Researchers Karsten Nohl and Jakob Lell caused quite a stir in Las Vegas earlier this month, which quickly spread to the rest of the world of cybersecurity, when they showed how USB drives could be reprogrammed and transformed into portable malware carriers.
Nohl and Lell explained that since USB drives are designed to be reprogrammable, a hacker could make a drive masquerade as another device. In one example an attacker could reprogram a USB device to assume the function of a keyboard, and then issue commands to the computer or install malware.
And possibly the worst part of the vulnerability is that a user has no visibility into the software running a USB drive, so there’s no way to find out if their drive has been affected. In the wrong hands, a BadUSB drive really is “scarily insecure,” as Nohl put it.
USB Drives are Repeat Cybersecurity Offenders
Long before Black Hat 2014, it’s been widely known that USB drives are not the most secure way to transfer data between devices. Convenient, yes. Secure, no.
Not only are USB drives easy to lose, but any device with a USB interface could potentially be affected by malware originating from a USB drive, including laptops and phones. As far back as July 2011, the Ponemon Institute found that 70 percent of businesses could trace data breaches back to USB drives.
Even the NSA found USB drives to be useful for espionage purposes. In December 2013, it was revealed that the agency had used a series of USB implants known as “COTTONMOUTH” to target adversarial networks. If the NSA is exploiting a vulnerability, then it’s probably an effective means of attack.
A World Without USB Drives?
Even if businesses understand the risk of using USB drives, they’re usually limited to making an all-or-nothing choice. In fact, in the Ponemon survey, more than one-third of enterprises said they used software to block all usage of USB drives by employees. Other complementary solutions like antivirus software also won’t fend of exploits like BadUSB because the software that runs on USB drives isn’t visible to computers. It’s clear that USB drives are a threat, so surely, a smarter approach would be to remove the need for employees to use them altogether.
If businesses want to allow their employees to work remotely, it’s better they require them to access and transfer files using a device that is connected securely to the corporate network via a VPN, instead of allowing them to use a USB drive to move data from one device to another. As soon as a USB drive is ejected from a corporate device, the information it contains is no longer protected by the umbrella of security offered by the corporate network, and enterprises no longer have control over who has access to the data or how the data is utilized.
If an enterprise utilizes a centrally managed VPN, employees can download a VPN client that will work on any device or operating system, which they can use to access files anywhere, at any time. An enterprise will also maintain access control, limiting the information users can access according to their roles and attributes. Additionally, if a user’s computer were to be affected by malware, the network administrator could deprovision the user as soon as the breach was detected, thereby preventing the malware from spreading throughout the network.
Now that Nohl and Lell have sounded the alarm about BadUSB, the hope is that enterprises will stop using USB drives and instead turn toward comprehensive network security and a defense in-depth strategy, including utilizing a VPN with central management. Hopefully, by Black Hat 2015, BadUSB will be just a distant memory.
Want to learn more about remote access VPN?
In Remote Access VPN For Dummies, we cover:
– The full VPN landscape, including hybrid IPsec/SSL VPN solutions
– The evolution of remote access VPN
– How to provide users with secure remote access
– How to simplify remote access VPN and reduce costs