Attack of the USB Killers: Coming to Your Clients’ Classrooms

What are USB Killers, and what does their existence say about the security behind your classroom/higher ed tech installations?

This article was originally published on Commercial Integrator on May 6, 2019

Last month, a former student of the College of St. Rose in New York pled guilty to destroying “66 computers as well as numerous monitors and digital podiums containing USB data ports owned by the College.” The damage was done using a “USB Killer” device that discharged high voltage pulses into the host device, physically damaging the host’s electrical system.

According to the court documents, the total losses due to the incident were 58,471 USD. A quick Google search shows that these “USB Killer” devices are readily available on websites like eBay for around 40 USD.

Details of the “digital podiums” were not released, but any AV integrator who has done work in higher education institutions could probably guess they were lecterns or teaching stations outfitted with room computers, portable laptop connections, confidence monitors, control touch panels, media switchers, and/or playback devices.

The “numerous monitors” in the court documents could have been simple computer monitors, or larger wall-mounted flat panel displays often used for small-group collaboration.

Motive? Doesn’t Matter

The motives of the attacker are unclear, and in the end, are essentially irrelevant. What is relevant is that the same thing could easily happen at another university, K-12 school, company, or house of worship.

Security experts have shown that USB drives and cables can be built to perform HID attacks, launch command shells, download malicious payloads, and/or modify the DNS settings to redirect traffic.

But more importantly, any USB memory device (a.k.a. USB stick or thumb-drive) could contain files that are infected with malware.

One penetration tester that I spoke to said he often drops off a handful of infected USB drives at hospitals and medical buildings.

The USB drives appear to be harmless freebies, and eventually an employee uses one, opens the file, and the test payload is delivered.

He said that the USB drive attack vector is not as effective as email phishing campaigns, but it is still part of his testing.

When I first shared the College of St. Rose story, many #AVTweeps commented that little could be done:

“It’s hard to protect against physical attacks. If you do block the USB port or somehow protect it from electrical discharge, the attacker could smash it with a hammer.” – Leonard C. Suskin (@Czhorat)

“Without an option to disable the port completely for both data and power transfer, there is little anyone could do in this instance. With physical access, all bets are off…” – Kevin (@kevin_maltby)

What Can Be Done About USB Killers

I agree that if someone is truly intent on causing damage, they will find a way, but I think there are still some things that can be done to minimize the impact and likelihood of a USB-based attack.

First, make sure that all members of your organization have signed a computer usage policy, and formally agree to not destroy computer hardware.

Next, consider locating all computers remotely in locked data closets, and always lock classroom podiums and AV credenzas to minimize access.

Use card-keys or biometric scanners to allow limited access to server rooms, and add IP cameras to these rooms so you can prove who actually did the deed. This is called attribution, and is often a challenge in cybersecurity.

USB attacks should also be outlined in your cyber-awareness training, so that everyone knows to not use random USB drives or charging cables they find.

Last but not least, you should have an incident response plan that anticipates USB attacks, and communicate that plan, so everyone knows what to do in case of a “USB Killer” attack. It may seem unlikely, but it’s certainly possible, and it is best to be prepared for it.


Digital signs left wide open with default password

#SecureAV #digitalsignage

Infosec News Ireland

Security researcher Drew Green has pried open an internet-connected digital signage system thanks to a default admin web interface password: an easily changeable password that allowed him into the web interface, from where he stumbled onto a chain of vulnerabilities that could allow a malicious attacker to upload whatever unsavories they’d like to display on people’s signage screens.

On Friday, 90 days after Green says he disclosed the vulnerabilities to the digital signage system maker, he published the specifics.

He had pulled apart the signage system for a client during a full-scope penetration test, and this system happened to be on the network. He couldn’t find anything else to dig into, so Green sunk his hooks into the signage system, named Carousel, which comes from Tightrope Media Systems (TRMS) and which his client was running on a TRMS-supplied device that Green says is “essentially an x86 Windows 10 PC.”


The Ponds Are Stocked In AV Land

When I was younger, I participated in a few fishing derbies. I remember one particular derby where I caught nine trout in one day, see photos. The derby was sponsored by the local K-Mart, thus the hat. My dad and I were overwhelmed by the luck I was having! The pond at YMCA Camp Sloper had been stocked with fish the week prior. We asked around and quickly figured out that the best bait to use was corn, because the hatchery-bred fish had not yet learned to eat pond food; they liked corn.

I was not the only one who had luck that day. The kid who took the trophy for the most fish caught like 23. I also did not take the trophy for the largest fish; but I was still a happy camper, and went back the next day and caught a few more on my own. I tried my luck again that summer, in the same spot, but I did not catch anything. The corn stopped working, so I went and bought some expensive fishing tackle, which looked great in my tackle box, but nothing was as effective as the cheap corn was during that one spring day of the fishing derby.

“The difference is time” as they say. The climate changed: as the pond got warmer, the fish retreated to the cooler bottom. The young hatchlings that survived the fishing derby weekend had two options moving forward: they could adapt to their surroundings, and eat worms, bugs, and smaller fish in Sloper’s pond, or they could be eaten by bigger fish. I don’t think it was a conscious decision. Eventually, the pond life goes back to “normal”; there are fewer fish, and the ones who survived are larger and healthier.

Now, let’s reel this back into AV Land. I believe the ponds in AV Land are getting stocked this spring, largely due to the tax law changes. I think #AVtweeps are conscious of it; some are not making any decisions, while some are putting plans in place to deal with the upcoming volume. Notice I said volume, not revenue, or profits, or tax shelters.

Assuming your customers are C-corps, you should see, and hear, a gradual crescendo in spending in 2018, ending with the busiest holiday season anyone has ever experienced in all of AV Land. Older, problematic digital signal processing, microphones, and touch panels will be updated. Corporate customers will start spending more money on large ticket items like immersive rooms and video walls. Ping pong tables will compete for space with VR and AR gaming setups. The more start-up type smaller businesses will finally start to outfit their huddle rooms with new video collaboration systems.

K-12 schools and community colleges will see more donations to support classroom technology as well as gaming lounges and black-box theaters. Sounds great, right? But take warning, according to the AV Land Farmer’s Almanac (you see what I did there?)…

Your service center calls could become unmanageable as the new gear mingles with old. Bandwidth needs will spike as AV and IT converge, and go forth, and multiply, and higher resolution video traffic will bog down older switches. Fan noise will increase. Credenza rack switches will begin to overheat. Meanwhile, sales and design teams will design more and more networked AV. Programmers will ask for more IP addresses. Lead technicians are going to make extra money working overtime, making it all work.

So, how do you, the AV integration expert, plan to catch the MOST fish, AND the largest, without wasting a bunch of time, and money on equipment you don’t really need?

  1. Start with corn: Standardize on no more than a dozen pre-designed systems that you can sell quickly with confidence. Keep the prices down by keeping things very simple, but be sure to include an adequate materials budget and labor to cover the inevitable trips to Home Depot, Grainger, or Lowe’s. Give your AV installation crews credit cards or similar means to get small items ordered immediately. Get ‘er done.
  2. Bring plenty of worms: The big fish in the pond will want something more than corn. They will want large format displays that make viewers say “Wow”. They will also want to upgrade projection systems with newer laser light source models. Worms are a little trickier to put on the hook, but in the end, not complicated.
  3. Tackle your complicated designs using your most excellent people and engineering. Don’t let your best resources get bogged down with the “corn” projects. Figure out a way to free up their time so they can focus on the larger custom spaces and bring your client’s dreams to life. They are like the professional anglers on television.
  4. Give everyone the tools they need to complete the projects, but be careful not to fill your tackle box with a bunch of expensive lures like I did when I was little. Only buy the tools you need right now. Update your own conference rooms, but don’t overdo it. The same goes for hiring new people: look for the skills that you are going to need for your pipeline, and then hire the people who have those skill sets.
  5. Don’t mistake volume for market share. I thought I was going to win that derby.

The key to the next few years will be to anticipate the sales volume bump, and then scale appropriately by putting the right people and tools in place. By following the above suggestions (and never, ever asking me for fishing advice), AV integration firms should be able to realize the upcoming spike in revenue without being caught off-guard.

Fish on!
