USB devices have become ubiquitous in our digital infrastructure. From charging our devices to connecting peripherals, the Universal Serial Bus has lived up to its name and become truly universal. This ubiquity, combined with the protocol's trust model (the host believes whatever a device says about itself), creates a significant attack surface that modern enterprises must address. The challenge lies in balancing security with usability: USB ports are a clear security risk, yet they remain essential for daily operations.

This technical deep dive shares insights from my internship at OVH’s Security Operations Center from September 2016 to February 2017, where I was tasked with developing a comprehensive USB port protection solution.

Understanding the USB Protocol

At its core, USB is an asymmetric, host-controlled protocol designed for peripheral communication: the host enumerates a newly connected device, and the device describes itself through descriptors. Those descriptors carry USB class codes, predefined interface types (mass storage, HID, communications, and so on) that tell the host which driver to bind. A crucial security consideration is that the class code is attached to each interface, not to the device as a whole, so a single device can implement multiple classes simultaneously. For instance, a USB printer might implement both the Printer class for output and the Image class for scanning functionality.

This flexibility becomes particularly relevant when considering security implications. The host has no way to verify the capabilities a device reports, so a malicious device can claim any class it chooses, present several classes at once (a storage device that also enumerates as a keyboard), or disconnect and re-enumerate as a different class partway through a session.

The Dual Nature of USB Threats

USB security threats manifest in two distinct domains: physical and logical. Understanding this dichotomy is crucial for implementing effective protection measures.

Physical Layer Attacks

During my internship, the most notable physical threat was the USBKill device. Its operation demonstrates the vulnerability of direct hardware connections: the device rapidly charges internal capacitors from the USB port's power lines, then releases the accumulated charge back into the port at high voltage. This surge typically results in permanent damage to the host's motherboard and attached components. What makes this attack particularly concerning is that it operates entirely at the electrical level, requiring no operating system interaction or software vulnerability; no software control on the host can stop it, which is an argument for putting a separate, expendable machine between untrusted devices and the workstation.

Software-Based Attack Vectors

The software attack surface is largely shaped by the USB class specification, with each class presenting its own attack vectors. The table below outlines the primary classes and their associated security implications:

  Class ID   Description                                     Security Risk
  02h        Communications (CDC: Ethernet adapter, modem)   Rogue network interface, traffic interception and response manipulation
  03h        Human Interface Device (keyboard, mouse)        Keystroke injection with the privileges of the logged-in user
  06h        Image (webcam, scanner)                         Covert image or document capture
  08h        Mass Storage (hard drive, USB drive)            Malware propagation, data exfiltration
  DCh        Diagnostic Device                               Direct hardware manipulation

The full USB class specifications can be found on usb.org.

Real-world tools demonstrate these vulnerabilities. The LAN Turtle and PoisonTap use the Communications class (02h) to present themselves as network adapters, becoming a route for the host's traffic that they can intercept and manipulate. The Rubber Ducky abuses the HID class (03h) by emulating a keyboard and typing commands at machine speed; those commands run with the privileges of whoever is logged in, which on an unlocked administrator session is everything.

Technical Implementation

Our solution, USBleach, centered on the Intel NUC DE3815TYKE, chosen for its balance of performance, connectivity, and cost-effectiveness at approximately €120 per unit. The hardware provides a front-facing USB 3.0 port for user devices and two rear ports for maintenance operations.

The software stack builds upon OpenWrt, specifically leveraging work from OVH's OverTheBox project. We extended the LuCI web interface framework, implementing a Model-View-Controller architecture for USB device management. The system monitors connected devices through Linux's /sys/bus/usb/devices interface, with vendor and product names resolved from the usb.ids database from linux-usb.org.

Security Controls

The system incorporates multiple layers of security:

  1. Device Monitoring: Using Linux’s hotplug subsystem to detect and analyze new USB devices
  2. Malware Detection: ClamAV provides baseline scanning capabilities
  3. Custom Rules: YARA rules enable granular control over file processing
  4. Content Sanitization: DocBleach performs content disarm and reconstruction, stripping active content (macros, embedded objects, scripts) from office and PDF documents rather than trying to decide whether it is malicious

Device Management

The system uses Linux's hotplug mechanism to execute security checks when new USB devices are connected. Device information is collected from /sys/bus/usb/devices, providing details like bDeviceClass, idVendor, and idProduct. One caveat matters in practice: bDeviceClass is 00h for most devices, meaning the class is declared per interface, so a check that only reads the device-level class will wave through a composite device; every interface's bInterfaceClass has to be inspected.
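To make the sysfs check concrete, here is an added example in the shape of an OpenWrt hotplug handler; it is not the USBleach project's own code. It assumes the script is installed under /etc/hotplug.d/usb/ and receives the kernel uevent variables ACTION, DEVTYPE and DEVPATH, that usb.ids is installed at /usr/share/usb.ids, and that the port policy is "Mass Storage interfaces only". The device directories and the usb.ids excerpt it builds are constructed test data. What it adds to the prose is the decision logic: since bDeviceClass is usually 00h, the verdict is taken over every bInterfaceClass, which is exactly where a storage-plus-keyboard composite device gets refused.

```shell
#!/bin/sh
# Added example (not USBleach code): class-allowlist check for a USB device's
# sysfs entry, written as an OpenWrt hotplug handler. Assumptions: installed in
# /etc/hotplug.d/usb/, invoked with uevent variables ACTION/DEVTYPE/DEVPATH,
# usb.ids at /usr/share/usb.ids. Only Mass Storage (08h) is allowed by default.

ALLOWED_CLASSES="${ALLOWED_CLASSES:-08}"
USB_IDS="${USB_IDS:-/usr/share/usb.ids}"   # assumption: install path of usb.ids

# Build a fake sysfs device directory (constructed data) so the logic can run
# without hardware. Real devices live under /sys/bus/usb/devices/<bus>-<port>.
# usage: make_fake_device DIR VID PID DEVCLASS "IFCLASS IFCLASS ..."
make_fake_device() {
    mkdir -p "$1"
    echo "$2" > "$1/idVendor"
    echo "$3" > "$1/idProduct"
    echo "$4" > "$1/bDeviceClass"
    n=0
    for c in $5; do
        mkdir -p "$1/$(basename "$1"):1.$n"          # interface dir, e.g. 1-1:1.0
        echo "$c" > "$1/$(basename "$1"):1.$n/bInterfaceClass"
        n=$((n + 1))
    done
}

# Constructed excerpt in usb.ids format: vendor lines "vvvv  Name",
# product lines tab-indented "pppp  Name". Not the real database.
make_sample_usb_ids() {
    printf '# constructed excerpt, not the real usb.ids\n' > "$1"
    printf '1234  Example Vendor Ltd\n\t0001  Example Flash Drive\n\t0002  Example Drive with Keypad\n' >> "$1"
}

# usb_ids_lookup IDSFILE VID PID -> "Vendor Product" or "unknown VID:PID"
usb_ids_lookup() {
    found=$(awk -v vid="$2" -v pid="$3" '
        /^#/ || /^$/ { next }
        /^[0-9a-f][0-9a-f][0-9a-f][0-9a-f]  / {
            invendor = (substr($0, 1, 4) == vid)
            if (invendor) vendor = substr($0, 7)
            next
        }
        invendor && /^\t[0-9a-f][0-9a-f][0-9a-f][0-9a-f]  / {
            if (substr($0, 2, 4) == pid) { print vendor " " substr($0, 8); exit }
        }' "$1")
    if [ -n "$found" ]; then echo "$found"; else echo "unknown $2:$3"; fi
}

# class_allowed CLASS -> 0 if CLASS (two hex digits) is in ALLOWED_CLASSES
class_allowed() {
    case " $ALLOWED_CLASSES " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# usb_device_allowed DEVDIR -> prints a verdict, returns 0 on allow, 1 on deny.
# bDeviceClass 00 means "class is declared per interface", so every interface
# directory (DEVDIR/<bus>-<port>:<config>.<iface>) is checked; a drive that also
# exposes a HID interface is a composite device and is refused.
usb_device_allowed() {
    devdir="$1"
    if [ ! -r "$devdir/bDeviceClass" ]; then
        echo "deny: $devdir has no bDeviceClass"
        return 1
    fi
    devclass=$(cat "$devdir/bDeviceClass")
    if [ "$devclass" != "00" ] && ! class_allowed "$devclass"; then
        echo "deny: device-level class $devclass not in allowlist"
        return 1
    fi
    ifaces=0
    for intf in "$devdir"/*:*; do
        [ -r "$intf/bInterfaceClass" ] || continue
        ifaces=$((ifaces + 1))
        icls=$(cat "$intf/bInterfaceClass")
        if ! class_allowed "$icls"; then
            echo "deny: interface $(basename "$intf") has class $icls"
            return 1
        fi
    done
    if [ "$ifaces" -eq 0 ]; then
        echo "deny: no interfaces visible in $devdir"
        return 1
    fi
    echo "allow: all $ifaces interface(s) in allowlist"
    return 0
}

# Hotplug entry point (only runs when invoked by the hotplug subsystem).
# With USB_ENFORCE=1, a denied device is dropped by writing 0 to its sysfs
# "authorized" attribute, the kernel's own mechanism for refusing a device.
if [ "${ACTION:-}" = "add" ] && [ "${DEVTYPE:-}" = "usb_device" ]; then
    dev="/sys$DEVPATH"
    echo "usbcheck: $(usb_ids_lookup "$USB_IDS" "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")")"
    if ! usb_device_allowed "$dev" && [ "${USB_ENFORCE:-0}" = "1" ]; then
        echo 0 > "$dev/authorized"
    fi
fi
```

To try it against real hardware, source the file and call usb_device_allowed on an entry such as /sys/bus/usb/devices/1-1. Hubs (class 09h) are refused under the default policy, which is deliberate for a single-purpose front port; add 09 to ALLOWED_CLASSES if chained devices are wanted. Note that a handler running on the add event evaluates the device after it has already enumerated, so on its own this is a detection control; setting authorized_default to 0 on the root hub makes the kernel hold new devices back until a policy decision explicitly authorizes them.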

Market Analysis and Existing Solutions

Our research identified several existing approaches to USB security:

  1. CIRClean, developed by CIRCL, provides an open-source solution using a Raspberry Pi to sanitize files between two USB drives. While thorough, this approach introduces significant operational friction.

  2. Lexsi's USB Malware Cleaner took a different approach with a dedicated kiosk system. The kiosk stands 1.5 metres tall and weighs 75 kilograms, which makes it hard to deploy, and its placement as a publicly accessible machine potentially introduces new attack vectors through physical tampering.

  3. Traditional antivirus solutions, while effective against known malware signatures, provide minimal protection against sophisticated USB-based attacks.

Project Outcomes

The source code for both USBleach and DocBleach was released on GitHub under open-source licenses. While these repositories are now archived, they remain available as reference implementations for organizations facing similar challenges.

Looking Forward

The USB security landscape continues to evolve, with new attack vectors emerging regularly. Future work might explore policy-based device authorization on the host itself (USBGuard, for example, builds on the kernel's USB authorization interface to block devices before a driver binds), hardware-based protection mechanisms, or expanded content sanitization capabilities. As our reliance on USB connectivity grows, so too must our approach to securing these essential interfaces.


This article describes my personal experience during a 6-month security internship at OVH in 2016-2017. Interested in similar opportunities? Check out OVH’s career page for security positions and internships.