USB Attack Prevention: Physical Access Security

TL;DR

Physical access to USB ports can let attackers bypass normal security measures and directly access your computer’s memory (DMA attacks). This guide explains how to prevent these attacks using BIOS settings, device control policies, and physical security.

Understanding the Threat

Direct Memory Access (DMA) allows hardware components to access system memory independently of the CPU. While useful for performance, it can be exploited by malicious USB devices. An attacker with a specially crafted USB device can potentially:

• Steal data directly from your hard drive
• Install malware without triggering security software
• Bypass operating system protections

These attacks often leave little or no trace.

Step 1: Disable USB Boot in BIOS/UEFI

1. Access your BIOS/UEFI settings. This usually involves pressing a key like Delete, F2, F12, or Esc during startup (check your computer’s manual).
2. Find the boot order options. Look for settings related to USB boot or removable media boot.
3. Disable USB boot. Ensure that USB devices are not listed as a boot option. This prevents attackers from booting from malicious USB drives.
4. Save your changes and exit BIOS/UEFI.

The exact location of these settings varies depending on your motherboard manufacturer.

Step 2: Disable Legacy USB Support (If Possible)

1. Access your BIOS/UEFI settings. As in Step 1.
2. Find the USB configuration options. Look for settings related to legacy USB support or USB compatibility mode.
3. Disable Legacy USB Support. This can help prevent older, potentially vulnerable USB devices from being recognized. Be careful as this may affect some older peripherals.
4. Save your changes and exit BIOS/UEFI.

Not all motherboards offer this option.

Step 3: Implement Device Control Policies (Windows)

Device control policies allow you to restrict access to USB devices based on various criteria. This is a powerful way to prevent unauthorized devices from being used.

1. Open Group Policy Editor. Press Win + R, type gpedit.msc and press Enter.
2. Navigate to: Computer Configuration > Administrative Templates > System > Removable Storage Access.
3. Configure the following policies:
   • Removable Disks: Deny execute access. Enable this policy to prevent running programs from USB drives.
   • Removable Disks: Deny read access. Enable this policy to prevent reading data from USB drives (use with caution).
   • Removable Disks: Allow access only to removable disks with Read-only access. Enable this if you want to allow viewing files but not modifying them.
4. Configure the following policies for CD and DVD drives as well, if applicable.
5. Apply the changes. Open Command Prompt as administrator and run gpupdate /force.

These settings can be quite restrictive; test thoroughly before deploying in a production environment.

Step 4: Use Third-Party USB Control Software

Several third-party software solutions offer more granular control over USB devices and enhanced security features. Examples include DeviceLock, Endpoint Protector, and USBGuard.

• Research available options. Choose a solution that meets your specific needs and budget.
• Install and configure the software. Follow the vendor’s instructions carefully.

Step 5: Physical Security

1. Secure your computer physically. Prevent unauthorized access to your machine. Use locks, alarms, or secure locations.
2. Be cautious about using unknown USB devices. Never plug in a USB drive from an untrusted source.
3. Educate users. Train employees and family members about the risks of USB attacks and safe practices.

Physical security is often the first line of defense against these types of attacks.