Is there anything we can do across the company to make sure that USBNinja and other similar USB cables, which look so real to users, can really be mitigated?
2 Answers
USBNinja exploits design-level weaknesses of the USB specification. As such there is no simple technical solution and it is unlikely that one will emerge.
You can attempt to close down your USB using device control solutions, but a) you need a very homogeneous IT environment to be able to do that effectively (i.e. blocking devices based on vendor and product ID) and b) a targeted attack can easily work around these.
You also cause yourself headaches with device control that should not be underestimated. We've just been through this process for a customer, and it took days to find a tight policy that doesn't lock down the entire system (due to the way Windows loads its device drivers, if you block an essential device, your system is toast).
An awareness approach is most likely the one with the highest contribution to resistance, but it will also have holes (guests and visitors, contractors, etc.)
For your most valuable devices, I would seriously consider gluing known-good devices to the system, at least so much that any tampering will be visible. Also lock unused USB ports (there are USB locks).
Consider USB locks also for notebooks of critical personnel.
Update your training and HR policies to tell users not to plug things into the USB ports on their computers.
Anyone caught plugging something into their computer not on the official list gets a written warning with HR.
Buy a NinjaUSB yourself, write a payload that just sends an email, then leave the cable out and see if anyone bites. If they do, make sure you use it as a teachable moment.
Write a Windows group policy to disallow USB devices such as BadUSB/NinjaUSB from registering when plugged in. Unfortunately blocking USB devices is a blacklist and not a whitelist approach. http://technet.microsoft.com/en-us/library/cc731387.aspx
EDIT: This site contains a list of known USB devices. You could write a script to block all those devices. https://usb-ids.gowdy.us/read/UC/. While it's not exhaustive, even a partial block list will prevent the unsophisticated attacker who purchases off the shelf hardware.
- "BadUSB" is not a device, it is a (frankly overhyped) class of attacks. There is no way to block it specifically short of completely blocking new USB devices, or at least blocking USB devices that identify as an HID. – forest Oct 06 '18 at 04:18
- Correct, what I'm suggesting is using a script to create a blacklist of known bad actors. There are lists of USB devices curated for this specific use https://usb-ids.gowdy.us/read/UC/. While it's not an exhaustive list, and a custom firmware could use a new ID, it prevents the lazy attacks from someone who purchases a NinjaUSB, RubberDuckie, or uses the available firmware flashers to create a HID device from a commercial USB running the Phison chipset. It's a similar approach to running a filter for bad URLs, good, but not perfect. – Daisetsu Oct 06 '18 at 14:21
- Most organizations have a standard supplier for their peripherals; they should only have a handful of keyboards and mice. It should be possible to enumerate all the legit HID and not include those in the block list. – Daisetsu Oct 06 '18 at 14:29
- @forest "There is no way to block it ..." Not true. You can have the screen lock when any keyboard is connected, like Penteract keyboard detector does. – User42 Dec 12 '18 at 18:45
- @User42 that's a mitigation, but I would still agree with Forest that there's no way to "block" it entirely. Some of these attacks include a delay after the drive is inserted before they start executing. A user would see their screen lock, and just log back in (unless they were really careful and noticed the lock happened exactly when the drive was plugged in). There's also other cases where the drive initially registers as a mass storage drive then later re-registers as a keyboard (users wouldn't assume it was the drive). – Daisetsu Dec 12 '18 at 18:52
- @Daisetsu I have the app (and I see it work every time I connect a mouse too). It shows you multiple messages. And it looks like if it would re-register it would lock again, though I didn't verify that. – User42 Dec 12 '18 at 19:18
- @User42 That might help with keyboards, but what if the device registers itself as some other HID, like a mouse or touchpad? What if it registers itself as a non-keyboard HID that installs a driver which gives it keyboard-like behavior? [What if it registers itself as a network interface](https://samy.pl/poisontap/)? – forest Dec 13 '18 at 00:34
- @forest As I said it blocks mice too. And it disables network adapters as well. But even if it couldn't, an application _could_ do that. – User42 Dec 13 '18 at 15:29
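As an added example (not code from either answer, and nothing on this page gives the real vendor/product IDs of USBNinja or similar tools), here is a Python script for the "write a script to block all those devices" step of the second answer. It reads a block list in the usb.ids format that the linked gowdy.us site uses, drops the organisation's standard keyboards and mice as the comment about enumerating legitimate HIDs suggests, and emits a .reg file that sets the registry values behind the Group Policy setting "Prevent installation of devices that match any of these device IDs" (HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions). The BLOCK_LIST and ALLOW_LIST below are constructed placeholders with made-up IDs; `would_block` is a hypothetical helper added to show the caveat from the comments, that a device reprogrammed to report an ID not on the list passes straight through.

```python
"""Turn a usb.ids-style block list into a Windows device-installation deny list.

Assumptions (this is example code, not the page's own):
  - BLOCK_LIST / ALLOW_LIST are constructed samples in usb.ids format
    (vendor lines "<hex4>  <name>", device lines "\t<hex4>  <name>",
    "#" comments); their IDs are placeholders, not real attack-tool IDs.
  - Output targets the GPO "Prevent installation of devices that match
    any of these device IDs"; DenyDeviceIDsRetroactive also removes
    matching devices that are already installed.
"""
import re

VENDOR_RE = re.compile(r"^([0-9a-fA-F]{4})\s+(.*)$")
DEVICE_RE = re.compile(r"^\t([0-9a-fA-F]{4})\s+(.*)$")

# Constructed sample data; the IDs are placeholders.
BLOCK_LIST = """\
# constructed block list in usb.ids format
dead  Example Attack Tool Vendor
\tbeef  Keystroke-injection cable (placeholder)
\tb0b0  Keystroke-injection drive (placeholder)
c0de  Example Keyboard Maker
\t0001  Standard keyboard (placeholder)
"""

ALLOW_LIST = """\
# the organisation's standard peripherals (constructed)
c0de  Example Keyboard Maker
\t0001  Standard keyboard (placeholder)
"""


def parse_usb_ids(text):
    """Return {(VID, PID): description} for every device line in usb.ids text.

    Vendor lines only set the current vendor; a vendor with no device lines
    contributes nothing, because Windows matches on VID&PID hardware IDs.
    """
    entries = {}
    vid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = DEVICE_RE.match(line)
        if m and vid is not None:
            entries[(vid, m.group(1).upper())] = m.group(2).strip()
            continue
        m = VENDOR_RE.match(line)
        if m:
            vid = m.group(1).upper()
    return entries


def hardware_id(vid, pid):
    """Windows hardware ID form that the deny list is matched against."""
    return f"USB\\VID_{vid}&PID_{pid}"


def build_deny_list(block_text, allow_text):
    """Hardware IDs to deny: everything in the block list minus the allow list."""
    blocked = parse_usb_ids(block_text)
    allowed = set(parse_usb_ids(allow_text))
    return [hardware_id(v, p) for v, p in sorted(blocked) if (v, p) not in allowed]


def would_block(reported_hwid, deny_ids):
    """True if a device reporting this hardware ID would be denied.

    Windows compares IDs case-insensitively and also generates the form
    without the &REV_ suffix, so strip it before comparing.
    """
    base = reported_hwid.upper().split("&REV_")[0]
    return base in {d.upper() for d in deny_ids}


def to_reg(deny_ids):
    """Render the deny list as a .reg file (backslashes must be doubled)."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions]",
        '"DenyDeviceIDs"=dword:00000001',
        '"DenyDeviceIDsRetroactive"=dword:00000001',
        "",
        r"[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs]",
    ]
    for i, hid in enumerate(deny_ids, 1):
        lines.append(f'"{i}"="{hid.replace(chr(92), chr(92) * 2)}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    deny = build_deny_list(BLOCK_LIST, ALLOW_LIST)
    print(to_reg(deny))
    # A reflashed device with an ID that is not on the list is not caught:
    print(would_block("USB\\VID_DEAD&PID_FFFF", deny))
```

Import the generated .reg on a test machine (or set the same values through Group Policy) and plug in a device from the list to confirm it is refused; the `would_block` check on an unlisted ID makes the blacklist limitation from the comments concrete.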