1
00:00:03,759 --> 00:00:11,400
Killer USB is a commercial name for a
USB device that kills the computer you connect it to,

2
00:00:11,480 --> 00:00:17,359
and it sends two hundred volts through
the data lines and it completely burns

3
00:00:17,399 --> 00:00:29,000
the computer. Welcome, everyone, to the
Industrial Security Podcast. My name is Nate

4
00:00:29,039 --> 00:00:34,039
Nelson. I'm here with Andrew Ginter, the vice president of Industrial Security at

5
00:00:34,119 --> 00:00:38,439
Waterfall Security Solutions, who's going to
introduce the subject and guest of our show

6
00:00:38,479 --> 00:00:41,679
today. Andrew, how are you? I'm very well, thank you,

7
00:00:41,759 --> 00:00:46,920
Nate. Our guest today is Mario
Prieto Santez. He is a solution architect

8
00:00:47,159 --> 00:00:52,600
at AuthUSB, and we're going
to be looking at USB firmware attacks and

9
00:00:52,960 --> 00:00:57,000
what we can do about them.
These are not just, you know, open

10
00:00:57,079 --> 00:01:00,119
the USB drive and click on a
malicious file. Oops, they got us.

11
00:01:00,759 --> 00:01:06,519
These are attacks where the USB device
itself is attacking us. Okay,

12
00:01:06,840 --> 00:01:12,680
then let's get into it. Here's
your interview with Mario. Hello Mario,

13
00:01:12,840 --> 00:01:15,920
and thank you for joining us.
Before we get started, can you tell

14
00:01:15,959 --> 00:01:19,120
us a few words about yourself and
about the good work that you're doing at

15
00:01:19,120 --> 00:01:26,359
AuthUSB. Hello Andrew, thank
you for inviting me. I'm Mario from

16
00:01:26,519 --> 00:01:34,000
AuthUSB. I'm a pre-sales engineer and
I have worked three years for AuthUSB.

17
00:01:36,599 --> 00:01:49,079
I studied computer science engineering and also
higher technician in microcomputer systems and networks,

18
00:01:51,000 --> 00:02:00,760
and we are focused on cybersecurity
systems to protect our clients.

19
00:02:00,920 --> 00:02:07,079
Right now we contact
the clients to prevent the company from being

20
00:02:07,200 --> 00:02:15,960
attacked with some different kinds of malware
attacks or also hardware attacks. Thanks for

21
00:02:16,000 --> 00:02:19,560
that. And you know you've used
the word USB a couple of times.

22
00:02:19,639 --> 00:02:22,840
I've used it a couple of times. We all, you know, vaguely

23
00:02:22,840 --> 00:02:27,919
know what the USB is, especially
a USB thumb drive. But we're here

24
00:02:27,960 --> 00:02:32,240
talking about attacks. Why is the
USB a problem? How can you attack

25
00:02:32,280 --> 00:02:37,960
anybody across the USB? What?
What sort of spectrum? What's possible,

26
00:02:38,479 --> 00:02:43,159
bad, you know, badness-wise, on
the USB? For example, the FBI

27
00:02:43,439 --> 00:02:52,039
told us not to connect
something to the USB charging ports at the

28
00:02:52,080 --> 00:02:57,159
airport, for example, because we
can get our phone or our iPad infected,

29
00:02:57,319 --> 00:03:05,080
or whatever. For example,
we can get infected connecting something to

30
00:03:05,199 --> 00:03:10,240
your computer, a storage device, apparently a storage device. You connect it to your computer and you

31
00:03:10,319 --> 00:03:19,120
get infected, or for example,
you get your device killed by the

32
00:03:20,360 --> 00:03:25,719
device. There are many, many ways
to attack your system. For

33
00:03:25,719 --> 00:03:32,199
example, Killer USB is
a commercial name for a USB device

34
00:03:32,280 --> 00:03:39,159
that kills the computer you connect it to,
and it sends two hundred volts through the

35
00:03:39,240 --> 00:03:45,919
data lines and it completely burns
the computer. So there are many, many

36
00:03:46,000 --> 00:03:53,479
ways to get infected: with the electrical
threat, the software threat, or, for

37
00:03:53,520 --> 00:04:00,560
example, the hardware threat that starts
injecting code in your machine. So there

38
00:04:00,560 --> 00:04:08,479
are several ways to attack your system
with the USB devices. So that's interesting.

39
00:04:08,759 --> 00:04:12,759
I've heard the word Killer USB
before. I thought

40
00:04:12,840 --> 00:04:15,759
Killer USB was software, some kind
of software hack. You're telling me it's

41
00:04:15,759 --> 00:04:21,680
hardware. Yeah, Killer USB
is a hardware device that has electrical components

42
00:04:21,720 --> 00:04:30,600
built inside an apparently normal USB.
So when you connect it to the computer, the

43
00:04:30,720 --> 00:04:34,920
Killer USB charges those electrical components
and then sends two hundred and twenty volts

44
00:04:34,920 --> 00:04:40,920
through the data lines, or maybe just
sixty volts through the data lines, so

45
00:04:41,079 --> 00:04:46,920
it completely burns the computer. It
seems like a lightning strike to your computer

46
00:04:47,120 --> 00:04:55,759
that burns the power supply, but
in reality it is a USB that kills the

47
00:04:55,879 --> 00:05:05,639
motherboard, and it's used to test
a lot of security in companies. You know,

48
00:05:05,800 --> 00:05:10,519
I had some notion already that USBs
could be dangerous. You know the

49
00:05:10,560 --> 00:05:14,120
classic you leave a USB in the
parking lot, someone picks it up,

50
00:05:14,199 --> 00:05:17,079
brings it into their nuclear facility and
it has Stuxnet on it situation.

51
00:05:17,360 --> 00:05:21,879
But this thing where it delivers like
voltage to kill a computer is I've

52
00:05:21,920 --> 00:05:28,000
never heard of anything in that ballpark. Yeah, I found it surprising, you

53
00:05:28,040 --> 00:05:31,439
know, I thought I understood attack
techniques, but this one is new to

54
00:05:31,480 --> 00:05:36,199
me. So I did some reading
afterwards, and yeah, apparently the

55
00:05:36,199 --> 00:05:41,680
way it works is the device has
capacitors in the USB drive. You plug

56
00:05:41,720 --> 00:05:45,000
it in and it starts drawing power. I mean, USB devices can do

57
00:05:45,040 --> 00:05:47,639
that. You can draw power from
these interfaces. It draws the power, charges

58
00:05:47,680 --> 00:05:53,120
the capacitors, and then discharges the
capacitors at two hundred volts and fries your

59
00:05:53,120 --> 00:05:58,040
motherboard. So, and you know, these devices are commercially available, you

60
00:05:58,079 --> 00:06:03,120
can buy them. They're not apparently
illegal. Using them is illegal, but

61
00:06:03,199 --> 00:06:09,959
the devices themselves aren't illegal. In
theory, they're devices that manufacturers can use

62
00:06:10,000 --> 00:06:14,480
to test their motherboards and harden their
motherboards. You know, in practice,

63
00:06:14,680 --> 00:06:16,079
I don't know any pentester who does
this. I mean, why would you

64
00:06:16,120 --> 00:06:20,319
go and burn out a dozen of
your client's computers. How can you do

65
00:06:20,399 --> 00:06:25,120
that, you know, without
consequences? But you know, the reading

66
00:06:25,120 --> 00:06:30,519
I've done online does include a caveat.
It says, basically, don't do this at

67
00:06:30,519 --> 00:06:34,319
home, kids. So has this
kind of thing ever actually been pulled off

68
00:06:34,360 --> 00:06:41,240
by anybody? Apparently, you know, one student did use a device like

69
00:06:41,279 --> 00:06:46,519
this, burned out sixty-six
computers at their school, videoed themselves

70
00:06:46,600 --> 00:06:51,959
doing this, and went to jail
for a year. Well that's nasty.

71
00:06:53,000 --> 00:06:56,879
I mean, I really didn't know that. Thank you. I had heard of

72
00:06:56,920 --> 00:07:00,360
the charging port scenario. You know, I dimly understand what's happening in there,

73
00:07:00,360 --> 00:07:02,439
but you know you're the expert on
it. Can you tell us what's

74
00:07:02,480 --> 00:07:06,680
happening under the hood in the airport
when one of these charging ports is compromised.

75
00:07:08,800 --> 00:07:15,839
The FBI told us we should not
connect anything to the charging ports because

76
00:07:15,160 --> 00:07:21,160
the bad guys can change the firmware
of the charging port. The

77
00:07:21,279 --> 00:07:28,759
charging port is built with a
chipset or a component whose name is

78
00:07:28,879 --> 00:07:40,360
a BMS. It's a component
that controls the electricity that needs to be

79
00:07:40,480 --> 00:07:45,199
sent to the device, so they
can change the behavior of that chipset

80
00:07:45,759 --> 00:07:50,879
to infect whatever is connected.
Or, for example, do you know Bad

81
00:07:51,040 --> 00:08:00,079
USB is a commercial name of
an apparent storage device, but in reality it is

82
00:08:00,079 --> 00:08:07,319
a chipset that sends data to the
computer. It acts like a keyboard,

83
00:08:07,120 --> 00:08:13,600
but physically it is a part.
It's like a normal USB. So when

84
00:08:13,600 --> 00:08:18,959
you connect that Bad USB to
your computer, you get infected by some

85
00:08:18,199 --> 00:08:26,519
script injected by a
cybercriminal. So I've heard of Bad

86
00:08:26,639 --> 00:08:28,399
USB before. I thought,
you know, you said you could buy

87
00:08:28,439 --> 00:08:33,200
it. I thought Bad USB was
open source, was sort of a

88
00:08:33,240 --> 00:08:37,559
demonstration of, you know, for the
penetration testers, the demonstration of

89
00:08:37,559 --> 00:08:43,559
what's available, what's possible attack-wise.
Yeah, Bad USB is

90
00:08:43,720 --> 00:08:48,480
open source. You can
build your own, but you also can

91
00:08:50,279 --> 00:08:58,879
buy it like a starter kit with some
threats, some scripts that are already injected

92
00:08:58,919 --> 00:09:07,759
on the one you buy from the
network. So there are a lot of scripts

93
00:09:07,120 --> 00:09:11,720
already on, for example, GitHub, that
you just need to follow a few steps

94
00:09:13,000 --> 00:09:22,159
to configure your USB in order to
get, for example, passwords or inject a backdoor

95
00:09:22,320 --> 00:09:30,799
into the system or whatever. They
are already published on GitHub, so you

96
00:09:30,919 --> 00:09:33,759
just need to download it. So
Bad USB, I mean, can you

97
00:09:33,799 --> 00:09:37,279
take us a little bit deeper.
What is Bad USB? How does it

98
00:09:37,320 --> 00:09:41,279
work? Okay. So when you
connect a thumb drive, a normal thumb drive,

99
00:09:41,720 --> 00:09:48,519
you see a normal screen with the
explorer of what's inside, what is

100
00:09:48,600 --> 00:09:56,159
stored on that thumb drive. But
when you connect Bad USB, you

101
00:09:56,200 --> 00:10:00,720
only see, for example, in a Windows system, you only see

102
00:10:00,759 --> 00:10:07,799
the console of the
system that is injecting something. But just

103
00:10:09,360 --> 00:10:13,879
a few seconds, less than one
second maybe, it injects something, and that

104
00:10:15,159 --> 00:10:20,879
is living on your system
as a backdoor or a software, the

105
00:10:22,200 --> 00:10:26,200
service that is running in your computer. You only see a black screen for

106
00:10:26,279 --> 00:10:31,440
a few seconds, one
second maybe, and when it's

107
00:10:31,480 --> 00:10:37,799
closed, nothing happened, nothing's happening, and you only see a thumb drive connected,

108
00:10:37,879 --> 00:10:45,080
but you don't know what is happening. There are a lot of sophisticated

109
00:10:46,519 --> 00:10:56,679
Bad USBs with, for example, an electrical
component that even on the first connection shows the explorer

110
00:10:56,799 --> 00:11:01,919
with the software inside. But when
you connect it later, in the second connection,

111
00:11:03,440 --> 00:11:09,639
it sends the payload, it sends
the script injected into the computer.

112
00:11:11,320 --> 00:11:20,480
So there are sophisticated kinds
of Bad USBs. Not sure if

113
00:11:20,519 --> 00:11:24,080
I missed some crucial bit of detail
there, But it sounds like what Mario's

114
00:11:24,120 --> 00:11:28,559
describing is more along the lines of
the kinds of USB attacks that I'm already

115
00:11:28,600 --> 00:11:33,840
aware of. Yeah, I mean
the classic attack is one where there's a

116
00:11:33,960 --> 00:11:39,360
nasty in the data of the USB
drive. So I mean that was Stuxnet.

117
00:11:39,679 --> 00:11:46,120
The structure of the you know,
the file system entries in the USB

118
00:11:46,240 --> 00:11:52,000
drive itself confused the Windows Explorer, exploited
a vulnerability, and off you went.

119
00:11:52,279 --> 00:11:54,840
The more conventional one is, you
know, forget that kind of sophistication,

120
00:11:56,080 --> 00:12:01,879
just put a nasty, you know,
hackers-r-us dot exe on the USB

121
00:12:01,080 --> 00:12:05,279
and trick someone into double clicking it. Yes, I know it says hackers

122
00:12:05,279 --> 00:12:07,320
r us, but that's why you
have to click it now, click

123
00:12:07,360 --> 00:12:09,240
there. You're done. It's over. You know, that's the contents,

124
00:12:09,279 --> 00:12:13,200
that's, you know, there's gigabytes, tens of gigabytes of space on these

125
00:12:13,240 --> 00:12:18,000
devices. If you fill it with
malware and you trick someone or trick the

126
00:12:18,039 --> 00:12:20,639
computer into executing it, it's all
over. This is a different attack.

127
00:12:22,679 --> 00:12:26,279
This is where you know, every
one of these USBs has a tiny little

128
00:12:26,320 --> 00:12:30,039
CPU in it. People imagine it's
a device. It's not a device,

129
00:12:30,440 --> 00:12:33,720
it's a computer. There's a CPU
in the USB device. It has its

130
00:12:33,759 --> 00:12:37,600
own software. That little CPU is
executing its own software that's called the firmware,

131
00:12:39,440 --> 00:12:43,279
and normally the software, you know, you connect it to the computer and

132
00:12:43,480 --> 00:12:48,519
the computer inside the USB fires up
and says, hey, I'm here,

133
00:12:48,159 --> 00:12:52,120
I'm a, you know,
a storage device. What do you want

134
00:12:52,159 --> 00:12:54,320
me to do? And the computer
says, well, you know, show

135
00:12:54,360 --> 00:12:58,080
me what's in you, you know, what files you've got, and

136
00:12:58,120 --> 00:13:01,679
it goes back and forth that way. There's a conversation between the computer and

137
00:13:01,759 --> 00:13:07,879
the USB and your computer.
What's happening here is you connect it up

138
00:13:07,879 --> 00:13:09,720
and it says, hey, I'm
a storage device. And that conversation starts,

139
00:13:11,399 --> 00:13:15,320
and the USB says, by the
way, I'm also a keyboard,

140
00:13:15,960 --> 00:13:20,360
and it starts typing as if it
were an external keyboard on your computer.

141
00:13:20,759 --> 00:13:24,799
And it brings up a command window
and starts typing into that window. For

142
00:13:24,840 --> 00:13:26,960
a second or two, you might
catch it, you might be glancing away,

143
00:13:28,000 --> 00:13:33,600
you might not. The window closes, and it has injected a nasty

144
00:13:33,919 --> 00:13:37,919
into your computer as if it had
typed it from the keyboard. That seems

145
00:13:39,440 --> 00:13:43,559
so remarkable to me. Is there
no easy way for a computer to catch

146
00:13:43,639 --> 00:13:48,320
that kind of attack before it happens. Well, this is what we're talking

147
00:13:48,360 --> 00:13:52,399
about. We're describing the problem here, but we're going to see the solution

148
00:13:52,480 --> 00:13:56,440
in a minute. This is what
AuthUSB does. Yeah, okay,

149
00:13:56,480 --> 00:14:01,360
So basically though, the lesson is
that, besides the contents, the files

150
00:14:01,360 --> 00:14:05,120
on the USB drive, it's the device
itself too that you have to worry about

151
00:14:05,159 --> 00:14:13,519
trust with. So maybe you don't
accept a USB on those grounds from anyone

152
00:14:13,600 --> 00:14:18,240
besides like a very trusted source.
Yeah, it's worse than that.

153
00:14:18,360 --> 00:14:22,080
Actually, you know, there are
stories out there. You know, pen

154
00:14:22,159 --> 00:14:24,679
testers have published scenarios saying you've got
to be aware of this because we just

155
00:14:24,720 --> 00:14:28,039
did it to our client. The
scenario was, you know, the pen

156
00:14:28,080 --> 00:14:33,399
testers were tasked with getting into a
heavily defended client and they looked around and

157
00:14:33,440 --> 00:14:37,159
said, you know, we just
can't get in through these people's network.

158
00:14:37,200 --> 00:14:41,919
It's locked up tight. So
what they did was one of these you

159
00:14:41,919 --> 00:14:48,000
know USB things. They went out
and purchased a very expensive mouse, a

160
00:14:48,360 --> 00:14:54,159
very nice mouse, carefully took the
packaging apart, carefully took the mouse apart,

161
00:14:54,399 --> 00:14:58,639
inserted a USB drive into the mouse, connected it all up to the

162
00:15:00,000 --> 00:15:03,720
mouse's USB, put it all back
together, shrink-wrapped the whole thing,

163
00:15:03,000 --> 00:15:07,200
and sent it to, you know,
one of the victims in the company

164
00:15:07,240 --> 00:15:13,279
they were testing because they've done some
social media research. They figured out this

165
00:15:13,320 --> 00:15:18,200
person just came back from an expensive
conference and said, thank you for attending

166
00:15:18,200 --> 00:15:22,080
the conference. Here's a thank you
gift, you know, complete with the

167
00:15:22,080 --> 00:15:26,639
conference logo, very official looking.
This person says, lovely, opens it

168
00:15:26,720 --> 00:15:28,039
up. Oh, this is nice. This is a two hundred dollar mouse

169
00:15:28,080 --> 00:15:31,679
from my three thousand dollar conference.
Thank you, plugs it in, starts

170
00:15:31,720 --> 00:15:35,759
using it. Twelve hours later, in
the dead of night, it says,

171
00:15:35,840 --> 00:15:39,960
yes, I'm a mouse, I'm
also a USB drive, And you know,

172
00:15:41,440 --> 00:15:43,720
the window pops up and the mouse
starts moving, double clicks on the

173
00:15:45,519 --> 00:15:50,960
contents, and now the computer's compromised. So it's not just USB drives that

174
00:15:50,000 --> 00:15:54,759
are at issue here. If you're
given a gift of any USB device,

175
00:15:56,240 --> 00:16:02,960
be deeply, deeply suspicious of it. So this is all nasty, but

176
00:16:03,360 --> 00:16:07,600
you know, this is the Industrial
Security podcast. Can you talk about the

177
00:16:07,600 --> 00:16:15,279
industrial environment? I mean, I
see USBs everywhere. I mean, what

178
00:16:15,320 --> 00:16:19,799
should industrial users be worried about?
What should they be thinking about? Here?

179
00:16:21,759 --> 00:16:26,799
The best way to prevent an attack
with USB devices is just don't

180
00:16:27,080 --> 00:16:34,840
use them. Don't use them. So in OT environments, in industrial

181
00:16:36,159 --> 00:16:41,960
environments, they cannot do
that. They need to use

182
00:16:42,200 --> 00:16:53,080
USB devices because they have legacy
devices where they cannot carry out their updates or

183
00:16:53,120 --> 00:17:00,120
whatever. So they need to use
USB devices. They are forced to

184
00:17:00,320 --> 00:17:06,200
use USB devices on all the environments. You know, I kind of expected

185
00:17:06,200 --> 00:17:10,839
that I see people using USBs at
industrial sites. I assume it's because they

186
00:17:10,880 --> 00:17:17,200
have to, you know, because
they're aware of these problems. What,

187
00:17:17,200 --> 00:17:21,400
what's the solution? I mean,
if you have to use a USB to

188
00:17:21,680 --> 00:17:29,160
load a new, I don't know, ladder
logic program into a PLC, how do

189
00:17:29,200 --> 00:17:37,480
you avoid this kind of exposure? You need something that checks everything that

190
00:17:37,640 --> 00:17:44,880
is stored on the device. You
need something that, when you come with a thumb drive,

191
00:17:45,400 --> 00:17:51,200
you connect it to that device, to
that system, and it

192
00:17:51,319 --> 00:17:56,720
says if it's safe enough for
the company, if you can go inside

193
00:17:56,759 --> 00:18:00,000
with that thumb drive. How do we
solve this problem? I mean, I

194
00:18:00,039 --> 00:18:04,319
see people using USBs at industrial sites
because presumably they have to, they have to

195
00:18:04,319 --> 00:18:08,519
load a PLC ladder logic program into
the device, and then you know the

196
00:18:08,720 --> 00:18:12,440
the USB is the only way to
do it. How do they do?

197
00:18:12,559 --> 00:18:19,240
How do you address this problem?
So the only way you can get protected

198
00:18:21,880 --> 00:18:27,680
from these attacks is checking
three kinds of threat: the electrical one,

199
00:18:27,960 --> 00:18:34,039
the hardware one, and the software
attack. You need to check the behavior

200
00:18:34,440 --> 00:18:40,279
of the thumb drive in order to
detect these three kinds of threat. If

201
00:18:40,319 --> 00:18:47,599
you can get that, you're protected
from every kind of attack with the USB

202
00:18:47,759 --> 00:18:52,559
protocols. Okay. So
there are three things that we have to protect

203
00:18:52,599 --> 00:18:55,519
against. We have to protect against
the, you know, the high-voltage

204
00:18:55,559 --> 00:19:00,160
electrical nasty. We have to do
something about the hardware. Can

205
00:19:00,200 --> 00:19:03,640
you tell us, you know, what
you guys do? What do

206
00:19:03,720 --> 00:19:08,079
you guys do when you say the
words electrical, hardware and software? When

207
00:19:08,119 --> 00:19:11,599
you do this, what does it
mean? What do you guys actually do

208
00:19:11,839 --> 00:19:18,319
with your product? Okay. So
we develop a device, a hardware device,

209
00:19:18,839 --> 00:19:27,519
physical device which detects the behavior
of whatever is connected to our device.

210
00:19:29,359 --> 00:19:33,839
So if you connect a Killer USB,
the electrical threat, when you connect

211
00:19:33,880 --> 00:19:40,160
it, we check the behavior, and
if it breaks the USB protocol

212
00:19:40,359 --> 00:19:45,400
for a storage device, we detect it, we block it,

213
00:19:45,599 --> 00:19:52,079
and we also report to the admin
that someone is connecting a Killer

214
00:19:52,200 --> 00:19:59,400
USB on port number
one on the device in the

215
00:19:59,759 --> 00:20:04,160
company, or on floor
three of your company. So the idea

216
00:20:04,200 --> 00:20:18,079
is to check the USB protocol,
which is very strict. The USB

217
00:20:18,160 --> 00:20:23,880
protocol says you need to do this
at this exact time. So if something

218
00:20:23,960 --> 00:20:33,039
is connected and doesn't strictly follow the
USB protocol, it means that it's talking

219
00:20:33,240 --> 00:20:40,839
with some other components, or is talking
to or typing to the computer,

220
00:20:41,119 --> 00:20:48,119
or is charging the electrical components
to send the volts through the data lines.

221
00:20:48,440 --> 00:20:52,960
So it means it's doing something else
than what it needs to do.

222
00:20:53,440 --> 00:21:02,079
If it was a storage device. You
check the hardware. If there's overvoltage,

223
00:21:02,119 --> 00:21:07,839
you know, you block that.
That's great, you've checked the

224
00:21:07,960 --> 00:21:11,240
USB protocol. It's supposed to be
a drive, it's not supposed to be

225
00:21:11,279 --> 00:21:15,079
a keyboard. When you say checking
the protocol, you've said electrical, hardware and

226
00:21:15,119 --> 00:21:18,920
software. Is checking the protocol hardware
and software? What's, you know... What

227
00:21:19,559 --> 00:21:22,920
did we miss something here? I
only heard two things. I

228
00:21:22,960 --> 00:21:30,039
heard electrical, I heard
protocol. What is the

229
00:21:30,079 --> 00:21:34,599
hardware? What is the software?
The electrical one is the Killer USB

230
00:21:34,759 --> 00:21:41,680
that charges the electrical components and then
sends the volts through the data lines. The

231
00:21:41,759 --> 00:21:48,559
hardware attack is the Rubber Ducky, the Bad
USB with all that we talked about. And

232
00:21:48,839 --> 00:21:53,599
then there is the software, that is this
kind of threat. The software threat is

233
00:21:53,640 --> 00:22:02,920
a completely normal thumb drive but with
some software, some malware inside. So

234
00:22:03,359 --> 00:22:11,920
we check the USB protocol for
the electrical... We check the USB

235
00:22:11,079 --> 00:22:15,599
protocol for the electrical attack, and
we check the USB protocol for the hardware

236
00:22:15,599 --> 00:22:23,359
attack. And we have antivirus built
into our device to check the software

237
00:22:23,400 --> 00:22:26,440
attack. Can you tell me,
I mean, how does your device?

238
00:22:26,960 --> 00:22:30,599
What does it look like physically?
I mean, is this something that I,

239
00:22:30,880 --> 00:22:34,559
you know, plug into the wall
to have power and I put my

240
00:22:34,720 --> 00:22:37,759
USB in and it gives me a
green light and says your USB is good,

241
00:22:37,799 --> 00:22:41,079
go use it wherever you want.
And then I go plug the USB

242
00:22:41,160 --> 00:22:45,480
into the PLC. Or do I
plug your device into the PLC and then

243
00:22:45,519 --> 00:22:48,400
plug the USB into your device?
Is it between the USB and

244
00:22:48,440 --> 00:22:52,359
the PLC, or is it sort
of off on the side somewhere? Okay,

245
00:22:52,400 --> 00:22:59,400
So our device is
going to be the first layer of security.

246
00:22:59,480 --> 00:23:08,440
For your company, it is located at
the first door of your industrial facilities.

247
00:23:08,799 --> 00:23:19,920
So when someone comes to your industrial
organization with a thumb drive,

248
00:23:21,880 --> 00:23:30,680
they go to the security
office with the security guy. He connects

249
00:23:33,039 --> 00:23:37,960
the thumb drive to our solution,
and from our solution you can transfer the

250
00:23:38,039 --> 00:23:45,400
files through the network
to your PLC or to the shared folder

251
00:23:45,519 --> 00:23:51,119
you want, to SFTP, to a folder
you want, in order to get those files

252
00:23:51,160 --> 00:23:59,279
directly from our device without connecting that
thumb drive to your

253
00:23:59,319 --> 00:24:06,160
computer and exposing yourself to threats
that change their behavior, for example on

254
00:24:06,319 --> 00:24:12,720
the second connection. So our device
is connected to a power supply and

255
00:24:12,799 --> 00:24:22,480
also with an Ethernet cable to your
network. Andrew, I'm going to need

256
00:24:22,519 --> 00:24:26,079
a little bit of help here.
I follow how this device handles you know,

257
00:24:26,319 --> 00:24:30,559
typical software threats, right, he
mentioned antivirus. But how does

258
00:24:30,599 --> 00:24:36,640
it prevent the you know, the
USB that is going to fry my motherboard.

259
00:24:37,720 --> 00:24:40,880
That's just it. This is a
separate physical device plugged into the wall.

260
00:24:41,200 --> 00:24:45,920
It does not prevent the USB frying
your motherboard. It detects. So

261
00:24:45,960 --> 00:24:51,799
you stick the USB drive in there, and you know it's going to give

262
00:24:51,799 --> 00:24:56,000
you a red flashing light saying whatever
you do, don't plug this thing into

263
00:24:56,119 --> 00:24:59,960
the PLC, it will fry your
PLC. It detects rather than prevents.

264
00:25:00,960 --> 00:25:06,640
Okay, but then why doesn't this
USB fry the device itself that's detecting this?

265
00:25:07,279 --> 00:25:11,000
Well, you know, that's the thing:
the device is designed understanding that,

266
00:25:11,480 --> 00:25:15,079
you know, nasty stuff physically electrically
could be coming at it. So

267
00:25:15,079 --> 00:25:21,200
it's designed to withstand electrical abuse.
You know, you can design a circuit

268
00:25:21,240 --> 00:25:23,799
board for two hundred volts. You
know, there are things you can do.

269
00:25:23,880 --> 00:25:27,359
You just have to know what's
coming at you. And they've

270
00:25:27,400 --> 00:25:30,240
taken this into account, you
know, and so, you know,

271
00:25:30,279 --> 00:25:33,920
they do detection, they do antivirus, just like you said, they do

272
00:25:34,599 --> 00:25:41,400
the electrical, saying something electrical just happened, and they do the firmware detection as

273
00:25:41,440 --> 00:25:44,720
well. Really, you know what
he said was, look, we understand

274
00:25:45,000 --> 00:25:49,200
electrically, you know, voltage wise
and signal wise electrically, what a normal

275
00:25:49,359 --> 00:25:56,079
USB drive behaves like. It behaves at
five volts. We understand, USB protocol-wise,

276
00:25:56,519 --> 00:26:00,240
what a normal USB drive behaves like. You send it this question,

277
00:26:00,359 --> 00:26:03,839
It sends you back that answer,
you send it this other thing.

278
00:26:03,839 --> 00:26:10,960
You understand the USB protocol for a
thumb drive. And so what they're doing

279
00:26:11,039 --> 00:26:15,279
is looking hard at what the USB
is doing. Is it deviating from the

280
00:26:15,319 --> 00:26:21,279
electrical protocol with high voltage? Is
it deviating from the drive protocol by saying,

281
00:26:21,279 --> 00:26:23,839
hey, I'm a keyboard. Any
deviation gives you a red light saying,

282
00:26:23,880 --> 00:26:27,319
whatever you do, do not plug
this thing into your industrial network.

283
00:26:27,880 --> 00:26:32,240
Yeah. It also occurs to me, now that you're describing all of this

284
00:26:32,400 --> 00:26:36,519
that if the USB were to fry
this device, which, as you mentioned,

285
00:26:36,599 --> 00:26:38,839
it won't because they've prepared for that, that would be a pretty good detection

286
00:26:38,960 --> 00:26:41,960
mechanism in and of itself, because
then you'd have a broken machine,

287
00:26:42,000 --> 00:26:45,599
and then you'd probably not want to
plug that USB in anywhere. It kind

288
00:26:45,599 --> 00:26:52,680
of sounds like an advanced version of
something we've talked about on prior episodes,

289
00:26:52,759 --> 00:26:59,240
the USB sanitation station, where if
you bring a device like that into manufacturing

290
00:26:59,279 --> 00:27:02,440
plant or something, you've got to
plug in your USB there or else

291
00:27:02,519 --> 00:27:06,279
you're not going to be allowed to
use it elsewhere, but maybe like one

292
00:27:06,359 --> 00:27:08,799
or two extra steps involved. That's
exactly what it is. I mean,

293
00:27:08,920 --> 00:27:14,319
you've used the term sanitation station.
I've heard the term kiosk. This is

294
00:27:15,200 --> 00:27:19,039
a physical device that sits at physical
security. You know, you come into

295
00:27:19,079 --> 00:27:25,079
the secure zone in the plant,
You're asked to empty your pockets. Do

296
00:27:25,160 --> 00:27:29,200
you have any USBs? Stick all
the USBs in the device. You're not

297
00:27:29,319 --> 00:27:33,720
allowed to carry the USBs into the
system anyway. It takes the files off

298
00:27:33,759 --> 00:27:40,119
the system, you know, puts
the files into the network, the clean

299
00:27:40,119 --> 00:27:42,799
ones that antivirus has blessed. So, yeah, this is a kiosk.

300
00:27:42,920 --> 00:27:48,039
It's a sanitation station. It lives
as part of your physical security system,

301
00:27:48,359 --> 00:27:56,400
sort of checking information and people and
devices on the way in, physically on the

302
00:27:56,440 --> 00:28:03,720
way into the secure area. Okay. And so if I have a PLC

303
00:28:03,799 --> 00:28:07,119
and the only way to change the
ladder logic is with the USB, then

304
00:28:07,119 --> 00:28:11,440
what I have to do is take
my sort of external USB, my suspect

305
00:28:11,880 --> 00:28:17,519
USB, run it through your device, get the files off of it on

306
00:28:17,559 --> 00:28:21,960
the other side, and then you
know, inside the industrial network, I

307
00:28:22,039 --> 00:28:25,559
need a bunch of I don't know, color coded USBs that have never touched

308
00:28:25,599 --> 00:28:27,799
the outside world. I put the
file back on one of those and I

309
00:28:27,839 --> 00:28:32,519
carry it over to the PLC.
Is that how it works? Yeah,

310
00:28:32,599 --> 00:28:38,119
we have several modes to work with
our product. We have an automatic mode

311
00:28:38,319 --> 00:28:44,559
for people who are working in the factory,
who are only there for working, not

312
00:28:44,680 --> 00:28:51,720
for knowing how to use our product
or other kinds of products. So we

313
00:28:51,799 --> 00:29:00,720
have a mode that automatically transfers everything
from the external thumb drive to an internal

314
00:29:00,039 --> 00:29:07,720
thumb drive that is protected by you, that is inventoried by you,

315
00:29:07,480 --> 00:29:14,839
so it's known by our device.
So that all makes sense. Can

316
00:29:14,880 --> 00:29:18,400
you give us some examples in the
industrial space in your experience? Who is

317
00:29:18,559 --> 00:29:22,400
using these kinds of products? What
are they using them for? You know,

318
00:29:22,440 --> 00:29:30,799
are they finding anything? Yeah,
our main clients are big companies with

319
00:29:32,839 --> 00:29:48,200
critical infrastructures, also defense and the
public infrastructures. They find attacks with the

320
00:29:48,480 --> 00:30:00,200
USB devices, and something that is important
about our devices: when you cannot check

321
00:30:00,799 --> 00:30:08,680
something, you don't know anything
about that, about the tour of your company.

322
00:30:08,720 --> 00:30:15,440
For example, if you don't have
something that checks the email, you

323
00:30:15,519 --> 00:30:22,880
are not checking if someone is downloading
something from the email. So

324
00:30:23,799 --> 00:30:33,680
at this time nobody has anything to
control what is moving with the thumb drives

325
00:30:33,720 --> 00:30:41,920
in your company. So at the
first time, on the first day you

326
00:30:41,039 --> 00:30:48,680
connect our product, you start having
everything that is running on the thumb drives

327
00:30:48,720 --> 00:30:56,000
in your company is reported in real
time to a central console, so the

328
00:30:56,079 --> 00:31:00,920
admin can check everything that is running
on thumb drives, and from there we have

329
00:31:02,039 --> 00:31:10,200
clients that detect someone is trying
to inject the company with BadUSB.

330
00:30:11,000 --> 00:30:15,680
So that means that you are under
attack, because the BadUSBs

331
00:30:15,799 --> 00:30:25,880
are built specifically for you. They are

332
00:30:25,920 --> 00:30:30,319
built because of you. They
are built specifically for you. It is

333
00:30:30,359 --> 00:30:38,680
strange to detect a BadUSB
that is not targeted at you.

334
00:31:41,039 --> 00:31:47,519
So with the detected Killer USB,
we have clients that

335
00:31:47,599 --> 00:31:55,839
detect Killer USB and also
BadUSB. The software attack

336
00:31:56,079 --> 00:32:02,759
is very, very common. It is
normal to have thumb drives that have

337
00:32:02,960 --> 00:32:09,920
malware inside. So the
most important to detect

338
00:32:10,359 --> 00:32:20,599
and block and also report is the
electrical and the hardware attacks. So that

339
00:32:20,799 --> 00:32:24,279
was a long answer. Let me
let me summarize. What I heard Mario

340
00:32:24,440 --> 00:32:30,799
say was that, yeah, their
systems are in use, and most of their

341
00:32:30,799 --> 00:32:36,920
customers are large critical infrastructure sites.
Their systems have detected all three kinds of

342
00:32:36,920 --> 00:32:39,319
attacks. The most common attack that
they detect is, you know, the

343
00:32:39,319 --> 00:32:43,480
stuff that the antivirus catches.
There's a nasty in, you

344
00:32:43,480 --> 00:32:45,400
know, one of your files in
the six hundred files on the drive,

345
00:32:45,920 --> 00:32:52,599
you know, and quarantine it.
So that's sort of commonplace. He also

346
00:32:52,759 --> 00:32:57,680
said that the Killer USB, the
high voltage, has been detected in the

347
00:32:57,720 --> 00:33:01,400
wild, which surprises me. I
would have thought that, you know,

348
00:33:01,799 --> 00:33:05,920
if that was going on in the
wild, you'd hear more about it,

349
00:33:05,960 --> 00:33:07,839
and you know, this is the
first I've heard of it, so that's

350
00:33:07,880 --> 00:33:13,480
a bit of a surprise. He
also said that the firmware attacks have been

351
00:33:13,519 --> 00:33:19,119
detected in the wild, and these
are in a sense particularly alarming because he

352
00:33:19,200 --> 00:33:23,680
says, in practice, when they've
been detected, pretty much always they have

353
00:33:24,200 --> 00:33:32,240
identified a targeted attack, meaning someone
with a lot of resources put together an

354
00:33:32,279 --> 00:33:39,240
attack that is specific to this critical
infrastructure site or that you know, very

355
00:33:39,319 --> 00:33:44,240
valuable in industrial site. You know, who has those kinds of resources for

356
00:33:44,319 --> 00:33:49,279
that kind of investment in attack technology? It's usually a nation state, so

357
00:33:49,559 --> 00:33:52,319
that's disturbing, that these have been
discovered in the wild as well. Yeah,

358
00:33:52,359 --> 00:33:57,400
it strikes me that these kinds of
attacks wouldn't be cyber criminal in nature,

359
00:33:57,440 --> 00:34:01,480
but also that I haven't really heard
about them before. Is there a

360
00:34:01,519 --> 00:34:06,880
reason why they wouldn't make the news? You know, you have to ask

361
00:34:07,039 --> 00:34:10,119
who's detecting these attacks. If
it is nation state, it may well

362
00:34:10,159 --> 00:34:15,360
be you know, nation state attacks
on very sensitive targets. You know,

363
00:34:15,440 --> 00:34:19,320
he did not say that they have
I don't know military customers. If you've

364
00:34:19,320 --> 00:34:24,039
got a very sensitive target, they
if you know, let's say a large

365
00:34:24,079 --> 00:34:28,920
government owned facility, whatever kind of
facility it is, you know, they

366
00:34:28,960 --> 00:34:35,239
might just not report, Hey,
we think the Russians or Iran or someone,

367
00:34:35,280 --> 00:34:37,400
you know, North Korea has just
come after us. They might share

368
00:34:37,440 --> 00:34:45,840
that knowledge within, you know, their
classified circle, their circle of, you

369
00:34:45,880 --> 00:34:49,559
know, people that they inform confidentially
about these attacks to say, you know,

370
00:34:49,599 --> 00:34:53,760
here's what's happening. Protect yourself.
But you know, if the man

371
00:34:53,760 --> 00:34:58,679
on the street is not at risk
of you know, a nation state coming

372
00:34:58,719 --> 00:35:02,719
after them, you know, maybe
they figure they don't need to know,

373
00:35:04,000 --> 00:35:07,440
and the people who do need to
know. You know, our allies have

374
00:35:07,559 --> 00:35:10,159
been informed through classified channels. I
don't know. I don't have a security

375
00:35:10,159 --> 00:35:13,639
clearance. I never see any of
this, So this is all speculation on

376
00:35:13,719 --> 00:35:19,360
my part, but it seems plausible. So on the industrial side, let

377
00:35:19,480 --> 00:35:22,519
let's take a step back. On
the industrial side, the USB attack everybody

378
00:35:22,599 --> 00:35:28,679
talks about is Stuxnet, a very
sophisticated attack, you know, nation state grade.

379
00:35:29,199 --> 00:35:34,360
How confident should we be of the
USB solution? Can you detect,

380
00:35:35,159 --> 00:35:39,960
you know, that grade of sophisticated attack? We are confident in our solution

381
00:35:42,239 --> 00:35:49,320
because we check the behavior,
but the confidence that the client needs to

382
00:35:50,199 --> 00:36:00,960
contact us is: we are certified by
our Spanish Cryptological Center. Also we are

383
00:36:01,239 --> 00:36:08,960
approved and also certified. There are two
options here, certified or approved; we are

384
00:36:09,079 --> 00:36:19,280
both. We are certified and approved
to work with our Spanish National Cybersecurity

385
00:36:19,400 --> 00:36:31,920
Scheme, and also we are certified to
work with NATO countries. We

386
00:36:32,159 --> 00:36:44,079
went through a reverse engineering program in
order to be certified, and we are one

387
00:36:44,159 --> 00:36:50,960
hundred percent made in Spain. We
don't use electrical components from

388
00:36:51,440 --> 00:37:06,320
outside of the European Union. So
that's the confidence we send to

389
00:37:06,400 --> 00:37:09,760
our clients. So that's good. You guys have been, you know,

390
00:37:09,800 --> 00:37:15,599
doing this for a while. Can
you give us any view in the

391
00:37:15,639 --> 00:37:17,880
future. I mean, where's this
going? What are you guys doing next?

392
00:37:19,920 --> 00:37:24,519
The version we have today is the
third version since we started this company.

393
00:37:24,760 --> 00:37:37,199
We started this company in twenty eighteen,

394
00:37:37,679 --> 00:37:44,079
and this is the third version that
we are working on. The new versions

395
00:37:44,159 --> 00:37:52,360
with more ports. The model today
has two ports, version two and version three of

396
00:37:52,400 --> 00:38:00,880
the USB protocol. And we are
working on different kinds of devices, everything

397
00:38:02,079 --> 00:38:08,440
to detect the USB
attacks, but different kinds of devices

398
00:38:08,480 --> 00:38:16,719
with maybe a screen or with more
connectors, a Type-C version to support

399
00:38:16,719 --> 00:38:24,079
the USB with Type-C, or we
are working on more

400
00:38:24,119 --> 00:38:29,119
than one device, more than one
model. Well, this has been great,

401
00:38:29,159 --> 00:38:30,719
Mario, thank you for joining us. Before we let you go,

402
00:38:31,239 --> 00:38:35,000
you know, can you tell our
listeners what should they be? What

403
00:38:35,039 --> 00:38:37,480
should they be taking away? What
should they be watching? In this USB

404
00:38:37,599 --> 00:38:42,559
space? The first thing is never
trust USB devices.

405
00:38:42,840 --> 00:38:47,679
It can look like a thumb drive,
like your friend's thumb drive, but

406
00:38:50,960 --> 00:38:57,039
in reality it can be anything.
It can be a keyboard, it can

407
00:38:57,119 --> 00:39:06,880
be a Bluetooth connection or Wi-Fi
connection. So beware of

408
00:39:07,519 --> 00:39:15,239
thumb drives, because it is the first
thing the cyber criminal tries to do,

409
00:39:15,400 --> 00:39:21,119
because it's cheap and it is
the fastest way to

410
00:39:21,280 --> 00:39:31,400
get inside your system. So the
second thing you need to know is

411
00:39:31,800 --> 00:39:40,679
what's good about authUSB
is that we are focused on those

412
00:39:40,800 --> 00:39:47,039
environments where they need to use USB
devices every day for every action,

413
00:39:47,960 --> 00:39:54,639
and we are checking the behavior.
We are the only ones that check the

414
00:39:54,719 --> 00:40:02,440
behavior of the USB devices.
Others look at the blacklist or white

415
00:40:02,480 --> 00:40:08,079
list. We just check the
behavior of whatever is connected. And we

416
00:40:08,360 --> 00:40:15,519
also report everything in real time,
so the admin of your company can

417
00:40:15,599 --> 00:40:22,599
see everything in real time.
So if you want to know more about

418
00:40:22,960 --> 00:40:30,000
our solutions, you can just contact
us. Our website is authusb.net,

419
00:40:30,079 --> 00:40:38,800
and from there you can contact us
and know more about our solutions. All

420
00:40:38,880 --> 00:40:43,559
right, that seems to have concluded
your interview with Mario. Andrew, do you

421
00:40:43,599 --> 00:40:46,079
have a final thought that you can
take us out with. Yeah, I

422
00:40:46,079 --> 00:40:52,800
mean something Mario said in sort of
his sum up reminded me. You know,

423
00:40:54,000 --> 00:41:00,239
we've talked about sort of in a
sense, the mundane, the normal,

424
00:41:00,480 --> 00:41:05,480
the kinds of attacks to expect in
you know, he reminded me that

425
00:41:05,559 --> 00:41:10,360
these kinds of attacks can become much
more sophisticated. Imagine something that I mean,

426
00:41:10,519 --> 00:41:15,480
these USB drives, they've got CPUs
inside. They can be arbitrarily complicated,

427
00:41:15,519 --> 00:41:21,559
they can be arbitrarily powerful because they're
little computers. Imagine a USB drive

428
00:41:21,559 --> 00:41:25,599
that has a CPU inside. Yes, and I don't know cellular hardware,

429
00:41:25,719 --> 00:41:30,639
so it can reach out to the
cellular network and say here I am What

430
00:41:30,719 --> 00:41:34,119
would you do with that? Well, it would you know, it could

431
00:41:34,199 --> 00:41:37,119
say to the computer, hey,
I'm a drive. Great, I'm also

432
00:41:37,119 --> 00:41:42,360
a keyboard, I'm also a mouse, I'm also a screen. And you

433
00:41:42,400 --> 00:41:45,440
know what's the default behavior on most
Windows computers when it says, hey,

434
00:41:45,880 --> 00:41:52,239
I'm another screen, it mirrors the
first screen to the second screen. And

435
00:41:52,320 --> 00:41:54,760
now you've got you're seeing a copy
of the screen. You can move the

436
00:41:54,800 --> 00:41:58,679
mouse, you can type in the
keyboard. This is nasty, but you

437
00:41:58,679 --> 00:42:01,440
know, all over the internet,
all by remote control. You know.

438
00:42:01,719 --> 00:42:10,480
The bottom line here is that,
you know, we need to be deeply

439
00:42:10,559 --> 00:42:15,920
suspicious of any USB drive that comes
into our industrial network from the outside world.

440
00:42:15,960 --> 00:42:20,719
We need to scan it nine ways
to Sunday, you know, on

441
00:42:21,400 --> 00:42:24,679
the way into the network, ideally
pulling the you know, the contents off

442
00:42:24,679 --> 00:42:30,159
of it, not allowing the physical
device into the network at all. So

443
00:42:30,400 --> 00:42:34,559
yeah, it's a modern threat. It's, you know, thank you to

444
00:42:34,599 --> 00:42:39,000
Mario for reminding us of this nasty
attack pathway. Yes. Thank you to

445
00:42:39,159 --> 00:42:44,039
Mario Sandlist for speaking with you.
Andrew, and Andrew, thank you as

446
00:42:44,039 --> 00:42:46,480
always for speaking with me. It's
always a pleasure. Thank you, Nate.

447
00:42:46,960 --> 00:42:52,920
This has been the Industrial Security podcast
from Waterfall. Thanks to everyone out

448
00:42:52,960 --> 00:43:00,239
there listening. It's something the
