
No one, not even the Secret Service, should randomly plug in a strange USB stick - MagicPropmaker
https://techcrunch.com/2019/04/08/secret-service-mar-a-lago/
======
jimrandomh
It's a severe discredit to the major operating system vendors that plugging in
a USB stick can still compromise a system.

If a USB device identifies itself as a keyboard, the system shouldn't accept
its keystrokes until that keyboard has typed the user's login password (EDIT:
or the user explicitly authorizes the device using a different keyboard). If
it identifies itself as a storage device, the filesystem driver should be
hardened. If it identifies itself as an obscure 90s printer with a buggy
driver written in C, it should prompt the user to confirm the device type
before it loads the driver.

It's 2019. Why the f___ haven't Windows, MacOS and Linux all implemented
these basic precautions?

~~~
bdamm
Recently I tried out some USB temperature sensors. They present as both a
proprietary temperature sensor and also as a USB keyboard. In the event you
don't have a driver for the sensor, you can still get your readings by
_toggling the caps lock_ which sends a "turn on caps lock lamp" signal to the
"keyboard", which responds by "typing" the temperature data.

I'd rather this device presented itself as a drive containing various virtual
files that contain temperature data in them, but the cat's out of the bag, so
to speak.

~~~
netsharc
The keyboard trick is quite a hack, but creative. At the same time afaik most
barcode scanners also act as keyboards, you scan a number, it "types in" those
numbers.

I can't see how the filesystem hack would work, if the OS has the drive
mounted, it would cache files in memory, and not notice the file contents
changing. You can't even modify the metadata, because most of that might also
be in memory.

~~~
daigoba66
Before chip embedded credit/debit cards were prevalent, most magnetic strip
reader (MSR) peripherals would often operate as a USB keyboard. It allows them
to work with web app based POS systems without requiring things like ActiveX.

~~~
mleo
Same but different... I was working to get a Hotel property management web
application running on iPad so host could check in people away from desk. The
web application supported MSR swipe keyboard entry, but you can’t plug in a
generic USB MSR device into iPad. I wrote a custom iOS keyboard that
interfaces with lightning MSR and its API and then “typed” the characters into
Safari. It was nice to be able to use generic Safari and not some App wrapper.
And it wasn’t too difficult on host to change keyboards to swipe.

------
skywhopper
_it immediately began to install files, a “very out-of-the-ordinary” event
that he had never seen happen before during this kind of analysis. The agent
had to immediately stop the analysis to halt any further corruption of his
computer_

This makes it sound like plugging USB sticks guests are carrying into a
computer is standard procedure for the Secret Service. That might make sense
if they have some sandboxed computer designed for this purpose, as suggested
by other commenters. But then the rest of the quote makes it sound like the
agents were unprepared for files to be copied and they panicked and aborted
the "analysis" to prevent "corruption". Which makes it sound like, no, they
just plug it into their own computers...

~~~
bdamm
The Secret Service as an organization has sophisticated cyber capabilities.
That a specific agent within the president's detail didn't is less surprising.
Still, I'd expect more from the organization, and I bet that the specific
agents involved are getting disciplined and trained.

~~~
lvs
Well, the head of USSS was fired today. Unclear if it's related.

~~~
sehugg
I'm of the opinion that a POTUS that carries an unsecured iPhone against the
recommendations of his staff (and overrules their security clearance decisions
for his son-in-law) isn't going to fire anyone due to quibbles over OPSEC.

~~~
lvs
Generally agree. One thing can nevertheless be used as an excuse for the
others, as certain little aides carry out their certain little agendas.

------
rblatz
_Williams said the best way to forensically examine a suspect USB drive is by
plugging the device into an isolated Linux-based computer that doesn’t
automatically mount the drive to the operating system.

“We would then create a forensic image of the USB and extract any malware for
analysis in the lab,” he said. “While there is still a very small risk that
the malware targets Linux, that’s not the normal case.”_

That's an ok start, but you not only want to prevent it from auto-mounting the
filesystem, you want it to not even auto-configure any USB HIDs presented to
the OS. And even then that may not be enough if there are flaws deep in the
usb stack that are being exploited. Ideally you'd have an analyzer in the
middle that records everything and allows analysis later, think Wireshark or
Fiddler.

~~~
AlphaWeaver
For people unfamiliar with this strategy, check out a commercialized version,
the USB Rubber Ducky.

https://shop.hak5.org/products/usb-rubber-ducky-deluxe

~~~
kweks
Or the USBNinja that crams that functionality into a cable identical to major
vendors, and is triggerable up to 100m away via Bluetooth....
https://lab401.com/products/usbninja

~~~
tedmiston
That is terrifying

------
steven777400
I don't know much about this case but depending on the level of concern, even
just plugging the device into a safe, isolated machine and performing an image
may be insufficient.

You could imagine a USB device that presented as a harmless file store unless
certain conditions were detected, in which case the device could re-present as
a keyboard (providing pre-programmed keystrokes) or potentially a bluetooth or
wireless network receiver that could log or analyze traffic to a hidden
partition.

I think the question of how to safely analyze suspect USB devices, at the
level of potential nation-state actors, needs a lot more consideration and
probably some custom tooling.

~~~
jakeinspace
I can't think of many things more fun than coming up with some clever USB
descriptor hacks to allow an innocuous drive full of pictures of grandchildren
to carefully switch into an HID device when it thinks the coast is clear. I
have to imagine there's a lot of little tricks you could implement which would
be difficult to trigger in a sandbox and might require dumping the EEPROM (if
that's possible).

~~~
j16sdiz
There are quite a few usb descriptor related exploits.

e.g.
https://www.cvedetails.com/cve/CVE-2013-3200/
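
The descriptor tricks steven777400 and jakeinspace describe, and the descriptor-parsing bugs j16sdiz points to, both come down to what a device claims in its configuration descriptor. The following is an added example, not code from this thread or from any tool mentioned in it: a hardened parser for a USB configuration descriptor that lists the interfaces a device declares, flags classes a plain thumb drive should never expose (HID, CDC network, wireless controller, vendor-specific), and diffs two enumerations so a device that came up as storage and later re-enumerated with a keyboard interface stands out. Every bLength is checked against the remaining buffer before it is trusted, which is the check a descriptor-parsing bug of the CVE-2013-3200 kind lacks. The descriptor bytes are constructed for the example (a mass-storage interface alone, the same device plus a HID boot keyboard, and one whose bLength overruns the buffer); the class-code table is the USB-IF one.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_HID = 0x21
# USB-IF interface class codes (bInterfaceClass)
CLASS_NAMES = {
    0x01: "audio", 0x02: "cdc-control", 0x03: "hid", 0x07: "printer",
    0x08: "mass-storage", 0x09: "hub", 0x0A: "cdc-data", 0x0E: "video",
    0xE0: "wireless-controller", 0xFF: "vendor-specific",
}
# Classes a thumb drive has no business exposing: they let the device type,
# join the host's network, or pull in a vendor driver instead of the storage stack.
RISKY_CLASSES = {0x03, 0x02, 0x0A, 0xE0, 0xFF}

class DescriptorError(ValueError):
    """Raised when descriptor lengths do not add up."""

@dataclass(frozen=True)
class Interface:
    number: int
    alt: int
    cls: int
    subcls: int
    proto: int
    endpoints: int

def iter_descriptors(buf: bytes):
    """Yield (bDescriptorType, raw descriptor) for each descriptor in buf.
    A bLength that runs past the end, or a bLength of 0 that never advances,
    is rejected before anything is read through it."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise DescriptorError(f"truncated descriptor header at offset {off}")
        blen, dtype = buf[off], buf[off + 1]
        if blen < 2:
            raise DescriptorError(f"bLength {blen} < 2 at offset {off}")
        if off + blen > len(buf):
            raise DescriptorError(f"descriptor at {off} claims {blen} bytes, {len(buf) - off} remain")
        yield dtype, buf[off:off + blen]
        off += blen

def parse_configuration(buf: bytes) -> list[Interface]:
    """Return the interfaces declared inside one full configuration descriptor."""
    descs = iter_descriptors(buf)
    dtype, cfg = next(descs, (None, b""))
    if dtype != DT_CONFIGURATION or len(cfg) < 9:
        raise DescriptorError("buffer does not start with a configuration descriptor")
    total = struct.unpack_from("<H", cfg, 2)[0]          # wTotalLength
    if total != len(buf):
        raise DescriptorError(f"wTotalLength {total} != {len(buf)} bytes supplied")
    interfaces = []
    for dtype, body in descs:
        if dtype == DT_INTERFACE:
            if len(body) < 9:
                raise DescriptorError("interface descriptor shorter than 9 bytes")
            interfaces.append(Interface(number=body[2], alt=body[3], cls=body[5],
                                        subcls=body[6], proto=body[7], endpoints=body[4]))
        # endpoint, HID and other class-specific descriptors are length-checked but not interpreted
    return interfaces

def risky_interfaces(interfaces: list[Interface]) -> list[Interface]:
    """Interfaces a storage device should not be presenting."""
    return [i for i in interfaces if i.cls in RISKY_CLASSES]

def compare_enumerations(before: list[Interface], after: list[Interface]) -> list[int]:
    """Interface classes present only after a re-enumeration."""
    return sorted({i.cls for i in after} - {i.cls for i in before})

# --- constructed sample descriptors for this example, not captured from a real device ---
def interface_desc(num, cls, sub, proto, n_ep):
    return bytes([9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])

def endpoint_desc(addr, attrs, max_packet, interval):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, max_packet, interval)

def config_desc(*blocks: bytes, n_ifaces: int) -> bytes:
    body = b"".join(blocks)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

STORAGE = (interface_desc(0, 0x08, 0x06, 0x50, 2),   # mass storage, SCSI transparent, bulk-only
           endpoint_desc(0x81, 0x02, 512, 0), endpoint_desc(0x02, 0x02, 512, 0))  # bulk IN, bulk OUT
KEYBOARD = (interface_desc(1, 0x03, 0x01, 0x01, 1),  # HID, boot interface, keyboard
            bytes([9, DT_HID, 0x11, 0x01, 0, 1, 0x22, 63, 0]),  # HID descriptor, 63-byte report descriptor
            endpoint_desc(0x83, 0x03, 8, 10))         # interrupt IN
STORAGE_ONLY = config_desc(*STORAGE, n_ifaces=1)
STORAGE_PLUS_KEYBOARD = config_desc(*STORAGE, *KEYBOARD, n_ifaces=2)
# an interface descriptor whose bLength (0x40) points past the end of the buffer
OVERRUN = config_desc(bytes([0x40, DT_INTERFACE, 0, 0, 0, 0, 0, 0, 0]), n_ifaces=1)

if __name__ == "__main__":
    after = parse_configuration(STORAGE_PLUS_KEYBOARD)
    print("risky:", risky_interfaces(after))
    print("new classes:", compare_enumerations(parse_configuration(STORAGE_ONLY), after))
```

The descriptors only tell you what the device claims at the moment you ask; a device that waits for a trigger before re-enumerating (as steven777400 describes) has to be caught by capturing every enumeration over the session, not by a one-off read, which is what the second-enumeration diff is for.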

------
verst
I have a mysterious USB stick I received as a thank you from a delegation of
the Chinese department of Customs (中华人民共和国海关总署) after presenting to them in
Palo Alto. The USB is branded with the Chinese Customs logo and their slogan.

I haven't dared plugging this in. First and foremost I'm afraid it isn't
standards compliant and will somehow fry my motherboard, secondly I don't have
a burner device and the necessary knowledge to determine if anything
suspicious is happening.

So for now my USB stick and its decorative case in Chinese art style are
purely for display.

~~~
depressed
On the "determine if anything suspicious is happening" front, you can
configure Wireshark to capture USB packets and show you what is going over the
wire.

~~~
verst
Oh nice! I've used Wireshark for TCP / UDP captures before but that's about
it.

Maybe I can use a raspberry pi as burner device and check it out.

~~~
NikkiA
A pi zero would do the job and only risk about $5 to find out what's on the
stick.

------
elagost
Similar concerns should be made for Thunderbolt devices, which have direct
PCIe access - much more low-level and dangerous than USB could be. The only
system I've seen implement this is Gnome3 - it has a section in its system
preferences for configuring Thunderbolt devices[0] and the Bolt daemon.[1]

[0]
https://wiki.gnome.org/Design/Whiteboards/ThunderboltAccess

[1] https://www.phoronix.com/scan.php?page=news_item&px=Bolt-Project-Thunderbolt-Secure

~~~
gruez
Apparently windows has this too:
https://www.startech.com/faq/thunderbolt-3-authentication-pop-up-messages
Not sure whether that's the default behavior or how to enable it.

------
_bxg1
[gets apprehended by Secret Service]

"And what do we have here?" [holds up thumb drive]

"That? Uhh, that's, my secrets! Don't look at my secrets! Please don't plug
them into your Microsoft Windows® computer!"

------
mitchellgoffpc
No one, ESPECIALLY the Secret Service, should randomly plug in a strange USB
stick.

~~~
siwatanejo
That should have been the correct title indeed. I was confused for a minute.

------
salgernon
For all the complaining about usb devices, the agent behaved recklessly in
trying to handle the device. If the person of interest had instead been
carrying a quantity of unlabeled pills, the agent would be as wrong to gulp
them down.

I would think the secret service would have a policy in place for handling
unknown media already, and I’m sure a Very Urgent Memo is wending its way
from division headquarters as we speak.

------
runciblespoon
Ha haa haaaa .. you can not be serious :]

‘Secret Service agent Samuel Ivanovich, who interviewed Zhang at Mar-a-Lago,
testified at the hearing. He stated that when another agent put Zhang's thumb-
drive into his computer, it immediately began to install files, a "very out-
of-the-ordinary" event that he had never seen happen before during this kind
of analysis. The agent had to immediately stop the analysis to halt any
further corruption of his computer, Ivanovich said. The analysis is ongoing
but still inconclusive, he testified.’

~~~
gowld
That's the new go-to for asking embarrassing questions.

"How do I fix my computer after I plug in a malware USB device? I meant, I
didn't do that, I'm asking for a f-- _another agent_."

------
netwanderer3
Many voting machines being used still have USB ports wide open. It's
absolutely horrifying!

I also don't like the new design of Macbook in which they merged the USB port
and charging port into one. This really opens up huge security risks in my
opinion.

------
beamatronic
I doubt they would release their “real” operational procedures to the press.
Surely they attached the USB to some sort of sandboxed environment? On the
other hand why would they be carrying around such equipment?

~~~
meowface
I can totally buy some low-level Secret Service agent with little tech
knowledge plugging it into a machine without thinking twice.

~~~
gowld
Or a high-level agent. There are many dimensions where level is independent of
tech savvy. I'm sure >50% of Fortune 500 CEOs could be tricked in the same way
-- at least among the ones who use a computer.

~~~
meowface
Absolutely. I was just thinking, perhaps naively, that a high-level Secret
Service agent would be a bit more cautious and would think "I better report
this thing to my superiors and not touch it at all, just in case", even if
they know nothing about technology. You want cautious and paranoid people in a
job like that.

------
Mikho
Remember reading a story about Russian agents organizing for USB sticks with
spyware to be sold in every kiosk selling gadgets around a US military base.

------
depressed
Shouldn't preventing this be as easy as turning off autorun? In fact, I
thought Windows had that off by default for USB devices.

(Of course, I'm assuming we're not dealing with a zero-day in the USB stack or
filesystem drivers. But that probably is something that the Secret Service
should be on top of, as well.)

~~~
analog31
Good question. As I understand it, the USB stick can present itself as a
keyboard, which is automatically mounted, and begins entering a series of
keystrokes that program the system to compromise itself.

In essence, modern OS's give "autorun" privilege to keyboards and mice. That's
the HID in this discussion -- Human Interface Device.

~~~
depressed
Aha, I missed that piece of the puzzle. Thank you.

------
Taniwha
The thing that no one seems to point out is that just about any normal person
carrying around a windows USB stick is likely to have malware on it. Just
possessing a bad USB stick doesn't seem to be particularly incriminating by
itself.

~~~
ceejayoz
True, but there's a lot more going on here than "had a USB stick".

> She was caught by the Secret Service with four cellphones, a laptop, cash,
> an external hard drive, a signals detector to spot hidden cameras, and a
> thumb drive.

~~~
joering2
That's exactly how I travel to tech-related summits around the world, and I
have nothing to do with espionage I assure you.

I have 3 cellphones - one private (family calls, face time etc), one CDMA
phone and one separate GSM for most EU countries. And an external SSD
drive with all my important backups and projects that would take forever to
download off of DropBox. And yes - recently even cheap signal detector, as I
don't want to be watched in my hotel room, even only for "security reasons" as
to whether I will demolish the room or not. (call me paranoid but so was I
before Snowden files and I was proven right)

I usually carry about $3,000 USD total in different currency - usually 20%
AUD, 20% CAD, 30% USD and rest EUR/GBP. Trust me so many times paying with
cash comes to be much cheaper, and at some occasions the only way to go!

Yes, thumb drive too; usually empty so that if I am at the meeting and someone
wants to send me some heavy files, I can give them my thumb and voilà!

If all this makes me a spy then I definitely need to change my profession :|

~~~
ceejayoz
> That's exactly how I travel to tech-related summits around the world, and I
> have nothing to do with espionage I assure you.

Do you typically sneak into these summits, telling the security staff a
variety of lies to do so?

~~~
joering2
“Sneaking” can be anything. If her mother tongue wasn’t English and she
couldn’t communicate with SS, obviously they assumed the worst; that’s what
they are paid for. So no wonder they stated she sneaked in. Also as a tourist
you could wander into a hotel with foreign signs and they will assume you
sneaked in as well.

------
dTal
>it immediately began to install files, a “very out-of-the-ordinary” event
that he had never seen happen before during this kind of analysis. The agent
had to immediately stop the analysis to halt any further corruption of his
computer

I've seen some versions of Windows present a conspicuous file copy dialog box
when it sees a new flash drive plugged in (or even the same flash drive
plugged in to a new port) - some song and dance about copying *.INF driver
files. On the other hand I would expect a malicious flash drive to be as
silent as possible. What are the odds the agent was just misinterpreting this?

------
NoPicklez
No one, especially the Secret Service should randomly plug in a strange USB
stick.

It blows my mind that someone from the secret service wasn't informed that
they shouldn't plug evidence from a suspected spy into their laptops.

------
bubblewrap
Last time I found a memory stick on the street, in the end I tested it with one
of these "print your own photos" machines in a drug store. I hope they had good
security :-/ (stick was unreadable).

------
ineedasername
The article assumes (or at least implies) the secret service member was
plugging it into his own personal laptop or something. Why? It may very well
be a computer specifically setup to screen devices, including USB drives. It
may be a sandboxed and sanitized environment. Or not, but we just don't know,
and this article seems a little sensationalist in casting a negative light on
the secret service absent details.

~~~
eckza
If it were set up for this purpose, they wouldn’t have ripped it out in a
panic.

~~~
ineedasername
It sounds like they had a computer specifically configured for analysis of
drives. I'm going to guess that's not just Agent Smith's normal computer
he/she uses to write reports, email, etc. In which case, taking out the drive
was an unnecessary reflex as the malware wouldn't get much traction on a
system isolated from others and not used for much else. But I could also be
wrong, I'm just speculating. Which is my point-- that's all the article was
doing too, speculating.

------
rootlocus
> “It’s entirely possible that the sensitivities over determining whether
> Zhang was targeting Mar-a-Lago or the president — or whether she was a
> legitimate guest or member — may have contributed to the agent’s actions on
> the ground,”

Plot twist: she was a legitimate member with a personal malware ridden usb
stick she wasn't aware was infected. /joke

------
grifball
can't ctrl-f on my phone, but I didn't see usbfilter yet
https://davejingtian.org/2016/08/04/making-usb-great-again-with-usbfilter-a-usb-layer-firewall-in-the-linux-kernel/
might take some advanced
tech skills to install, but this is the only way to be theoretically secure
against the most powerful attack vector of these types of attacks, which is to
act as an HID and input malware into the computer. basically, you flag a
physical USB port as being data-storage-only and your os will prevent any
device being plugged into that port as being recognized as a mouse or keyboard
or any other powerful USB device.

------
zzo38computer
You can avoid software issues by proper configuration (I want to configure
Linux not to automatically enable USB input devices). Of course hardware
issues such as damaging the computer is different, but there may be another
way to mitigate that. (For several reasons I also do not like the USB so much,
though)
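
jimrandomh's wish (no keystrokes from a keyboard nobody has approved), analog31's observation that HID effectively gets "autorun", rblatz's point that an analysis box should not auto-configure HIDs, grifball's storage-only port and zzo38computer's wish to stop Linux from auto-enabling input devices can all be expressed with the stock kernel's per-interface authorization in sysfs (`interface_authorized_default` on each root hub, `authorized` on each interface, Linux 4.4 and later). The following is an added example, not code from this thread, from usbfilter or from USBGuard: a policy script that turns auto-authorization off, then authorizes each interface of a newly added device only if the policy allows it. The allowlisted keyboard IDs and the storage-only port name are constructed for the example; the udev rule and install path in the note below are this example's suggestion.

```python
"""Deny-by-default USB interface authorization on Linux, driven from sysfs."""
from __future__ import annotations
import glob
import os
import sys

SYSFS_USB = "/sys/bus/usb/devices"
HID_CLASS = 0x03
MASS_STORAGE_CLASS = 0x08

# Keyboards and mice that have been physically checked, keyed by (idVendor, idProduct, serial);
# a None serial matches any unit.  Constructed for this example; fill in from `lsusb -v`.
TRUSTED_HID = {
    ("046d", "c31c", None),   # hypothetical allowlisted desk keyboard
}
# Ports (sysfs names such as "2-1", including hubs hanging off them) that may only ever
# carry mass storage, in the spirit of usbfilter's storage-only port.  Constructed.
STORAGE_ONLY_PORTS = {"2-1"}

def decide(port: str, iface_class: int, dev_id: tuple[str | None, str | None, str | None],
           trusted=TRUSTED_HID, storage_ports=STORAGE_ONLY_PORTS) -> bool:
    """True if an interface of iface_class on this device may be authorized.
    Storage-only ports accept nothing but mass storage; elsewhere every class is
    accepted except HID, which needs an allowlist entry for the parent device."""
    if port in storage_ports or any(port.startswith(p + ".") for p in storage_ports):
        return iface_class == MASS_STORAGE_CLASS
    if iface_class != HID_CLASS:
        return True
    vid, pid, serial = dev_id
    return (vid, pid, serial) in trusted or (vid, pid, None) in trusted

def read_attr(path: str, name: str, default: str | None = None) -> str | None:
    try:
        with open(os.path.join(path, name)) as f:
            return f.read().strip()
    except OSError:
        return default

def set_interfaces_default_deny() -> None:
    """Stop every root hub from auto-authorizing new interfaces.
    The device is still enumerated (descriptors read, configuration set), but no
    interface driver binds until "1" is written to that interface's authorized file."""
    for hub in glob.glob(os.path.join(SYSFS_USB, "usb*")):
        with open(os.path.join(hub, "interface_authorized_default"), "w") as f:
            f.write("0")

def apply_policy(dev_path: str) -> dict[str, bool]:
    """Authorize or refuse each interface of one device, e.g. /sys/bus/usb/devices/1-1."""
    port = os.path.basename(dev_path)
    dev_id = (read_attr(dev_path, "idVendor"), read_attr(dev_path, "idProduct"),
              read_attr(dev_path, "serial"))
    results = {}
    for iface in sorted(glob.glob(os.path.join(dev_path, port + ":*"))):   # 1-1:1.0, 1-1:1.1, ...
        cls = int(read_attr(iface, "bInterfaceClass", "ff"), 16)
        allowed = decide(port, cls, dev_id)
        with open(os.path.join(iface, "authorized"), "w") as f:
            f.write("1" if allowed else "0")
        results[os.path.basename(iface)] = allowed
    return results

if __name__ == "__main__":
    # Run as root: "--init" once at boot, otherwise one sysfs device path per new device.
    if len(sys.argv) == 2 and sys.argv[1] == "--init":
        set_interfaces_default_deny()
    else:
        for dev in sys.argv[1:]:
            for name, ok in apply_policy(dev).items():
                print(f"{name}: {'authorized' if ok else 'refused'}")
```

A udev rule along the lines of `ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/usr/local/sbin/usb-authorize /sys%p"` would run it for each device as it appears (rule and path are assumptions of this example). Two caveats a practitioner will want: interface authorization only gates driver binding, so the kernel core still parses the device's descriptors and a bug there (rblatz's "flaws deep in the usb stack") is not covered; the stricter `authorized_default` attribute on the root hub refuses to configure the device at all, at the cost of having to approve it before learning anything about it. Refusing the HID interface also does nothing about a device that re-enumerates later with a new identity, so the policy has to run on every add event, not just the first.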

------
adrianmonk
"Not even", TechCrunch? I think the word you're looking for is "especially".

------
anonoholic
I was surprised from the get-go that no one seems to be talking about the
legality of an ad-hoc search of a USB thumb-drive.

The stupidity of it (from an infosec standpoint) should be a given, yet this
aspect appears to be the focus of the debate.

Am I missing something?

~~~
csours
The Secret Service is charged with securing any Presidential residence, so I'm
sure there are statutes that let them do that.

Totally aside from that, all of Florida is in the 100 mile civil rights
suspension zone: https://www.aclu.org/other/constitution-100-mile-border-zone

------
Communitivity
I think it's important to note that I always consider even a USB stick fresh
out of the packaging to be a 'strange USB stick', because I've seen cases of
USB sticks being infected at the factory.

------
gbrown
I hate it when colleagues and students hand me a USB stick to use. We have
great file sharing infrastructure, there's no reason for me to plug in your
USB stick to access some powerpoint you want me to look at.

Now get off my lawn.

------
fulafel
Isn't the whole premise of the discussion jilted? This is a security person
doing forensics on the USB stick. Why should he not examine it (if lawful) and
why would you call this "random"?

------
fghtr
Qubes OS has a defense against USB attacks. It just reads the USB stick inside
a dedicated VM and then, if necessary, you attach it to another VM.

------
redleggedfrog
Man, good thing he was working from a virtual machine...

------
sandov
This whole situation is absurd on so many levels.

------
Havoc
Meanwhile even the shittiest Hollywood plotline has "we'll infect their
systems with this virus - infiltrate and plug it into their servers"
narrative.

I know secretive service agent =/= computer expert but jesus...both my little
sister and 60 year old mother know better.

