Hardware-Encrypted USB Flash Drives Stop BadUSB Before It Starts
BadUSB is a class of malware used by hackers worldwide who are determined to create as much havoc in as many lives as they can…BadUSB resides in a USB flash drive that has been programmed to go rogue and do some very bad, destructive things.
- By Richard Kanadjian
- March 22, 2022
It stands to reason that any problem with the word “bad” in its name will not be fun to deal with. However, when the solution for the said problem is a multi-tasker that solves multiple issues, that goes beyond being a good thing—maybe bordering on amazing. Such is the case with the problem of BadUSB and the most practical means of preventing the problems it causes: hardware-encrypted USB flash drives.
USB flash drives are one of the easiest, securest means of storing data, backing up files, booting a computer and transferring data/files/images from one device to another. They are as ubiquitous on campuses as stately, ivy-covered buildings between students, faculty, and administrators.
USB drives are available in a wide range of prices, from free to three-digit figures. With that large a price range, it is not surprising that some lower-end units will be problematic.
What Exactly is BadUSB?
BadUSB is a class of malware used by hackers worldwide who are determined to create as much havoc in as many lives as they can. (Malware—an amalgam for malicious software—is an all-encompassing term for any computer software that was specifically designed with malicious intent.) BadUSB resides in a USB flash drive that has been programmed to go rogue and do some very bad, destructive things.
BadUSB allows these individuals to do some serious firewall breaching to introduce malware into a school's cyber-defenses through USB storage devices. The first USB malware, BadUSB, does not attack data on the device; instead, it attacks the device itself.
When a USB drive is plugged into a computer, the chipset controller of the computer starts a “handshake” with the USB drive controller via firmware. This exchange occurs even before the OS—whether it be Microsoft, macOS, or Linux—is even aware that a USB drive has been connected. (Every USB drive has firmware that runs when the drive is activated in a USB socket.)
The ne'er-do-wells behind BadUSB have learned that they can introduce malware through this “handshake” mechanism by replacing the firmware that runs on the USB drive controller with another, more malicious firmware that injects malware into the target computer system as it communicates with the USB drive.
A standard USB drive has no security on its internal firmware. So, while drives with BadUSB begin their existence as clean, unmarred USB drives, at some point, they are weaponized to penetrate firewalls and breach cyber defenses. Unfortunately, today's anti-malware solutions cannot detect this modified controller firmware, and in many cases, it remains undetectable and free to go about its ruinous work.
While USB manufacturers don't like disclosing their security countermeasures, they do talk about one measure that protects against BadUSB: hardware-encrypted USB drives. This type of drive uses premium encryption controllers and incorporates many security features. As a result, hardware-encrypted USB drives prevent BadUSB from occurring, as well as a multitude of other problems.
At the factory, when the firmware is loaded on hardware-encrypted drives, it is digitally signed and loaded. This means that when these encrypted USBs are plugged in, the encryption controller first checks the integrity of the firmware through the digital signature and only loads it if it passes. Any attempt to replace the firmware will stop the drive and render it non-functional, eliminating any threat.
Yes, hardware-encrypted drives are more expensive than standard USB drives—as well as, God forbid, the freebies handed out at trade shows. But, they earn their keep. The reduction and elimination of risks offered by such drives make the payback cycle very short. Plus, the peace of mind that comes from knowing you are protected from being hacked and suffering the associated legal and public relations costs is priceless.
Non-Technical Ways to Prevent BadUSB
Along with the use of hardware-encrypted USB drives, there are several other ways colleges and universities can prevent a BadUSB hit, although they are highly untechnical means. One is to outlaw anyone connected to or doing business with the school from using USB drives all together. The other is taking the extreme measure of epoxying the USB sockets on all their systems on campus or at satellite sites. Needless to say, either measure is a tad draconian and presents problems of its own.
Schools that have tried either method have run into a major problem: Some of their students and staff simply need to carry data on USB drives. For example, students working on projects, research or other papers who need access to their data, etc., will put it on a USB drive at various locations. Another problem is outside faculty members and contractors, who need data to work on but have restricted or no access to the school's databases. Another possible problem is school recruiters going out and making presentations at various locations and finding it easier to put everything on a USB drive.
How Does BadUSB Affect My Campus?
As to how BadUSB affects you, that all depends on the designers' motives. One particular vulnerability all educational institutions face is the issue of securing Personal Identifiable Information (PII), which can be found in many departments around campus, including admissions, financial aid, human resources, the health center and others.
Personal Identifiable Information in educational settings is protected by the Family Educational Rights and Privacy Act (FERPA). It covers direct identifiers, such as a student's name, identification number, address and social security number; as well as indirect identifiers, such as a student's date of birth; or other information which can be used to distinguish or trace an individual's identity either directly or indirectly through linkages with other information.
FERPA is just one of many regulatory and compliance initiatives introduced worldwide and requires adherents to encrypt and protect personally identifiable data. Several others that you may be familiar with include HIPAA in health care, GDPR in the European Union and CCPA in the state of California. Compliance organizations have multiplied exponentially over the last several years, as these regulations and their associated fines and legal-award risks have skyrocketed.
Hardware-Encrypted USB Drives: Best for Compliance
In every one of these regulatory and compliance instances, hardware-encrypted USB drives—the same ones preventing you from being a victim of BadUSB—are the best option to ensure data security and meet applicable compliance regulations. Here is why:
- Encryption is always ON: There is no way for users to turn off encryption, reset the password rules (minimum length, complexity) and disable the automatic password retries. Unlike software encryption, which does not prevent repeated password guessing through software dictionary attacks, the hardware versions limit password retries to 10 times or fewer—and wipe out the data when the wrong passwords are entered ten times in a row.
- Also, offer custom Product IDs (PIDs) that can be set up for a specific company. These premium drives have a digital identifier programmed into them so that if a drive is plugged into the company's inner or outer firewall, the drive can be identified as a company-issued drive. For example, if an employee loses the company drive and sneakily buys the same model at retail, the newly purchased drive will not validate on the company network. This customization adds another layer of security on the use of USB drives.
- Uses a dedicated processor that is physically located on the encrypted drive.
- Processor contains random number generators to generate an encryption key, which the user's password will unlock.
- Performance is increased by off-loading encryption from the host system.
- Include safeguard keys and critical security parameters within crypto-hardware.
- Authentication takes place on the hardware.
- The host PC does not require any type of driver installation or software installation.
- Protect against the most common attacks, such as cold-boot attacks, malicious code and brute force attacks.
Software Encryption: Big No-No for Compliance Purposes
For many school security professionals, software encryption can offer the same encryption capabilities as hardware-encrypted USB drives but at a lower cost. Schools moving to software encryption for compliance purposes do so at their own risk, as there is a definite dark side to software-based encryption.
Software encryption is considered removable encryption. That means users can remove the software encryption feature from their USB drives. Why, you ask, would they? Simply put, because they can, and they don't want to mess with having to use a password, or they forgot the password but needed to use the USB drive.
All is good, except for compliance purposes. The ease of removing data encryption means that the drive is now unencrypted, and the data that was encrypted on the drive is considered lost forever once the encryption is removed. Therefore, any data copied on the device once the encryption is removed is considered unsecured and potentially out of compliance, which can risk a violation of regulations.
This article originally appeared in the March / April 2022 issue of Campus Security Today.