Also this year the Black Hat security conference will take place in Las Vegas, USA. The first day saw a large number of different presentations, two of which had a common theme: curiosity. Both Elie Bursztein, a security researcher at Google, and Zinaida Benenson, a scientist at Germany’s Erlangen-Nürnberg University, put the human factor at the center of their presentations.
Bursztein addressed the question ‘does dropping usb drives really work?’. He said that at every security conference there is always someone who claims that he has bypassed a company’s security by placing a USB stick in a conspicuous place outside the building in the hope that an employee will plug it into a PC. This attack is said to be so effective that at one point it even reappeared in the TV series Mr. Robot. In a certain scene you can see how a security guard connects a USB stick found shortly before in the parking lot to his computer, without knowing that the drive was there for a reason.
Enough reason for the Google researcher to set up an experiment himself and to investigate this claim. To do this, he spread 297 prepared USB sticks across the campus of the American University of Illinois, to be found by passers-by. In doing so, he distinguished by location, appearance and content of the stick and was able to track the results via a backend. After people had viewed the contents of the stick, they could complete a survey and indicate their motivations.
Bursztein distinguishes three possible attacks that can be carried out via a USB stick. The first one is completely based on social engineering and consists, for example, of posting malicious files with the name ‘do not open’, or something else attractive. However, this attack quickly arouses suspicion and is not very reliable. The second option is so-called hid spoofing , in which the data carrier masquerades as a human interface device ; in most cases that is a keyboard. In this way, a command can be executed via keystrokes; for example, opening a remote shell .
The difficulty with such an attack is that the victim’s operating system must be determined before the attack can be carried out. In addition, the payload that opens the command prompt must be small and not recognized by an antivirus program. The USB stick must also look credible.
However, the researcher has managed to find a solution for all these problems. By virtually pressing and locking the ‘scroll lock’ key, he was able to quickly determine the victim’s operating system. A small payload also turned out to be feasible. For example, it was possible to write a Linux payload of 100 characters using a scripting language. In Windows, the process was a bit more complex, but not impossible either. Manufacturing a USB stick cost Bursztein about $40 per device based on a Teensy 3.2 .
He demonstrated the final attack in a video. It showed that the entire process from plugging in the USB stick to opening a shell and connecting to a metasploit -based command-and-control server took about six seconds, with the user only briefly entering a command prompt. see appear. He then had free access to the infected computer.
The third way to use a USB stick for such an attack is to gain access to a device via a zero-day vulnerability. However, this method is very costly and cumbersome, making it only for very dedicated attackers, such as a state.
Bursztein has made the code of his project available online . He also discussed in detail the manufacture of a USB stick based on a Teensy with a convincing appearance. He used a silicone mold for this, which was not easy for him at first. In the end, however, we managed to make good copies. The researcher is considering starting a Kickstarter project for these types of USB sticks if there is enough interest.
Back to the results of the research conducted. It turned out that 98 percent of the dropped USB sticks had been picked up and that 48 percent of them were connected to a computer, something Bursztein had not seen coming. It also turned out that it did not matter where the USB stick was placed, for example in a parking lot, in a common room or in a corridor. The appearance also does not matter much, for example whether there are keys attached or a label has been stuck on it.
The main reason for opening the files on the carrier turned out to be identifying the owner, the finders said. However, Bursztein has his doubts about this statement, because his data shows that the vast majority of people had only opened the photos and not the other files. The reason that was mentioned most often after that is curiosity, something that Bursztein considers a lot more plausible.
The second study, that of Benenson, focused on the phenomenon of phishing . She wanted to investigate the reasons for clicking on suspicious links. To this end, she sent 1600 students a Facebook message or an e-mail from an unknown person containing a link to photos of a New Year’s party. In addition, the request was sent not to share the photos. The number of clicks was then recorded by the researcher.
It turned out that 43.5 percent of students clicked the link in the Facebook post and 25 percent clicked the link in the email. When Benenson approached the students at a later date, it turned out that the main reason for following the link was curiosity. This was given as the reason in 34 percent of the cases. The subsequent reason was that the students thought they were indeed pictures of a party they had attended. Reasons for not clicking were not knowing the sender and suspecting spam or phishing.
Benenson argues that users should be in a kind of ‘James Bond mode’ all the time: constantly on the alert that something is not what it seems. However, she also understands that this cannot be asked of anyone.
The solutions put forward by the two researchers have common ground. Both mention that creating awareness among users plays an important role. For example, Benenson mentions that it is only necessary to become suspicious if there is a valid indication to do so. She also recognizes that suppressing curiosity is not an option, because this is inherent in humans. She therefore calls for a dialogue with users, for example employees of a company who process messages from outside on a daily basis.
Bursztein mentions that there are also specific ways to defend yourself against an attack via a USB stick, but that these do not always work well. For example, it is possible to block the USB port on computers. In addition, there is the option to only allow certain USB sticks via system policy. However, this can go wrong when a device ID is spoofed, which is not very difficult. Antivirus programs also do not help against such an attack, because only text is entered.
Absolute security is therefore a utopia and the human factor remains a thorny issue when it comes to securing systems. Curiosity will always play an important role in this.