This content is part of the Essential Guide: How air gap attacks challenge the notion of secure networks

How does USBee turn USB storage devices into covert channels?

USB storage devices can be turned into covert channels with a software tool called USBee. Expert Nick Lewis explains how to protect your enterprise data from this attack.

Researchers have demonstrated a software tool called USBee that can turn unmodified USB storage devices into secret transmitters that can exfiltrate data from otherwise secure, air-gapped systems. How does USBee get around the air gaps and transmit data? And should enterprises start doing away with USB connections to prevent attacks like this?

Many enterprises with high security requirements are very concerned about covert channels. These same organizations may have also banned USB storage devices or disabled USB ports to prevent attack methods like USB Killer or to avoid the use of USB devices to steal passwords. Their caution might be warranted, as researchers from Ben-Gurion University of the Negev in Israel have found a way to create a covert channel using just USB drives.

The researchers found that, when data is written to a USB device, it creates an electromagnetic emission that can be detected and decoded by a nearby receiver. There doesn't need to be malware or a specific driver on the target computer, the USB device just needs to be used as the manufacturer expected. The receiving system must consist of a hardware radio receiver connected to a laptop that uses a software radio to monitor the electromagnetic emission and to decode the binary data.

The risk to enterprises of a USBee attack is minimal, but only further illustrates the threats that are possible via USB connections and covert channels. It is impractical to transmit a large amount of data quickly with USBee, but a small volume of high-value data could be transmitted.

For all but the most sensitive systems and data, the benefits of using USB storage devices outweigh the risk of a USBee attack.

If your enterprise doesn't use USB devices, then disabling or removing USB ports might make sense. However, an advanced persistent threat would still find a way to create a covert channel using one of the other methods mentioned in the researchers' paper, "USBee: Air-Gap Covert-Channel via Electromagnetic Emission from USB."

The most practical defense against this type of attack is strong physical security. However, an enterprise concerned about this specific attack could make it more difficult on threat actors by using multiple USB storage devices simultaneously to create so much electromagnetic noise that the receiving system won't be able to identify the specific targeted data.

Next Steps

Learn how the stealth malware USB Thief infects air-gapped systems

Find out how to prevent cyberattacks via USB ports in healthcare organizations

Discover how remote desktop USB redirection can run more smoothly

This was last published in January 2017

Dig Deeper on Data security and privacy