Security Risks of USB Ports on Embedded Devices

A recent BBC article explained how USB devices can be used for malicious purposes without the user opening an infected file on a USB flash drive, for example. In fact, the USB device doesn’t have to be a USB flash drive at all. It could be a smart phone or even a USB light or fan. The article and associated videos explain how the USB device can spoof being a network card and steal username and password data when it unknowingly takes a user to a legitimate looking site that is set up to harvest this data.

While the article focused on risks to personal computer users, there are likely parallel risks to embedded computers. Instead of stealing usernames and passwords, this technique could be used for cyber-terrorism or cyber-warfare. A now famous attack, mentioned in the article, was the Stuxnet computer worm. The Stuxnet worm was designed to attack programmable logic controllers (PLCs), automation equipment that is commonly used in manufacturing. In 2010, it reportedly destroyed several of Iran’s uranium-enrichment centrifuges that were controlled by PLCs. A USB flash drive is credited with delivering the Stuxnet worm to a PC on the same network as a PC running automation software that could control the PLCs controlling the centrifuges. For more information on the Stuxnet worm and the attack on Iran’s uranium enrichment program, read The Real Story of Stuxnet on the IEEE website.

So how can designers of embedded systems eliminate or limit their exposure to these types of attacks that come through USB ports? The most obvious solution is to eliminate USB ports from the design, but that might not be practical for some applications. You may be able to limit support to just those classes of USB devices that your product needs to support, but your operating system may support many by default. Some of our Datakey customers who need USB flash drive functionality, but don’t want to open their systems up to the huge world of devices that can plug into a USB Type A socket, have integrated our RUGGEDrive™ system. The UFX RUGGEDrive™ memory token functions just like a USB flash drive, but uses Datakey’s proprietary SlimLine™ contact system rather than the familiar USB Type A nose found on traditional consumer flash drives. Their embedded device uses a SlimLine™ receptacle rather than a USB connector. This elegantly simple solution means that only the approved memory devices can plug into the port. There are no USB connectors, so non-authorized, non-trusted USB devices have no place to plug in. For more information on our RUGGEDrive™ product line, visit our RUGGEDrive product page or contact us to speak to one of our Datakey product specialists.

Paul Plitzuweit
Senior Product Manager - Datakey, ATEK Access Technologies, LLC