October 12, 2006
U3 is a fun new technology for USB flash devices. U3 flash drives contain a partition that emulates a CD-ROM drive, where U3 enabled applications are installed. The CD emulation means that these devices will auto-play on most XP, 2000 and 2003 computers, when the drive is inserted. The talented folks over at hak5.org have created several projects, including Switchblade and its younger cousin Hacksaw, which exploit this technology for hacking/pen testing.
U3 reinforces the old security axiom, “if I can touch it, I own it.” Using auto-play with exploit code is nothing new. CDs can be used in this manner. What is new is the ability to run this on a writeable device. As the hak5 guys have proven, this is a deadly combo. Plug your USB drive in, wait for it to suck off password hashes or key files, install a back-door, and be gone. This works even if the screen is locked. One more reason why at some companies, the janitor is the richest guy in the place.
As pen testers, U3 is just one more tool to make our lives easier. As security managers, developing a defense in depth against U3 is difficult. Here are a few suggestions to make it easier. Most of these are just good general security practices, but U3 increases their importance:
- Assign the least amount of privileges possible to your users. Programs run with U3 execute with the privileges of the logged-on user. Unless, of course, the hacker includes a privilege escalation exploit on the drive.
- Keep systems patched. This reduces the # of possible exploits.
- Never leave systems logged in with admin access. Locking the screen does not protect against auto-play. Admins should always log out when done.
- Disable auto-play. (Instructions below)
- Restrict USB devices. Several vendors offer solutions to disable USB ports, or restrict them to authorized devices.
- GFI EndPoint Security
- ControlGuard Endpoint Access Manager
- SafeEnd Protector
- Device Lock
- SecureWave Sanctuary
- TriGeo USB-Defender
There are mulitple ways to disable auto-run. The best way is to use group policy. Go to computer config>admin templates>system and find the “turn autoplay off option. This option makes a registry entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. You can also create this key manually. For stand-alone PCs, the TweakUI PowerToy from Microsoft can also be used. TweakUI offers a disable autoplay option under the “My Computer section.
The last tool in your arsenal is training. Teach your users not bring in USB devices from home, or plug-in flash drives the find or are sent in the mail. This seems like common sense, but several security testers have shown that users will pickup drives on the ground and plug them in to their PCs to see what is on them. The most famous example of this is the test Steve Stasiukonis wrote about in the Dark Reading blog. 20 Flash drives on the ground outside a bank yielded 15 compromised systems. Flash drives work better for this type of test than CDs, because users perceive them as valuable since they are re-writable. A good security education program would prevent this.
If you have other ideas for protecting against flash drives and U3, we’d love to hear about them.