USB Attack Taxonomy

From Embedded Lab Vienna for IoT & Security

Introduction

Since the introduction of USB in 1995[1], attackers have used USB peripherals to launch a variety of cyber-attacks, exploiting the vulnerabilities and properties of these devices[2]. This article provides an overview of how the variety of existing USB attacks can be categorized by a USB attack taxonomy. For in-depth details, please refer to the respective work. The graphics are a reconstruction of the original graphics in the respective papers.

Goal of an USB Attack Taxonomy

Although there are plenty of publications that include threat models and analyses, a taxonomy of attacks has rarely been the goal of such investigations. Many of them address cyber-attacks as a whole, while USB-based attacks remain unreviewed. A comprehensive classification of USB attacks makes it possible to assess the skill and equipment level of the adversary or group of adversaries, predict potential consequences, estimate possible attack vectors and even identify the adversary's probable affiliation with a specific group or groups according to attack aspects. Furthermore, it can be useful in developing appropriate security mechanisms - both prevention and detection - against these attacks[2][3].

USB Attack Taxonomy Variants

Taxonomy based on the required hardware[2]

In 2017, Nissim et al. reviewed 29 different USB-based attacks and introduced a new taxonomy to classify them into four major categories. For each attack, the objective it achieves was addressed and the associated and vulnerable USB peripherals and hardware were identified. In Fig. 1 and 2 the authors presented a taxonomy based on the USB hardware required for executing the attacks.

Fig.1: A taxonomy of USB-based attacks, categorized based on the hardware required to execute the attacks[2]

Fig. 1 presents three major categories:

A. programmable microcontrollers
B. the common USB peripheral devices that can be found in most organizations and households

B1. devices whose firmware was maliciously modified in order to perform the attack
B2. devices that do not require firmware modification

C. crafted devices composed only from electrical hardware components

The following lists the attacks covered by Nissim et al.'s survey, their year of publication and their assignment to the categories of the taxonomy presented in Fig. 1:

A. Programmable microcontrollers:

  1. Rubber Ducky - 2010
  2. PHUKD/URFUKED - 2010
  3. USBdriveby - 2014
  4. Evilduino - 2014
  5. Unintended USB channels - 2011
  6. TURNIPSCHOOL (COTTONMOUTH-1) - 2015
  7. RIT attack via USB mass storage - 2012
  8. Attacks on wireless USB dongles - 2015
  9. Default gateway override - 2014

B1. Devices whose firmware was maliciously modified in order to perform the attack:

  1. Smartphone based HID attacks - 2010
  2. DNS override by modified USB firmware - 2014
  3. Keyboard emulation by modified USB firmware - 2014
  4. Hidden partition patch - 2014
  5. Password protection bypass patch - 2014
  6. Virtual machine break-out - 2014
  7. Boot sector virus - 2014
  8. iSeeYou: Disabling the MacBook webcam indicator LED - 2014

B2. Devices that do not require firmware modification:

  1. .LNK Stuxnet/Fanny USB flash drive exploit (Shell extension exploits) - 2010
  2. USB Backdoor into air-gapped hosts - 2014
  3. Data hiding on USB mass storage - 2010
  4. Autorun exploits - 2005
  5. Cold boot - 2008
  6. Buffer overflow - 2005
  7. Driver update - 2011
  8. Device firmware upgrade (DFU) - 2014
  9. USB Thief - 2016
  10. Attacks on smartphones via the USB port - 2010
  11. USBee attack - 2016

C. Crafted devices composed only from electrical hardware components:

  1. USB Killer

Furthermore, the attacks were summarized in a table indicating whether each was associated with:

  • "USB Peripheral (keyboard, mouse, storage, smartphone, speaker, camera)", where some devices underwent malicious firmware modification, and/or
  • "Persona of USB Connected Microcontroller (keyboard, mouse, storage, smartphone, speaker, network adapter, cable)", referring to the type of device emulated by a USB-connected programmable microcontroller, often disguised by the external casing of an innocuous USB device

The table shows that the peripheral through which more than 51% of the 29 attacks can be carried out is the USB storage device, followed by the keyboard and by microcontrollers that impersonate a keyboard.
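The two most common personas in the table, storage and keyboard, suggest a simple host-side detection check. The following is an added example (not code from the page or from either paper): it parses Linux kernel USB enumeration messages, groups them per device by idVendor:idProduct, and flags a device that presents a keyboard interface alongside mass storage, the pattern of categories A and B1. The log lines are constructed for illustration; the regexes and the `parse_usb_log`/`find_keyboard_personas` functions are this example's own.

```python
import re

# Constructed sample of Linux kernel USB enumeration messages (not taken from
# the page). Device 1-1 is an ordinary flash drive; device 1-2 calls itself a
# flash disk but also enumerates a HID keyboard interface.
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
usb 1-1: Product: Ultra Fit
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 1.00
usb 1-2: Product: USB Flash Disk
usb-storage 1-2:1.0: USB Mass Storage device detected
hid-generic 0003:1A2B:3C4D.0002: input,hidraw1: USB HID v1.11 Keyboard [USB Flash Disk] on usb-0000:00:14.0-2/input1
"""

NEW_DEV = re.compile(r"^usb ([\d.-]+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
PRODUCT = re.compile(r"^usb ([\d.-]+): Product: (.*)$")
STORAGE = re.compile(r"^usb-storage ([\d.-]+):\d+\.\d+: USB Mass Storage device detected")
# hid-generic names the device as <bustype>:<vid>:<pid>; bus type 0003 is USB.
HID_KBD = re.compile(r"^hid-generic 0003:([0-9A-F]{4}):([0-9A-F]{4})\.\w+: .*\bKeyboard\b")

def parse_usb_log(text):
    """Group lines by (idVendor, idProduct): port, product string and the set
    of interface roles ('storage', 'keyboard') each device exposed."""
    devices, port_to_key = {}, {}
    for line in text.splitlines():
        if m := NEW_DEV.match(line):
            key = (m.group(2).upper(), m.group(3).upper())
            devices[key] = {"port": m.group(1), "product": "", "ifaces": set()}
            port_to_key[m.group(1)] = key
        elif (m := PRODUCT.match(line)) and m.group(1) in port_to_key:
            devices[port_to_key[m.group(1)]]["product"] = m.group(2)
        elif (m := STORAGE.match(line)) and m.group(1) in port_to_key:
            devices[port_to_key[m.group(1)]]["ifaces"].add("storage")
        elif (m := HID_KBD.match(line)) and (m.group(1), m.group(2)) in devices:
            devices[(m.group(1), m.group(2))]["ifaces"].add("keyboard")
    return devices

def find_keyboard_personas(devices):
    """Flag devices presenting a keyboard alongside mass storage. Heuristic:
    a legitimate composite device can match too, so treat hits as leads."""
    findings = []
    for (vid, pid), d in devices.items():
        if {"storage", "keyboard"} <= d["ifaces"]:
            findings.append({"port": d["port"], "id": f"{vid}:{pid}",
                             "product": d["product"],
                             "taxonomy": "A/B1: microcontroller or reflashed "
                                         "peripheral impersonating a keyboard"})
    return findings
```

On a real host the same functions can be fed the output of `dmesg`; devices are keyed by vendor and product id, so two identical devices plugged in at once collapse into one record.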

Taxonomy based on attack characteristics[3]

In 2019, Mamchenko and Sabanov collected the already existing taxonomies, which are based on general cyberthreat models and some of which include USB, see Fig. 3.

Fig.3: Cyberattack and USB-based attack taxonomies analyzed by Mamchenko and Sabanov (2019)[3]

Based on this collection (see Fig. 3), they created a more complete, enhanced taxonomy. Unlike the taxonomy of Nissim et al., each category is one dimension along which a given attack can be classified. It is listed as follows:
Attack:

  1. Source of Threat
    1. outsider threats;
    2. insider threats.
  2. Level of Complexity
    1. no special training required;
    2. of intermediate complexity;
    3. complex.
  3. Level of Secrecy
    1. very hard to be detected;
    2. covert;
    3. not-to-be-hidden.
  4. Attack Mechanism
    1. code injection;
    2. data extraction;
    3. protocol masquerading;
    4. protocol corruption;
    5. signal eavesdropping;
    6. signal injection.
  5. Object of Impact
    1. operation systems and system software/drivers;
    2. servers;
    3. hardware;
    4. applications;
    5. mobile technology devices;
    6. user data;
    7. networks.
  6. Adversary Intentions
    1. to steal data;
    2. to modify data;
    3. to delete information;
    4. to destroy hardware;
    5. to gain access to system resources;
    6. to cause malfunctions/DOS.
  7. Impact Layer
    1. human;
    2. application;
    3. transport;
    4. physical.
  8. Assets
    1. programmable microcontrollers;
    2. maliciously reprogrammed peripherals;
    3. not re-programmed peripherals;
    4. electrical devices;
    5. special hardware;
    6. malicious programs.
  9. Actions
    1. probe;
    2. scan;
    3. flood;
    4. authenticate;
    5. bypass;
    6. spoof;
    7. read;
    8. copy;
    9. steal;
    10. modify;
    11. delete;
    12. destroy hardware;
    13. eavesdrop;
    14. cause malfunction/DOS.
  10. Severity of Consequences
    1. disastrous effects;
    2. severe;
    3. intermediate severity;
    4. irresponsible.
  11. Type of Damage from Attack
    1. physical;
    2. psychological;
    3. economic;
    4. political;
    5. reputational.

References

  1. Goodrich, Joanna. "How USB Came to Be." IEEE Spectrum, 22 February 2022. Accessed 22 September 2024.
  2. Nir Nissim, Ran Yahalom, and Yuval Elovici. USB-based attacks. Computers & Security, 70:675–688, 2017.
  3. Mark Mamchenko and Alexey Sabanov. Exploring the taxonomy of USB-based attacks. In 2019 Twelfth International Conference "Management of large-scale system development" (MLSD), pages 1–4, 2019.

Further Reading

  • Chengzhi Sun, Jiyu Lu, and Yunqing Liu. Analysis and prevention of information security of USB. In 2021 International Conference on Electronic Information Engineering and Computer Science (EIECS), pages 25–32, 2021.
  • Jianming Fu, Jianwei Huang, and Lanxin Zhang. Curtain: Keep your hosts away from USB attacks. In Phong Q. Nguyen and Jianying Zhou, editors, Information Security, pages 455–471, Cham, 2017. Springer International Publishing.