Dead-drop as a Service

Introduction

Data breaches have been on the rise in the United States since 2005, from 157 million to a staggering 1.6 billion in 2017 (Clement, J). While not the highest ranking vector of attack, USB sticks have long been seen as threat for leaking information due to their high portability, ease of use, and concealable properties. For these reasons most corporations block mass storage devices from running on internal machines via security policy, BIOs settings, or both to help prevent data from walking out the door in such a fashion.

Enter the wireless USB stick. As the name implies, this kind of device has mass storage capabilities coupled with a WiFi transceiver module allowing for convenient data transmission over the air. The particular make and model used for testing was the Sandisk Connect Wireless Stick, available in multiple storage sizes. There are a few makes and models available, however since focus of this article is to show the risks associated with such a combination of technologies as a whole rather than focusing on a particular brand, the merits of one over the other won’t be explored. Any trade craft or scenario presented are for educational purposes so that security professionals and decision makers can be thoroughly informed about this technology.

Let us begin with a technical description of the device used for this paper. While makes and models will vary, wireless USB sticks are, as their name implies, simply USB drives with a built in WiFi module. These WiFi modules allow for broadcasting a network over which other devices can conduct file-sharing with the device. In addition to the network, the particular device referenced provides file sharing and DNS services as well as a battery pack that allows it to work autonomously, making it essentially a personal cloud-on-a-stick you can carry in your pocket. The following are some pictures taken of the device internals to show its minute size.

Note: Taking these devices apart is not recommended. This particular unit now requires hot-wiring to turn on...

The device is charged over USB exclusively so there is no need for addition ports or adapters for the device. The USB is not used for much else based on my tests, switching the device automatically to charging mode and disabling the networking services when plugged in. Once the battery is charged however the networking and file sharing can begin (Buzzi, M). The device can be set on a table and turned on using the side power switch. After a short time a wireless network will begin broadcasting along with the core services needed for file sharing. You can connect to the WiFi and browse to the web user interface (UI) or you can use the SanDisk app specific to the device to transfer files. Both ways work well and allow for easy upload and download of files.

It’s worth noting there is nothing new about any of these technologies. In fact many of these services, like WiFi, have been around for decades. However it’s the combination of these technologies together in one package that makes this device so useful from a user perspective and intriguing for a potential attacker. It allows the easy transfer of data between trusted parties in close proximity without having to physically exchange files or risk sending files over a public network or cloud service, making it perfect to use anywhere from family gatherings to important board meetings.

While the use cases above are likely what the device is designed, there are certainly other more malicious uses for technologies, which will be demonstrated in the next section.

Scenario 1: Rouge AP

While certainly an obvious use-case, it’s important to point out how this device could be configured to act as a rouge wireless access point for users to connect to and potentially download malicious files or even upload sensitive material. An attacker could pre-configure the device to broadcast a friendly looking SID like “YOURCOMPANYWIFI-GUEST2” then leave it running on battery somewhere discrete to ensnare any wayward user. Given it’s size it could easily be hidden in a bathroom cabinet making it difficult to accidentally run across yet easy to retrieve after the battery was long dead. It would also be less likely to be disturbed than a smartphone running a hot-spot since it doesn’t look like a conventional communication device.

Of course for this scenario to work the attacker would have to convince the user that (1) the new networking is legitimate and (2) get the to download a malicious file from the sticks file share via their web browser. The attack would therefore have to be very targeted and likely involve other social engineering means to be effective. The benefits to leveraging this kind of device for an attacker would be that that the equipment is relatively inexpensive and off-the-shelf. The negatives are that the attacker does not have root access to the underlying OS by default, thus making targeted customization difficult compared to a rooted device or custom hardware. Finally, there are ways for organizations and even home users to quickly detect potentially malicious access points by sweeping the wireless spectrum. In most high security locations this is routine and straightforward as WiFi is usually not allowed, however in other work spaces it could be tedious and fraught with false positives depending on how my devices and nearby networks are muddying the logs.

Scenario 2: Dead-drop as a Service

This scenario has the device working less as an weapon and more in an ex-filtration mode. It could be done by an attacker, but just as easily conducted by Assuming wireless is enabled on a target device, an attacker could use the WiFi USB stick to easily defeat physical (BIOS) or logical (Group Policies) means of preventing unauthorized mass storage usage by simply connecting to the target device to the WiFi USBs wireless network and uploading files. This could be done by an attacker with physical access or an accomplice who would then transfer the drive contents to the attacker. While this scenario might be thwarted on a corporate device by preventing connections to untrusted networks, this would not be feasible in a bring-your-own-device environment or a work-from-home scenario. It’s been my experience even in the tightest environments that devices with WiFi enabled, like laptops for example, can connect to any network the user allows...or attacker in this case.

Once the files are on the device this scenario really begins to showcase the ‘Dead-drop as a Service’ model mentioned in the title. If the attacker is the one doing the transfers then they can simply walk away with the data in hand. However, if the attacker is really a proxy or an agent recruited or coerced into stealing the data on behalf of the attacker, the wireless capabilities and battery pack become a means of concealing the attackers identity as well as maintaining plausible deniability of the agent. Once the agent secures the files, they would be able to take the device to a prearranged location (like a certain coffee shop), turn the device on, and walk away. The attacker, presumably stationed close by, could then log into the network and retrieve the files, all without having to meet the agent in person or physically handle the device. Once the files are retrieved and purged from the device, the dongle could simply be left to die without anyone needing to retrieve it. This accomplishes two goals from the attacker perspective:

  • Limit contact with evidence from the crime (including other parties)
  • Make the transfer nearly impossible to detect even under close surveillance

Scenario 2 would by far pose the greatest threat when combined with a compromised insider threat in the form of a disgruntled employee or an employee being motivated by some sort of threat. It provides the opportunity of anonymity for the attacker, would bypass most conventional security measures, and provide some plausible deniability when attempting to attribute the crime to involved parties. Finally, it’s threat is greatly increased like many others by there very thing that makes these devices popular; convenience. One could accomplish the same sort of attack and ex-filtration using one of many single-board computers for likely even less money, however the barrier of entry for hacking together such of device is steep. It would require decent computer skills and significant knowledge of networking protocols to duplicate, yet this device and others like it could be bought off the shelf and come with a warranty. Given it’s convenience and intuitive user interface, anyone with access to a target computer could use it with effect.

Conclusion

It’s worth reminding the reader neither of these scenarios are based on actual events. They are scenarios based on what could happen given the multiple technologies these WiFi storage devices contain combined with their low cost and ease of use . This report would be incomplete however without mentioning ways individuals and businesses alike can protect themselves from such technologies if weaponized.

There are a number of safeguards companies could enforce to help prevent Scenario 1, as rouge AP devices have been considered a threat for a long time. Periodic or continuous scans for new wireless access points within range of your space is a good technique to adopt. There are off the shelf technologies that can do this even for the home user which could help combat drive-by rouge AP attacks during the recent surge of remote workers. Another way to battle rouge access points is simply through education. Rouge APs can replicate a lot on the surface, however they aren’t going to be able to mimic your corporate logins for example without a much deeper compromise. Always be wary of open access points that require no authentication and teach your family and fellow employees to do the same. Without some form of authentication, like a corporate password known only to you, it is nearly impossible to tell if an wireless access point is one that can be trusted. Even if you local coffee shop password protects their WiFi, the password is likely known by many people and could be faked, so use at your own risk.

Scenario 2 is quite a bit more complicated to prevent than scenario 1 because it would require either an exceedingly unwitting accomplice on the inside or else a dedicated insider threat, defined here as someone who is a legitimate member of the organization but has the means and intent to damage the organization. In this scenario the cloud-on-a-stick is merely a handy tool for pseudo-anonymous transfer of data after the fact rather than a vector in and of itself. Once the data is in the hands of a thief it is very hard to get it back, so in this case vigilance before the breach would be key to hindering it. Common steps taken would be adhering to least privilege access rules to limit the amount of damage a single person could do. The other would be preventing corporate owned workstation from connecting to unknown or unsecured wireless devices along with disabling of mass storage devices from being attached. While certainly not a complete deterrence, these kinds of steps make even inside jobs more difficult to accomplish as well as more likely to be detected assuming the aforementioned vigilance is taking place.

While no piece of data can ever be made 100% secure, it is the intent of this article to illuminate some of the dangers and countermeasures that can be found in almost any organization. Security should be thought of as a trajectory to follow, not a destination to arrive in. Technology changes far too rapidly for any one person to keep up with, so it’s up to all of us to do our part keeping our data and that of our customers as secure as possible.

Bibliography

  • Clement, J. (2020, Oct. 1). Cyber crime: number of breaches and records exposed 2005-2020. Retrieved from Statista.com: https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/
  • Buzzi, M (2015, Nov. 15). SanDisk Connect Wireless Stick (32GB) Review. Retrieved from PCMag.com: https://www.pcmag.com/reviews/sandisk-connect-wireless-stick-32gb
hardware hacking