The versatility and ubiquity of Universal Serial Bus (USB) devices are vulnerabilities fundamental to the design of USB. Attackers can turn USB devices into effective tools for attacking and controlling a computer or for infecting it with malware. Even “known-good” devices, trusted by the user, can be subverted by an attacker and turned “evil”.
Architecture Technology Corporation’s USB Sentry™ is a cutting-edge, platform-independent hardware firewall for USB that can protect any system against USB-based attacks.
USB Sentry is the only available technology that protects against protocol-level attacks such as BadUSB. Its cutting-edge, patented security technology effectively defends against USB-delivered attacks that cannot yet be prevented by any other approach. USB Sentry can be used on any computer, embedded device, or other host system.
What is USB Sentry?
USB Sentry is a hardware device that is similar to a four-port powered USB hub. A green status LED above each USB Sentry port indicates to the user that a device is connected and operational. If the device plugged into the USB Sentry ever attempts to violate any USB protocol that has been established, or if it exhibits one of the malicious behaviors USB Sentry is designed to protect against, the LED status changes from green to red to alert the user and the device is immediately disconnected.
How Does it Work?
USB Sentry is a hardware device that acts as a combination of a policy-enforcing firewall and USB hub:
- It immediately disconnects any device that attempts to abuse the USB protocol, including the device-emulation attacks demonstrated in BadUSB.
- It protects against protocol violation attacks and data exfiltration by bus snooping.
- It blocks dangerous hybrid devices, such as a combination flash drive and keyboard.
- Finally, it enables system administrators to securely set policies that limit what USB devices can be used on the protected system.
USB Sentry contains a microcontroller and custom security-focused firmware. Like a transparent proxy or network firewall, the microcontroller is a logical barrier between the upstream (host) side and the downstream (device) side of the bus. In normal operation, USB packets are transferred between the host and device sides of the bus transparently, so that the USB device behaves as if USB Sentry were not present. The device’s communications are monitored to ensure that the USB specification is not violated and that the device is not acting maliciously. Any malicious activity causes USB Sentry to immediately disconnect the device from the system.
When a device is connected to a USB Sentry, the USB Sentry determines the identity of the connected device. It uses this information and the established “firewall rules” to determine whether the device is permitted on the system.
What Attacks Does USB Sentry Prevent?
- Device Emulation
  - USB Sentry prevents a device from changing its capabilities while in use. Device emulation is one of the most common protocol-level USB attacks. For example, a flash drive could electrically disconnect from the host computer, reconnect as a keyboard, automatically type commands to install malware or reconfigure the host computer, and then reconnect as a flash drive again.
- Dangerous Hybrid Devices
  - Similar to device emulation, a USB device can initially present itself to the system as a combination of a normal device, such as a flash drive, and a malicious device, such as a fake keyboard. The BadUSB research showed that such devices can be created from common, trusted flash drives by using malware to reprogram the flash drive’s firmware. USB Sentry blocks such hybrid devices.
- Protocol Violations
  - USB Sentry strictly enforces the USB protocol, disabling devices that violate it.
- Bus Snooping
  - USB devices can observe data that is being transmitted to other USB devices on the bus. For example, a malicious keyboard could record and then later export the contents of files being copied to an encrypted flash drive. USB Sentry transparently drops all packets addressed to other devices, preventing the device connected to USB Sentry from snooping on other devices’ communications. Each port on the USB Sentry has a separate firewall microcontroller, so devices connected to USB Sentry cannot see one another’s traffic.
- Electrical Attacks
  - USB Sentry prevents malicious or malfunctioning devices from causing electrical damage to the host computer.
- Unauthorized Devices
  - USB Sentry uses customizable firewall rules to determine whether a connected USB device is allowed to communicate with the host computer. This enables system administrators to restrict users to a set of trusted devices and enforce device policies.
- Re-Enumeration Attacks
  - USB devices can circumvent device policies or search for exploitable device drivers by rapidly disconnecting and reconnecting using different device identities. USB Sentry prevents devices from re-enumerating.
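As an added illustration of the hybrid-device and protocol-violation checks described above (this is not USB Sentry's firmware, whose rules are not published on this page), a firewall can walk the configuration descriptor a device reports and refuse one that combines mass-storage and HID interfaces or carries inconsistent lengths. The function name, verdict values and both descriptor samples are constructed for this example; the class codes 0x03 (HID) and 0x08 (mass storage) are the standard USB ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define DT_CONFIG      0x02
#define DT_INTERFACE   0x04
#define CLASS_HID      0x03   /* keyboards, mice */
#define CLASS_STORAGE  0x08   /* flash drives */
enum verdict { ALLOW, BLOCK_HYBRID, BLOCK_MALFORMED };

/* Constructed sample: flash drive with one mass-storage interface. */
static const uint8_t FLASH[] = {
    9, DT_CONFIG, 32, 0, 1, 1, 0, 0x80, 50,
    9, DT_INTERFACE, 0, 0, 2, CLASS_STORAGE, 0x06, 0x50, 0,
    7, 0x05, 0x81, 0x02, 0, 2, 0,  7, 0x05, 0x02, 0x02, 0, 2, 0 };

/* Constructed sample: the same drive plus a boot-keyboard HID interface. */
static const uint8_t HYBRID[] = {
    9, DT_CONFIG, 57, 0, 2, 1, 0, 0x80, 50,
    9, DT_INTERFACE, 0, 0, 2, CLASS_STORAGE, 0x06, 0x50, 0,
    7, 0x05, 0x81, 0x02, 0, 2, 0,  7, 0x05, 0x02, 0x02, 0, 2, 0,
    9, DT_INTERFACE, 1, 0, 1, CLASS_HID, 0x01, 0x01, 0,
    9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0,
    7, 0x05, 0x83, 0x03, 8, 0, 10 };

/* Walk every descriptor in the blob; reject bad lengths, flag storage+HID. */
enum verdict check_config(const uint8_t *buf, size_t len)
{
    int hid = 0, storage = 0;
    if (len < 9 || buf[0] != 9 || buf[1] != DT_CONFIG ||
        (size_t)(buf[2] | (buf[3] << 8)) != len)  /* wTotalLength must match */
        return BLOCK_MALFORMED;
    for (size_t off = 0; off < len; off += buf[off]) {
        if (len - off < 2 || buf[off] < 2 || (size_t)buf[off] > len - off)
            return BLOCK_MALFORMED;       /* truncated or zero-length entry */
        if (buf[off + 1] == DT_INTERFACE) {
            if (buf[off] < 9) return BLOCK_MALFORMED;
            hid     |= buf[off + 5] == CLASS_HID;      /* bInterfaceClass */
            storage |= buf[off + 5] == CLASS_STORAGE;
        }
    }
    return (hid && storage) ? BLOCK_HYBRID : ALLOW;
}

int main(void)
{
    int a = check_config(FLASH, sizeof FLASH), b = check_config(HYBRID, sizeof HYBRID);
    printf("flash=%d hybrid=%d\n", a, b);
    return 0;
}
```

A descriptor-only check like this cannot catch a device that re-enumerates with a different identity later, which is why the page lists device emulation and re-enumeration as separate protections.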
Contact Us to Learn More about USB Sentry
Marshall Graham, Managing Partner
Indian River Advisors, LLC