Cracking Your Computer With an iPod or USB Thumb Drive


Bruce Schneier has an article that describes a way that people can steal your passwords just by plugging an iPod or USB thumb drive into your Windows computer:

"...basically you can configure a file on your USB device to automatically run when it's plugged into a computer. That file can, of course, do anything you want it to.

Recently I've been seeing more and more written about this attack. The Spring 2006 issue of 2600 Magazine, for example, contains a short article called "iPod Sneakiness" (unfortunately, not online). The author suggests that you can innocently ask someone at an Internet cafe if you can plug your iPod into his computer to power it up — and then steal his passwords and critical files."

If you are using Windows, you can protect against this by holding down the Shift key when you insert a new device. Better still, disable Autorun completely; Autorun is the feature that lets CDs and devices automatically execute files when they are connected to your computer. If you are running under a Windows administrator account (as most Windows computers do, because it is the default setting), these executed files can do whatever they want to your computer, including copying all your security settings to the attached device.

A similar technique was used in a security audit of a credit union, where USB thumb drives containing trojans were planted where the credit union's employees would find them. Employees who found what looked like a lost thumb drive plugged it into their computers to see what it contained. Each drive carried a trojan that stole their passwords and emailed them to the trojan's author. This method did not rely on the Autoplay feature of Windows; it probably relied on the "hide extensions of known file types" feature instead.
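The defensive counterpart to the planted-drive trick is to look at what a found device actually contains before anything on it is opened. The following PowerShell function is an added example (not code from the original post or from the audit it describes): it reports an autorun.inf at the root of a drive and any file whose visible name hides an executable extension, such as mypics.jpg.exe. It assumes PowerShell 3.0 or later (for `Get-ChildItem -File`); the extension list and the demonstration directory under `$env:TEMP` are constructed for the example.

```powershell
# Added example: audit a removable drive's contents before opening anything on it.
# Flags (1) autorun.inf, the Autorun/Autoplay trigger, and (2) files such as
# "mypics.jpg.exe" whose real extension is hidden by Explorer's default
# "hide extensions of known file types" setting. Assumes PowerShell 3.0+.

# Extensions Windows runs when the file is double-clicked (constructed list).
$ExecutableExtensions = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js', '.lnk')

function Get-SuspiciousDriveItems {
    param(
        [Parameter(Mandatory)] [string] $Root   # e.g. 'E:\' for a removable drive
    )

    $findings = @()

    # 1. Autorun trigger file at the root of the device.
    $autorun = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $findings += [pscustomobject]@{
            Path   = $autorun
            Reason = 'autorun.inf present (Autorun/Autoplay trigger)'
        }
    }

    # 2. Files that look like a document or image but end in an executable
    #    extension. A language-level foreach is used (not ForEach-Object) so
    #    that $findings is updated in this function's scope.
    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        $outerExt = $file.Extension.ToLower()
        $stem     = [System.IO.Path]::GetFileNameWithoutExtension($file.Name)
        $innerExt = [System.IO.Path]::GetExtension($stem).ToLower()
        if (($ExecutableExtensions -contains $outerExt) -and ($innerExt -ne '')) {
            $findings += [pscustomobject]@{
                Path   = $file.FullName
                Reason = "executable $outerExt disguised as a $innerExt file"
            }
        }
    }

    return $findings
}

# Demonstration on a constructed directory, standing in for a found thumb drive.
$demo = Join-Path $env:TEMP 'usb-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'autorun.inf')   -Value '[autorun]'   # trigger file only
Set-Content -Path (Join-Path $demo 'mypics.jpg.exe') -Value 'placeholder' # disguised name
Set-Content -Path (Join-Path $demo 'notes.txt')      -Value 'harmless'    # ordinary file

Get-SuspiciousDriveItems -Root $demo | Format-Table -AutoSize
```

Run against the demonstration directory, the function lists autorun.inf and mypics.jpg.exe and says nothing about notes.txt. Pointing `-Root` at a real removable drive letter gives the same report for that device; the check is read-only and never executes anything it finds.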

These techniques demonstrate three extremely insecure features of Windows:

  1. Autorun / Autoplay — automatically executing files when a device is plugged in or a CD is inserted
  2. Hiding the extension of known file types by default — this means that someone can save a dangerous file as mypics.jpg.exe (a trojan) and it will just look like mypics.jpg (an image) to the computer user. Double-clicking on that file will execute the trojan.
  3. Running under the admin account by default — this is one of the worst flaws in Windows, because it gives spyware, trojans and other malware complete access to your entire system.
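Each of the three features above can be turned off or worked around with standard Windows settings. The following PowerShell script is an added example (not from the original post): it disables Autorun for every drive type, makes Explorer show known file extensions, reports whether the current session has administrator rights, and creates a standard (non-administrator) account for everyday use. It assumes an elevated PowerShell prompt on a modern Windows version; the registry values are long-standing documented Windows settings, and the account name `dailyuser` is a placeholder to replace.

```powershell
# Added example: harden the three Windows features listed in the post.
# Run from an elevated (Administrator) PowerShell prompt. Assumptions:
# modern Windows with PowerShell 3.0+; 'dailyuser' is a placeholder name.

# 1. Autorun / Autoplay. NoDriveTypeAutoRun is a bitmask of drive types for
#    which Autorun is disabled; 0xFF covers every drive type, including
#    removable media and CD-ROMs. The machine-wide policy key applies to all users.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF

# 2. Hidden extensions. HideFileExt = 0 makes Explorer display "mypics.jpg.exe"
#    in full instead of "mypics.jpg". This is a per-user setting.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Type DWord -Value 0

# 3. Running as administrator. Report whether this session is administrative,
#    then create a standard account that belongs only to the Users group.
function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (Test-IsAdministrator) {
    Write-Warning 'This session has administrator rights; use a standard account for everyday work.'
}

$standardUser = 'dailyuser'                 # placeholder; choose a real name
net user $standardUser * /add               # '*' prompts for the password
net localgroup Users $standardUser /add     # Users group only, never Administrators

# Verify that the two registry settings took effect.
Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun'
Get-ItemProperty -Path $advKey    -Name 'HideFileExt'
```

The Autorun policy is read when a device is inserted, so it takes effect immediately; the extension setting is read by Explorer at start-up, so log off and back on (or restart Explorer) to see full file names. After the standard account exists, do day-to-day work in it and use the administrator account only when a task actually needs it.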

These are the kinds of things that make it so risky to use public computers that are running Windows XP.