USB drives. They’re ubiquitous. They’re everywhere. You probably have several floating around your office, or nearby. We tend to use them so often that we don’t even think about it, and that’s a potential problem. At a recent Black Hat hacking convention, a demonstration was performed that proved just how easy it is to gain total control over just about any computer system, no matter how secure. The secret lies in all those little USB drives that nobody seems to think twice about.
Using a combination of one part tech savvy and one part simple social engineering, hackers conducted an experiment. Of course, as this was just a demonstration, the USB drives they used weren’t loaded with anything of a malicious nature. Just a simple bit of code that would send a ping if it made its way onto a network, so that the results could be tracked. Those results were beyond disturbing.
The technical wizardry takes the form of code on the drive that fools the PC it is plugged into. Instead of seeing a USB drive, the PC recognizes the device as a keyboard and will happily accept spoofed keyboard commands from it.
The social engineering side of the equation is far simpler. All it takes is attaching the USB drive to a dummy set of keys, then leaving them in a high traffic area where they are sure to be found. Overwhelmingly, when this technique is used, the person who finds the “lost keys” plugs the USB drive in, in an attempt to discover the identity of the drive’s owner.
It’s completely innocent. It’s something most people would do instinctively in order to get the keys to their rightful owner, and the hackers are well aware of this. Once the drive has been plugged in, it’s already too late. The software contained on the drive can begin issuing commands to the PC, which will happily accept them.
The most terrifying thing about this type of attack is that it completely circumvents all enterprise-level best practices where data security is concerned. The lesson here is simple. If you aren’t 100% sure the USB drive in question belongs to you, don’t risk plugging it into any device you own.
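A defender-side check for the keyboard impersonation described above, as an added example that is not from the original article or the Black Hat demonstration: it parses a USB configuration descriptor and flags a supposed flash drive that announces a HID keyboard interface. The descriptor bytes and the `verdict` policy are constructed for illustration.

```python
# Added example. Class codes come from the USB specification; the two
# descriptor blobs and the verdict() policy are constructed for illustration.
USB_DT_INTERFACE = 0x04
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_PROTOCOL_KEYBOARD = 0x01

# Constructed: an ordinary flash drive (one mass-storage interface).
FLASH_DRIVE = bytes.fromhex(
    "090220000101008032"   # configuration descriptor, wTotalLength = 32
    "090400000208065000"   # interface: class 0x08 (mass storage)
    "07058102000200"       # bulk IN endpoint
    "07050202000200"       # bulk OUT endpoint
)
# Constructed: a "drive" that enumerates as a boot-protocol keyboard.
FAKE_DRIVE = bytes.fromhex(
    "09022200010100a032"   # configuration descriptor, wTotalLength = 34
    "090400000103010100"   # interface: class 0x03 (HID), protocol 0x01 (keyboard)
    "092111010001223f00"   # HID class descriptor
    "0705810308000a"       # interrupt IN endpoint
)

def interfaces(config: bytes):
    """Return (class, subclass, protocol) for every interface descriptor."""
    found, i = [], 0
    while i + 2 <= len(config):
        length, dtype = config[i], config[i + 1]
        # Each descriptor starts with its own length; reject lies about it.
        if length < 2 or i + length > len(config):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == USB_DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {i}")
            found.append(tuple(config[i + 5:i + 8]))
        i += length
    if i != len(config):
        raise ValueError("trailing bytes after last descriptor")
    return found

def verdict(config: bytes) -> str:
    """Policy for a device the user believes is a flash drive."""
    ifaces = interfaces(config)
    if any(c == CLASS_HID and p == HID_PROTOCOL_KEYBOARD for c, _, p in ifaces):
        return "block: enumerates as a keyboard"
    if ifaces and all(c == CLASS_MASS_STORAGE for c, _, _ in ifaces):
        return "allow: mass storage only"
    return "review: unexpected interface classes"

if __name__ == "__main__":
    for name, blob in (("flash drive", FLASH_DRIVE), ("fake drive", FAKE_DRIVE)):
        print(name, "->", verdict(blob))
```

The same class, subclass and protocol values are what an operating system's device-control policy matches on when it restricts which USB device types may attach.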