This almost sounds like a 1950s B movie title where demented USB drives attack unsuspecting villagers. Unfortunately it’s the result of work by security researchers that can turn a USB drive into a silent malware installer. Researchers from Berlin-based Security Research Labs (SRLabs) demonstrated an attack dubbed BadUSB at the Black Hat security conference in Las Vegas in August 2014 that can takeover a keyboard and have it send keystrokes to download and install malware.
Researchers Adam Caudill and Brandon Wilson released a collection of tools this past week that can be used to turn those drives malicious. It involves modifying firmware on the USB drive that adds new functionality, albeit something that most of us probably don’t want. Since the security vulnerability doesn’t have an easy fix, SRLabs didn’t want to release more details so that people could exploit it.
“We really hope that releasing this will push device manufacturers to insist on signed firmware updates, and that Phison will add support for signed updates to all of the controllers it sells,” Caudill said in a blog post. “Phison isn’t the only player here, though they are the most common – I’d love to see them take the lead in improving security for these devices.”
While having signed firmware is a must for these devices, it doesn’t do the whole job. Using signed firmware would prevent a rogue process from updating the firmware on a USB controller, but it wouldn’t stop someone from going after the ultimate target, which is your data and the files that contain them.
Protecting the files themselves is the only way to truly protect yourself. Protecting a file with strong encryption as you create it is the place to start. Next you should apply a centralized security policy to that file that controls its usage no matter where it is located. This data-centric security policy moves with the files and allows you to control access based on user credentials under your control. You could use an internal or external directory service, email-based authentication or a multi-factor process to authenticate and authorize the file’s recipients.
Once validated, you can control what someone can do with the file. If you only want to let them view it, they can’t do anything else, including print or take a screen capture of it. If you want to immediately revoke access to an authorized user, you can do it at the click of a mouse. This gives them a bunch of useless bits on a drive. If the person trying to access the file never had access, they will have the same thing. A bunch of nothing.
Fighting malware is a full-time job and requires vigilance on the part of users and businesses. Making sure your data is secured requires the same rigor. Encrypt, control and trace activities of all your sensitive files to give your business the protection it deserves from both malicious and accidental events.
Photo credit Chris Yarzab