This is the second in a series of publications that will explore various aspects of today’s pervasive “Deploy Now, Patch Later” culture and its impact on national security and sector resiliency. Click here to read our first on Mitre’s Deliver Uncompromised proposal.
Every cyber security practitioner has experienced or heard about the malware-laced USB flash drives that past attackers have left in parking lots, passed along at conferences, or otherwise distributed in wide-scale or precision-targeted campaigns. While that risk continues to threaten organizations, an even greater attack vector exists which adversaries can potentially leverage to weaponize USB devices such as chargers, keyboards, and any other system that connects to PCs via USB.
In this paper, entitled “The USB Threat No One is Talking About: Research on Firmware-Based Attacks Reveals the Urgent Need to Improve Supply Chain Security for all USB-Enabled Devices,” ICIT focuses on this underreported threat and highlights research that demonstrates how USB devices can be leveraged to deliver malware using methodologies that do not require flash storage and are significantly more difficult to detect.
The authors of this publication intend to educate readers on the fact that virtually every device with a USB connection can be weaponized and used as an attack vector to infiltrate an organization’s layered defenses. The proffered solution lies in improved supply chain security on the part of manufacturers coupled with awareness and stricter policies by organizations to minimize their risk exposure.