
Why USB Authentication Keys and Tokens are a Bad Idea

01/04/2015


For many years, data security experts have been campaigning to convince companies not to allow their employees to connect USB sticks or other peripheral USB devices to enterprise computers. Now, however, they are faced with an alarming trend that threatens to undo all of those efforts and heighten the risks of viruses and malware that can lead to costly breaches of confidential company data.

With the widespread adoption of mobile technologies such as smartphones and tablets, companies are already struggling with the trend of ‘bring your own device’ (BYOD), which has resulted in huge numbers of employees bringing mobile devices into the workplace and potentially connecting them to enterprise computers via USB. This is one of the reasons why some companies have chosen to install computer systems without USB ports, to prevent this kind of connectivity.

However, a more recent development is the move by some companies toward USB keys or tokens that provide authentication security for enterprise user accounts on websites, software, systems, and networks. Rather than discouraging USB connectivity because of the risks it creates, some companies, including tech industry leaders like Google, are embracing vulnerable USB technology in a misguided effort to boost security. If it sounds counter-intuitive and potentially self-defeating, that is because it is.

Take Google’s recent integration of the Universal 2nd Factor (U2F) standard as an example. Google’s adoption of this technology for authentication security enables physical user verification for Gmail and other Google services by using a USB key or token as a second authentication factor.

When applied, the U2F standard ensures that two-factor authentication is used for login security by requiring both a knowledge factor (password) and a possession factor (USB key or token) in order to authenticate access to a secured account or service. The token also binds each signature to the origin of the site requesting it, so a key registered with the legitimate site produces nothing usable when a look-alike phishing site asks for a login.
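To make that origin binding concrete, here is a compact model of the U2F authentication exchange in Go. It is an added example written for this page, not code from Google, the FIDO Alliance or SecSign. The signed message layout (application parameter, user-presence byte, four-byte counter, challenge parameter) follows the U2F raw message format; the app ID, the "origin|challenge" encoding of the client data, the in-memory key store and the look-alike phishing origin are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Token models a U2F key: one P-256 key pair per application parameter (SHA-256 of the app ID) and a counter.
type Token struct {
	keys    map[[32]byte]*ecdsa.PrivateKey
	counter uint32
}

// RelyingParty is the site: the public key stored at registration, the last counter seen, the open challenge.
type RelyingParty struct {
	AppID   string
	pub     *ecdsa.PublicKey
	counter uint32
	pending string
}

// signedMessage is the U2F authentication message: application parameter || user-presence
// byte (1: the user touched the token) || 4-byte big-endian counter || challenge parameter.
func signedMessage(appParam [32]byte, counter uint32, challengeParam [32]byte) []byte {
	msg := append(appParam[:], 1, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(msg[33:], counter)
	return append(msg, challengeParam[:]...)
}

// Authenticate signs for the application parameter the browser derived from the origin it is really
// on. A look-alike phishing origin hashes to a parameter the token never registered, so it refuses.
func (t *Token) Authenticate(appParam [32]byte, clientData []byte) (counter uint32, sig []byte, err error) {
	priv, ok := t.keys[appParam]
	if !ok {
		return 0, nil, fmt.Errorf("token: no key registered for this application parameter")
	}
	t.counter++
	digest := sha256.Sum256(signedMessage(appParam, t.counter, sha256.Sum256(clientData)))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return t.counter, sig, err
}

// Verify checks the origin and challenge the browser recorded, then the counter, then the signature.
// clientData is modelled as "origin|challenge"; real U2F hashes a JSON object carrying the same fields.
func (rp *RelyingParty) Verify(clientData []byte, counter uint32, sig []byte) error {
	origin, challenge, _ := strings.Cut(string(clientData), "|")
	if origin != rp.AppID {
		return fmt.Errorf("origin %q is not %q", origin, rp.AppID)
	}
	if rp.pending == "" || challenge != rp.pending {
		return fmt.Errorf("stale or unknown challenge")
	}
	if counter <= rp.counter {
		return fmt.Errorf("counter did not increase: replayed assertion or cloned token")
	}
	appParam := sha256.Sum256([]byte(rp.AppID))
	digest := sha256.Sum256(signedMessage(appParam, counter, sha256.Sum256(clientData)))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify")
	}
	rp.counter, rp.pending = counter, ""
	return nil
}

// Login runs one round trip with the user's browser sitting on browserOrigin: the site issues a
// challenge, the browser binds it to the origin it is really on, the token signs, the site verifies.
func Login(rp *RelyingParty, tok *Token, browserOrigin string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	rp.pending = fmt.Sprintf("%x", raw)
	clientData := []byte(browserOrigin + "|" + rp.pending)
	counter, sig, err := tok.Authenticate(sha256.Sum256([]byte(browserOrigin)), clientData)
	if err != nil {
		return err
	}
	return rp.Verify(clientData, counter, sig)
}

// Setup performs registration: one fresh key pair bound to one site (the app ID is a made-up example).
func Setup() (*RelyingParty, *Token, error) {
	rp := &RelyingParty{AppID: "https://accounts.example.com"}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rp.pub = &priv.PublicKey
	tok := &Token{keys: map[[32]byte]*ecdsa.PrivateKey{sha256.Sum256([]byte(rp.AppID)): priv}}
	return rp, tok, nil
}

func main() {
	rp, tok, _ := Setup()
	fmt.Println("genuine site:  ", Login(rp, tok, rp.AppID))
	fmt.Println("phishing relay:", Login(rp, tok, "https://accounts-examp1e.com"))
	// An attacker who copied the key material but not the live counter: the site sees it go backwards.
	fmt.Println("cloned token:  ", Login(rp, &Token{keys: tok.keys}, rp.AppID))
}
```

The first login succeeds; the second fails inside the token because the browser, not the page, supplies the origin that becomes the application parameter; the third fails at the site because the counter did not advance. Note what the model does not address: the password that U2F still requires as the first factor is outside this exchange entirely, which is the point Goossens makes below.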

But Falk Goossens, CTO of SecSign Technologies, is quick to point out two fundamental flaws with using USB technology for authentication security.

“Using the U2F standard or any security scheme that requires USB keys or tokens is a bad idea,” Goossens says.

“USB authentication technologies, like those using the U2F standard, continue to rely on passwords as part of the authentication process, which is very dangerous and completely obsolete for data security. If you use a technology that still requires an ID and password combination for the login process—even with a required USB device as a second authentication factor—you are still inviting attacks on your login server, and your first authentication factor is still a prime target for attackers.”

According to Goossens, even with USB authentication requirements, cybercriminals can still use phishing, malware, and man-in-the-middle attacks to steal the other, sensitive login credentials during entry or in transit.

“Even if they can’t complete the second authentication requirement due to your USB security, attackers still have every reason to try and steal the ID and password combination, which could give them access to other services where those credentials are used.”

However, Goossens also points out that the problems with USB authentication extend beyond the use of passwords. There are numerous additional risks introduced by the use of USB keys or tokens that extend far beyond user logins and into major threats to personal and enterprise data security.


Firmware Vulnerability Poses Huge Risks for USB Device Security

Recently, researchers showed that the firmware of many USB controller chips can be rewritten without any authentication, which allows an attacker to reprogram a device and take control of how it presents itself to the host computer.

As CBS News reported in July 2014, Karsten Nohl and Jakob Lell of the security firm Security Research Labs discovered that this firmware vulnerability, which they named BadUSB, could allow USB devices to be reprogrammed to steal the contents of anything written to the drives and spread malicious code to any PC that these devices touch.

Much like self-replicating computer viruses that once spread through the insertion of floppy disks into disk drives in the past, USB malware can potentially infect systems and easily replicate itself and spread to other devices.


Nohl and Lell identified several ways that infected USB devices can behave maliciously.


  1. A USB device can emulate a keyboard and issue its own commands, including instructions to install malware or steal files
  2. A USB device can pretend to be a network card and change a computer’s domain name system setting, which can secretly redirect your web browsing traffic
  3. A USB device can install malicious code that acts as a man-in-the-middle and secretly spies on communications as it relays them from a compromised machine
  4. A USB thumb drive or external hard disk can infect connected computers at bootup, before antivirus tools can detect it and intervene


Beyond these issues, USB is highly vulnerable because an otherwise ‘clean’ and uninfected USB device can potentially become infected by being connected to a computer that has been compromised by malware. So, even if a USB device’s firmware is intact, it can potentially be overwritten without the user’s knowledge, and the user may unwittingly connect that device to additional systems which can subsequently be compromised.

These dangers are underscored by the fact that they are essentially undetectable. As Nohl and Lell have warned, the USB specification does not require device firmware to be digitally signed, and there is no process in place to check or confirm authenticity when a device's firmware is flashed. And, since the change lives in the controller firmware rather than in the device's storage, antivirus and malware scans of the drive's contents cannot detect it.
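The reflashed firmware itself is invisible to the host, but the behaviours in the list above are not: a thumb drive that also enumerates as a keyboard or a network adapter shows up in the kernel's device messages. The following Go program is an added example written for this page, not part of Nohl and Lell's research or any SRLabs tool: it correlates Linux kernel log lines per USB port and flags any device that offers mass storage together with a keyboard or network interface. The log lines are constructed to match the kernel's usual message formats (the "usb N-M: New USB device found", "usb-storage", "input:" and "hid-generic" lines); the device names, IDs and the heuristic itself are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed kernel log, not captured from a real machine. Port 1-1 is an ordinary thumb drive,
// 1-3 an ordinary keyboard, and 1-2 a "thumb drive" whose firmware also enumerates a HID keyboard.
const sampleLog = `usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: Product: Cruzer Blade
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-3: Product: USB Keyboard
input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:046D:C31C.0001/input/input10
hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-3/input0
usb 1-2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-2: Product: Cruzer Blade
usb-storage 1-2:1.0: USB Mass Storage device detected
input: Cruzer Blade as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:0781:5567.0002/input/input11
hid-generic 0003:0781:5567.0002: input,hidraw1: USB HID v1.11 Keyboard [Cruzer Blade] on usb-0000:00:14.0-2/input1`

var (
	reNew     = regexp.MustCompile(`^usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})`)
	reStorage = regexp.MustCompile(`^usb-storage (\S+):\d+\.\d+: USB Mass Storage device detected`)
	reNet     = regexp.MustCompile(`^(?:cdc_ether|cdc_ncm|rndis_host) (\S+):\d+\.\d+ \S+: register`)
	reInput   = regexp.MustCompile(`^input: .* as /devices/.*/([0-9][0-9.-]*):\d+\.\d+/([0-9A-F]{4}:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4})/input/`)
	reHID     = regexp.MustCompile(`^hid-generic (\S+): .*USB HID v[\d.]+ (\w+) `)
)

// Device is what the kernel reported for one physical port.
type Device struct {
	Port   string          // e.g. "1-2": bus 1, port 2
	VidPid string          // e.g. "0781:5567"
	Roles  map[string]bool // "storage", "keyboard", "mouse", "network", ...
}

// Analyze correlates the messages per port and returns every device offering mass storage together
// with a keyboard or a network interface. Interface roles name the port directly; a HID role names a
// HID id that the preceding "input:" line ties to a port, so HID roles are joined after the first pass.
func Analyze(kernelLog string) []*Device {
	devices := map[string]*Device{}
	dev := func(port string) *Device {
		if devices[port] == nil {
			devices[port] = &Device{Port: port, Roles: map[string]bool{}}
		}
		return devices[port]
	}
	hidPort := map[string]string{} // HID id -> port
	var hidRoles [][2]string       // (HID id, role)
	for _, line := range strings.Split(kernelLog, "\n") {
		switch {
		case reNew.MatchString(line):
			m := reNew.FindStringSubmatch(line)
			dev(m[1]).VidPid = m[2] + ":" + m[3]
		case reStorage.MatchString(line):
			dev(reStorage.FindStringSubmatch(line)[1]).Roles["storage"] = true
		case reNet.MatchString(line):
			dev(reNet.FindStringSubmatch(line)[1]).Roles["network"] = true
		case reInput.MatchString(line):
			m := reInput.FindStringSubmatch(line)
			hidPort[m[2]] = m[1]
		case reHID.MatchString(line):
			m := reHID.FindStringSubmatch(line)
			hidRoles = append(hidRoles, [2]string{m[1], strings.ToLower(m[2])})
		}
	}
	for _, hr := range hidRoles {
		if port, ok := hidPort[hr[0]]; ok {
			dev(port).Roles[hr[1]] = true
		}
	}
	var out []*Device
	for _, d := range devices {
		if d.Roles["storage"] && (d.Roles["keyboard"] || d.Roles["network"]) {
			out = append(out, d)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Port < out[j].Port })
	return out
}

func main() {
	for _, d := range Analyze(sampleLog) {
		fmt.Printf("suspicious device on port %s (%s): roles %v\n", d.Port, d.VidPid, d.Roles)
	}
}
```

On the sample only port 1-2 is reported, even though it carries the same vendor and product IDs as the clean drive on 1-1; identity strings prove nothing here, the combination of roles does. Treat a hit as an alert to review rather than proof of compromise, since legitimate composite devices (a keyboard with a built-in card reader, for instance) exist, and remember that this only catches the behaviour once the device is already plugged in.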

Of course, some USB devices do not have reprogrammable firmware, so not every device may be vulnerable in this way. However, users are ultimately at the mercy of manufacturers. While some do not use reprogrammable firmware, it’s always technically possible for malicious code to be injected into USB devices at the manufacturing stage.

Moreover, the potential risks of USB technology are not limited to firmware vulnerabilities. The mere use and availability of USB connections and devices poses similar, disturbing data security risks.


Understanding the Security Risks of USB Connections

Recently, computer hacker and security researcher Samy Kamkar created a project called USBdriveby, which uses a simple USB microcontroller to exploit systems’ blind trust in USB devices and perform a number of malicious operations.

According to Kamkar, “a $20 Teensy microcontroller can evade various security settings on a real system, open a permanent backdoor, disable a firewall, control the flow of network traffic, and all within a few seconds and permanently, even after the device has been removed.”

Kamkar demonstrates the USB exploit and provides a proof of concept and a walkthrough of the required code on his web page dedicated to the project. He reports that both Windows and OS X systems can be compromised, which highlights the troubling and universal risks that the use of USB technology creates.

Of course, the risks of using USB devices can also be simpler and more mundane but no less threatening to individual privacy or enterprise data security.

As USB drives and devices have grown in popularity, so have the incidents of people forgetting them and leaving them behind. According to a reported survey from Credant Technologies, a data security firm, “British dry cleaners found an estimated 9,000 forgotten USB memory sticks in people’s pants pockets in 2008. And more than 12,500 handheld devices, including USB drives, are left behind in London and New York City taxi cabs every six months.”

These shocking numbers of incidents indicate that carelessness is a human factor that can potentially undo any amount of USB device security. A failure to keep devices secure and in a user’s safe possession means that confidential contents or a USB key can easily be stolen and used by virtually anyone.

Even if a user never forgets or leaves behind a USB key or token, the mere act of connecting it to a machine can potentially lead to malware infection and a data security breach. This is why experts like the United States Computer Emergency Readiness Team (US-CERT) recommend that users never connect USB devices to untrustworthy machines like public computer kiosks and never connect them to home or enterprise systems unless they know and trust every connection that the device has ever made.


Why Public Key Cryptography is the Safer Alternative to USB Authentication

Ultimately, to ensure the strongest possible authentication security, Goossens says that the best approach is to require two-factor authentication without USB keys or tokens.

“Secure authentication requires removing passwords from the entire process and using truly strong cryptography that is built from the ground up to address all of the flaws of USB and other outdated security solutions.”

According to Goossens, an ideal way to do this is through public key cryptography, which replaces a USB key or token with a 2048-bit private key that is stored, encrypted, on the user’s mobile device. This lets a secured service require a second, possession-based factor that is physically separated from the login process, so the private key is never entered into, or transmitted through, the login flow where hacking, phishing, or malware could capture it.

It also avoids the risks introduced by USB keys or tokens because there is no requirement that the mobile device be connected to a computer in order to verify identity, and a patented mechanism protects the private key from brute force attack, even if the mobile device is lost or stolen.

Importantly, there is no password or any sensitive credential that must be entered through the login mechanism, transmitted to a server, or stored on a server for the purpose of verifying identity.

Identity verification occurs solely on the mobile device with the entry of a simple 4-digit PIN or fingerprint scan provided by the user. Final verification is provided by confirming a visual access symbol that matches one shown on the login screen of the secured service.

This out-of-band authentication process leaves attackers nothing to steal during entry, transmission, or storage: no password or other reusable credential passes through the login form or is kept on the server. Consequently, logins and servers using public key cryptography offer attackers far less incentive to target them.

“Quite simply,” Goossens says, “there is no better way to protect your user logins and confidential data. It removes the vulnerable mechanisms, processes, and credentials that enable attacks against user logins, and it guarantees that your user accounts cannot be compromised.”


Free Expert Advice on Authentication Security

To get a free consultation on integrating advanced login security for your websites, applications, services, or networks, visit the Contact page on the SecSign Technologies website. And to learn more about secure authentication with public key cryptography, visit the SecSign Technologies website to watch an introductory video and learn more details about the SecSign ID approach to login and authentication security.


About SecSign Technologies

SecSign Technologies is a sister company of SecCommerce Informationssysteme GmbH, a pioneer of cryptography solutions with more than 16 years of experience in developing public key infrastructure (PKI), electronic signature, and smart card technologies. SecSign’s security experts and cryptography engineers have developed, deployed, and maintained systems that have successfully protected confidential business data and user access for numerous major corporations, including IBM, Siemens, Johnson & Johnson, Fujitsu, T-Systems, BMW, and Audi.

