Security for USB Ports: Why Do Computer Manufacturers Disable Them?

Photo: Like other system hardware, USB ports need a bit of tender, loving protection.

Table of Contents

• Why do companies disable the USB ports on their computers?
• How do hackers target USB ports?
• How can I protect my USB ports?

There are a lot of security measures you can take to protect your high-performance computer (HPC), from implementing FIPS self-encrypting drives (SEDs) to installing comprehensive security suites and so on.

But cyberattackers are beginning to focus more on attacks, whether in-person or originating from supply chain infiltration, that target a system's hardware. One of these attack methods involves USB ports, which some security-conscious computer manufacturers, like Trenton Systems, disable to protect their customers.

In this blog post, we'll explain why disabling USB ports makes sense, how cyberattackers target USB ports, and what you can do to protect them.

Why do companies disable the USB ports on their computers?

Computer manufacturers sometimes disable Universal Serial Bus (USB) ports as boot sources to protect end customers from a USB cyberattack.

Disabling USB ports at boot time is achieved when firmware designers set USB disablement parameters within a system's Basic Input Output System (BIOS). 

The keywords here are "at boot time," meaning that once a user accesses a computer's operating system (OS), the USB ports should become fully functional again. In other words, the disablement is not permanent; the USB ports are only disabled at boot time.

If a computer manufacturer disables a system's USB ports, it's usually because the customer has requested this temporary disablement as an added security feature, although a manufacturer may also recommend this option to highly security-conscious customers, anyway.

But how does disabling USB ports benefit security?

Not allowing USB ports to become functional at boot time keeps computers from running infected operating systems and Unified Extensible Firmware Interface (UEFI) BIOS executables written to contaminated USB flash drives.

That's a longwinded way of saying that your USB ports would be unable to read potentially infected flash drive files. But we bet you're wondering how an infected flash drive could ever make its way into your secure computer.

Photo: Cyberattackers can successfully hack your system using its USB ports in a few different ways.

How do hackers target USB ports?

Cyberattackers use two common methods to attack USB ports: the Direct Insertion Method and the Human Curiosity Method. There's also a less common method, which involves manipulating the baseboard management controller (BMC).

We'll let Chris Sheppard, software engineer at Trenton Systems, explain.

The Direct Insertion Method

Many HPCs give boot priority to USB drives, not hard disk drives (HDDs) and solid-state drives (SSDs). So, if a hacker wanted to, say, engage in a bit of corporate or government espionage, they could just insert a contaminated USB stick into a valuable system housing lots of private data, reboot or wait for a user to reboot, and watch Rome fall.

If you're a hacker, you can take advantage of USB boot priority, and you can stick a flash drive in, maybe install something that, when a user reboots the computer again, even after the hacker removes the USB stick, the OS that's in there looks like it's running normally, but it's actually contaminated, and your data is being stolen, altered, deleted, or what have you.

        Chris Sheppard, Software Engineer, Trenton Systems

The Human Curiosity Method

But even once USB ports become functional after the boot process, hackers can still use them to infect your system. The scariest part is that they can get you to infect it for them.

So, there's the hacker who could sneak in and insert a USB drive into your computer, sure, but what's even more common is a hacker that leaves a bunch of USBs in a parking lot of the place they're attacking. This tactic leverages human curiosity because employees want to know what's on the drives, so they pick them up, stick them in their computers, and they're toast because Windows and other operating systems will scan the drive contents automatically. It sounds ridiculous, but this is a prevalent and successful way of attacking banks and such.

The Baseboard Management Controller (BMC) Method

A less common way that cyberattackers target USB ports is by manipulating a computer's baseboard management controller (BMC).

If you have a BMC, you typically run it really tight and make sure that it can't speak to the internet, but imagine if you made a mistake and that someone was able to get ahold of your BMC. Well, a really well-designed BMC can virtually mount a USB stick.

So, if you're at your desk, and you have a USB flash drive in a USB port, but you tell the computer to mount the flash drive to another computer virtually, the BMC would do it, and this is one way that you could perform a USB booting attack without physical access. That would be very clever and harder to pull off because IT is very protective of the BMC.

Photo: If you like it, then you should have put a lock on it.

How can I protect my USB ports?

One of the best ways to safeguard your USB ports is to work with a manufacturer on disabling all or certain USB ports upon boot. Companies who customize the BIOS, like Trenton Systems, can do this for you if you ask.

Some customers want all USB ports disabled at boot, and others only want specific ports disabled. For example, the USB ports located at the rear of a system might remain enabled because it would take hackers more time and effort to hack these without getting caught. Or a customer might keep a random, difficult-to-see-and-access USB port active in case they ever need to boot a recovery drive.

Another great way to protect your USB ports is to install literal doors and locks on them. That way, you remain in full control of how, when, and what drives go in and out of your ports. Now, if a hacker can break these physical barriers without getting caught, they can still hack your system using the boot method if your ports aren't disabled. So, we highly recommend implementing the boot disablement option as well.

At Trenton Systems, because we work with BIOS source code and thus have the ability to customize it, we can add BIOS security features that fit your unique needs. These features include setting all of certain USB ports as disabled at boot. Not all of our systems have this feature now, but we can add it if you request it. We will also be offering Intel Platform Firmware Resilience (PFR) on our upcoming servers and workstations.

If you're interested in USB port disablement and a custom BIOS for your secure, high-performance computing solution, don't hesitate to ask. We'll work with you every step of the way.