Last week I commented [2] on a test conducted by the U.S. Department of Homeland Security in which an alarming 90% of the employees used USB sticks found in the parking lot. Microsoft [3], meanwhile, has improved the ability to control the autostart function. So, is the USB problem over?
A targeted attack [4] by Netragard [5] on one of their clients shows that the USB problem is still very much present. The client limited the scope of the engagement by excluding social-engineering vectors based on social networks, telephone or email, and by disallowing any physical access to the campus and surrounding areas.
The testers modified a Logitech USB mouse to include a USB hub, a microcontroller and a USB stick. The microcontroller was programmed to act as a keyboard and send keystrokes with commands to access the onboard USB stick. The USB stick contained custom malware that would connect to a remote server. The hackers had done some social reconnaissance and found out that the company was using McAfee antivirus software: one of the company's employees had complained about it on Facebook. With this information the hackers set up a matching test environment and successfully connected to the remote server from it.
The USB mouse was put back into its original packaging, and a fake marketing flyer made it look like a promotional gadget. A target employee was selected and the package was shipped. A couple of days later the mouse connected to the remote server.
Had this been a real attack on the company, the consequences would of course have been severe. This penetration test shows how vulnerable the USB port can be, even with active antivirus software and autostart turned off. In this case USB port-blocking software would have done the trick and stopped the promotional stunt by blocking the hacked USB mouse.
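As an added example (not code from the original post or from Netragard), here is a small host-side check in the spirit of such USB device control: it parses constructed Linux kernel-log lines and flags any root-hub port whose device tree registers a keyboard alongside storage or a mouse, which is exactly the shape of the modified mouse described above. The log lines, vendor/product IDs and port numbers are made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample (dmesg-style syntax, made-up IDs): port 2 holds a plain
# mouse; port 3 holds a "mouse" that is really a hub carrying a mouse, a
# keyboard and a mass-storage device.
SAMPLE_LOG = """\
usb 1-2: New USB device found, idVendor=abcd, idProduct=0001
hid-generic 0003:ABCD:0001.0001: input,hidraw0: USB HID v1.11 Mouse [Vendor Mouse] on usb-0000:00:14.0-2/input0
usb 1-3: New USB device found, idVendor=abcd, idProduct=0002
hub 1-3:1.0: USB hub found
usb 1-3.1: New USB device found, idVendor=abcd, idProduct=0001
hid-generic 0003:ABCD:0001.0002: input,hidraw1: USB HID v1.11 Mouse [Vendor Mouse] on usb-0000:00:14.0-3.1/input0
usb 1-3.2: New USB device found, idVendor=beef, idProduct=0010
hid-generic 0003:BEEF:0010.0003: input,hidraw2: USB HID v1.11 Keyboard [HID beef:0010] on usb-0000:00:14.0-3.2/input0
usb 1-3.3: New USB device found, idVendor=beef, idProduct=0020
usb-storage 1-3.3:1.0: USB Mass Storage device detected
"""

# Role and port come from the driver lines: hid-generic reports the HID type
# (Mouse/Keyboard) and the port path after the controller id; usb-storage and
# hub lines carry the port as <bus>-<port path>.
HID_RE = re.compile(r"^hid-generic .*USB HID v\S+ (\w+) .* on usb-\S+?-([\d.]+)/input")
STORAGE_RE = re.compile(r"^usb-storage \d+-([\d.]+):[\d.]+: USB Mass Storage")
HUB_RE = re.compile(r"^hub \d+-([\d.]+):[\d.]+: USB hub found")


def device_roles(log):
    """Map each root-hub port (e.g. '3' for 1-3.2) to the roles found beneath it."""
    roles = defaultdict(set)
    for line in log.splitlines():
        if m := HID_RE.match(line):
            roles[m.group(2).split(".")[0]].add(m.group(1).lower())
        elif m := STORAGE_RE.match(line):
            roles[m.group(1).split(".")[0]].add("storage")
        elif m := HUB_RE.match(line):
            roles[m.group(1).split(".")[0]].add("hub")
    return dict(roles)


def suspicious_ports(log):
    """Ports where a keyboard sits next to storage or a mouse: a peripheral that
    can type commands and also carries a payload, or claims to be a mouse while
    registering a keyboard, has the shape of the modified mouse; a plain mouse
    or a plain keyboard does not."""
    return {port: found for port, found in device_roles(log).items()
            if "keyboard" in found and found & {"storage", "mouse"}}
```

Treat hits as triage leads rather than verdicts: a wireless receiver legitimately registers a keyboard and a mouse on one port, so a whitelist of known devices belongs in front of this check in practice.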
A piece of advice: think twice before using promotional USB gadgets or USB sticks.
Links:
[1] http://www.securimind.com/node/33
[2] http://securimind.com/node/32
[3] http://blogs.technet.com/b/msrc/archive/2011/02/08/deeper-insight-into-the-security-advisory-967940-update.aspx
[4] http://pentest.snosoft.com/2011/06/24/netragards-hacker-interface-device-hid/
[5] http://www.netragard.com/