Attack of the USB Killers: Coming to Your Clients’ Classrooms

What are USB Killers, and what does their existence say about the security behind your classroom/higher ed tech installations?

This article was originally published on Commercial Integrator on May 6, 2019

Last month, a former student of the College of St. Rose in New York pled guilty to destroying “66 computers as well as numerous monitors and digital podiums containing USB data ports owned by the College.” The damage was done using a “USB Killer” device that discharged high voltage pulses into the host device, physically damaging the host’s electrical system.

According to the court documents, the total losses due to the incident were 58,471 USD. A quick Google search shows that these “USB Killer” devices are readily available on websites like eBay for around 40 USD.

Details of the “digital podiums” were not released, but any AV integrator who has done work in higher education institutions could probably guess they were lecterns or teaching stations outfitted with room computers, portable laptop connections, confidence monitors, control touch panels, media switchers, and/or playback devices.

The “numerous monitors” in the court documents could have been simple computer monitors, or larger wall-mounted flat panel displays often used for small-group collaboration.

Motive? Doesn’t Matter

The motives of the attacker are unclear, and in the end, are essentially irrelevant. What is relevant is that the same thing could easily happen at another university, K-12 school, company, or house of worship.

Security experts have shown that USB drives and cables can be built to perform HID attacks, launch command shells, download malicious payloads, and/or modify the DNS settings to redirect traffic.

But more importantly, any USB memory device (a.k.a. USB stick or thumb-drive) could contain files that are infected with malware.

One penetration tester that I spoke to said he often drops off a handful of infected USB drives at hospitals and medical buildings.

The USB drives appear to be harmless freebies, and eventually an employee uses one, opens the file, and the test payload is delivered.

He said that the USB drive attack vector is not as effective as email phishing campaigns, but it is still part of his testing.

When I first shared the College of St. Rose story, many #AVTweeps commented that little could be done:

“It’s hard to protect against physical attacks. If you do block the USB port or somehow protect it from electrical discharge, the attacker could smash it with a hammer.” – Leonard C. Suskin (@Czhorat)

“Without an option to disable the port completely for both data and power transfer, there is little anyone could do in this instance. With physical access, all bets are off…” – Kevin (@kevin_maltby)

What Can Be Done About USB Killers

I agree that if someone is truly intent on causing damage, they will find a way, but I think there are still some things that can be done to minimize the impact and likelihood of a USB-based attack.

First, make sure that all members of your organization have signed a computer usage policy, and formally agree to not destroy computer hardware.

Next, consider housing all computers remotely in locked data closets, and always lock classroom podiums and AV credenzas to minimize access.

Use card-keys or biometric scanners to allow limited access to server rooms, and add IP cameras to these rooms so you can prove who actually did the deed. This is called attribution, and is often a challenge in cybersecurity.

USB attacks should also be outlined in your cyber-awareness training, so that everyone knows to not use random USB drives or charging cables they find.

Last but not least, you should have an incident response plan that anticipates USB attacks, and communicate that plan, so everyone knows what to do in case of a “USB Killer” attack. It may seem unlikely, but it’s certainly possible, and it is best to be prepared for it.
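A detection-side complement to the measures above, as an added example that is not from the article: a small Python script that folds Linux-style kernel USB messages from a podium PC into per-device records and flags anything not on the integrator’s inventory, treating a “storage” device that also registers a keyboard as the strongest indicator of the HID-attack drives and cables mentioned earlier. The log lines, vendor/product ids and allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of Linux kernel USB messages from a podium PC;
# the vendor/product ids are made-up placeholders, not real device ids.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=1111, idProduct=0002, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: New USB device found, idVendor=2222, idProduct=0003, bcdDevice= 1.00
usb-storage 1-2:1.0: USB Mass Storage device detected
hid-generic 0003:2222:0003.0002: input,hidraw1: USB HID v1.11 Keyboard [Flash Drive] on usb-0000:00:14.0-2/input0
usb 1-3: New USB device found, idVendor=aaaa, idProduct=0001, bcdDevice= 1.00
hid-generic 0003:AAAA:0001.0003: input,hidraw2: USB HID v1.10 Keyboard [Podium Keyboard] on usb-0000:00:14.0-3/input0
"""

# Inventoried podium peripherals as vid:pid (assumed: the room's installed keyboard).
PODIUM_ALLOWLIST = {"aaaa:0001"}

NEW_DEV = re.compile(r"^usb ([0-9.-]+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
STORAGE = re.compile(r"^usb-storage ([0-9.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_KBD = re.compile(r"^hid-generic 0003:([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})\.\d+: .*Keyboard")

@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    storage: bool = False
    keyboard: bool = False

def parse_usb_log(text: str) -> list:
    """Fold kernel USB messages into one record per attached device, keyed by port."""
    devices = {}
    for line in text.splitlines():
        if m := NEW_DEV.match(line):
            devices[m[1]] = UsbDevice(m[1], m[2].lower(), m[3].lower())
        elif (m := STORAGE.match(line)) and m[1] in devices:
            devices[m[1]].storage = True
        elif m := HID_KBD.match(line):
            # hid-generic reports vid:pid rather than the port, so match on the ids.
            for d in devices.values():
                if (d.vid, d.pid) == (m[1].lower(), m[2].lower()):
                    d.keyboard = True
    return list(devices.values())

def assess(devices: list, allowed: set) -> list:
    """Return (severity, port, message) for each device that is not inventoried."""
    findings = []
    for d in devices:
        ident = f"{d.vid}:{d.pid}"
        if ident in allowed:
            continue
        if d.storage and d.keyboard:
            findings.append(("critical", d.port, f"{ident}: storage device also registers as a keyboard"))
        elif d.keyboard:
            findings.append(("warning", d.port, f"{ident}: unexpected keyboard attached"))
        elif d.storage:
            findings.append(("info", d.port, f"{ident}: unapproved removable storage attached"))
    return findings
```

Feeding real `dmesg` or journal output through `parse_usb_log` and `assess` on a schedule, with the allowlist taken from the room’s as-built equipment list, turns the awareness-training rule (“no random USB drives”) into something the AV or IT team can actually see and attribute to a room and a time.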



Know Your Audience, #AVtweeps

Photo of the Brooklyn Bridge by Paul Konikowski

I shared this joke earlier today on Twitter, during an #AVinTheAM online chat:

“An Architect, an IT Director, and an AV Professional walk into a bar…

[The AV Professional could be a consultant, integrator, or manufacturer]

The Architect orders a Vodka Sour, the IT Director orders a Rum and Coke,

The AV Professional says they need to standardize their user experiences,

orders three Long Island Ice Teas, and then asks, ‘who’s paying for these?'”

I hope I don’t offend any architects or IT people with my humor; the joke is really on the AV professional. He or she may think they are making both the Architect and the IT Director happy by incorporating both their drink ideas into the triple order of Long Islands. There are many roads this joke could lead us down, but today we will talk about knowing your audience when meeting about an AV project.

In practice, meetings with architecture firms, IT departments, music ministry leaders, fitness instructors, technical directors, general contractors, or higher education universities, have some similarities, but each group has their own priorities and lingo.

Dropping lofty buzzwords like “user experience” and “agile workspaces” may not be as effective as using the words that they use; ask about their typical meetings, classes, rehearsals, or services. You are basically asking them about the current user experience, but in their words. Ask them which meeting spaces are the most popular, and why.

Discuss any trends you are seeing in flexible work or education environments. Ask them if they have any divide/combine spaces, but instead, use the term “airwalls”. How often do these rooms get combined or separated? How do the systems work when combined or separated? And how well do they work for the typical room usage?

If you are discussing a church, house of worship, or auditorium, say “sound board” when asking them about the FOH (Front of House) mixing position. See what I did there?

If a client or work contact uses an acronym you don’t recognize, don’t be afraid to ask them what it means, to them. Don’t assume they know your acronyms either. You might say OMP meaning Operations & Maintenance Plan, and they may instead hear:

Office Managing Partner

Occupational Maternity Pay

Open Market Purchase

or a dozen other meanings for the acronym OMP.

And if your audience includes Millennials, they may think, for a second, that you meant

One Moment Please

because that is how OMP is used in SMS messaging and other text chat platforms! So don’t be afraid to spell out your acronyms and ask them about theirs. Some companies have so many acronyms that they develop a glossary page for them. Ask for a copy!

The other thing to ask about early on is timeline. Architects and consultants will use acronyms like SD, DD, and CD to describe the Schematic Design, Design Development, and Construction Document phases of their drawing sets. Owners and end-users are more concerned with the commissioning and occupancy. Each has its own deadline.

What if you are going to a meeting with an architect, owner’s rep, IT department head, furniture vendor, plus various engineers from other trades? Who are the others in the room? How do you know your audience if you have never met any of them?

Do your homework. Start with the meeting planner, and then the other people invited, looking up each one on LinkedIn or Google. Look at their current job descriptions, but also at their work history and where they went to school; what did they study? Read their most recent posts, and ask yourself what drives them. Whenever possible, ask your coworkers if they have ever worked with the other people invited to the meeting.

When the meeting starts, try to quietly jot down the names of any “special guests” you may not have anticipated, and then look them up on LinkedIn or Google afterwards. Ask for business cards from anyone who has one, especially any electrical engineers. You need to keep your coordination within proper channels, by communicating through the client, the architect or project manager, but you can address them by name in your correspondence: “Following up on the question raised by XYZ…”

Circling back to the joke I made about the architect, IT director, and the AV professional: all are highly technical people, but with different strengths. The IT Director may be able to talk at length about bandwidth, IP addresses, firewalls, and cyber-security, while the architect may be more concerned with determining the electrical and backing needs, and the BTU load of the AV racks, so they can coordinate with their HVAC and MEP engineers. Furniture vendors need to know what holes to provide in the tables for microphones and table boxes. They all love dimensions! Coordinate using AutoCAD or Revit, or mark up PDFs using Bluebeam or similar.

By determining your audience in advance (or during a meeting, or sometimes after) you can tailor your communique and deliverable to each, making each one happy. You might also find yourself being a bridge between different people involved in a project. By speaking their own dialects, you can connect them like the boroughs of Manhattan.

And maybe Long Island :)



Music Media Matters

Girl Inside California Roots Volume 1

Last week, I dropped $30 on a vinyl record, which was probably the most I have ever paid for an album, without adjusting for inflation. Usually, my vinyl records come from garage sales or thrift stores, and much of my collection came from my Dad and friends. I’m not an avid record store guy like John Cusack’s customers in High Fidelity. In fact, I can probably count all the records I got “new” on one hand. So why did I buy this particular album for $30?

I was attending a concert in Sonoma county, and the $30 record was for sale in a merchandise booth. When I first heard the price, I hesitated. But then I thought about it: this was a compilation album, featuring songs from twelve reggae bands that had recently performed at the 2017 California Roots Music and Arts Festival at the Monterey County Fairgrounds, the same location as the famous Monterey International Pop Music Festival in 1967.

According to the back cover, all profits from the album sales will be donated to the Guitars Not Guns Music Program. “Using music as a catalyst, GNG encourages children and teens to use their creativity to foster personal development and to help divert them from the destructive influences of drugs, alcohol, and gang-related violence”. When I read that, the $30 price tag didn’t seem too steep; I considered it a donation to a good cause.

CA Roots Volume 1 inside cover

I also consider the album a souvenir that will forever hold memories of that concert. The bands I saw at the concert were not on the album, but there is still a connection between the live music I heard, the people I hung out with, and this vinyl record. If I didn’t buy it that night, would I get another chance? Would I have purchased the album if it were on CD or Spotify? Probably not. Why not? Of course, I could argue that the sound quality of a CD or digital track is not the same as the warmth of an analog record, which is true; but I will leave that blog post for the audiophiles.

I listen to records when I am relaxing at home, which is also the only place I can listen to them. When I have friends over (which is basically never, but let’s pretend I have friends for the sake of this blog post), I encourage them to pick out some albums to listen to while we catch up on life (and talk about other imaginary friends.) I sometimes hunt for a particular record in my collection, but more often, I randomly grab a few and put them on. And I usually listen to the entire album, or at least one side, all the way through. I respect the time the artist put into recording the album, and the order of the songs.

Most Millennials don’t get the concept of an album. They like their music to be on-demand, as they grew up with the ability to listen to any song with a click or two. They never had to rewind or fast forward a cassette tape, or heaven forbid, wait for an 8-track to repeat. To give them some credit, they certainly understand the value of a good playlist, but they don’t understand how Generation Xers spent hours making the perfect mix tape; how some DJs would sort their records by BPM (beats per minute) in preparation for a club set; or how alternative rock Compact Discs would often have a “hidden track” that would start 20 or 30 seconds after the last official track. I remember Ministry’s “Psalm 69” CD had a song hidden on track 69; I remember watching the track number go up each second, in silence, until the final track finally played! You think Spotify would allow a band to have 50 or 60 blank tracks, each one second long, before the final hidden track? Imagine what that playlist would look like on a phone!

My point here is that when you listen to music, the media matters. When I say media, I don’t mean the news or social media networks, I mean the plural of medium, whether it be a vinyl record, cassette tape, compact disc, MP3, satellite, or regular radio. How you listen to your music will affect what music you listen to. Let me give you a few examples of what I mean, using my own music collection, and how I listen to it:

When I listen to my LPs, I typically listen to classic rock, jazz, big band, show tunes, and classical music. I have a few exceptions, like EDM records I landed at the Winter Music Conferences in Miami, and a handful of new albums I have been given as gifts from friends. But most of the time, the records I put on are from the 1950s, 60s, and 70s.

When I listen to my cassettes, and I have a lot of them, it tends to be mostly 80’s music. Many of these I purchased at full price when I was younger. Some were from BMG memberships, some were hand-me-downs from older siblings, and some are live “bootlegs” of jam bands. I also have a lot of greatest hits compilations, and a lot of those Time Life compilations on cassette. Contemporary Country, anyone? I got the Time Life tapes free from a neighbor who put them on the curb when I lived in Fairfax, CA. Many of the tape series are “brand new”, and still in the original packaging. Score!

Timelife contemporary country cassettes

If I am driving around the Bay, I tend to listen to local radio stations. I especially like Oakland’s old-school rap, hip-hop and hyphy. When I am in wine country, I hear a lot of Joni Mitchell and the Grateful Dead. If I am back in Connecticut visiting family and friends, I listen to the local radio stations there, where I can count on hearing some Rush, AC/DC, Staind, Metallica, and Ska music. The commercials on the radio are annoying, but they give me a reason to change the channel and find another station, often with a different kind of music. I love the Sunday radio shows, not the Top 40, but the special jazz, gospel, bluegrass, and live music programs on independent radio stations.

If I am listening to my CD’s, it tends to be 90’s music, but there are plenty of other decades represented. I have done a lot of road trips, and my CD collection is a good way to pass the time while I am driving cross-country. Other times, I will hear an old song on the radio while I am driving, and when I get home, I will dig out the CD to hear the rest of the album. I also listen to my CD’s when I am cleaning.

I have a lot of MP3 files, but I only listen to them when I am working on my computer, and more often, I use Spotify to look up newer bands. Social media gives me the ability to listen to what my online friends are listening to. I can also find new music on apps like Pandora: after I have searched for a particular band, the algorithm figures out the characteristics of music I enjoy, and gives me similar songs from artists I might like.

Spotify home page

The downside to this feature is that I don’t usually hear entire albums; instead I hear the big radio hits, or the songs that are the most popular downloads. This is very different from listening to a record, CD, or cassette tape all the way through. If you listen to satellite radio like Sirius/XM, you almost never hear the deeper cuts from the albums, new or old.

Nowadays, people can purchase one song at a time, which is kind of like buying a 45 rpm record, or a “cassingle”, which was a cassette in a cardboard sleeve featuring one song that was on the radio; but those still had B-sides: deeper album cuts, live, or alternative versions of the songs. This was a way for the artist and/or record label to get you to listen to a song you might not hear on the radio. Sometimes, the B-side turned out to be better than the A-side. I remember buying Guns N’ Roses’ “Patience” on cassette single and first listening to the B-side “Rocket Queen”, which was never a radio hit, but it is a sick song. I’m going to put it on right now! Yes, I still have all of my cassingles; unfortunately, most of them are pretty beat.

Guns N Roses Patience Rocket Queen

Which brings us back to digital music. Today’s younger generation does not have to worry about tapes breaking, or record needles wearing out. They don’t need to worry about scratching a CD, or their hard drive crashing. Their music is usually stored in the cloud, with some songs stored locally on their phone or tablet. Live concerts can be streamed on-demand on your TV using set-top boxes. Just about any song can be found with a quick search on YouTube, just watch this short video advertisement first.

Instead of buying albums, Millennials pay for monthly subscriptions that give them unlimited access to literally thousands of albums. People are happy paying monthly fees to listen to what they want, when they want, while avoiding the repeating commercials common on traditional terrestrial radio. Others choose to listen to streaming “stations” that are based on their favorite bands or music genres. This gives them some access to new music, but the bands are still limited, and often chosen by big record labels.

Music is now a service, and people are lazy, so the convenience factor of streaming music is actually affecting what we listen to. If you flip through your old CDs, you will likely choose a different album than you would on Spotify or iTunes. If you listen to a record or cassette, you will likely listen to an entire side, and if you are not too busy, or lazy, you might actually flip it over and hear the B-side.

I encourage my readers to be more mindful of the media that stores their favorite music, and the devices that deliver the music to their ears. Break out your old CD collection, or flip through your parents’ records, and let the album covers bring back memories and guide your choices. Listen to entire albums, top to bottom. Buy a random CD at a truck stop, or from a local band, even if it is risky because you don’t know most of the songs. Don’t be lame when it comes to music media. Take some risks!

In closing, I would like to get back to that California Roots, Volume 1 record that I purchased last week. When I took it out of the sleeve for the first time, I realized another reason they were charging 30 dollars for it: the vinyl is thick, and decorated with a psychedelic pattern that makes it unique, and memorable, just like the concert I attended. A digital download or YouTube video would never hold those memories like this physical record does. The tracks are great, and the bass from the analog media sounds awesome in my living room. $30 well spent.

California Roots Volume 1
