Protect the USB ports of your endpoints without restricting access

Seclab Secure Xchange USB aims to provide insulation between a host and a USB mass storage device.

The prime use of Secure Xchange USB is the safe connection of a laptop/system to the USB port of a machine (Programmable Logic Controller, kiosk, embedded system) for diagnostics or program updates.

Secure Xchange USB has been designed to relieve operations from having to analyze any USB Mass storage prior to connecting to a machine.

Connecting any device to the USB port of a machine may introduce threats of varying impact. Secure Xchange USB aims to remove those threats and prevent any malware hidden in the USB device from taking unwanted control of the machine. Updating firmware is a legitimate process, and the USB protocol enables anyone to use an off-the-shelf product to find a way to reprogram firmware.

The reality is simple: as users, we tend to trust peripherals. You trust your flash drive, you trust your keyboard, but you trust them because you are not aware of the threat.

A recent survey by Honeywell (Nov 2018) reported on USB-Borne Malware: While the volume of malware discovered in this research was small relative to the total sample size volume, the malware potency was significant. Of those threats analyzed, 1 in 4 (26%) had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control, and 16% were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.

Fundamental benefits 

A machine insulated by Seclab:

  • Neutralizes any threat at the USB layer;
  • Can decide if file transfer can be allowed through USB in either direction;
  • Enables file filtering thanks to certificate checking;
  • Enables content filtering in “service chained” mode with 3rd-party malware detection.

In short, this is robust hardware-based security.

Uniqueness of this approach

Unlike other products on the market that provide deep analysis of a USB mass storage device prior to connection to a target machine, Secure Xchange USB enables the immediate protection of a machine as soon as the USB device is attached!

Cyber-Security best practices should then include the use of Secure Xchange USB by default.

Protect your machines from attacks on their USB ports

A USB device can be used to attack systems directly, using the USB interface as a powerful attack vector. Ever since the Stuxnet attack used a USB flash drive to obliterate any semblance of an air gap in an Iranian nuclear facility, the industry has been well aware of the vulnerability that USB devices can introduce to their operations. 

Many of the operating systems, controls and equipment used to power industrial facilities have legacy components which were never designed for over-the-air (OTA) updates or cybersecurity at all and, due to memory, size, and hardware limitations, may not be suitable for direct protection.

A way to mitigate these risks is to enforce a strong policy on USB port usage. The Seclab Sec-XU product could be the de facto interface to any USB port on any machine for any employee or contractor having to upload firmware/software or download data.

Protect your USB mass storage devices from infected systems

A desktop, laptop or even an industrial machine (“host”) can be infected, and connecting a USB mass storage device can give this infection a vector of communication. Thanks to Secure Xchange USB, one can restrict the host's capacity to format, wipe or resize the USB mass storage device, and also restrict the host's visibility of the file system.

General features

  • Destroys the USB layer and recreates a trusted USB layer;
  • Shows Sec-XU’s mass storage only to the PC.

Security features

Prevents:

  • any attack at the USB layer (HID, BadUSB, ...);
  • undesired files;
  • USB key modifications (wipe, forensics, modify/add/delete partitions, ...).

Functional features

  • Provides direction control;
  • Actionable signature-based file filter.

Specifications

The product is provided as a single box (125 x 80 x 23 mm) with 1 standard USB 2.0 port and a mini-USB port for initial configuration by an administrator.

A configuration template can be prepared off-line and then uploaded to multiple products.

The supported file systems are: FAT, Ext 2/3/4, NTFS, and ISO9660. 

Secure Xchange USB has been designed to be used on the shop floor, a robust device delivering a robust service.