Attack of the USB Killers: Coming to Your Clients’ Classrooms

What are USB Killers, and what does their existence say about the security behind your classroom/higher ed tech installations?

This article was originally published on Commercial Integrator on May 6, 2019.

Last month, a former student of the College of St. Rose in New York pled guilty to destroying “66 computers as well as numerous monitors and digital podiums containing USB data ports owned by the College.” The damage was done using a “USB Killer” device that discharged high voltage pulses into the host device, physically damaging the host’s electrical system.

According to the court documents, the total losses due to the incident were 58,471 USD. A quick Google search shows that these “USB Killer” devices are readily available on websites like eBay for around 40 USD.

Details of the “digital podiums” were not released, but any AV integrator who has done work in higher education institutions could probably guess they were lecterns or teaching stations outfitted with room computers, portable laptop connections, confidence monitors, control touch panels, media switchers, and/or playback devices.

The “numerous monitors” in the court documents could have been simple computer monitors, or larger wall-mounted flat panel displays often used for small-group collaboration.

Motive? Doesn’t Matter

The motives of the attacker are unclear, and in the end, are essentially irrelevant. What is relevant is that the same thing could easily happen at another university, K-12 school, company, or house of worship.

Security experts have shown that USB drives and cables can be built to perform HID attacks, launch command shells, download malicious payloads, and/or modify the DNS settings to redirect traffic.

But more importantly, any USB memory device (a.k.a. USB stick or thumb-drive) could contain files that are infected with malware.

One penetration tester that I spoke to said he often drops off a handful of infected USB drives at hospitals and medical buildings.

The USB drives appear to be harmless freebies, and eventually an employee uses one, opens the file, and the test payload is delivered.

He said that the USB drive attack vector is not as effective as email phishing campaigns, but it is still part of his testing.

When I first shared the College of St. Rose story, many #AVTweeps commented that little could be done:

“It’s hard to protect against physical attacks. If you do block the USB port or somehow protect it from electrical discharge, the attacker could smash it with a hammer.” – Leonard C. Suskin (@Czhorat)

“Without an option to disable the port completely for both data and power transfer, there is little anyone could do in this instance. With physical access, all bets are off…” – Kevin (@kevin_maltby)

What Can Be Done About USB Killers

I agree that if someone is truly intent on causing damage, they will find a way, but I think there are still some things that can be done to minimize the impact and likelihood of a USB-based attack.

First, make sure that all members of your organization have signed a computer usage policy, and formally agree to not destroy computer hardware.

Next, consider remoting all computers in locked data closets, and always lock classroom podiums and AV credenzas to minimize access.

Use card-keys or biometric scanners to allow limited access to server rooms, and add IP cameras to these rooms so you can prove who actually did the deed. This is called attribution, and is often a challenge in cybersecurity.

USB attacks should also be outlined in your cyber-awareness training, so that everyone knows to not use random USB drives or charging cables they find.

Last but not least, you should have an incident response plan that anticipates USB attacks, and communicate that plan, so everyone knows what to do in case of a “USB Killer” attack. It may seem unlikely, but it’s certainly possible, and it is best to be prepared for it.

If you enjoyed this article, you might like these related posts on PKaudiovisual:

Design Principles For Secure AV Systems

Identifying Cyber Attacks, Risks, Vulnerabilities in AV Installations

5 Steps to Better Cyber Risk Management

The Best Data Breach Incident Response Plans Require These Steps


Know Your Audience, #AVtweeps

Photo of the Brooklyn Bridge by Paul Konikowski

I shared this joke earlier today on Twitter, during an #AVinTheAM online chat:

“An Architect, an IT Director, and an AV Professional walk into a bar…

[The AV Professional could be a consultant, integrator, or manufacturer]

The Architect orders a Vodka Sour, the IT Director orders a Rum and Coke,

The AV Professional says they need to standardize their user experiences,

orders three Long Island Ice Teas, and then asks, ‘who’s paying for these?'”

I hope I don’t offend any architects or IT people with my humor; the joke is really on the AV professional. He or she may think they are making both the Architect and the IT Director happy by incorporating both their drink ideas into the triple order of Long Islands. There are many roads this joke could lead us down, but today we will talk about knowing your audience when meeting about an AV project.

In practice, meetings with architecture firms, IT departments, music ministry leaders, fitness instructors, technical directors, general contractors, or higher education universities, have some similarities, but each group has their own priorities and lingo.

Dropping lofty buzzwords like “user experience” and “agile workspaces” may not be as effective as using the words that they use; ask about their typical meetings, or classes, rehearsals, services. You are basically asking them about the current user experience, but in their words.  Ask them what meeting spaces are the most popular, and why.

Discuss any trends you are seeing in flexible work or education environments. Ask them if they have any divide/combine spaces, but instead, use the term “airwalls”. How often do these rooms get combined or separated? How do the systems work when combined or separated? And how well do they work for the typical room usage?

If you are discussing a church, house of worship, or auditorium, say “sound board” when asking them about the FOH (Front of House) mixing position. See what I did there?

If a client or work contact uses an acronym you don’t recognize, don’t be afraid to ask them what it means, to them. Don’t assume they know your acronyms either.  You might say OMP meaning Operations & Maintenance Plan, and they may instead hear:

Office Managing Partner

Occupational Maternity Pay

Open Market Purchase

or a dozen other meanings for the acronym OMP.

And if your audience includes Millennials, they may think, for a second, that you meant

One Moment Please

because that is how OMP is used in SMS messaging and other text chat platforms! So don’t be afraid to spell out your acronyms and ask them about theirs. Some companies have so many acronyms that they develop a glossary page for them. Ask for a copy!

The other thing to ask about early on is timeline.  Architects and consultants will use acronyms like SD, DD, and CD to describe the Schematic Design, Design Development, and Construction Document phases of their drawing sets. Owners and end-users are more concerned with the commissioning and occupancy. Each has its own deadline.

What if you are going to a meeting with an architect, owner’s rep, IT department head, furniture vendor, plus various engineers from other trades?  Who are the others in the room? How do you know your audience if you have never met any of them?

Do your homework. Start with the meeting planner, and then the other people invited, looking up each one on LinkedIn or Google.  Look at their current job descriptions, but also at their work history, where they went to school; what did they study?  Read their most recent posts, and ask yourself, what drives them? Whenever possible, ask your coworkers if they have ever worked with the other people invited to the meeting.

When the meeting starts, try to quietly jot down the names of any “special guests” you may not have anticipated, and then look them up on LinkedIn or Google afterwards. Ask for business cards for anyone who has one, especially any electrical engineers.  You need to keep your coordination within proper channels, by communicating through the client, the architect or project manager, but you can address them by name in your correspondence, “Following up on the question raised by XYZ…”

Circling back to the joke I made about the architect, IT director, and the AV professional: all are highly technical people, but with different strengths. The IT Director may be able to talk at length about bandwidth, IP addresses, firewalls, and cyber-security, while the architect may be more concerned with determining the electrical and backing needs, and the BTU load of the AV racks, so they can coordinate with their HVAC and MEP engineers.  Furniture vendors need to know what holes to provide in the tables for microphones and table boxes.  They all love dimensions!  Coordinate using AutoCAD or Revit, or mark up PDFs using Bluebeam or similar.

By determining your audience in advance (or during a meeting, or sometimes after) you can tailor your communique and deliverable to each, making each one happy. You might also find yourself being a bridge between different people involved in a project. By speaking their own dialects, you can connect them like the boroughs of Manhattan.

And maybe Long Island :)


If you enjoyed this post, you may also enjoy these other articles on PKaudiovisual.com:

Technology and Green Buildings

Your Conference Rooms Are So Trendy!

The Anatomy of an AV Integration Project

Resume of Paul Konikowski, CTS-D

Cybersecurity In Audiovisual Systems

You Should Consider Cybersecurity During All Phases Of An Audiovisual Installation

By Paul Konikowski, CTS-D

Earlier this month, the San Francisco Bay Area was graced with the presence of President Barack Obama, who was here to participate in a Cybersecurity Summit at Stanford University.  *Side note*, I am still unsure if it’s spelled as one word or two, cyber security, or with a dash, cyber-security, and the online jury seems to be rather undecided. So for the sake of brevity, I am sticking with the one-word-version, cybersecurity. *End side note*. At the aforementioned summit of cybersecurity experts, students, and information technology managers in Palo Alto, Mr. Obama signed an executive order encouraging the private sector to share cybersecurity threat information with other companies and the U.S. government.

Rising stock prices of cybersecurity software firms like Palo Alto Networks (PANW), FireEye (FEYE), and CyberArk (CYBR) have also reflected this increased level of awareness. Why? Because unlike guns or nuclear warfare, cyber hacking can happen right under our noses, for years and years, without anyone even noticing. Larger firms have realized that they need the best of the best to combat these criminals, and investors have taken notice of the growth potential of these new age software “heroes” who will do battle for a price, much like the Routiers, the early mercenary soldiers of the Middle Ages.

As audiovisual experts we also need to become IT cybersecurity experts, at least to some degree. At minimum, we have to know what risk we are adding to the network before, during, and after the AV installation. Here is a list of ways you can protect your audio, video, and control systems against theft and hackers, in no particular order:

  • Have a frank and honest discussion with the project team about cybersecurity. Find out who is in charge of the network, and who will need access to the systems.
  • Use motorized projection screens that are fitted into the ceilings to discourage theft.
  • Mount projectors using security boxes, or scissor lifts to hide them up inside the ceilings.
  • AV touch panels and camera controllers often have passwords, but are they updated?
  • Portable TVs and poorly mounted speakers are easy targets; don’t “tempt” thieves.
  • Ping all projectors and flat-panel television type displays once every minute. If the display does not respond, assume it is being stolen and automatically email security.
  • Interactive whiteboards, mice, and keyboards are generally trustworthy, but who is really checking that USB stick that automatically downloads this or that app to the laptops?
  • Don’t assume that the person in charge of your computer network is the best one to test the AV installation for bugs or security breach points. Hire an expert to test it.
  • Backup all files at least once a day to a secure offsite and/or cloud storage facility.
  • Microphones and tableboxes should be periodically checked for James Bond type “bugs” that can listen to private meetings. It’s not always the newest technology that you need to worry about!
  • Videochat and audio conferencing suites should never be left unlocked while not in use.
  • Make sure that end users know when a camera is on or when microphones are open.
  • Digital signage and way-finding kiosks are updated via website; use unique passwords.
  • Unfortunately, most AV equipment racks are made by just a few manufacturers, and each uses one or two different key codes in their door locks. Once you have a set of the common AV rack keys, you can open almost any locked AV equipment rack in the U.S.
  • “Security screws” can also limit the amateur thefts, but any real crook will have tools.
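
The once-a-minute ping check from the list above, sketched as an added example that is not part of the original article. The display names, the TEST-NET addresses, the SMTP settings passed to `run`, and the Linux `ping` flags are all assumptions; the alert fires once when a display stops answering rather than every minute, and a second notice is sent when it comes back.

```python
import smtplib
import subprocess
import time
from email.message import EmailMessage

# Constructed inventory: names and addresses are placeholders, not real devices.
DISPLAYS = {"Room 101 projector": "192.0.2.11", "Lobby flat panel": "192.0.2.12"}
MISSES_BEFORE_ALERT = 1   # the article alerts on the first miss; raise to cut false alarms


def ping_once(addr, timeout_s=2):
    """True if addr answers one ICMP echo (assumes Linux iputils ping flags)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), addr]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def sweep(displays, misses, probe=ping_once, threshold=MISSES_BEFORE_ALERT):
    """Probe each display once; return (name, event) pairs worth emailing.
    misses (name -> consecutive failures) is updated in place between sweeps."""
    events = []
    for name, addr in displays.items():
        if probe(addr):
            if misses.get(name, 0) >= threshold:     # it had been reported missing
                events.append((name, "RESPONDING AGAIN"))
            misses[name] = 0
        else:
            misses[name] = misses.get(name, 0) + 1
            if misses[name] == threshold:            # alert once, not every minute
                events.append((name, "NOT RESPONDING"))
    return events


def build_alert(name, addr, event, sender, recipient):
    msg = EmailMessage()
    msg["Subject"] = f"[AV watchdog] {name} ({addr}) {event}"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content(f"{name} at {addr}: {event} as of {time.ctime()}. "
                    "Check the room: possible theft, power loss or network fault.")
    return msg


def run(smtp_host, sender, recipient, interval_s=60):
    misses = {}
    while True:
        for name, event in sweep(DISPLAYS, misses):
            alert = build_alert(name, DISPLAYS[name], event, sender, recipient)
            with smtplib.SMTP(smtp_host) as smtp:
                smtp.send_message(alert)
        time.sleep(interval_s)
```
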

These are just a portion of the areas that the AV Design Engineer and Project Manager need to address during a project. The real problems are the bugs and “holes” that are accidentally left in a program, that nobody catches, mainly because, no one is looking for them. That is why it is critical that today’s AV integration firms hire a well-trained, experienced QA (quality assurance) department who will double-check the engineer’s design, the programmer’s code, and the completed installation.

We all make mistakes; it’s human nature. And even when we don’t make mistakes, we certainly overlook things that others might catch. Having someone else check your AV design, bug test your code, or evaluate your network or website for cybersecurity threats will always uncover more than checking it yourself.  If you are not putting up “constant vigilance” against the hackers, and paying an expert to test your systems, then you are just living in denial, thinking that your systems are working properly and secure. If these hackers can break into insurance companies and Target, you have to assume that they are trying to hack into your systems as well (or that they already have!).
