had bought it, I had it hacked," says Clary, whose company performs social engineering and penetration testing for its clients.

Turns out this new generation of USBs provides another entry point for hacking into Windows machines. Clary discovered that by adding his own hacking tools to the drive, he could lift data from a machine and even steal user privileges and take control of the machine -- as long as it was logged on and the screen saver unsecured.

But the actual flaw lies in Windows, not the smart USBs, he says. "It's important to understand that this is not a security flaw in the U3 software or architecture, but a flaw in how Windows handles AutoRun devices," he notes. "U3 is simply a program environment that is self-contained so that it will work regardless of what's installed on the machine that it is plugged into."

Nathan Gold, U3 ambassador for U3 LLC, says this security problem comes with the territory in any smart USB drive, floppy disk, or CD-ROM. "A flash drive is no different from a floppy or CD-ROM," he says.

The weakest link here is that, although Windows XP does not automatically run a USB, it will automatically run a CD, which is how the U3 and other such USB devices appear to the OS, according to Secure Network's Clary. "It fools Windows into thinking it's a CD," he says. "Any program on the U3 USB will run with whatever privileges the currently logged-in user has."

But an attacker would obviously need physical access to the victim's machine. That would mean plugging it in and then taking it out, or plugging it in and having it send data out via Sendmail, for instance, he says. "You can configure your own U3 FOBs to be turned off."

Clary says he has written several Windows utilities for the drives, including one that uses an administrator's credentials to connect to the domain controller "and grab files, registry, user info, memory dumps, etc."

But antivirus tools would typically recognize and stop any well known hacker tools in their tracks, he says, and a personal firewall can prevent an unauthorized app from sending data on the network. And the key security measure to protect your machine and users from a USB-born attack is to turn off the AutoRun feature for CDs, he says.

In addition, Microsoft's latest operating system may circumvent this problem. "By default, Windows Vista prompts the user to confirm whether the AutoRun command should run," according to documentation from Microsoft's Website.

U3's Gold says the "autostart" feature built into U3's smart drives, which are packaged and sold by companies such as Memorex and SanDisk, has built-in security that prevents anyone from seeing data on the drive unless they enter a 128-bit encrypted password. "Our drives are USBs on steroids, plus the 'autostart' feature lets you load apps automatically," he says. "But most importantly, it automatically starts by protecting the drive with that password layer." That protects your smart drive from being hacked.

But what about a hacker popping his own smart drive into your machine? Gold says many companies merely turn off the autostart feature in their PCs so that CDs -- and smart USBs -- cannot automatically run, which would protect you from a nefarious drive. He echoed Clary's recommendation: "That's one the simplest measures -- turn off the autostart," he says.

He adds that there are also server-based tools that let you manage and control what specific drives and other hardware gets plugged into a client machine.

Clary says smart USBs are basically just another attack venue for social engineers or insiders gone bad. "Most places give me a jack in the wall. But this technology gives you yet another way to do it [hack]," he observes. "The scary thing is it doesn't require any real technical savvy."

— Kelly Jackson Higgins, Senior Editor, Dark Reading