Although it has been a while since I posted anything about USB security, I have not stopped obsessing about it. Almost a year ago, when the world’s biggest health crisis was the voluntary inhalation of vaporized nicotine, I spoke about how easy it was to use USB devices as attack vectors. There was a small moment during that presentation when I talked about the scope of the USB vector. I mentioned it almost offhandedly, but it has been nagging at me ever since. What I said was, “every USB interface can be home to a whole network of devices, all communicating in a way that is eerily similar to Ethernet.
And because almost everything out there today has at least one if not many USB interfaces on it, the USB protocol essentially extends every one of our networks into something exponentially bigger.” I probably did not say it that eloquently, but the point was that USB devices and hosts communicate over a network (the “bus” of universal serial bus), and that in turn is connected to every other network.
Now vaping has taken back seat to a global pandemic that has everyone doing everything possible remotely. . .and I keep thinking about what this means for the threat landscape, and specifically for USB threats. So while I felt pretty smart back at RSA Conference, it is time to go back to school—on the bus? Get it? Things have changed a lot in just one year.
And, as the security industry has continued to evolve at its typical lightning speed, I have been thinking back to that offhand comment about USB being a network, and how that network could potentially interact with other networks. My worry is that everything out there in the world today is connected, and everything out there in the world today has USB. Because a single USB host can connect to dozens of logical interfaces, and each of those can have multiple end points, there could be any number of things on our networks that we do not really know about. It is like every traditional network node is carrying another tiny network around with it.
If there was an easy way for an attacker to move freely between the Ethernet network and the USB bus, it would mean there is a new softer, less secure “edge network” coupled to our infrastructure that we are not even paying any attention to. It is a daunting theory, and unfortunately one that in the past year has become a reality. Sure, it was always technically possible, but over the past year it has become not only real but really easy. At DEF CON 2019, there were two new wireless USB platforms available for purchase (that I am aware of), and at least one more platform was introduced in one of the demo sessions. USB attacks are becoming more interactive, and they are starting to blur that line between a network threat and a local, physical one.
To show just how easy it can be, I wrote this article in notepad remotely, by sending commands over a network to an O.MG cable —a clever and powerful pen-testing tool that hides a tiny server inside a USB cable. That cable was connected to my laptop (as a human interface device, or HID), but also to Wi-Fi. It is a silly example, but one that easily proves that you can remotely influence computers via locally attached USB devices. What can we do about it? Well, we can and should continue to experiment and learn.
To that end, we have been planning on hosting a USB threat challenge later this summer (although that may need to be virtual now, or postponed) to see how clever the hacking community can get. My personal hope is to see just how far we can push the boundaries using USB as a vector. Armed with that knowledge, we can find new and better ways to cope with this rapidly developing threat vector. 
Automation 2020: Vol. II Industrial Cybersecurity
| Automation 2020 ebooks (pdfs) from Automation.com focus on the fundamentals of essential automation components. This May 2020 edition covers industrial cybersecurity. View other articles in the issue .
