
computers & security 70 (2017) 675–688

Available online at www.sciencedirect.com
ScienceDirect
Journal homepage: www.elsevier.com/locate/cose

USB-based attacks

Nir Nissim *, Ran Yahalom, Yuval Elovici

Malware Lab, Cyber Security Research Center, Ben-Gurion University of the Negev, Beer-Sheva, Israel

ARTICLE INFO

Article history:
Received 19 April 2017
Received in revised form 1 July 2017
Accepted 1 August 2017
Available online 10 August 2017

Keywords:
USB
Device
Attack
Malicious
Malware

ABSTRACT

Attackers increasingly take advantage of innocent users who tend to use USB peripherals casually, assuming these peripherals are benign when in fact they may carry an embedded malicious payload that can be used to launch attacks. In recent years, USB peripherals have become an attractive tool for launching cyber-attacks. In this survey, we review 29 different USB-based attacks and utilize our new taxonomy to classify them into four major categories. These attacks target both individuals and organizations and utilize widely used USB peripherals, such as keyboards, mice, flash drives, smartphones, etc. For each attack, we address the objective it achieves and identify the associated and vulnerable USB peripherals and hardware.

© 2017 Elsevier Ltd. All rights reserved.

1. Introduction

Most individuals and employees of organizations consider USB devices a reliable and trusted tool for everyday use (Tetmeyer and Saiedian, 2010). Although innocent users consider USB peripherals safe, over the years attackers have used USB peripherals to launch a variety of cyber-attacks, exploiting the vulnerabilities, properties, and capabilities of these devices. According to previous studies (Pham et al., 2011), the majority of USB attacks executed in the past were based on USB device storage, Autoplay USB drive related malware, and USB drivers that were maliciously modified to enable buffer overflow attacks (mainly achieving privilege escalation). Preventive measures have been implemented in recent years: access and privileges to system resources in the operating systems have been limited, and the Autorun capability has been disabled in most operating systems. However, many new and more sophisticated attacks using malicious USB peripherals have been introduced. Most of the attacks are aimed at organizations and employ social engineering in order to make the attack happen (Anderson and Anderson, 2010; Edwards et al., 2011). With the rising trend of ransomware attacks (Gorman and McDonald, 2012; Pathak and Nanded, 2016; Stewin and Bystrov, 2015), USB based attackers have found the financial motivation to attack individuals as well (Tischer et al., 2016).

A variety of attack techniques conducted via USB peripherals have been demonstrated against hosts. Data exfiltration through USB storage devices represents one of the major malicious operations conducted via USB attacks, as data exfiltration can work in both directions using USB peripherals. The first direction involves a compromised host (i.e., computer) and a benign USB device, in which malware resident on the host steals information from the connected USB storage device (Anderson and Anderson, 2010; Hak5, 2006). The second direction involves a malicious USB storage device that leaks sensitive information from a benign host without the host and USB device owner’s knowledge and, depending on the complexity of the attack, without the ability of most automated forensic tools to detect it (GREAT and Kaspersky Lab’s Global Research & Analysis Team, 2015; Usher).

* Corresponding author.
E-mail address: nirni.n@gmail.com (N. Nissim).
http://dx.doi.org/10.1016/j.cose.2017.08.002
0167-4048/© 2017 Elsevier Ltd. All rights reserved.
Other attack techniques are aimed at stealing network traffic (including sensitive information such as credentials, passwords, etc.). These techniques may use USB devices that emulate a USB Ethernet adapter; this enables the USB device to act as a DHCP server which directs traffic through a malicious DNS (e.g., via a modified firmware flash drive) or supplies the host with a malicious default gateway (e.g., via a compromised smartphone that is connected to the host for charging purposes but is actually used to direct network traffic through itself).

In recent years (Crenshaw, 2010; Elkins, 2010; Feroz; Kamkar; RIFT recon), more and more attacks have utilized an attack technique that includes keystroke/mouse click injection attacks. These attacks are usually done by non-USB human interface devices (HIDs) that pose as a keyboard or mouse whose firmware has been modified. Dedicated tools for implementing these attacks (e.g., Rubber Ducky (RIFT recon)) use a simple scripting language by which anyone is able to create payloads which are capable of changing system settings, opening back doors, retrieving data, initiating reverse shells, running malware (e.g., ransomware), or any other activities that can be achieved with physical access – all of which can be automated and executed in a matter of seconds.

Newer attacks that have not yet been addressed by previous research (e.g., Pham et al., 2011) include those that belong to the BadUSB attack family (Caudill and Wilson; Nohl and Lel, 2014; SRLabs). These attacks are initiated when the host performs a malicious firmware update in which the USB device’s firmware is modified by the attacker; from then on, the original USB device acts according to the way in which it was programmed by the attacker. This category of attacks relies mainly on social engineering techniques that take advantage of the fact that most users are innocent and unaware of the dangers and risks associated with malicious USB devices that seem, on the surface, to be benign, such as computer mice, keyboards, etc. These USB devices are embedded with microcontrollers, which are small computers that can be programmed to meet the attacker’s needs.

Another family of USB-based attacks is the driver-related attacks family in which an attacker plugs in a compromised malicious USB device that causes the host to download a specific malicious driver crafted in such a way as to execute malicious code on the host, or alternatively, to exploit a buffer overflow vulnerability. There are also “exotic” attacks that cannot be categorized as a specific technique, including attacks that are oriented toward the denial of service (DoS) of the host computer. A recent example of this is the USB Killer attack (Kehtarnavaz and Mahotra, 2010; USB killer v2.0), which is a device that looks like a simple flash drive, but is actually an electric discharger capable of destroying sensitive components on the host. It is worth noting that USB devices can also be used for attacking isolated computers thought to be protected by air-gapped networks. This capability was demonstrated by the famous Stuxnet malware, a directed cyberwarfare attack against the Iranian nuclear program (Langner, 2011).

The use of USB peripherals and protocols will probably remain very popular for both organizations and individuals for some time (Cunningham, 2014). Therefore, accumulating and structuring knowledge regarding these attacks, including the way they have been created and how they are performed, the vulnerabilities they exploit, and the peripherals accompanied by the greatest risk, will enable cyber security researchers and corporations to develop appropriate security mechanisms (both prevention and detection) against these attacks. To the best of our knowledge, there is a gap as neither a comprehensive and trusted detection system nor the systemization of this knowledge base exist. The contributions of this paper are threefold:

- Presenting an up-to-date and comprehensive survey and taxonomy of existing USB-based attacks, including how each attack is performed and its attack vectors and prerequisites.
- Analyzing the vulnerability and exposure of popular USB devices to each of these attacks.
- Presenting a short up-to-date coverage of existing solutions aimed at detection and prevention of USB-based attacks, and discussing their advantages and disadvantages.

2. The USB protocol

Before describing the USB based attacks, it is important to understand the basics regarding USB components and the way the USB protocol works; this section provides a brief, yet informative, introduction to the USB protocol and a thorough description of existing attacks, which utilize the vulnerabilities and functionalities of the USB peripherals and protocol.

The USB protocol is probably the most popular standard for connecting computer peripherals (aka USB devices) to a computer host. A typical configuration consists of a single PC host with multiple devices interconnected by USB cables. The PC host has an embedded hub, also called the root hub, which typically contains two or more USB ports.

USB devices can be categorized into I/O devices that add capabilities to the host and hub devices that only connect additional devices to the host.

The USB cable usually has two purposes: (1) it allows communication between a USB device and a host, and (2) it supplies electrical power to the USB device, if it is a bus-powered device. Alternatively, a hub or an I/O device that is self-powered has an additional power cable attached to it. The USB cable connectors were specifically designed with the power pins longer than the signal pins, so that power would always be applied before signals. USB devices are controlled by a microcontroller chip that is responsible for all USB interaction with the host controller. The microcontroller includes a CPU and possibly a bootloader. The CPU executes the firmware, which tells the device how to respond to host requests. The bootloader allows loading firmware on to the device, e.g., for upgrading it post-production. A USB device may consist of several logical sub-devices that are referred to as device functions. A single device may provide several functions, e.g., a webcam (video function) with a built-in microphone (audio function). This kind of device is called a composite device. Each function corresponds to a logical address on the bus (aka an endpoint). An endpoint forms a logical communication channel called a pipe. There are two types of pipes:

1. Message pipe: used for control transfers in which short, simple commands are sent to the device and status responses are sent from the device.
2. Stream pipe: used for any of the following data transfer types:
a. Isochronous transfers for functions that require timing coordination at some guaranteed data rate but with possible data loss, e.g., real-time audio or video.
b. Interrupt transfers for functions that need guaranteed quick responses with bounded latency, e.g., mice and keyboards.
c. Bulk transfers for large sporadic transfers using all remaining available bandwidth, but with no guarantees on bandwidth or latency, e.g., file transfers.

Note that in all data transfer types, the host directs all communications, and the USB device cannot transfer any data on the bus without an explicit request from the host controller.

Connecting a USB device to the host initiates a process called enumeration. In general, enumeration involves four steps:

1. Detecting that a device has been connected: When a USB device is plugged into a USB host there is a change on the data lines by which the host detects a device has been connected.
2. Determining device speed: The change on the data lines is also used to identify the speed of a device.
3. Determining device descriptors: Devices are identified by descriptors that they send to the host. Once the host has established that a device is connected to it and at what speed it should communicate with it, the host will reset the USB device and attempt to read its descriptors. This step basically follows a question and answer process:
a. First, the host will send a Get_Device_Descriptor command, and the device will send its descriptor length followed by the actual descriptor.
b. At the completion of this stage, the device is reset again and given a unique logical address via a Set_Address command.
c. Next, the host will send a Get_Configuration_Descriptor command in order to establish the device’s configuration. The device will reply by sending its configuration descriptor which includes a hierarchy of interface, endpoint, and (optionally) class specific descriptors.
4. Loading drivers: After the USB device has been fully identified by the host, the host needs to load a driver that will tell it how to control the USB device. Matching the USB device to the driver is usually done according to the USB class associated with the device, vendor ID (VID), and product ID (PID). Once the driver has been loaded, the USB device becomes available for applications to access. Standard USB devices are normally supported by drivers included in the host’s OS. However, in cases when a particular USB device has to fulfill non-standard requirements, a custom USB device driver should be downloaded by the host.

We now delve into the existing USB based attacks, describing the attacks and their taxonomy and categories, and the peripherals used to carry out such attacks.

3. Taxonomy of USB attacks

In Figs. 1 and 2, we present a taxonomy of USB attacks and their categories. The taxonomy is based on the USB hardware required for executing the attacks and that can be classified into three major categories: (A) programmable microcontrollers (red), (B) the common USB peripheral devices that can be found in most organizations and households (orange and blue) and (C) crafted devices composed only from electrical hardware components (purple). The programmable microcontroller (e.g., Teensy (PJRC) or Arduino (arduino.cc)) devices, aka USB hardware Trojans (Clark et al., 2010), can emulate USB peripherals and are often disguised within an innocuous external casing. The USB peripheral devices can be further classified into two sub-categories: devices whose firmware was maliciously modified in order to perform the attack (orange) and devices that do not require firmware modification (blue). For convenience, categories are numbered according to the subsections in which they are described below and attacks are numbered according to their assigned ID.

Fig. 1 – A taxonomy of USB-based attacks (covered in this survey), categorized based on the hardware required to execute the attacks. (For interpretation of the references to colour in this figure legend, the reader is referred to the web version of this article.)

4. Description of USB attacks

4.1. Programmable microcontrollers {A}

4.1.1. Rubber Ducky {1}

Rubber Ducky (RIFT recon) is a commercial keystroke injection attack platform released in 2010. Once connected to a host computer, the Rubber Ducky poses as a keyboard and injects a preloaded keystroke sequence. It supports a simple scripting language that enables an attacker to craft payloads capable of changing system settings, opening back doors, retrieving data, initiating reverse shells, or basically anything that can be achieved with physical access – all of which are automated and can be executed in a matter of seconds. Rubber Ducky’s hardware consists of a powerful Atmel 60 MHz 32-bit processor, a micro SD card reader for quick loading of different attack payloads, a payload replay button for easy re-execution, a LED indicator, and a JTAG interface that can be used for I/O.

4.1.2. PHUKD/URFUKED {2}

The Programmable HID USB Keyboard/Mouse Dongle (Crenshaw, 2010) (PHUKD) is a Teensy microcontroller (PJRC) based pen testing device created by Adrian Crenshaw. PHUKD combines keyboard emulation with mouse emulation, and it inspired the
development of a radio frequency version by Monta Elkins called the Universal RF USB Keyboard Emulation Device (URFUKED). Once connected to a host computer, URFUKED allows adaptive and remote delivery of keystrokes, so an attacker can select the best time to execute the attack, and choose the most appropriate method at the moment of execution.

Fig. 2 – The attacks themselves covered by this survey, their year of publication, relevance to the categories and taxonomy presented in Fig. 1 (based on the colors used in Fig. 1). (For interpretation of the references to colour in this figure legend, the reader is referred to the web version of this article.)

4.1.3. USBdriveby {3}

USBdriveby (Kamkar) is another Teensy based USB hardware Trojan developed by white hat security researcher, Sam Kamkar. USBdriveby provides quick covert installation of backdoors and overriding DNS settings on an unlocked OS X host via USB in a matter of seconds. It does this by emulating a keyboard and mouse, typing controlled commands, flailing the mouse pointer around, and generating mouse clicks. Specifically, USBdriveby exploits the fact that plugging a mouse or keyboard into a machine does not require authorization in order to begin using them. USBdriveby can evade security restrictions such as requiring the occurrence of both mouse and keyboard events, which are assumed to indicate a real user, in order to change network settings. USBdriveby accomplishes this with the help of some unprotected AppleScript and carefully controlled mouse movements.

4.1.4. Evilduino {4}

Evilduino is a USB hardware Trojan developed by Rashid Feroz and based on an Arduino microcontroller (Feroz) (in contrast to the previously mentioned PHUKD/URFUKED attacks which are based on the Teensy microcontroller). Evilduino also emulates a keyboard/mouse and can send keystrokes/mouse cursor movements to the host according to a preloaded script. Evilduino is particularly worth noting because of its relatively low price; it can be purchased online for 5–12 dollars, while the Teensy microcontroller is priced at $20, and the Rubber Ducky costs $45.

4.1.5. Unintended USB channel {5}

Clark et al. (2010) developed a proof of concept (POC) USB hardware Trojan that exfiltrates data, based on unintended USB channels. They defined an unintended USB channel as one in which the USB protocol is used to communicate in a way not anticipated by the protocol. They created two unintended USB channels based on two out of the four types of transfer specified by the USB standard: Control and Isochronous. Using keyboard emulation, their Trojan could exfiltrate data via control transfers used to toggle a keyboard LED when the corresponding modifier key has been pressed. They also emulated a USB speaker which provided a higher throughput for data exfiltration via isochronous transfers used to transmit audio from the host to the speaker. Their experiments showed that this Trojan could successfully:

1. Steal a user’s credentials and use them to upload and execute arbitrary code using the emulated keyboard functionality. This code was required to establish the unintended USB channels.
2. Use the unintended USB channels to exfiltrate data from a network endpoint to the Trojan.
3. Process the exfiltrated data using the Trojan’s processor and analyze the data in order to make a decision regarding further action.
4. Use a tunnel program to exfiltrate data through the Internet.
5. Open a backdoor to the network endpoint in order to further compromise it.
6. Cover its tracks.

4.1.6. TURNIPSCHOOL (COTTONMOUTH-1) {6}

TURNIPSCHOOL (NSA Playset) is a hardware implant concealed within a USB cable developed by wireless security researchers, Michael Ossman, Dominic Spill, and Karoline Busse, as part of the NSA Playset program, an initiative that aims to duplicate, in open-source, the technologies exposed in the NSA surveillance catalog. TURNIPSCHOOL provides short-range RF communication capability to software running on the host computer. Alternatively, TURNIPSCHOOL can serve as a custom USB device under radio control. It is designed as a USB hub device containing both a microprocessor and a built-in radio soldered
onto a circuit board that fits into a molded USB plug. TURNIPSCHOOL includes both assembly instructions and required components, and is a substantially cheaper homemade version of the NSA’s Cottonmouth-1 cable. Cottonmouth-1 contains a simple, yet powerful, implant that allows attackers to wiretap communications with peripheral devices (i.e., keyboards, printers) and inject malicious code. This tool was intended to provide air-gap bridging, software persistence capability, “in-field” reprogramming capability, applying covert communications with malware already running on the host (i.e., for command/data infiltration and exfiltration). Cottonmouth-1 was able to communicate with an NSA field station located up to eight miles away. The price indicated in the NSA surveillance catalog is high due to the sophisticated hardware used; Cottonmouth-1 cost over $1 million per lot of 50 units ($20,000 per device) in 2007. Obviously, since that time, the technology has evolved, and the cost to build devices such as Cottonmouth-1 has decreased, as shown by Ossman who developed a TURNIPSCHOOL prototype that costs less than $20.

4.1.7. RIT attack via USB mass storage {7}

Exploitable time of check to time of use (TOCTTOU) conditions may exist for consumer electronics/embedded devices that allow the installation of applications and firmware upgrades from user-provided mass storage devices, even if the software (applications or firmware) is protected by cryptographic signatures. This is because the software installation code assumes that files on a mass storage device cannot change while it is connected; the software installation is therefore not bound to the file integrity check, and these two parts (check and install) occur at different times. Mulliner and Michéle (2016) described a novel TOCTTOU attack based on changing the content of files while the mass storage device is connected to the attack target. The attack succeeds if the check code verifies the signature of the original benign file and the install operation uses the maliciously modified file. Mulliner and Michéle implemented a USB mass storage version of this TOCTTOU attack, called Read It Twice! (RIT). The RIT attack injected a shared object into a Samsung TV; the shared object was then executed with root privileges. This was done by emulating a USB mass storage device using a Gumstix (Gumstix Inc., 2012) board running Linux (the Linux USB stack supports USB mass storage emulation through the gadget API (Brownell, 2003)). The emulated device allowed tracking the file access and switching the original benign configuration file (clmeta.dat) with a maliciously modified version that caused the shared object to be injected.

4.1.8. Attacks on wireless USB dongles {8}

In 2015, security researcher, Sam Kamkar, released a POC of an attack platform named KeySweeper (Samy) that covertly logs and decrypts keystrokes from many Microsoft RF wireless keyboards. It is done using a microcontroller (Arduino or Teensy) connected to an RF chip manufactured by Nordic Semiconductor. KeySweeper can store the logged data on a flash chip for later extraction, or alternatively, transmit it over cellular GSM networks by either SMS or a 2G Internet connection. To camouflage KeySweeper, Kamkar packed all of its components into a functioning USB wall charger, which would also be used to charge a backup battery that could power the KeySweeper when it was unplugged from the charger. The cost of building a KeySweeper unit ranges from $10 to $80, depending on which of the above functions are required. Due to its stealth, powerful keylogging capability, and relatively low price, the FBI issued an official warning to private industry in 2016 (American Bar Association) regarding similar devices.

KeySweeper is comprised of the following components: an Arduino microcontroller – for executing the required logic and operations for the attacks; a Nordic radio frequency chip (NRF) – for sniffing the keystrokes and mouse movements from the USB dongle; Adafruit FONA – allows the user to use a 2G SIM card to access the Internet directly from the device in order to exfiltrate sniffed data directly to a remote server; a lithium battery – for powering the KeySweeper when it is unplugged from the charger in the wall; a USB charger that is used for three purposes: (1) to physically hide the other components, (2) to conceptually hide the malicious operation inside a legitimate and useful USB device that is commonly and frequently used by users, and (3) to charge the lithium battery when the KeySweeper is connected to the wall.

The KeySweeper relies on the fact that Nordic RF chips require vendors to write their own firmware to implement the encryption between the USB dongle and its paired peripheral device. In the case of Microsoft keyboards that are vulnerable to the KeySweeper attack, Microsoft implemented a weak XOR encryption method that was previously cracked by Thorsten Schröder and Max Moser (Remote-Exploit, 2010). However, researchers from the Bastille security firm (Bastille, 2016) demonstrated that in other cases, vendors (including Dell, HP, Logitech, and Microsoft) failed to take advantage of Nordic’s encryption option, making the USB dongles that receive those communications vulnerable to what they call a MouseJacking attack. The affected dongles correspond to both wireless keyboards and mice, because the vulnerabilities that make MouseJacking possible generally fall into one of the following three categories (Greenberg, 2016):

1. Forced pairing: Before a wireless keyboard or mouse leaves the factory, it is paired with a dongle. However, some vendors include the ability to pair new devices with a dongle, or pair an existing device with a new dongle (e.g., in cases in which only the dongle is lost). Although users must enable a special “pairing mode” on the dongle in order to pair a new device, Bastille showed that it is possible to bypass this pairing mode on some dongles and pair a new device without any user interaction.
2. Keystroke injection by spoofing a mouse: Some dongles do not verify that the type of RF packet they are receiving matches the type of device that transmitted it. Thus, if the dongle is supposed to connect a wireless mouse to the computer, an attacker can pair with the dongle as a new mouse, but transmit keystroke packets instead of mouse movements/clicks. Since the dongle does not expect mouse packets to be encrypted, it will simply accept the keystroke packets.
3. Keystroke injection by spoofing a keyboard: Most of the tested keyboards encrypt data before transmitting it wirelessly to the dongle, but not all of the dongles require that encryption is used. Thus, an attacker can pair with such a dongle as a new keyboard and send it unencrypted keystroke packets.
Notably, Bastille’s tests have shown that wireless keyboards and mice can be compromised by a MouseJacking attack from as far as 180 meters (Greenberg, 2016) away.

4.1.9. Default gateway override {9}

Nohl and Lel (2014; SRLabs) implemented a DHCP override of the default gateway over a spoofed USB Ethernet adapter which is emulated by a rooted Android smartphone. The phone was supposedly connected to the computer for charging purposes, but in actuality the phone set up a new network connection which an unaware user would be unlikely to notice. This is possible because Android comes with an Ethernet over USB emulation capability that is relatively easy to reconfigure. To accomplish this, Nohl and Lel rooted the phone (giving them superuser privileges) and ran a brief shell script that reprogrammed the phone to become an Ethernet adapter over USB (similar to USB tethering for sharing an Internet connection). Then the phone supplied the connected host with a default gateway over the USB connection and effectively intercepted all of the network traffic, so that it could be subjected to an MITM attack.

Another implementation of this attack is provided by Kali NetHunter (Offensive Security, 2015), an Android ROM overlay that includes a robust penetration testing platform. It is an open-source project developed by Offensive Security and the community. When the smartphone running the NetHunter app is connected to the host, all network traffic from that host is forced to pass through the smartphone.

4.2. USB peripherals {B}

4.2.1. Maliciously Reprogrammed Peripherals {B.1}

This category includes existing attacks based on USB peripherals that were reprogrammed. BadUSB refers to a family of USB attacks that are based on reprogramming a USB device’s controlling software (e.g., firmware or driver). BadUSB gained notoriety at the 2014 Black Hat conference (Nohl and Lel, 2014), and code for reproducing BadUSB was demonstrated later that year at the DerbyCon hacker conference by Adam Caudill and Brandon Wilson. Caudill and Wilson note that BadUSB is not a technical flaw or vulnerability, because it is completely compliant with USB specifications. They mentioned that it can be viewed as a concept made possible due to the coupling of:

1. A set of bad decisions made along the way by various stakeholders, namely:
a. The USB standard allows devices to change their persona at any time.
b. The host is incapable of knowing how many devices are actually connected to it.
c. Manufacturers do not integrate firmware signing into the hardware.
2. The way that users perceive these devices, in that users tend to trust USB devices to do what they think the device is supposed to do, when in reality they are small computers that can be programmed to be anything.

4.2.1.1. Smartphone based HID attacks {10}. Wang and Stavrou (2010) utilized a malicious Android smartphone to emulate a keyboard and mouse. They developed a custom USB gadget driver, and added it to the existing USB composite interface on the Android Linux kernel using the USB gadget API (Brownell, 2003). This driver was capable of simulating USB keyboard and mouse devices, thereby allowing the researchers to stealthily send predefined commands and simulate malicious interactive user activities.

Another example of an HID attack via a smartphone is Kali NetHunter (Offensive Security, 2015). NetHunter includes a USB HID mode, which turns the Android device and its OTG USB cable into a preprogrammed keyboard capable of typing any commands issued by the user. In addition, enabling the DuckHunter HID option allows an attacker to convert USB Rubber Ducky scripts into NetHunter format quickly and easily.

4.2.1.2. DNS override by modified USB firmware {11}. Because DHCP clients usually do not validate the identity of a DHCP server, unauthorized DHCP servers (aka rogue DHCP) can be used by attackers to provide incorrect information to DHCP clients. In general, this can serve either as a DoS attack, preventing the client from gaining access to network connectivity, or as an MITM attack. Since the DHCP server provides the DHCP client with server IP addresses, such as the IP address of one or more DNS servers, a rogue DHCP server can tell a client to do its DNS lookups through the attacker’s own DNS server. Nohl and Lel (2014) demonstrated a DNS assignment by DHCP over a spoofed USB Ethernet adapter. They modified the firmware of a USB flash drive and used it to emulate a USB Ethernet adapter. The spoofed USB Ethernet adapter acted as a DHCP server which assigned the host that it was connected to a malicious DNS server. This allowed the researchers to simply replace network server IP addresses with their own server’s address, e.g., the IP address of paypal.com. Their DHCP server did not, however, assign a default gateway, so the computer could use its connection to the network to forward packets which were consequently sent to their server (e.g., the user thought he/she was logging into paypal.com with his/her password, but instead the password was sent to the malicious server).

4.2.1.3. Keyboard emulation by modified USB firmware {12}. Nohl and Lel (2014) demonstrated how a flash drive whose firmware is modified can emulate a keyboard and inject a predefined sequence of keystrokes. They showed how their emulated keyboard can infect a Windows system which passes the infecting malware to a benign USB flash drive that is plugged into it. The now infected USB flash drive is then plugged into a Linux machine and infects it using a Linux-specific keystroke sequence. Caudill and Wilson demonstrated how a custom firmware replacement turns a USB flash drive into a keyboard which executes a sequence of keystrokes when the device is plugged into a host. Similarly, Maskiewicz et al. (2014) demonstrated how a modification of the Logitech G600 gaming mouse’s firmware (which also includes an integrated keyboard) allows them to open a shell, download a malicious executable to the host, and execute it. Thus, when the target host is connected to the Internet, the mouse can be used as a persistent threat that updates and reinstalls malware as desired. Maskiewicz et al. also showed that if the host is air-gapped,
the Logitech G600 has enough space available to host an entire malware package inside its firmware.

4.2.1.4. Hidden partition patch {13}. Caudill and Wilson demonstrated how a USB flash drive can be reprogrammed to act like a normal drive except for a few seconds after it is ejected using the "Safely Remove Hardware" option of the Windows OS. At that point, the drive was reprogrammed to re-enumerate and mount a second, completely hidden partition, which can then be re-hidden by the user. In this case, quick formatting the drive will not erase the data in the hidden partition, making this a very effective and easy way of exfiltrating data from a host.

4.2.1.5. Password protection bypass patch {14}. Some flash drives support partitions that can be protected by a user-specified password. Caudill and Wilson described how a small modification of a USB flash drive's firmware allows them to override the password check, so that any password the user enters will be considered valid.

4.2.1.6. Virtual machine break-out {15}. Nohl and Lel discussed the scenario of a cloud instance's VMs whose backup storage is connected via USB. They suggested that the VM tenant can potentially reprogram the storage device (assuming it is accessible from the VM) to spawn a second device that gets connected to the host machine by default. Brocker and Checkoway (2014) demonstrated an example of how reprogramming the firmware that runs on an iSight webcam (a class of Apple internal USB webcams used in some versions of MacBook laptops and iMac desktops) enables a similar virtual machine breakout. They showed how malware running inside a VM reprograms the camera to act as a USB keyboard which executes code in the host operating system.

4.2.1.7. Boot sector virus {16}. If a target computer relies on protective software that will run only after the OS is booted, an effective attack would be to infect the computer before the OS boots. Nohl and Lel (2014) discussed the possibility of deploying a so-called boot-sector virus via BadUSB. They programmed a USB flash drive to distinguish between the different host OSs that the drive was plugged into via their different enumeration behaviors (similar to Wang and Stavrou (2010)). They also emulated another drive (which is concealed if it is connected to an OS and shown only to the BIOS when the host boots) and a keyboard (in case they need to press F12 and other keystrokes in order to get the host to boot from the concealed drive). The concealed drive contains a rootkit from which the host is booted.

4.2.1.8. iSeeYou: disabling the MacBook webcam indicator LED {17}. Brocker and Checkoway (2014) developed a POC program called iSeeYou which reprograms the firmware of a class of Apple internal iSight webcams (used in some versions of MacBook laptops and iMac desktops) so that an attacker can covertly capture video without the LED indicator warning the user that the camera is recording. The host computer interacts with the iSight webcam entirely through a USB connection to a Cypress EZ-USB microcontroller. When iSight is powered, it checks the configuration EEPROM and then waits for programming over USB. Brocker and Checkoway's approach was to modify the AppleUSBVideoSupport I/O Kit driver on the host, which is responsible for downloading webcam firmware to the camera's microcontroller. Note that the iSeeYou program was an unprivileged (non-root) application that executed entirely in user space.

4.2.2. Not Reprogrammed Peripherals {B.2}

This category includes existing attacks based on USB peripherals that have not been reprogrammed.

4.2.2.1. .LNK Stuxnet/Fanny USB flash drive exploit (shell extension exploits) {18}. In June 2010, the Stuxnet (Langner, 2011) worm was discovered by a Belarusian antivirus company, VirusBlokAda. Stuxnet used a vulnerability in the Windows .LNK file shell icon handler, also known as CVE-2010-2568 (National Vulnerability Database (NVD)), to infect PCs from USB flash drives. The Stuxnet worm was able to spread for months using this vulnerability without being detected. In 2014, Kaspersky Lab showed that this vulnerability was also used by the Fanny computer worm as early as 2008 (Kaspersky Lab's Global Research & Analysis Team, 2015).

The original CVE-2010-2568 vulnerability was one of a string of zero-day vulnerabilities exploited by Stuxnet. Targeting Windows systems, this particular exploit served as the initial attack vector on a flash drive that allowed rapid on-host execution of an arbitrary DLL located on the flash drive, without relying on the AutoRun feature. CVE-2010-2568 takes advantage of the fact that Windows will render custom icons for certain files when displaying them in a folder. The custom icon handling code parses the .LNK file content in order to determine what icon to display, and a malicious .LNK file can exploit a vulnerability in that icon handling code to cause the execution of malicious code which is also located on the flash drive. The specific details of the attack mechanism are described in Ferrie and Lavasoft. This class of vulnerabilities is known as a shell extension exploit (Larimer, 2011), and it also encompasses exploits of shell extension handlers other than icon handlers.

4.2.2.2. USB backdoor into air-gapped hosts {19}. USB flash drives have long been used by attackers to establish a backdoor into air-gapped hosts. In fact, as we mentioned, one of the recently discovered examples of such an attack is the Fanny malware (Kaspersky Lab's Global Research & Analysis Team, 2015), developed in 2008 by the Equation group (GREAT and Kaspersky Lab's Global Research & Analysis Team, 2015) (presumably affiliated with the creators of Stuxnet). It used two zero-day exploits also used by Stuxnet: the .LNK exploit (see attack {18}, Section 4.2.2.1) for initial infection, and a privilege escalation exploit. The main purpose of Fanny appears to have been the mapping of air-gapped networks. In order to accomplish this, when Fanny infects a USB stick it creates a hidden storage area on the stick using its own FAT16/FAT32 filesystem driver. This hidden storage contains pending commands from the command and control (C&C) server (to be executed on the air-gapped system), code modules, and exfiltrated data. If it infects a computer without an Internet connection, it will collect basic system
information and save it onto the hidden area of the stick. Later, when a stick containing hidden information is plugged into an Internet-connected computer infected by Fanny, the data will be scooped up from the hidden area and sent to the C&C server. If the attackers want to execute commands on the air-gapped networks, they can save these commands in the hidden area of the USB stick. When the stick is plugged into the air-gapped computer, Fanny will recognize the commands and execute them. This effectively allowed Fanny's authors to execute commands inside air-gapped networks (utilizing infected USB sticks) and map the infrastructure of such networks.

4.2.2.3. Data hiding on USB mass storage devices {20}. Data hiding attacks on digital storage media have long been an important area of research in cyber forensics (Berghel et al., 2008), and USB mass storage devices are no exception. Such attacks range from simple user interface (UI) "tricks" for concealing the existence of files to more sophisticated tactics for hiding data in digital warrens where it will go unnoticed.

UI tricks, which hide a file from the user while the user is navigating through the flash drive content with Windows Explorer, include the following. (1) Changing the file's attributes so that it is hidden and/or marking it as a protected operating system file; that way Windows will not display it even if Explorer is set to display hidden files and folders. (2) Hiding the file inside an invisible folder by making that folder's icon and name transparent (Esengulov; IronGeek). (3) Camouflaging the file as a different file type, e.g., a bitmap or DLL. (4) Adding the file as an alternate data stream (if the flash drive includes an NTFS partition). In contrast to simple UI tricks, hiding data within digital media (e.g., flash drives) requires intimate knowledge of the underlying filesystem structure (Berghel et al., 2008). Such attacks can include combinations of the following: (1) storing data outside of the partitions, e.g., within the master boot record (MBR), volume boot record (VBR) or reserved sectors; (2) storing data within sectors that are marked as "bad" or "in use"; (3) manipulating filesystem metadata (e.g., the file allocation table in a FAT filesystem or $BadClus in NTFS) so that usable sectors are marked as bad and therefore will no longer be accessed by the operating system.

The Fanny malware (Kaspersky Lab's Global Research & Analysis Team, 2015) is an impressive example of sophisticated data hiding within digital warrens via filesystem manipulation. Fanny used its FAT16/FAT32 driver to change entries in the root directory table so that they would be ignored by the host's filesystem driver, as if they were data corruption or a bad sector. As a result, such an entry is not visible in Windows, Mac and Linux OSs, and likely is not visible in any other implementation of the FAT driver either. However, Fanny was able to find those entries, because it marked them using a magic value. It then navigated to the address on the partition that appears after a special flag value in those entries. This address holds a different magic value serving as a marker for the beginning of the hidden storage.

4.2.2.4. AutoRun exploits {21}. The previous decade was characterized by an influx of AutoRun/AutoPlay/U3 based attacks via USB flash drives (Anderson and Anderson, 2010; Pham et al., 2011). Depending on how the host was configured, malware that was based on these features could execute automatically without any user interaction. For these reasons, Microsoft disabled the AutoPlay feature for removable drives by default on Windows 7 (Microsoft Support), and it soon became common practice to disable the AutoRun functionality entirely (such a measure would also effectively disable the U3 smart drives by blocking the Launchpad application (TechJourney)).

One of the first famous examples of an AutoRun based attack was the pod slurping attack. The term pod slurping was coined by Abe Usher and refers to the act of copying large amounts of sensitive files from the host to USB storage devices such as the then popular iPod. This is done by a malicious program present on the USB storage device which executes automatically when the device connects to the host. In 2010, Anderson described a few easy steps to recreate a basic pod slurping attack (Anderson and Anderson, 2010).

Another popular example is the hacksaw/switchblade family of tools (Anderson and Anderson, 2010; Hak5, 2006). These tools are based on configurable flash drives that can be customized with a CD-ROM partition. When connected to the host, these flash drives silently install a malicious program on the host which monitors the host for the connection of new external drives and, when one is detected, compresses, splits, and sends all data stored on it to the attacker's email account. In the same work, Anderson also described the steps to recreate this attack (Anderson and Anderson, 2010).

4.2.2.5. Cold boot {22}. The cold boot attack, aka the RAM dump attack (Anderson and Anderson, 2010), relies on the fact that most PCs can boot from an external USB device such as a hard drive or flash device. Halderman et al. (2008) implemented a small (10 KB) plug-in for the SYSLINUX bootloader that can be booted from an external USB device and saves the contents of system RAM onto a designated data partition on the USB device. They succeeded in dumping 1 GB of RAM onto a flash drive in approximately four minutes. Beyond gaining full access to any mounted encrypted hard drives (even if the host computer is screen locked or in sleep mode), this attack allowed Halderman et al. to recover Mac OS X users' login passwords and extract RSA private keys from Apache web servers.

4.2.2.6. Buffer overflow based attack {23}. When a new device is inserted into a USB port, the host controller enumerates the devices and functions on that port (Larimer, 2011). The host then requests the device descriptor from the device. The device descriptor contains the information about the hardware device that the OS needs in order to load a driver for it, namely the USB specification version, the USB device class and subclass, the vendor ID (VID), product ID (PID), and other important data. Once this descriptor is obtained, the appropriate driver is loaded into memory for use by the operating system to facilitate communication between software and plugged in USB devices. USB drivers that fail to correctly check the boundaries of the input provided by the USB device may suffer a buffer overflow.

Several examples of USB driver buffer overflow vulnerabilities can be found in (Anderson and Anderson, 2010) and (Davis, 2011). If an attacker were to maliciously alter the response returned from the device (e.g., using a malicious device
such as one of the USB hardware Trojans described above) to the driver, it would be possible to overflow memory on the target computer and insert arbitrary code (Anderson and Anderson, 2010). A POC was initially provided by Darrin Barral and David Dewey at the Black Hat conference in 2005 (Barral and Dewey, 2005); they were able to locate specific drivers that were vulnerable to a buffer overflow attack and could thereby be used for executing malicious code. They emulated the insertion of alternate devices into the host and sent it a different VID and PID during enumeration, causing the vulnerable drivers to be loaded. Once installed, the driver can send a message to the device indicating that it is running, and the device itself can send a "secret message" back to the driver; this message could be a response indicating that the driver should initiate a backdoor, e.g., to unlock the screensaver.

4.2.2.7. Driver update {24}. It is possible for any third party who can obtain a VeriSign Class 3 Organizational Certificate and write a USB device driver that passes the Windows Hardware Certification (WHC) requirements to submit a driver to the Microsoft website that allows developers to upload drivers for Windows Update. This driver can be automatically installed on a host when a matching USB device is plugged in (Larimer, 2011). While the Class 3 certificate requirement and WHC testing are designed to ensure that only high quality and professionally written drivers are uploaded, it could be possible for a malicious entity to:

1. Create a fake corporation.
2. Obtain a certificate.
3. Develop a malicious driver for a non-existent device and fulfill the testing requirements.
4. Submit the signed driver.
5. Wait for their submission to be approved.

Since Microsoft accepts signed driver binaries and not source code, it could be possible for a driver author to slip in some obfuscated malicious code. Furthermore, even without going through the effort of obtaining the Class 3 certificate, it might be possible to simply steal credentials; e.g., the Stuxnet authors used stolen certificates and credentials to sign the rootkit drivers used by the worm.

For this attack to work, a malicious driver would be registered for a unique VID and PID pair within the USB device descriptor. When a device matching that ID is inserted into a host with automatic driver installation enabled, the host will connect to Windows Update and request that driver. As in the case of the buffer overflow attack, the driver can now send a message to the device indicating that it is running, and the device itself can send a response indicating that the driver should initiate the execution of the malicious code.

4.2.2.8. Device firmware upgrade (DFU) {25}. The Device Firmware Upgrade (DFU) is a legitimate process supported by the USB standard (USB Implementers Forum, Inc., 2004), during which the host issues a USB reset command (reconfiguration phase) to the device and then sends it the updated firmware image (transfer phase). For this to be possible, the device's original firmware must support DFU as described in (USB Implementers Forum, Inc., 2004). Once such a device is connected to a host with access to a maliciously modified firmware image, that image can be used during the DFU process, and the device will become a BadUSB device (see Section 4.2.1). Attackers can obtain a patched image of the firmware by reverse engineering the firmware updater software, as described by (Nohl and Lel, 2014). Another method is to use dedicated tools that emulate upgradeable USB devices in order to catch firmware updates as they are sent from a host to the device (a comprehensive demonstration of this is provided by (Goodspeed, 2012)).

4.2.2.9. USB Thief {26}. USB Thief is a USB flash drive based data stealing malware that was recently discovered by ESET (Gardoň, 2016). This malware spreads through portable versions of popular applications (e.g., Firefox, Notepad++ and TrueCrypt) on USB drives. It does this by inserting itself into the command chain of such applications, in the form of a plug-in or DLL, and will thus be run in the background when the applications are executed. Perhaps the most interesting feature of USB Thief is its focus on self-protection and stealth, as is evident from its unique cryptographic multi-stage loading process (described in detail in (Gardoň, 2016)). Its (relatively simple) data stealing executable gathers information from the host, encrypts it, and copies it to the flash drive. It does not leave any evidence on the affected computer, so after the flash drive is removed, it is difficult to identify that data was stolen.

4.2.2.10. Attacks on smartphones via the USB port {27}. Several attacks on smartphones via their USB port have been described. A juice jacking (Wikipedia) attack occurs when an attacker leverages the fact that power and data are both provided to a phone via the same USB port and attacks the smartphone during the charging process, using the USB data/power cable to illegitimately access the phone's data and/or inject malicious code onto the phone. Lau et al. (2013a, 2013b) presented a POC juice jacking attack tool called Mactans, disguised as a malicious USB wall charger, which allowed them to inject arbitrary software into iPhone devices running iOS versions up to and including iOS 6. Wang and Stavrou (2010) described the steps required to take over an Android smartphone when it is connected to a computer via the USB port. First, they unlocked the phone by sending touchscreen input events directly via the USB connection. Upon completion of the unlocking process, they replaced the phone's system images, so that all software on the phone (including kernel, libraries, utility binaries, and applications) was under their control. Wang and Stavrou (2010) also showed how a malicious phone is fully capable of assuming the role of a computer host by setting its USB port to be a USB hub. In this case, the attacker connects a malicious smartphone to a targeted smartphone and takes it over stealthily as described above.

4.2.2.11. USBee attack {28}. We surveyed several attacks that performed data exfiltration from air-gapped computers, such as KeySweeper (Samy) (attack {8}, Section 4.1.8) and the famous TURNIPSCHOOL (COTTONMOUTH-1) (NSA Playset) attack (attack {6}, Section 4.1.6). The latter is considered more dangerous and sophisticated, since it is generic and relevant to every USB peripheral rather than just to USB peripherals that communicate via a USB dongle, as in the KeySweeper attack. COTTONMOUTH
is indeed more generic; however, it requires hardware modification of the USB plug or device, in which a dedicated RF transmitter must be embedded. Recently, Guri et al. (2016) presented the USBee attack, which performs short-range data exfiltration from air-gapped computers without any hardware or firmware modification. USBee utilizes the data bus in a USB connector to generate electromagnetic radiation of a specific frequency. All that is needed to exfiltrate data from either the computer or the connected USB device is malicious code on a contaminated computer. This malicious code must be able to modulate data so as to generate electromagnetic emissions from the USB dongle, and thus create a covert communication channel that can be picked up by a nearby receiver. Their experimental results showed that, using USBee, an attacker is able to transmit data to a nearby receiver at a bandwidth of 80 bytes per second.

4.3. Electrical only USB hardware {C}

USB attacks that only involve the application of electrical hardware components are classified as a special category. To the best of our knowledge, this category currently includes only the USB Killer attack described below; however, it is likely that additional electrical USB attacks (e.g., in order to drain the target host's/device's power (Kim et al., 2008; Racic et al., 2006)) will be created by future attackers.

4.3.1. USB killer (power surge attack) {29}

In 2015, a Russian security researcher, nicknamed Dark Purple, built a USB stick that was capable of destroying sensitive components of a computer via a power surge attack. A few months later he launched a newer version called USB Killer v2.0, which was more compact and twice as powerful. Connecting the new version to a host's USB port starts the operation of a voltage converter on USB Killer, which charges a capacitor to −220 V. When this voltage is reached, the converter is switched off, the capacitor is discharged, and its accumulated energy is supplied to the signal lines of the USB interface. This cycle is repeated, and within just a few seconds it can incapacitate the device. USB Killer has also been commercialized, e.g., by the Hong Kong based company USBKill.com (USBKill), and can be purchased online for USB power surge attack testing. Note that additional DoS attacks which do not destroy the target can also be carried out through the use of hardware capabilities that can eventually affect both USB devices and hosts (Brandt and Stamp, 2014).

5. Mapping USB attacks to their associated hardware

As can be readily understood from the attacks presented and described in the previous section, the different types of attacks utilize a variety of techniques and can be carried out via one or more USB peripherals. In order to understand which peripherals are more vulnerable and which attacks pose a greater threat to them, we summarized in Table 1 the attacks and the associated hardware required for carrying them out. Table 1 organizes the attacks according to the categorization presented above.

Table 1 – The attacks covered in this survey and the associated hardware used to execute the attack (green check mark in cell) and the hardware that is being attacked (red check mark in cell). Column groups: USB Peripheral; Persona of USB Connected Microcontroller; Host. Column headings: Network Adapter, Smartphone, Keyboard, Speaker, Camera, Storage, Mouse, Cable, PC (several appear under more than one group). Rows (cell marks omitted): 1) Rubber Ducky; 2) PHUKD/URFUKED; 3) USB driveby; 4) Evilduino; 5) Unintended USB Channel; 6) TURNIPSCHOOL (COTTONMOUTH-1); 7) RIT attack via USB mass storage; 8) Attacks on wireless USB dongles; 9) Default Gateway Override; 10) Smartphone based HID attacks; 11) DNS override by modified USB firmware; 12) Keyboard emulation by modified USB firmware; 13) Hidden Partition Patch; 14) Password protection bypass patch; 15) Virtual Machine Break-Out; 16) Boot Sector Virus; 17) iSeeYou; 18) .LNK Stuxnet/Fanny; 19) USB Backdoor into air gapped hosts; 20) Data hiding on USB Mass Storage drive; 21) Autorun exploits; 22) Cold Boot; 23) Buffer Overflow; 24) Driver Update; 25) Device Firmware Upgrade (DFU); 26) USB Thief; 27) Attacks on smartphones via the USB port; 28) USBee attack; 29) USB Killer.

Column 1 lists the 29 attacks we surveyed in the previous section, along with their identification number. Columns 2–6 refer to common USB devices that are associated with each attack. For some of the attacks, the devices must undergo malicious firmware modification. Columns 7–13 refer to the type of device emulated by a USB connected
computers & security 70 (2017) 675–688 685

programmable microcontroller (e.g., Teensy (PJRC) or Arduino as was already demonstrated by the Stuxnet attack’s cre-
(arduino.cc)), often disguised by an external casing of an in- ators, signing keys and certificates can be shared and stolen,
nocuous USB device. making solutions such as IronKey ineffective. In 2011, Pham
As can be seen in Table 1, the peripheral by which more than et al. (2011) presented a multilayered security mechanism that
51% of the 29 attacks can be carried out is the USB storage device included the development of software implementations in the
(i.e., USB flash drive), followed by the keyboard device and user mode layer of the operating system. However, since 2011,
microcontrollers that impersonate a keyboard. In addition, the many new attacks have been created and are addressed in our
buffer overflow {23} and driver update {24} attacks can also be survey, attacks which are not covered by the solution pre-
applied to every peripheral, given the prerequisites described sented by Pham et al. (2011).
above.The USB Killer attack {29} is different from all of the other Caudill and Wilson suggested dumping the device’s firm-
attacks, since it is neither a proper USB peripheral and nor is ware and comparing its hash to hashes of firmware from
it a microcontroller programmed to impersonate a USB pe- different instances of the same device prior to enabling the op-
ripheral; it only involves electrical hardware components, so eration of the device. Tian et al. (2015) proposed the GoodUSB
its entry in the table only contains indications on the attacked framework which provides a graphical interface that allows
host. Malicious firmware attacks {25} (USB Implementers Forum, users to compare their expectation of the device’s function-
1997) can be conducted through each of the peripherals, as other ality with the functionality declared by the device. Although
attacks {11 and 12} also attack each of the peripherals and first it is clearly a step in the right direction, GoodUSB cannot serve
requires a firmware update to be done. as a full-scale USB attack detection framework for the follow-
ing reasons:

6. Existing tools and devices for the detection 1. It is only focused on defending against BadUSB and device
of USB attacks emulation attacks, and does not attempt to deal with the
many other types of USB attacks discussed in this survey.
Detecting USB attacks as they occur is an important require- 2. It is not a cross-platform framework and has not yet been
ment for any prevention system. Several tools and techniques implemented on various OS types and kernel versions.
have been suggested over the years for the detection of USB 3. It must be used with a benign host and cannot serve as an
related attacks. Some commercial products, e.g., Lumension ad hoc detection system for an arbitrary host whose state
Endpoint Security (Lumension, 2014), can recognize second- is unknown. Indeed, Tian et al. (2015) assume that host is
ary hardware devices and disable them. For example, if a network in an uncompromised state prior to connecting to any USB
administrator unknowingly allowed a device emulating a devices; if the host is compromised, there is no guarantee
network card to connect to an endpoint, the device would be that GoodUSB will function properly.
identified as a second network card, by this product, and this 4. It is not a trusted solution, because it must interact di-
may be indicative of a network card emulation attack. There rectly with the malicious firmware. This means that a well-
are also advanced USB malware scanning kiosks that effectively detect malicious USB storage payloads (OLEA Kiosks, Inc., 2015; OPSWAT, 2013). Different fuzzing methods have been proposed to detect faults that might lead to buffer overflow attacks (Davis, 2011; Schumilo et al., 2014; van Tonder and Engelbrecht, 2014). The use of USB tools that monitor the communication packets exchanged between the host and the device has been proposed for detecting malicious intent. However, some of these tools (e.g., Lomont and Jacobus, 2014; Wireshark) are untrusted and intrusive (in contrast to other tools such as the Beagle USB protocol analyzer (Beagle USB 480 Protocol Analyzer)), since the attacking malware might be able to detect and thus subvert them.

Recent attempts have been made to deal with the sophisticated BadUSB attacks. Yang et al. (2015) proposed defending systems against BadUSB attacks by wrapping the use of USB storage devices in industrial control systems with their mediated trust management scheme. However, they concluded that their method was unable to prevent malicious storage devices from requesting additional interfaces, and thus was unable to prevent the additional attacks associated with such interfaces. IronKey (2013), another, more successful defensive measure against BadUSB attacks, is based on the simple notion that if the device manufacturer is trusted and the signing key is kept safe, the firmware can be signed with this key.

Practically speaking, IronKey was found to be costly and was not integrated in most enterprise environments. In addition,

crafted malicious firmware might be able to bypass GoodUSB, e.g., by exploiting a buffer overflow vulnerability in the host's USB driver; for this reason, Tian et al. (2015) assume that the host's USB software stack does not contain any exploitable software flaws.
5. It cannot deal with advanced BadUSB attacks in which the user's expectations match the device's declared functionality. For example, a keyboard whose firmware was maliciously modified will be expected by the user to enumerate as a keyboard, so GoodUSB will not detect any attack.

Tian et al. (2016) presented the USBFILTER system, which is a packet-level access control mechanism (firewall) for USB. By creating specific rules, it can allow or deny functionality of USB devices. The researchers instrumented the host's USB stack between the driver of the USB device and the USB controller, and thus were able to filter packets at the lowest level of the operating system (the kernel). In addition, USBFILTER can specify which programs (e.g., Skype) are allowed to use which USB devices (e.g., webcams, speakers, and microphones), and by doing this, it can prevent malicious software resident on the host from enabling or accessing protected USB devices. However, USBFILTER suffers from the following shortcomings:

1. Since it is based on a relatively simple set of rules, an adversary can evade the rules by utilizing different attack techniques which do not match the detection rules.
2. USBFILTER is a deterministic solution that relies on the detection of known attacks only; it does not have any generalization capabilities or anomaly detection abilities, which could be used to cope with new, unknown attacks.
3. USBFILTER is exposed to power analysis attacks, as well as sniffing attacks such as those that target wireless USB dongles (American Bar Association; Bastille, 2016; Remote-Exploit, 2010; Samy), in which packets are transported via channels other than the channel monitored by USBFILTER.
4. It is unclear whether USBFILTER is completely transparent and in fact cannot be detected by the attacking malware. In the case of a zero-day attack that is resident at the kernel level with higher privileges, the malware will be able to evade this detection solution.

As far as we could determine, current detection and prevention solutions largely tend to concentrate on specific attacks or fail to provide a comprehensive and effective solution. Thus, in the following section, we suggest a comprehensive, trusted, and multidisciplinary methodology called USBEAT, which is aimed at the detection and prevention of known, and potentially unknown, USB-based attacks.

7. Discussion and conclusion

In this paper, we have presented an up-to-date and comprehensive survey and taxonomy of existing and recent USB-based attacks, including how each attack is performed and its attack vectors, thereby systemizing the domain of USB-based attacks. We analyzed the vulnerability and exposure of popular USB peripherals to each of these attacks and outlined the attack objectives that can be achieved when performing each attack. We also surveyed existing detection and prevention solutions and explained why these solutions do not provide a comprehensive solution. We expect that new attacks will increase and become more frequent, intensifying the scope and complexity of USB-based attacks (including new domains such as medical devices, IoT devices, autonomous cars, and more). Therefore, in future work we intend to develop a comprehensive detection framework aimed at mitigating USB-based attacks that is based primarily on machine learning approaches (Asbeh and Lerner, 2012; Kelner and Lerner, 2012; Nissim et al., 2012, 2014, 2015a, 2015b, 2016a, 2016b). We plan to include an evaluation of the framework's ability to detect the attacks presented in the current survey. The evaluation will be based on a unique repository of USB-based attacks (currently under development) that will be made available to the research community. The abovementioned framework will be aimed at the accurate detection of both known and unknown USB-based attacks and will utilize a process that efficiently enhances the framework's detection capabilities over time. The framework will integrate two types of security approaches in order to enhance the detection of USB-based attacks associated with a variety of USB peripherals. The detection framework will be designed to be: multidisciplinary (the use of multiple methods from different domains improves detection capabilities); trusted and transparent (detection is invisible, as attackers must not be aware that their behavior is being monitored, and thus cannot alter the attack's functionality); noninvasive (the detection does not require invasion into a USB peripheral or its components); lightweight (detection takes place quickly and in real time for practical and scalable use); extendable (additional detection modules and features can be integrated as needed); modular (existing modules can be easily replaced by new components and different implementations); and updatable and adaptable (the framework is capable of including new attacks in the repository, as well as incorporating new knowledge and results regarding detection techniques).

REFERENCES

arduino.cc. [Online]. Available from: https://www.arduino.cc/en/Main/arduinoBoardMicro.
Adafruit. Available from: https://www.adafruit.com/products/1946.
American Bar Association. Digital asset abstract. Available from: http://www.americanbar.org/tools/digitalassetabstract.html/content/dam/aba/administrative/cyberalert/keysweeper.pdf.
Anderson B, Anderson B. Seven deadliest USB attacks. Elsevier; 2010.
Asbeh N, Lerner B. Learning latent variable models by pairwise cluster comparison. In: Asian conference on machine learning. 2012. p. 33–48.
Barral D, Dewey D. Plug and root: the USB key to the kingdom. 2005.
Bastille. MouseJack technical details. 2016. Available from: https://www.bastille.net/research/vulnerabilities/mousejack/technical-details.
Beagle USB 480 Protocol Analyzer product page.
Berghel H, Hoelzer D, Sthultz M. Data hiding tactics for Windows and Unix file systems. Adv Comput 2008;74:1–17.
Brandt NB, Stamp M. Automating NFC message sending for good and evil. J Comput Virol Hack Tech 2014;10(4):273–97.
Brocker M, Checkoway S. iSeeYou: disabling the MacBook webcam indicator LED. In: Proceedings of the 23rd USENIX security symposium, San Diego. 2014.
Brownell D. USB gadget API for Linux. 2003. Available from: http://www.kernel.org/doc/htmldocs/gadget.html.
Caudill A, Wilson B. Making BadUSB work for you, Derbycon 4.0. [Online]. Available from: https://youtu.be/xcsxeJz3blI.
Clark J, Leblanc S, Knight S. Compromise through USB-based hardware Trojan horse device. Future Gener Comput Syst 2010;27:555–63.
Crenshaw A. Programmable HID USB keystroke dongle: using the Teensy as a pen testing device. [Online]. 2010. Available from: http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle.
Cunningham A. A brief history of USB, what it replaced, and what has failed to replace it. 2014. Available from: http://arstechnica.com/gadgets/2014/08/a-brief-history-of-usb-what-it-replaced-and-what-has-failed-to-replace-it/2/.
Davis A. USB – undermining security barriers. 2011.
Edwards C, Kharif O, Riley M. Human errors fuel hacking as test shows nothing stops idiocy. [Online]. 2011. Available from: http://www.bloomberg.com/news/articles/2011-06-27/human-errors-fuel-hacking-as-test-shows-nothing-prevents-idiocy.
Elkins M. Universal RF USB keyboard emulation device – URFUKED. In: DEFCON 18. 2010.
Esengulov A. 2 ways to hide "important" files and folders in Windows. [Online]. Available from: http://www.makeuseof.com/tag/2-ways-to-hide-porn-important-folders/.
Feroz R. Evilduino! – USB hack tool. [Online]. Available from: http://hackwhiz.com/2015/03/evilduino-usb-hack-tool-can-hack-into-any-computer-within-30-seconds/. [Accessed 16 February 2016].
Ferrie P. The missing LNK. [Online]. Available from: http://pferrie2.tripod.com/papers/lnk.pdf.
Gardoň T. New self-protecting USB trojan able to avoid detection. 2016. Available from: http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/.
Goodspeed T. Emulating USB DFU to capture firmware. [Online]. 9 October, 2012. Available from: http://travisgoodspeed.blogspot.co.il/2012/10/emulating-usb-dfu-to-capture-firmware.html.
Gorman GO, McDonald G. Ransomware: a growing menace, vol. 1. Symantec; 2012. p. 16.
Greenberg A. Flaws in wireless mice and keyboards let hackers type on your PC. 2016. Available from: https://www.wired.com/2016/02/flaws-in-wireless-mice-and-keyboards-let-hackers-type-on-your-pc/.
GREAT, Kaspersky Lab's Global Research & Analysis Team. Equation group: questions and answers. 2015.
Gumstix Inc. gumstix. 2012. Available from: http://www.gumstix.com/.
Guri M, Monitz M, Elovici Y. USBee: air-gap covert-channel via electromagnetic emission from USB. arXiv preprint arXiv:1608.08397. 2016.
Hak5. USB hacksaw. [Online]. 2006. Available from: http://hak5.org/usb-hacksaw.
Halderman JA, Schoen SD, Heninger N, Clarkson W, Paul W, Calandrino JA, et al. Lest we remember: cold boot attacks on encryption keys. In: 2008 USENIX Security Symposium. 2008.
IronGeek. ALT + NUMPAD ASCII key combos: the α and Ω of creating obscure passwords. [Online]. Available from: http://www.irongeek.com/alt-numpad-ascii-key-combos-and-chart.html.
Ironkey. Imation. 2013. Available from: http://www.ironkey.com/en-US/resources/.
Kamkar S. USBdriveby. [Online]. Available from: http://samy.pl/usbdriveby/.
Kaspersky Lab's Global Research & Analysis Team. A Fanny equation: "I am your father, Stuxnet". [Online]. 17 February, 2015. Available from: https://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/.
Kehtarnavaz N, Mahotra S. Digital signal processing laboratory. Brown Walker Press; 2010.
Kelner R, Lerner B. Learning Bayesian network classifiers by risk minimization. Int J Approx Reason 2012;53(2):248–72.
Kim H, Smith J, Shin KG. Detecting energy-greedy anomalies and mobile malware variants. In: MobiSys '08: proceedings of the 6th international conference on Mobile systems, applications, and services (New York, NY, USA, 2008). ACM; 2008. p. 239–52.
Langner R. Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur Priv 2011;9(3):49–51.
Larimer J. Beyond Autorun: exploiting vulnerabilities with removable storage. 2011.
Lau B, Jang Y, Song C. Mactans: injecting malware into iOS devices via malicious chargers. 2013a. Available from: https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf.
Lau B, Jang Y, Song C. Mactans: injecting malware into iOS devices via malicious chargers. In: Black Hat® USA 2013, Caesars Palace, Las Vegas, NV, July 27–August 1, 2013. 2013b. Available from: http://www.blackhat.com/us-13/briefings.html#Lau.
Lavasoft. LNK exploits. [Online]. Available from: http://www.lavasoft.com/mylavasoft/securitycenter/whitepapers/lnk-exploits.
Lomont CC, Jacobus CJ. USB firewall apparatus and method. US Patent US8646082 B2, 4 February 2014.
Lumension. Preventing USB device firmware attacks (BadUSB) using Lumension endpoint security – FAQ. Lumension; 2014. [Online]. Available from: https://www.lumension.com/kb-1697.aspx.
Maskiewicz J, Ellis B, Mouradian J, Shacham H. Mouse trap: exploiting firmware updates in USB peripherals. In: WOOT, San Diego. 2014.
Microsoft Support. How to disable the autorun functionality in Windows. [Online]. Available from: https://support.microsoft.com/en-us/kb/967715.
Mulliner C, Michéle B. Read it twice! A mass-storage-based TOCTTOU attack. In: WOOT, 6 August 2012. 2016. p. 105–12.
National Vulnerability Database (NVD). CVE-2010-2568. [Online]. Available from: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568.
Nissim N, Moskovitch R, Rokach L, Elovici Y. Detecting unknown computer worm activity via support vector machines and active learning. Pattern Anal Appl 2012;15:459–75.
Nissim N, Moskovitch R, Rokach L, Elovici Y. Novel active learning methods for enhanced PC malware detection in Windows OS. Expert Syst Appl 2014;41(13):5843–57.
Nissim N, Cohen A, Glezer C, Elovici Y. Detection of malicious PDF files and directions for enhancements: a state-of-the-art survey. Comput Secur 2015a;48:246–66.
Nissim N, Boland MR, Moskovitch R, Tatonetti NP, Elovici Y, Shahar Y, et al. An active learning framework for efficient condition severity classification. In: Artificial intelligence in medicine. 2015b. p. 13–24.
Nissim N, Cohen A, Moskovitch R, Shabtai A, Edri M, BarAd O, et al. Keeping pace with the creation of new malicious PDF files using an active-learning based detection framework. Secur Inform 2016a;5(1):1–20.
Nissim N, Moskovitch R, BarAd O, Rokach L, Elovici Y. ALDROID: efficient update of Android anti-virus software using designated active learning methods. Knowl Inf Syst 2016b;49:795–833.
Nohl K, Krißler S, Lell J. BadUSB slides, BlackHat (2–7.8.2014). [Online]. 2014. Available from: https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf.
NSA Playset. TURNIPSCHOOL. [Online]. Available from: http://www.nsaplayset.org/turnipschool. [Accessed 2 March 2016].
Offensive Security. Kali NetHunter documentation. Offensive Security. [Online]. 2015. Available from: https://github.com/offensive-security/kali-nethunter/wiki#60-kali-nethunter-attacks-and-features.
OLEA Kiosks, Inc. Malware scrubbing cyber security kiosk. 2015. Available from: http://www.olea.com/product/cyber-security-kiosk/.
OPSWAT. 2013. Available from: https://www.opswat.com/products/metascan.
Pathak PB, Nanded YM. A dangerous trend of cybercrime: ransomware growing challenge. Int J Adv Res Comput Eng Technol 2016;15(2):371–3.
Pham DV, Syed A, Halgamuge MN. Universal serial bus based software attacks and protection solutions. Digit Investig 2011;7(3):172–84.
PJRC. Teensy USB development board. PJRC Electronics Projects Components Available Worldwide. [Online]. Available from: https://www.pjrc.com/teensy/.
Racic R, Ma D, Chen H. Exploiting MMS vulnerabilities to stealthily exhaust mobile phone's battery. In: SecureComm 06. 2006. p. 1–10.
Remote-Exploit. Keykeriki v2.0 2.4 GHz. 2010. Available from: http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/.
RIFT recon. The Hak5 USB Rubber Ducky + ACCESS PROHIBITED. [Online]. Available from: http://shop.riftrecon.com/products/rubberducky.
Samy. KeySweeper. Available from: http://samy.pl/keysweeper/.
Schumilo S, Spenneberg R, Schwartke H. Don't trust your USB! How to find bugs in USB device drivers. In: Blackhat Europe, October 2014. 2014.
SRLabs. [Online]. Available from: https://srlabs.de/badusb.
Stewin P, Bystrov I. Cutting the Gordian Knot: a look under the hood of ransomware attacks. In: Detection of intrusions and malware, and vulnerability assessment, vol. 7591. Springer; 2015. p. 21–41.
TechJourney. Disable auto-run and auto-play of U3 smart drives launchpad. [Online]. Available from: https://techjourney.net/disable-auto-run-and-auto-play-of-u3-smart-drives-launchpad/.
Tetmeyer A, Saiedian H. Security threats and mitigating risk for USB devices. IEEE Technol Soc Mag 2010;29(4):44–9.
Tian DJ, Bates A, Butler K. Defending against malicious USB firmware with GoodUSB. In: Proceedings of the 31st annual computer security applications conference, December 2015. ACM; 2015. p. 261–70.
Tian DJ, Scaife N, Bates A, Butler K, Traynor P. Making USB great again with USBFILTER. In: Proceedings of the USENIX security symposium, August 2016. 2016.
Tischer M, Durumeric Z, Foster S, Duan S, Mori A, Bursztein E, et al. Users really do plug in USB drives they find. In: Proceedings – 2016 IEEE Symposium on Security and Privacy, SP 2016. Institute of Electrical and Electronics Engineers Inc.; 2016. p. 306–19.
Usher A. Pod slurping. [Online]. Available from: http://www.sharp-ideas.net/pod_slurping.php.
USB Implementers Forum. An analysis of wireless device implementations on universal serial bus. [Online]. 1997. Available from: http://www.usb.org/developers/hidpage/usbwire.pdf.
USB Implementers Forum, Inc. Universal serial bus device class specification for device firmware upgrade. [Online]. 5 August, 2004. Available from: http://www.usb.org/developers/docs/devclass_docs/DFU_1.1.pdf.
USB killer v2.0. Available from: http://habrahabr.ru/post/268421/.
USBKill. Available from: https://www.usbkill.com/.
van Tonder R, Engelbrecht H. Lowering the USB fuzzing barrier by transparent two-way emulation. USENIX Association; 2014.
Wang Z, Stavrou A. Exploiting smart-phone USB connectivity for fun and profit. In: Proceedings of the 26th annual computer security applications conference. ACM; 2010.
Wikipedia. Juice jacking. Available from: https://en.wikipedia.org/wiki/Juice_jacking.
Wireshark. USB capture setup. Available from: https://wiki.wireshark.org/CaptureSetup/USB.
Yang B, Feng D, Qin Y, Zhang Y, Wang W. TMSUI: a trust management scheme of USB storage devices for industrial control systems. Cryptology ePrint Archive, Report 2015/022. 2015. Available from: http://eprint.iacr.org/.

Dr. Nir Nissim is a researcher and the Head of the Malware-Lab at the Cyber Security Research Center of Ben-Gurion University. Dr. Nissim completed his Ph.D. with honors at BGU's Department of Information Systems Engineering; Dr. Nissim published several noteworthy papers dealing with the development of a generic active learning framework aimed at the detection and acquisition of various types of malware in a variety of platforms. His main areas of interest are mobile and computer security, machine learning, and biomedical informatics. Dr. Nissim is also the head of the ICSML program, an international cyber-security and machine-learning academic and professional program.

Ran Yahalom is a Researcher at the Malware Lab. His research currently focuses on the security of peripheral bus communication protocols (e.g., USB). Ran's primary areas of interest include: anomaly detection of discrete data sequences, application of biological and immunological defense mechanisms to cyber security, data mining, and machine learning. Ran holds B.Sc. and M.Sc. degrees in computer science and bioinformatics and is currently studying for a Ph.D. degree in cyber security at BGU.

Yuval Elovici is the Director of the Telekom Innovation Laboratories at Ben-Gurion University (BGU) of the Negev, head of BGU's Cyber Security Research Center (CSRC), Research Director of iTrust at SUTD, and a Professor in the Department of Information Systems Engineering at BGU. For the past 11 years he has led the cooperation between BGU and Deutsche Telekom. Prof. Elovici has published articles in leading peer reviewed journals and conferences. His primary research interests are computer and network security, cyber security, web intelligence, information warfare, social network analysis, and machine learning.