When you think about the potential security risks inherent to USB devices, you probably think about issues related to USB storage: viruses, malware, and users inadvertently (hopefully) taking sensitive data out of the network with them. But with the constant miniaturization and improvement of technology, an insidious new threat is starting to emerge: trojan devices hidden in seemingly innocuous USB devices.
Recently a number of high-profile publications, such as the Guardian, have been running a story in which a system was apparently compromised by malware embedded in the USB charger for a user’s electronic cigarette.
While there is some debate about the particular story in question, the technology itself is here and is very much a real threat.
The Original Story
A number of sites have run pieces on this story over the past month or so, and they all point back to the same thread on Reddit, where a user by the name of Jrockilla posted an anecdote about a system that had been mysteriously compromised. After exploring all the traditional attack vectors, IT finally asked the user if they had done anything differently recently, to which he replied that he had started using a Chinese electronic cigarette which charges up by plugging into the computer’s USB port. The story goes that the IT department discovered the USB charging device contained malware which phoned home and infected the computer.
Unfortunately, that’s about where the story ends. There’s no information on the USB charger or the malware it supposedly contained, and when pushed for details about what other possible explanations for the breach had been investigated, the original poster disappeared.
Eventually, one of the commenters mentioned that the story sounds suspiciously like a theoretical situation proposed by th3j35t3r, leading to the possibility that this story is something of a tech urban legend that is now making its way around the Internet.
The legitimacy of this particular tale looks pretty doubtful, and it says something about the fear-mongering mentality of most media outlets that anyone is even running this story (based on nothing more than a post to Reddit), but that doesn’t mean it isn’t possible.
There are a number of ways that an attack like this could be pulled off. The charger could have a small USB storage device built in which leverages the operating system’s “autorun” function to launch malware, or even a microcontroller which launches more sophisticated attacks such as BadUSB.
In his talk at Black Hat Asia 2014, JP Dunning showed a USB mouse and keyboard he modified with a microcontroller of his own design called “The Glitch”. With his microcontroller on board, Dunning was able to not only capture data, but also “type” commands into the host computer via the USB Human Interface Device (HID) protocol.
These types of threats can be particularly difficult to defend against; the best course of action is to have a strong policy about outside hardware being connected to the network, and to make sure that hardware is purchased only through trusted vendors.
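Both device behaviours described above (a hidden storage device, or a microcontroller typing over HID) are visible at enumeration time as USB interface classes, so a Linux host can be audited for them through sysfs. The following is an added example, not code from the original article; the allowlist, its constructed IDs, and the function names are assumptions made for illustration.

```python
import os

# USB-IF interface class codes as sysfs prints them (two hex digits).
RISKY = {"03": "HID (can inject keystrokes)", "08": "mass storage"}

def _read(path):
    """Return a sysfs attribute as lowercase text, or None if unreadable."""
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return None

def audit_usb(allowlist, sysfs_root="/sys/bus/usb/devices"):
    """List (port, 'vid:pid', [reasons]) for every device that exposes a HID
    or mass-storage interface and is not on the allowlist (lowercase IDs)."""
    findings = []
    if not os.path.isdir(sysfs_root):
        return findings
    for port in sorted(os.listdir(sysfs_root)):
        if ":" in port:  # top-level interface entries; read via the parent device
            continue
        dev = os.path.join(sysfs_root, port)
        vid = _read(os.path.join(dev, "idVendor"))
        pid = _read(os.path.join(dev, "idProduct"))
        if vid is None or pid is None:
            continue
        reasons = set()
        for sub in os.listdir(dev):
            if sub.startswith(port + ":"):  # interface dirs look like "1-2:1.0"
                cls = _read(os.path.join(dev, sub, "bInterfaceClass"))
                if cls in RISKY:
                    reasons.add(RISKY[cls])
        dev_id = f"{vid}:{pid}"
        if reasons and dev_id not in allowlist:
            findings.append((port, dev_id, sorted(reasons)))
    return findings

if __name__ == "__main__":
    APPROVED = {"aaaa:0001"}  # constructed ID standing in for an approved keyboard
    for port, dev_id, reasons in audit_usb(APPROVED):
        print(f"{port}: {dev_id} is not approved, exposes {', '.join(reasons)}")
```

Vendor and product IDs are reported by the device itself, so a reprogrammed device can claim an approved ID; the audit catches unexpected hardware, not a deliberate impersonation.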