Tales of the unexpected: mitigating the left field security risk

Davey Winder

When looking at the malware attack surface we tend to spend most of our time focused on the common threat vectors: browser exploits, social engineering and phishing, infected email attachments and remote code execution. This is understandable, as that is where the vast majority of malware comes from; but not all of it. Every now and then a threat emerges from left field and takes us, and our defence mechanisms, by surprise. But are these attacks really that hard to mitigate?

Eight years ago I broke the story of how some brand new TomTom GO 910 satnav units were shipping with two resident Trojans straight out of the box. Luckily for the chap who alerted me to the problem, the computer he had connected the device to had up-to-date antivirus installed, which immediately caught the two known Trojans being installed from the satnav. The irony, according to industry insiders at the time, was that the malware had most likely been introduced by an infected computer during the manufacturer's QA process.

The rules of left-field threats

This serves to reinforce left-field threat rule number one: just because it's new doesn't mean you shouldn't scan it. The dangers of buying second-user kit are well known and well documented, but we tend to let our guard down when dealing with items still in the box; and that's a big mistake.

The TomTom example also introduces us to left-field threat rule number two: if it plugs into your network, or into anything that is on your network, then it's a potential threat, whatever it may be.

The infected satnav, for example, was a standalone device intended for use in a car and so, erroneously, was not considered a threat to networks and data. But to set it up and get map updates (at the time) it had to be connected to a Windows PC, and that was the threat vector: the malware could jump from standalone satnav to Windows PC to any network that PC was connected to. A more recent, and even more unbelievable, example of this kind of unexpected device danger can be found in the tale of a CEO whose laptop got infected, where it was only the sideways logic of the IT guy that got to the bottom of it. "Have you made any changes to your life recently?" he asked, and discovered the executive had quit smoking and started 'vaping' a week or two before. On investigation, his cheap Chinese e-cigarette was found to have malware hard-coded into its USB charger, which was transferred to the PC when it was plugged in.

If you think that sounds apocryphal you could well be right, but don't make the mistake of thinking that USB devices carrying malware in their firmware do not exist. There are plenty of well-documented cases of what has become known as BadUSB: reprogramming the controller chip of an otherwise innocuous USB device so that the device itself becomes the threat. The malicious firmware is not a file on the drive, so reformatting the drive does not remove it, and the device can present itself to the host as anything the USB standard allows. Proof-of-concept demonstrations at hacking conferences have shown BadUSB devices, thumb drives included, emulating keyboards to type commands into the host, infecting the controller chips of other connected USB devices, posing as network adapters to push spoofed DNS settings and redirect traffic, and loading malware from the device before the operating system starts up.

Mitigating left-field threats

Mitigation is problematic because malware scanners cannot read the firmware on the device itself, and a device that is emulating a keyboard never hands the host a file to scan: it types. What the scanner can still catch is the payload, as soon as an executable is dropped or an install is attempted on the host. Practically speaking, for now at least, the best mitigation remains a simple trust model: don't allow USB devices from untrusted sources to connect to your systems, and treat a trusted device that has been connected to an untrusted computer as untrusted from then on. The operating system can enforce that model rather than leaving it to a policy document: refuse to authorize new USB devices by default, allow-list the known ones, and record which interfaces each device presented when it was enrolled, so that a 'thumb drive' which suddenly also claims to be a keyboard or a network adapter is refused. In the future, perhaps we need to insist that all vendor-supplied USB devices ship with digitally signed controller firmware that the controller verifies before running it, so that no unauthorized modification can be made, and ensure USB usage policy reflects that vendor-specific requirement. (FIPS 140-2 Level 3 is a certification for cryptographic modules, not a firmware-signing scheme, so it is signed and verified firmware, rather than the FIPS label, that would actually help here.)
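As an added example (not code from the article), here is the 'simple trust model' above, together with the BadUSB indicator from the previous section, expressed as code: an allow-list of enrolled USB devices, a check that an enrolled device still presents only the interface classes it had when it was enrolled, and the Linux udev rules that enforce the allow-list. The vendor and product IDs, serial numbers and device records are constructed for the example.

```python
# Added example: default-deny USB allow-list plus an interface-shape check.
# Not from the article; the device records and IDs below are constructed.
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# USB interface class codes (USB-IF class code list).
CLASS_CDC_CONTROL = 0x02   # CDC control: serial and network adapters
CLASS_HID = 0x03           # keyboard/mouse: the keystroke-injection channel
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A      # CDC data: network adapter data path
CLASS_WIRELESS = 0xE0      # RNDIS network adapters advertise this class
NETWORK_CLASSES = frozenset({CLASS_CDC_CONTROL, CLASS_CDC_DATA, CLASS_WIRELESS})


@dataclass(frozen=True)
class UsbDevice:
    """What the host sees when a device enumerates."""
    vid: int
    pid: int
    serial: str
    interface_classes: Tuple[int, ...]   # bInterfaceClass of each interface


@dataclass(frozen=True)
class TrustedDevice:
    """An enrolled device and the interface classes it had at enrolment."""
    vid: int
    pid: int
    serial: str
    expected_classes: FrozenSet[int]


@dataclass
class Verdict:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(device: UsbDevice, allowlist: List[TrustedDevice]) -> Verdict:
    """Default deny. An enrolled device is allowed only while it presents no
    interface class beyond those recorded at enrolment; anything extra is
    treated as a BadUSB indicator and the device is blocked."""
    key = (device.vid, device.pid, device.serial)
    entry = next((t for t in allowlist if (t.vid, t.pid, t.serial) == key), None)
    if entry is None:
        return Verdict(False, ["device %04x:%04x serial %s is not enrolled"
                               % (device.vid, device.pid, device.serial)])

    extra = set(device.interface_classes) - entry.expected_classes
    if not extra:
        return Verdict(True, ["enrolled device, interfaces match enrolment"])

    reasons = ["unexpected interface classes: %s"
               % ", ".join("0x%02x" % c for c in sorted(extra))]
    if CLASS_HID in extra:
        reasons.append("HID interface on a device enrolled without one: "
                       "keystroke injection (BadUSB keyboard emulation)")
    if extra & NETWORK_CLASSES:
        reasons.append("network interface on a device enrolled without one: "
                       "rogue adapter could push DNS settings and redirect traffic")
    return Verdict(False, reasons)


def udev_rules(allowlist: List[TrustedDevice]) -> str:
    """Render the allow-list as Linux udev rules that set the per-device
    'authorized' sysfs attribute. Pair them with authorized_default=0 on each
    root hub (/sys/bus/usb/devices/usb*/authorized_default) so that devices
    not listed here are never authorized in the first place."""
    lines = []
    for t in allowlist:
        lines.append('SUBSYSTEM=="usb", ATTR{idVendor}=="%04x", '
                     'ATTR{idProduct}=="%04x", ATTR{serial}=="%s", '
                     'ATTR{authorized}="1"' % (t.vid, t.pid, t.serial))
    return "\n".join(lines)


# Constructed sample data: one enrolled thumb drive (IDs and serial are made up).
ALLOWLIST = [
    TrustedDevice(0x0781, 0x5583, "4C530001", frozenset({CLASS_MASS_STORAGE})),
]

# The drive exactly as enrolled...
GOOD_DRIVE = UsbDevice(0x0781, 0x5583, "4C530001", (CLASS_MASS_STORAGE,))
# ...the same drive after its controller firmware was reprogrammed to add a keyboard...
BAD_DRIVE = UsbDevice(0x0781, 0x5583, "4C530001", (CLASS_MASS_STORAGE, CLASS_HID))
# ...the same drive also bringing up an RNDIS network adapter...
ROGUE_NIC = UsbDevice(0x0781, 0x5583, "4C530001", (CLASS_MASS_STORAGE, CLASS_WIRELESS))
# ...and a keyboard-only device that was never enrolled at all.
STRANGER = UsbDevice(0x1234, 0xABCD, "X1", (CLASS_HID,))

if __name__ == "__main__":
    for name, dev in [("good drive", GOOD_DRIVE), ("bad drive", BAD_DRIVE),
                      ("rogue nic", ROGUE_NIC), ("stranger", STRANGER)]:
        v = evaluate(dev, ALLOWLIST)
        print("%-10s %s  %s" % (name, "ALLOW" if v.allow else "BLOCK", "; ".join(v.reasons)))
    print(udev_rules(ALLOWLIST))
```

The caveat a practitioner should keep in mind: a reprogrammed controller can present any vendor ID, product ID and serial it likes, so the allow-list alone is only as strong as the attacker's ignorance of what you have enrolled. The interface check catches the common BadUSB shape, a known device that suddenly also claims to be a keyboard or network adapter, but a device cloned descriptor-for-descriptor will pass, which is why the trust model in the text (where the device has been, not just what it says it is) still matters.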

There were even warnings during the last soccer World Cup in Brazil of rogue AC/DC chargers being deployed in public places such as coffee shops and hotel lobbies, combining USB malware tactics with rogue Wi-Fi hotspots to steal data from the unwary traveller looking to charge a smartphone or laptop. The mitigation is obvious in theory but harder in practice: don't use 'free' charging points unless they are in trusted places like, erm, coffee shops and hotel lobbies. See what I mean about being harder in practice? If you must charge on the road, use your own mains adapter or a charge-only cable with no data lines, and never answer 'trust' to a prompt your phone raises when it has just been plugged into something you don't control.

To conclude: I was speaking to an IT consultant recently whose client was seeing lots of pop-up adverts on his own company website. A check quickly showed the site was not compromised, so it had to be the client's browser. A little prompting revealed that his Mac at home had been infected with adware that injected ads into the sites he visited. The infection route had been a Pirate Bay torrented audio track that 'required' an 'MP3 extraction utility' to be installed. On hearing this, the user declared: "But I thought Macs were safe." Not, unfortunately, from the most left-field threat of them all: the user.

The user as an attack vector opens up every possible angle, however unlikely, for the bad guys to get malware in. Mitigating against that is the hardest thing of all...