Getting infected USB sticks inside large firms and government organisations would be child’s play for determined cybercriminals, Kaspersky Lab has found after one of its researchers successfully persuaded staff at several to open a PDF file during a staged visit.
The details of the experiment are contained in a larger and largely unreported report from September, Exposing Weaknesses from the Security Weaknesses We Tend to Overlook, which attempted to expose mundane but potentially dangerous security vulnerabilities.
Swedish Kaspersky Lab researcher David Jacoby walked in on eleven organisations off the street – three hotels, two large private firms and six government organisations – with a USB stick and a cover story that he needed help printing a file for an appointment.
Jacoby found that two of the hotels and one of the private firms refused to touch the USB stick. The private firm and hotel that did try to help him with his bogus request discovered that the ports on their computers had been disabled; helpfully, both found ways around this layer of security, one by asking him to email the file to them and the other by walking to a separate department lacking USB port security.
A mixed success, then, but the researcher found the government organisations much more accommodating. Two opened the files using reception PCs while another two again bypassed port lock-down by getting him to email the document for printing.
“What is really surprising is that the hotels and privately-owned companies had greater awareness and security than the governmental institutions/organizations. While David did visit fewer hotels and privately-owned companies, from this experience we think it’s fair to say that we have a real problem,” concluded Jacoby.
Although a modest experiment in one country, Kaspersky Lab believes it has demonstrated the principle that social engineering can be used to bypass physical security controls such as disabled USB ports with remarkable ease. It would not work at every organisation, but it could clearly work at enough of them, with the point of weakness probably never being detected.
USB stick malware might sound like an old problem that organisations have got on top of, but it still has the ability to cause the odd panic. In October, Italian reports claimed that senior politicians at the G20 summit in Russia the previous month had been given USB sticks containing Trojan malware as well as devices such as mobile chargers designed to carry out surveillance.
The most infamous USB stick attack ever was probably that by Stuxnet, which is believed to have launched its initial assault on Iranian nuclear facilities from infected drives that were the only way to reach physically isolated SCADA systems.