Last month, a former student of the College of St. Rose in New York pled guilty to destroying “66 computers as well as numerous monitors and digital podiums containing USB data ports owned by the College.” The damage was done using a “USB Killer” device that discharged high-voltage pulses into the host device, physically damaging the host’s electrical system.
According to the court documents, the total losses due to the incident were 58,471 USD. A quick Google search shows that these “USB Killer” devices are readily available on websites like eBay for around 40 USD.
Details of the “digital podiums” were not released, but any AV integrator who has done work in higher education institutions could probably guess they were lecterns or teaching stations outfitted with room computers, portable laptop connections, confidence monitors, control touch panels, media switchers, and/or playback devices.
The “numerous monitors” in the court documents could have been simple computer monitors, or larger wall-mounted flat panel displays often used for small-group collaboration.
Motive? Doesn’t Matter
The motives of the attacker are unclear, and in the end, are essentially irrelevant. What is relevant is that the same thing could easily happen at another university, K-12 school, company, or house of worship.
Security experts have shown that USB drives and cables can be built to perform HID attacks, launch command shells, download malicious payloads, and/or modify the DNS settings to redirect traffic.
But more importantly, any USB memory device (a.k.a. USB stick or thumb-drive) could contain files that are infected with malware.
One penetration tester that I spoke to said he often drops off a handful of infected USB drives at hospitals and medical buildings.
The USB drives appear to be harmless freebies, and eventually an employee uses one, opens the file, and the test payload is delivered.
He said that the USB drive attack vector is not as effective as email phishing campaigns, but it is still part of his testing.
When I first shared the College of St. Rose story, many #AVTweeps commented that little could be done:
It’s hard to protect against physical attacks. If you do block the USB port or somehow protect it from electrical discharge, the attacker could smash it with a hammer.
— Leonard C Suskin (@Czhorat) April 27, 2019
Without an option to disable the port completely for both data and power transfer, there is little anyone could do in this instance. With physical access, all bets are off…
— Kevin (@kevin_maltby) April 27, 2019
What Can Be Done About USB Killers
I agree that if someone is truly intent on causing damage, they will find a way, but I think there are still some things that can be done to minimize the impact and likelihood of a USB-based attack.
First, make sure that all members of your organization have signed a computer usage policy and formally agreed not to destroy computer hardware.
Next, consider remoting all computers to locked data closets, and always lock classroom podiums and AV credenzas to minimize access.
Use card-keys or biometric scanners to allow limited access to server rooms, and add IP cameras to these rooms so you can prove who actually did the deed. This is called attribution, and is often a challenge in cybersecurity.
USB attacks should also be outlined in your cyber-awareness training, so that everyone knows to not use random USB drives or charging cables they find.
Last but not least, you should have an incident response plan that anticipates USB attacks, and communicate that plan, so everyone knows what to do in case of a “USB Killer” attack. It may seem unlikely, but it’s certainly possible, and it is best to be prepared for it.