USBCaptchaIn: Preventing (Un)Conventional Attacks from Promiscuously Used USB Devices in Industrial Control Systems

TL;DR

USBCaptchaIn is a hardware solution designed to enable safe, promiscuous use of USB thumb drives in industrial control systems by blocking malware and BadUSB attacks without user intervention.

Contribution

The paper introduces USBCaptchaIn, a hardware device that secures USB usage in ICS environments without requiring user changes or decisions, effectively preventing malware spread.

Findings

Prototypes received positive expert feedback.

The approach blocks malware before reaching critical systems.

Compatible with existing ICS products.

Abstract

Industrial Control Systems (ICS) are sensible targets for high profile attackers and advanced persistent threats, which are known to exploit USB thumb drives as an effective spreading vector. In ICSes, thumb drives are widely used to transfer files among disconnected systems and represent a serious security risks, since, they may be promiscuously used in both critical and regular systems. The threats come both from malware hidden in files stored in the thumb drives and from BadUSB attacks [16]. BadUSB leverages the modification of firmware of USB devices in order to mimic the behaviour of a keyboard and send malicious commands to the host. We present a solution that allows a promiscuous use of USB thumbs drives while protecting critical machines from malware, that spread by regular file infection or by firmware infection. The main component of the architecture we propose is an hardware, called USBCaptchaIn, intended to be in the middle between a critical machine and all USB devices. We do not require users to change the way they use thumb drives. To avoid human-errors, we do not require users to take any decision. The proposed approach is highly compatible with already deployed products of a ICS environment and proactively blocks malware before they reach their targets. We describe our solution, provide a thorough analysis of the security of our approach in the ICS context, and report the informal feedback of some experts regarding our first prototypes.