Blog: USB

I received several new Cisco 2960x switches to configure and one of them would not boot up stating that the image failed digital signature verification.  These switches have USB interfaces on the front and can be used for file transfer, however more modern USB flashdrives would not work for me.  I had a few older USB flashdrives that worked, so hold on to your flashdrives!

From a working switch, copy the boot image to the USB flashdrive.  
"copy flash:/c2960..../c2960...bin usbflash1:" (or usbflash0: depending on which port it was connected to).

I booted up the switch that wouldn't verify and tried to copy the image onto the switch from usbflash1:  but it told me the copy command was unknown.  Luckily, you can boot off the USB flashdrive image.

I typed "boot usbflash1:/c2960....bin" and it booted the switch where I was able to copy the working image to flash: "copy usbflash1:/c2960....bin flash:/c2960..../c2960....bin"  

​​After overwriting the corrupt image, I rebooted the switch and it passed the verification on the image.

I had two customers that needed to exempt a couple of systems from a group policy that disables USB/CD-ROM access, but I ran into the same issue both times when trying to do so.

I added the user to the appropriate group to block the GPO, but when I logged into the user’s PC, the drives still said access denied. I figured the group policy had not applied, so I forced it to apply and then I had the user both log off and back on and also restart with no success on the policy applying.

I did some digging and discovered that there is a bug in Windows that affects the Portable Device Enumerator Service. I tried several things with that service (restarting, looking at other depenedent services, etc) but nothing worked. Microsoft had a Hotfix available, so I tried that and still got nothing. Finally, after some additional research, I ran across a KB article that recommended going into Disk Management, uninstalling the driver for the CD-Rom and then rescanning the disks to let it re-install. As soon as I did that, everything started working properly. 

Here is the KB article with the Hotfix, in case it happens to work for someone else down the road: https://support.microsoft.com/en-us/help/2738898/users-cannot-access-removable-devices-after-you-enable-and-then-disabl

There are three primary connectors for USB3, shown below:

Standard-A

Standard-B

Micro-B

Most everyone knows a USB3 Standard-A cable will work in a USB3 port because they are the same size. But many people may not realize this is also true for the other connectors.

Because the extra pins for USB3 are in a separate part of the connector, you can use a Standard-B USB2 cable in a Standard-B USB3 port, and likewise for the Micro-B cable and port. You won’t get USB3 speeds, but this might be helpful if all you have on hand is a USB2 cable.

I had two 8 GB USB flash drives that suddenly started showing up as only one GB (983 MB).  A little research showed that through creating various live CD images for antivirus, freeNAS, Ubuntu, part image, etc., the drives had been partitioned and Windows was only recognizing the first partition.  Windows disk manager won't change the partitions on the flash drive, either. [more]

A solution is to use command-line diskpart.

Diskpart

- LIST DISK

- SELECT DISK X (Make sure you get the right disk!)

- DETAIL DISK

- CLEAN

- CREATE PARTITION PRIMARY

- EXIT

Then format the drive.

An information security audit customer was using Group Policy to disable USB mass storage devices by setting the appropriate registry key from a value of 3 to 4.  They verified the registry values were what they expected and moved on to other things.

After I arrived onsite and spot checked the USB restrictions on some of these workstations none of them prevented the use of my flash drive.  They scratched their heads and checked the registry key and it had been changed back to a 3.  If they forced a GPO update, the key was changed back to a 4 and USB mass storage devices were restricted from then on.

What was happening was these systems had never had a USB mass storage device attached.  The first time one is connected, the system performs the initial installation steps, one of which sets this key to a 3 even if it was set to a 4.  After reapplying the GPO, the restriction finally took effect for good.

I was utilizing a new USB headphone/microphone set instead of my normal devices which plug into the jacks on the side of the computer.  Everything worked great when the computer detected the new USB audio device and installed the driver.  Unfortunately, when I was done with the USB device and attempted to connect the old set of headphones, the computer would not detect them.

Upon further investigation, the computer told me there was no audio jack installed on the computer at all!  Evidently the USB device driver had disabled the audio jack completely to where it could not even be detected.  To regain sound, I had to uninstall the USB audio device driver.  This allowed me to access my audio jack settings again.

Beware of what certain device drivers can do!

Just as IT departments are finally locking down the use of removable media, a new threat may make existing technical controls irrelevant.  The “Teensy” is a USB microcontroller that plugs into a PC in the same manner as a USB thumbdrive.  But, the technical controls that are able to neutralize the use of thumbdrives and other USB storage have no effect on the Teensy.  That is because the Teensy emulates a human interface device, such as a keyboard.  Since USB keyboards are restricted by very few, if any companies, the Teensy is able to connect undetected.  The tiny microcontroller can be programmed with virtually any code- including code useful in an exploit.

Teensy devices are available online for relatively low cost- under $10 US.  It looks like IT administrators have another thing to keep them awake at night.