Much of the computer security blogosphere was abuzz last week over NetraGard's clever hack of a client's network using a specially modified Logitech USB mouse. The mouse contained firmware code that automatically launched when the socially engineered user plugged it into his or her computer. The attack code simply dialed home to let NetraGard know it had been successful in penetrating the victim's network. Victory and success!
Many readers were unaware that hardware, especially a mouse, could be used to deliver auto-launching exploit code. But for others, this doesn't come as a surprise.
I developed my first USB virus nearly 7 years ago, when I was working for Foundstone. I figured out I could use hidden desktop.ini files to autolaunch any contained executable. It bypassed autorun- and Autoplay-blocking defense mechanisms. I had discovered that I could do this on a USB key, and my coworker at the time, Aaron Higbee, quickly moved my exploit to USB devices.
In short order, we had built a digital-camera roaming worm as a demo. It was a sweet day for discovery, although we both blew off the real work we'd been hired to do. Luckily, Foundstone was supportive of our efforts and told us to focus on further USB exploits. Ultimately, I was incredibly surprised to see, even heading into this year, USB-infecting vectors remain a major threat (although Microsoft's new default treatment of autorun and Autoplay has significantly diminished that risk).
IT security admins must understand that a computer can be compromised by almost any hardware device plugged into it. Hardware is hardware -- the instructions coded into it and its firmware take precedence over software. When we talk about trust boundaries in computer security, you always have to remember the hardware boundary must be discussed and defended. If I, as the attacker, can convince a victim to plug in some sort of hardware or if I plug it in myself, then it is, for all intents and purposes, game over. If I can plug something into your USB, DMA, FireWire, and now mouse port, I'll likely succeed in carrying off a malicious action.