Assessing the threat posed by USB devices

Sammanfattning: The introduction of the USB standard in 1996 made life easier for users, by removing the need for different hardware connectors and custom drivers, as well for manufacturers of computer peripherals, who no longer had to develop new drivers for each new peripheral. But, as is often the case with new technology, it did not take long for people to start using this ill purposes. Publicly available in 2010, the Rubber Ducky device introduced the concept of BadUSB, which is a device that looks like a specific kind of USB device but acts as another in order to enable hacking into an IT-system. From being an extremely expensive technique, mostly used by state actors, BadUSB devices can now be bought on the Internet, or manufactured at home, for a few dollars. This means that actors like criminal ransomware groups, activists or teenage hackers can, and will, use the technique. This thesis explores why systems are being hacked with BadUSB, and if this is a realistic cyber security threat to users and organisations. Since there are some commercially available BadUSB products on the market the ambition was to use them with a scientific approach, to see if the technique is a realistic IT-security threat. This was done through four experiments, using different devices, scenarios, and targeting different aspects of information security policies. The results shows that BadUSB is indeed a highly realistic threat, which is proved both by the experiments and known real-life incidents. Of note is that organisations do not even have to be high value targets, targets could just be selected by random. While the existence of BadUSB devices should be well known within the cyber security community, the findings of this thesis should be something that all organisations using portablemedia, such as USB flash drives, should be aware of.