Hardware-Encrypted USB Flash Drives Stop BadUSB Before It Starts

It stands to reason that any problem with the word “bad” in its name will not be fun to deal with. However, when the solution to said problem is a multi-tasker that solves multiple issues, that goes beyond being a good thing, maybe bordering on amazing. Such is the case with the problem of BadUSB and the most practical means of preventing the problems it causes: hardware-encrypted USB flash drives.

USB flash drives are one of the easiest, most secure means of storing data, backing up files, booting a computer and transferring data/files/images from one device to another. Among students, faculty, and administrators, they are as ubiquitous on campuses as stately, ivy-covered buildings.

USB drives are available in a wide range of prices, from free to three-digit figures. With that large a price range, it is not surprising that some lower-end units will be problematic.

What Exactly is BadUSB? 

BadUSB is a class of malware used by hackers worldwide who are determined to create as much havoc in as many lives as they can. (Malware, a contraction of “malicious software,” is an all-encompassing term for any computer software that was specifically designed with malicious intent.) BadUSB resides in a USB flash drive that has been programmed to go rogue and do some very bad, destructive things.

BadUSB lets these individuals get past a school's firewalls and cyber-defenses and introduce malware through USB storage devices. The first USB malware, BadUSB, does not attack data on the device; instead, it attacks the device itself.

When a USB drive is plugged into a computer, the chipset controller of the computer starts a “handshake” with the USB drive controller via firmware. This exchange occurs before the OS (whether it be Microsoft, macOS, or Linux) is even aware that a USB drive has been connected. (Every USB drive has firmware that runs when the drive is activated in a USB socket.)

The ne'er-do-wells behind BadUSB have learned that they can introduce malware through this “handshake” mechanism by replacing the firmware that runs on the USB drive controller with another, more malicious firmware that injects malware into the target computer system as it communicates with the USB drive. 

A standard USB drive has no security on its internal firmware. So, while drives with BadUSB begin their existence as clean, unmarred USB drives, at some point, they are weaponized to penetrate firewalls and breach cyber defenses. Unfortunately, today's anti-malware solutions cannot detect this modified controller firmware, and in many cases, it remains undetectable and free to go about its ruinous work.

Preventing BadUSB

While USB manufacturers don't like disclosing their security countermeasures, they do talk about one measure that protects against BadUSB: hardware-encrypted USB drives. This type of drive uses premium encryption controllers and incorporates many security features. As a result, hardware-encrypted USB drives prevent BadUSB from occurring, as well as a multitude of other problems. 
 
At the factory, the firmware is digitally signed when it is loaded onto a hardware-encrypted drive. This means that when one of these encrypted USB drives is plugged in, the encryption controller first checks the integrity of the firmware through the digital signature and only loads it if it passes. Any attempt to replace the firmware will stop the drive and render it non-functional, eliminating any threat.
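
The power-on check described above, as an added sketch that is not from the article or from any drive vendor. Lamport one-time signatures built on SHA-256 stand in for whatever signature scheme a real controller uses, and the `Controller` class, its method names and the firmware byte strings are constructed for illustration.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(image: bytes):
    """The 256 bits of SHA-256(image), most significant bit first."""
    digest = _h(image)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    """Factory: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(_h(a), _h(b)) for a, b in sk]

def sign(sk, image: bytes):
    """Factory: reveal one secret per digest bit (a Lamport key signs once)."""
    return [sk[i][bit] for i, bit in enumerate(_bits(image))]

def verify(pk, image: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(image)):
        ok &= secrets.compare_digest(_h(sig[i]), pk[i][bit])
    return ok

class Controller:
    """Hypothetical model of the encryption controller's power-on check."""

    def __init__(self, pk, image: bytes, sig):
        self.pk = pk                      # assumed fixed at the factory
        self.image, self.sig = image, sig

    def overwrite_firmware(self, image: bytes, sig):
        """Models a write to firmware storage; nothing is checked here."""
        self.image, self.sig = image, sig

    def power_on(self) -> str:
        """Run the firmware only if its signature verifies, else stay halted."""
        return "running" if verify(self.pk, self.image, self.sig) else "halted"

def demo():
    sk, pk = keygen()                     # constructed key and images below
    good = b"constructed firmware image, factory build"
    drive = Controller(pk, good, sign(sk, good))
    before = drive.power_on()
    drive.overwrite_firmware(b"constructed replacement image", drive.sig)
    return before, drive.power_on()
```

The check runs at every power-on rather than at write time, so an image that was swapped while the drive was out of sight is still refused the next time it is plugged in.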

Yes, hardware-encrypted drives are more expensive than standard USB drives—as well as, God forbid, the freebies handed out at trade shows. But, they earn their keep. The reduction and elimination of risks offered by such drives make the payback cycle very short. Plus, the peace of mind that comes from knowing you are protected from being hacked and suffering the associated legal and public relations costs is priceless. 

Non-Technical Ways to Prevent BadUSB

Along with the use of hardware-encrypted USB drives, there are several other ways colleges and universities can prevent a BadUSB hit, although they are highly untechnical means. One is to prohibit anyone connected to or doing business with the school from using USB drives altogether. The other is taking the extreme measure of epoxying the USB sockets on all their systems on campus or at satellite sites. Needless to say, either measure is a tad draconian and presents problems of its own.

Schools that have tried either method have run into a major problem: Some of their students and staff simply need to carry data on USB drives. For example, students working on projects, research or other papers who need access to their data, etc., will put it on a USB drive at various locations. Another problem is outside faculty members and contractors, who need data to work on but have restricted or no access to the school's databases. Another possible problem is school recruiters going out and making presentations at various locations and finding it easier to put everything on a USB drive. 

How Does BadUSB Affect My Campus?

As to how BadUSB affects you, that all depends on the designers' motives. One particular vulnerability all educational institutions face is the issue of securing Personally Identifiable Information (PII), which can be found in many departments around campus, including admissions, financial aid, human resources, the health center and others.

Personally Identifiable Information in educational settings is protected by the Family Educational Rights and Privacy Act (FERPA). It covers direct identifiers, such as a student's name, identification number, address and social security number, as well as indirect identifiers, such as a student's date of birth, or other information that can be used to distinguish or trace an individual's identity either directly or indirectly through linkages with other information.
 
FERPA is just one of many regulatory and compliance initiatives introduced worldwide and requires adherents to encrypt and protect personally identifiable data. Several others that you may be familiar with include HIPAA in health care, GDPR in the European Union and CCPA in the state of California. Compliance organizations have multiplied exponentially over the last several years, as these regulations and their associated fines and legal-award risks have skyrocketed.

Hardware-Encrypted USB Drives: Best for Compliance

In every one of these regulatory and compliance instances, hardware-encrypted USB drives—the same ones preventing you from being a victim of BadUSB—are the best option to ensure data security and meet applicable compliance regulations. Here is why:

  • Encryption is always ON: There is no way for users to turn off encryption, reset the password rules (minimum length, complexity) or disable the automatic password-retry limit. Unlike software encryption, which does not prevent repeated password guessing through software dictionary attacks, the hardware versions limit password retries to 10 times or fewer, and wipe out the data when the wrong passwords are entered ten times in a row.
  • Custom Product IDs (PIDs): These drives also offer custom PIDs that can be set up for a specific company. The premium drives have a digital identifier programmed into them so that if a drive is plugged into the company's inner or outer firewall, the drive can be identified as a company-issued drive. For example, if an employee loses the company drive and sneakily buys the same model at retail, the newly purchased drive will not validate on the company network. This customization adds another layer of security on the use of USB drives.
  • Uses a dedicated processor that is physically located on the encrypted drive.
  • Processor contains random number generators to generate an encryption key, which the user's password will unlock.
  • Performance is increased by off-loading encryption from the host system.
  • Safeguards keys and critical security parameters within crypto-hardware.
  • Authentication takes place on the hardware.
  • The host PC does not require any type of driver installation or software installation.
  • Protect against the most common attacks, such as cold-boot attacks, malicious code and brute force attacks.
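
A model of the retry limit and the password-unlocked key from the list above, added here as an example and not taken from the article or from any vendor's firmware. The `EncryptedDrive` class, the PBKDF2 iteration count and the XOR-plus-HMAC key wrap are assumptions chosen to keep the sketch short.

```python
import hashlib
import hmac
import secrets

MAX_TRIES = 10        # the article's figure: ten wrong passwords in a row
ITERATIONS = 20_000   # assumption; kept low so the example runs quickly

class EncryptedDrive:
    """Hypothetical model of the on-drive crypto processor, not vendor code."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)     # data key from the on-board RNG
        mask, mac_key = self._derive(password)
        # Simplified key wrap: XOR mask plus an HMAC check value.
        self.wrapped = bytes(a ^ b for a, b in zip(dek, mask))
        self.check = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        self.failures = 0                 # counter lives in the drive, not the host
        self.wiped = False

    def _derive(self, password: str):
        okm = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt,
                                  ITERATIONS, dklen=64)
        return okm[:32], okm[32:]

    def unlock(self, password: str):
        """Return the data key, or None on a wrong guess or a wiped drive."""
        if self.wiped:
            return None
        mask, mac_key = self._derive(password)
        tag = hmac.new(mac_key, self.wrapped, hashlib.sha256).digest()
        if hmac.compare_digest(tag, self.check):
            self.failures = 0             # only consecutive misses count
            return bytes(a ^ b for a, b in zip(self.wrapped, mask))
        self.failures += 1
        if self.failures >= MAX_TRIES:
            # Crypto-erase: with the wrapped key gone, the stored data is unreadable.
            self.wrapped = self.check = b""
            self.wiped = True
        return None

def guesses_accepted(drive: EncryptedDrive, wordlist) -> int:
    """Feed wrong guesses until the drive wipes itself; return how many it took."""
    taken = 0
    for guess in wordlist:
        if drive.wiped:
            break
        taken += 1
        drive.unlock(guess)
    return taken
```

Because the counter and the wrapped key sit inside the drive, the host never holds anything it could guess against without passing through `unlock`, and after the tenth miss even the correct password returns nothing.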

Software Encryption: Big No-No for Compliance Purposes

For many school security professionals, software encryption can offer the same encryption capabilities as hardware-encrypted USB drives but at a lower cost. Schools moving to software encryption for compliance purposes do so at their own risk, as there is a definite dark side to software-based encryption.

Software encryption is considered removable encryption. That means users can remove the software encryption feature from their USB drives. Why, you ask, would they? Simply put, because they can, and they don't want to mess with having to use a password, or they forgot the password but need to use the USB drive.

All is good, except for compliance purposes. The ease of removing data encryption means that the drive is now unencrypted, and the data that was encrypted on the drive is considered lost forever once the encryption is removed. Therefore, any data copied on the device once the encryption is removed is considered unsecured and potentially out of compliance, which can risk a violation of regulations.

This article originally appeared in the March / April 2022 issue of Campus Security Today.
