INDUSTRIAL CYBER SECURITY
USBs Behaving Badly: How to Control USB Usage in Operational Networks
Ammar Alzaher
April 18, 2019
Honeywell Confidential - © 2019 by Honeywell International Inc. All rights reserved.
Which one is safe?
USB Doppelgangers!
USBs Behaving Badly
USBHarpoon, O.MG Cable, Rubber Ducky, Bash Bunny
The State of USB Security
How likely is a malicious file trying to enter your site through a USB device? ?%
This is what we found…
4 continents
50 locations
4+ industries
26%: potential to cause major disruption to an industrial control system, e.g. loss of view or loss of control
15%: are well-known threats, e.g. Mirai, Stuxnet, TRITON, WannaCry
The State of USB Security
Threats are Changing…
For example, this: [image] may pretend to be this: [image]
SMX Protects Against Advanced USB Threats
Increasing Threat Complexity

BadUSB
• Manipulation of USB firmware.
• The USB device acts as a HID (Human Interface Device, e.g. a keyboard) and can execute scripts.

Rubber Ducky
• A keystroke injection tool disguised as a generic USB drive.
• The computer recognizes the USB device as a "normal" keyboard and automatically executes the preprogrammed Rubber Ducky scripts.
• Execution speed around 1000 words per minute!

Bash Bunny
• A fully featured Linux computer with the ability to execute all Rubber Ducky scripts, as well as more complex attacks leveraging data connections (e.g. Ethernet over USB or Ethernet Control Model, ECM).
• Can also impersonate mass storage or serial devices.
USB Device Attack Categories Visualized

[Figure: timeline of USB-based attacks, 2005 to 2018+, grouped into four attack categories* (Programmable Microcontrollers; Maliciously Re-programmed Peripherals; Not Re-programmed Peripherals; Electrical), with USBHarpoon and O.MG Cable added at 2018+. The accompanying table maps each attack to checkmark columns headed USB Peripheral / Persona of USB Connected Micro-controller / Host; the column assignments are not recoverable from this copy. Attacks listed:]

- Rubber Ducky
- PHUKD/URFUKED
- USBdriveby
- Evilduino
- Unintended USB channels
- TURNIPSCHOOL (COTTONMOUTH-1)
- Attacks on wireless USB dongles
- RIT attack via USB mass storage
- Default gateway override
- Smartphone based HID attacks
- DNS override by modified USB firmware
- Keyboard emulation by modified USB firmware
- Hidden partition patch
- Password protection bypass patch
- Virtual machine break-out
- Boot sector virus
- iSeeYou: disabling the MacBook webcam indicator LED
- .LNK Stuxnet/Fanny USB flash drive exploit
- USB backdoor into air-gapped hosts
- Data hiding on USB mass storage
- Autorun exploits
- Cold boot
- Buffer overflow
- Driver update
- Device firmware upgrade (DFU)
- USB Thief
- USBee attack
- Attacks on smartphones via the USB port
- USB Killer

* Ben Gurion University of the Negev, 2017
What We Learned

• Relying solely on the USB device information is not good enough
• What the USB device reports is not definitive!
• What matters is how the OS treats the device
  - The OS decision process is complex, taking into account many factors
  - The driver the OS chooses may be "OS Standard" or "Vendor Specific", and that makes all the difference
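The lesson above, judging a device by the interfaces the OS will bind drivers to rather than by the identity it reports, can be turned into a simple inventory check. This is an added example, not code from the deck or from Honeywell; the device records, vendor/product IDs and the `expected_keyboard` flag are constructed, modelled loosely on the fields Linux exposes under /sys/bus/usb/devices.

```python
# Added example, not from the Honeywell deck: judge a USB device by the
# interface descriptors the OS will actually bind drivers to, not by the
# product string it reports. Each device is modelled with an idVendor:idProduct
# string, a product string and (bInterfaceClass, SubClass, Protocol) triples.

def persona(interfaces):
    """Map interface triples to the roles the host would grant the device."""
    roles = set()
    for cls, sub, proto in interfaces:
        if cls == 0x08:                       # Mass Storage class
            roles.add("storage")
        elif cls == 0x03:                     # HID; boot-protocol keyboard is 03/01/01
            roles.add("keyboard" if (sub, proto) == (0x01, 0x01) else "hid")
        elif cls == 0x02 and sub == 0x06:     # CDC Ethernet Control Model (ECM)
            roles.add("ecm-network")
        elif cls != 0x0A:                     # 0x0A is the CDC data half; not a role
            roles.add("class-%02x" % cls)
    return roles

def assess(device):
    """Return findings: identity/persona mismatch, unapproved keyboard, network persona."""
    roles = persona(device["interfaces"])
    name = device["product"].lower()
    claims_storage = "drive" in name or "disk" in name
    extra = sorted(roles - {"storage"})
    findings = []
    if claims_storage and extra:
        findings.append("reports itself as a drive but also exposes: " + ", ".join(extra))
    if "keyboard" in roles and not device.get("expected_keyboard", False):
        findings.append("unexpected keyboard interface: keystroke injection risk")
    if "ecm-network" in roles:
        findings.append("Ethernet-over-USB interface: can override gateway/DNS")
    return findings

SAMPLE_DEVICES = [  # constructed inventory; IDs are placeholders, not real hardware
    {"id": "1234:0001", "product": "Generic USB Drive", "interfaces": [(0x08, 0x06, 0x50)]},
    {"id": "1234:0002", "product": "Generic USB Drive", "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},
    {"id": "1234:0003", "product": "USB Drive", "interfaces": [(0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)]},
    {"id": "1234:0004", "product": "Operator Keyboard", "expected_keyboard": True, "interfaces": [(0x03, 0x01, 0x01)]},
]

def audit(devices=SAMPLE_DEVICES):
    """Run assess() over an inventory; returns {device id: [findings]}."""
    return {d["id"]: assess(d) for d in devices}

if __name__ == "__main__":
    for dev_id, findings in audit().items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```

Only the plain flash drive and the approved keyboard pass; the "drive" that also enumerates a keyboard and the "drive" that is really an ECM network adapter are both flagged.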
The State of USB Security
The Myths of USB Security
Common Myth: "Locked USB Ports"

Myth: "We lock down USB ports. This prevents all USB based attacks and USB borne malware."

Reality:
• Many advanced USB and human interface device (HID) attacks such as BadUSB, Rubber Ducky and Bash Bunny are designed to circumvent these security measures by disguising as an approved device at the firmware level.
Common Myth: "My AV Will Protect Us"

Myth: "We have traditional Anti-Virus (AV) installed onsite. This will catch all inbound malware from USB drives."

Reality:
• AV is not a be-all-end-all solution to preventing malware brought in from removable media such as USB drives.
• AV also requires the USB device to be inserted in the workstation before it can be scanned. This can be problematic.
Common Myth: "I Have AWL, This Will Protect Me From All Inbound Threats"

Myth: "I have Application Whitelisting (AWL), this will keep me safe from all inbound malware."

Reality:
• AWL cannot stop "all inbound malware"; typically AWL will not prevent script/macro attacks embedded in authorized application files. Make sure your USB solution can do this.
The State of USB Security
What Can We Do About It?
Apply What You Have Learned Today
• Next week you should:
  - Assess existing USB defensive measures, considering all 3 attack types
• In the next three months you should:
  - Complete an inventory of USB devices currently in use
  - Assess your supply chain: what USB devices are you using?
• Within six months you should:
  - Adjust USB and removable media policies to account for your findings
  - Consider technical controls to enforce these policies
Establish and follow good (USB) security basics

1. Enforce technical controls
2. Monitor and manage network traffic
3. Consider all USB attack types
4. Patch and harden end nodes
5. Secure the USB device supply chain
6. Deploy (and test!) backup and recovery
TRUST (Trusted Response User Substantiation Technology)

SMX ST
• Award winning
• Portable design
• Enterprise management capability
• Enforces USB device authorization
Why Customers Choose HON for Industrial Cyber Security
End-To-End Solutions: Professional Security Consulting Services; 3rd Party Integrated Security Products; Managed Security Services; Cyber Security Software
Industry Proven Products, Services & Solutions
• Trusted partner for industrial cyber security
• Complete portfolio of industry proven cyber security products, services & solutions
• Operational Technology (OT) domain expertise
• Vendor neutral solutions for site or enterprise deployments
• Global capabilities and local presence
Thank you!
To learn more, visit:
http://becybersecure.com
And never trust doppelgangers …