Wednesday, August 09, 2017

USB Vulnerability

Every so often, whenever I pick up a USB memory stick, a certain train of thought crosses my mind.
"Here is a miracle device", I remind myself, "which is one of the 6 billion+ across the world, one that has made data transfer and battery charging so amazingly simple, and yet contains within it the power to destroy nuclear plants, water and power supply grids, and to unleash starvation, misery and death across the world!"

A few years ago, the Economist highlighted positive features of the 'thumb-drive' in an article very aptly titled "In Praise of the Humble USB". While reading this piece, I was delighted to know that a computer architect of Indian origin, Ajay Bhatt, had a key role to play in creating this amazing interface, and that his parent company, Intel, decided to make 'the cheap USB plug and socket an open standard, available to manufacturers everywhere free of all royalty charges and licensing fees'. This one move destroyed the Firewire standard that had been patronised by Apple, and made USB a de facto standard across the world.

The ease with which the USB drive could be used also made it a handy tool in the hands of spies, spooks and saboteurs. The most famous example of this is the Stuxnet virus, which the CIA and Mossad used to destroy a thousand centrifuges in Iran. Ever since I heard of this cyber-attack, I have been awed by the sheer scale of destruction that can be unleashed through USB drives. It also led me to the mistaken belief that the Iranian nuclear program had been irreparably damaged because of Stuxnet.

A recent documentary by Alex Gibney - "Zero Days" - suggests that in the real world, things are not what they seem. In their eagerness and impatience to destroy the Iranian nuclear centrifuges, Mossad apparently changed the code created by their CIA/NSA collaborators, and released a version that was a lot less subtle, and left behind an electronic trail that was being used against the USA. It seems Iran has now built up one of the largest cyber-armies in the world, one that was behind two major warning attacks: one on the largest oil company in the world, Saudi Aramco, which destroyed every line of code on 30,000 computers, and then a surge attack on banks in the USA that crippled commercial operations.

As a friend recently pointed out, our biggest vulnerability is that new technology is being built on old systems that were not intended to be on a network. So, by default, we have gaping holes in just about all the things that now run our lives - utility supplies, banking & finance.

Even the ubiquitous USB works on the FAT32 system, which has since evolved into exFAT and NTFS. However, the base continues to be FAT32, and as long as this is the case, our systems will continue to be inefficient - and utterly vulnerable.


* Stuxnet - Alex Gibney's Zero Days
* FAT32, exFAT and NTFS
