Smart USBs Gone Bad

Tapping the AutoRun feature of many PCs means they can be hacked using smart USB drives

You know those handy, smart USB drives that let you carry the contents of your computer around your neck when you're on the move, applications and all? These portable drives can also be used by an attacker to steal your user privileges and data.

That's what Bob Clary, a consultant with Secure Network Technologies, recently discovered within just a few minutes of purchasing a smart USB. "The minute I saw the U3 USB drive, I thought 'I can do anything with this.' Five minutes after I had bought it, I had it hacked," says Clary, whose company performs social engineering and penetration testing for its clients.

Turns out this new generation of USBs provides another entry point for hacking into Windows machines. Clary discovered that by adding his own hacking tools to the drive, he could lift data from a machine and even steal user privileges and take control of the machine -- as long as it was logged on and the screen saver unsecured.

But the actual flaw lies in Windows, not the smart USBs, he says. "It's important to understand that this is not a security flaw in the U3 software or architecture, but a flaw in how Windows handles AutoRun devices," he notes. "U3 is simply a program environment that is self-contained so that it will work regardless of what's installed on the machine that it is plugged into."

Nathan Gold, U3 ambassador for U3 LLC, says this security problem comes with the territory in any smart USB drive, floppy disk, or CD-ROM. "A flash drive is no different from a floppy or CD-ROM," he says.

The weakest link here is that, although Windows XP does not automatically run a USB, it will automatically run a CD, which is how the U3 and other such USB devices appear to the OS, according to Secure Network's Clary. "It fools Windows into thinking it's a CD," he says. "Any program on the U3 USB will run with whatever privileges the currently logged-in user has."

But an attacker would obviously need physical access to the victim's machine. That would mean plugging it in and then taking it out, or plugging it in and having it send data out via Sendmail, for instance, he says. "You can configure your own U3 FOBs to be turned off."

Clary says he has written several Windows utilities for the drives, including one that uses an administrator's credentials to connect to the domain controller "and grab files, registry, user info, memory dumps, etc."

But antivirus tools would typically recognize and stop any well-known hacker tools in their tracks, he says, and a personal firewall can prevent an unauthorized app from sending data on the network. The key security measure to protect your machine and users from a USB-borne attack is to turn off the AutoRun feature for CDs, he says.
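The mitigation Clary recommends is a machine-wide Explorer policy. The following PowerShell is an added example (not from the article or from U3) that audits the documented NoDriveTypeAutoRun value, checks specifically whether the CD-ROM bit is set (the drive type a U3 stick enumerates as), and enforces the all-drives setting; it assumes an elevated shell on a Windows host.

```powershell
# Added example: audit and enforce the "turn off AutoRun for CDs" mitigation
# through the NoDriveTypeAutoRun policy value under Policies\Explorer.
# The value is a bit mask, one bit per Windows drive type:
#   0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x80 unknown
# A mask of 0xFF disables AutoRun for every drive type. Note that a default that
# masks removable drives (0x04) but not CD-ROM (0x20) is exactly the gap the
# article describes: a U3 drive presents itself as a CD, not a removable disk.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$CdRomBit   = 0x20
$AllDrives  = 0xFF

function Get-AutoRunPolicy {
    # Returns the current mask as an integer, or $null if the policy is not set.
    $item = Get-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-CdRomAutoRunDisabled {
    # True only when the policy exists and its CD-ROM bit is set.
    $mask = Get-AutoRunPolicy
    return ($null -ne $mask) -and (($mask -band $CdRomBit) -ne 0)
}

function Disable-AutoRunAllDrives {
    # Writes 0xFF so no drive type, CD-ROM class included, auto-runs.
    # Requires elevation; Explorer picks the change up on its next start.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name 'NoDriveTypeAutoRun' -Value $AllDrives -Type DWord
}

# Audit run: report the current state before changing anything.
$current = Get-AutoRunPolicy
if ($null -eq $current) {
    Write-Output 'NoDriveTypeAutoRun is not set; the Windows default mask applies'
} else {
    Write-Output ('NoDriveTypeAutoRun = 0x{0:X2}' -f $current)
}
if (Test-CdRomAutoRunDisabled) {
    Write-Output 'AutoRun is disabled for CD-ROM-class devices (U3 drives included)'
} else {
    Write-Output 'AutoRun is still enabled for CD-ROM-class devices; run Disable-AutoRunAllDrives'
}
```

Deploying the same value through Group Policy rather than a local script gives the fleet-wide control the article's sources describe, and the audit function doubles as a compliance check.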

In addition, Microsoft's latest operating system may circumvent this problem. "By default, Windows Vista prompts the user to confirm whether the AutoRun command should run," according to documentation from Microsoft's Website.

U3's Gold says the "autostart" feature built into U3's smart drives, which are packaged and sold by companies such as Memorex and SanDisk, has built-in security that prevents anyone from seeing data on the drive unless they enter a 128-bit encrypted password. "Our drives are USBs on steroids, plus the 'autostart' feature lets you load apps automatically," he says. "But most importantly, it automatically starts by protecting the drive with that password layer." That protects your smart drive from being hacked.

But what about a hacker popping his own smart drive into your machine? Gold says many companies merely turn off the autostart feature in their PCs so that CDs -- and smart USBs -- cannot automatically run, which would protect you from a nefarious drive. He echoed Clary's recommendation: "That's one of the simplest measures -- turn off the autostart," he says.

He adds that there are also server-based tools that let you manage and control what specific drives and other hardware gets plugged into a client machine.

Clary says smart USBs are basically just another attack venue for social engineers or insiders gone bad. "Most places give me a jack in the wall. But this technology gives you yet another way to do it [hack]," he observes. "The scary thing is it doesn't require any real technical savvy."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Memorex Products Inc.
  • Microsoft Corp. (Nasdaq: MSFT)
  • SanDisk Corp. (Nasdaq: SNDK)
  • Secure Network Technologies Inc.
  • U3 LLC

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
