Maybe you know not to plug strange USB drives into your computer, but trends indicate that most people think nothing of it.
This is not a new risk. A decade ago, a group of penetration testers—hackers who are paid to break into companies, a la Sneakers—dropped 20 USB sticks around the parking lot of a credit union. Fifteen of them were found by employees, and each of those was eventually plugged into a computer, unwittingly running a program that communicated with a “bad” server.
In a recent and more rigorous experiment, a group of researchers from the University of Illinois Urbana-Champaign, University of Michigan and Google, dropped nearly 300 USB thumb drives around six campus locations and found that at least 45 percent of them were plugged into a computer and perused by the person who found them. While some of the people made an attempt to check the drive for malware—scanning it with antivirus software, for example—very few seemingly understood the risk of using an untrusted USB drive.
While modern Windows and Mac systems no longer run programs on a USB stick by default, other attacks, such as BadUSB, can make a USB drive appear to be something else, such as keyboard, and then use that access to take malicious actions.
Would you open an email attachment from someone you did not know, or one that seemed suspicious? Opening files on an untrusted USB drive is similar, said Michael Bailey, an associate professor of electrical and computer engineering at the University of Illinois Urbana-Champaign and one of the co-authors of the research paper.
USB drives: Untrusted and ubiquitous
“In the current world, there is no advice…except to know the provenance of the USB drive,” Bailey said. “Do not trust, don’t plug or insert untrusted media into your computer.”
For anyone tempted by the relative ubiquity of USB drives, this is hard advice to take. Security services provider Verizon, which publishes the annual data breach report, recommends that companies attempt to keep track of whenever USB drives are used. When the company finds untrusted USB drives, it can test them, said Chris Novak, a director with the firm’s RISK team, a computer investigations group.
“We have a lab environment, and we have isolated sandboxed systems,” Novak continued. “We often do executive protection, where, when executives go overseas or to a big conference, we give them temporary equipment, and if something happens, we get it back. We review it to see if there are any threats that took place.”
Yet, USB threats are often brought back home. In one case, which the company documented in its Data Breach Digest report, a Hollywood executive received a package seemingly from a well-known production company with a branded USB drive. Playing the movie trailer on the drive installed malware on the victim’s computer, enabling the attacker to steal an unreleased movie.
The fact that users plug such storage devices into corporate computers is a nightmare for IT security professionals, to the degree that they sometimes—and somewhat controversially—block USB ports on highly sensitive computers by gluing them closed with epoxy.
For consumers, doing without USB is not a solution. Yet, there seems to be very few ways to safely plug in a potentially malicious USB drive.
Run your own sandboxed environment? That could prevent damage from a file infector, but even a virtual system does not rule out a low-level hardware attack.
Erase the USB drive? This protects against file-based attacks, but firmware attacks, such as BadUSB, would not be prevented.
The best that consumers can do is buy their own USB drives. While that does not necessarily protect against all threats—flash memory has been known to be infected by a virus at the manufacturer—it does protect against the most common types of dangers.
Encrypted USB drives offer additional safety
When buying a drive, picking one with hardware encryption is also a good step. More advanced drives do not solve the basic problem of being a vector for malware, but they can protect the data on the drive and prevent firmware-based attacks such as BadUSB, according to Andrew Ewing, Flash Business Unit manager at storage-maker Kingston.
“The firmware is digitally signed, so it cannot be altered,” Ewing explained. “If we [Kingston] needed to alter the firmware, we would have to have the customer send back the drive to Kingston, so we could reprogram the firmware using the production tool.”
So, next time someone gives you a free USB drive, return it. If you find one on the ground, turn it in to lost-and-found. Plugging it into your computer is the worst digital hygiene, said Verizon’s Novak. “Think of USB sticks like toothbrushes and then you will not be so quick to pick it up and share it,” he says. (Ew.)