October 12, 2006

Defending against U3 & Switchblade

U3 is a fun new technology for USB flash devices. U3 flash drives contain a partition that emulates a CD-ROM drive, where U3-enabled applications are installed. The CD emulation means that these devices will auto-play on most XP, 2000 and 2003 computers when the drive is inserted. The talented folks over at hak5.org have created several projects, including Switchblade and its younger cousin Hacksaw, which exploit this technology for hacking/pen testing.

U3 reinforces the old security axiom, “if I can touch it, I own it.” Using auto-play with exploit code is nothing new. CDs can be used in this manner. What is new is the ability to run this on a writeable device. As the hak5 guys have proven, this is a deadly combo. Plug your USB drive in, wait for it to suck off password hashes or key files, install a back-door, and be gone. This works even if the screen is locked. One more reason why at some companies, the janitor is the richest guy in the place.

As pen testers, U3 is just one more tool to make our lives easier. As security managers, developing a defense in depth against U3 is difficult. Here are a few suggestions to make it easier. Most of these are just good general security practices, but U3 increases their importance:

  1. Assign the least amount of privileges possible to your users. Programs run with U3 execute with the privileges of the logged-on user. Unless, of course, the hacker includes a privilege escalation exploit on the drive.
  2. Keep systems patched. This reduces the number of possible exploits.
  3. Never leave systems logged in with admin access. Locking the screen does not protect against auto-play. Admins should always log out when done.
  4. Disable auto-play. (Instructions below)
  5. Restrict USB devices. Several vendors offer solutions to disable USB ports, or restrict them to authorized devices.

There are multiple ways to disable auto-run. The best way is to use group policy. Go to Computer Config > Admin Templates > System and find the “turn autoplay off” option. This option makes a registry entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. You can also create this key manually. For stand-alone PCs, the TweakUI PowerToy from Microsoft can also be used. TweakUI offers a disable autoplay option under the “My Computer” section.
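For a stand-alone PC, the same registry entry can be audited and applied from PowerShell. This is an added example, not code from the original post; it assumes the value name NoDriveTypeAutoRun (the DWORD bitmask that the autoplay policy writes under the key above) and the per-drive-type bit meanings from the Win32 drive-type constants. Writing to HKLM requires an elevated prompt.

```powershell
# Added example (not from the original post): audit the NoDriveTypeAutoRun mask under the
# Policies\Explorer key and, when asked, set it to 0xFF (AutoPlay off for every drive type).
# Assumption: the value name and bit layout below follow the Win32 drive-type constants.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF

# A set bit means AutoPlay is disabled for that drive type.
$DriveBits = [ordered]@{
    0x01 = 'Unknown type'
    0x02 = 'No root directory'
    0x04 = 'Removable (the data partition of a flash drive)'
    0x08 = 'Fixed'
    0x10 = 'Network'
    0x20 = 'CD-ROM (the type a U3 partition emulates)'
    0x40 = 'RAM disk'
    0x80 = 'Unknown types (high bit)'
}

function Get-AutoRunMask {
    # Returns the current mask, or $null when the value (or the whole key) is absent.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-U3AutoPlayBlocked {
    param([int]$Mask)
    # U3 rides on the CD-ROM bit; the rest of the stick is Removable, so require both.
    return (($Mask -band 0x20) -ne 0) -and (($Mask -band 0x04) -ne 0)
}

function Set-AutoRunMask {
    param([int]$Mask = $AllDrives)
    # Creates the Policies\Explorer key if group policy never wrote it; needs admin rights.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $Mask -Force | Out-Null
}

$current = Get-AutoRunMask
if ($null -eq $current) {
    Write-Output "$ValueName is not set; AutoPlay follows the OS default."
} else {
    Write-Output ("{0} = 0x{1:X2}" -f $ValueName, $current)
    foreach ($bit in $DriveBits.Keys) {
        $state = if ($current -band $bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("  0x{0:X2} {1,-48} {2}" -f $bit, $DriveBits[$bit], $state)
    }
}
if (-not ($current -and (Test-U3AutoPlayBlocked $current))) {
    Write-Output 'CD-ROM or removable AutoPlay is still on; run Set-AutoRunMask as admin to apply 0xFF.'
}
```

Domain-joined machines should get the setting from group policy as the post recommends, since policy refresh will overwrite a manual edit.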

The last tool in your arsenal is training. Teach your users not to bring in USB devices from home, or plug in flash drives they find or are sent in the mail. This seems like common sense, but several security testers have shown that users will pick up drives on the ground and plug them in to their PCs to see what is on them. The most famous example of this is the test Steve Stasiukonis wrote about in the Dark Reading blog. 20 flash drives on the ground outside a bank yielded 15 compromised systems. Flash drives work better for this type of test than CDs, because users perceive them as valuable since they are re-writable. A good security education program would prevent this.

If you have other ideas for protecting against flash drives and U3, we’d love to hear about them.

-Bill


3 Comments

  1. Bill said,

    October 23, 2006 @ 11:50 am

    Nice piece!

  2. edgeblog » 10 New Immutable Laws of IT Security said,

    October 23, 2006 @ 4:25 pm

    […] An unsupervised janitor is the richest guy in your company – See rule 4. As I’ve discussed before, a USB key with U3 and a PC with AutoPlay is all it takes to get passwords, install software, and generally 0wn a PC. Couple that with your administrator’s terminals and you have a recipe for disaster. Would you really trust your janitor to do the right thing if I offered him $1,000 to plug a USB drive into a PC for 10 minutes and then bring it back to me? Physical security extends beyond the data center to include every system that has privileged access. How secure are your admin’s home PCs? Your CIO’s? […]

  3. dante said,

    March 4, 2007 @ 6:56 am

    Hello Bill, I had a question about your Switchblade article. I am not sure Switchblade can run if the screen is password protected. I have tried on two laptops, and it only works when the screen is not locked. If I have missed something, please let me know… Thanks for your time.
