Thumb drives are used pretty much everywhere nowadays. Whether a generic metallic memory stick, a branded giveaway at an event, or cleverly disguised as Yoda or some other pop culture icon, these devices are universally embraced as an easy way to transfer data.
Unfortunately, they’re also loved by cyber criminals, who can use thumb drives to attack your computer.
In a Universal Serial Bus (USB) drop attack, cyber criminals leave USB devices for people to find and plug into their computers. A Good Samaritan hoping to return the drive or a penny pincher hoping to pocket a new device for free inserts the “found” drive into his or her computer’s USB port. Then the trouble begins.
There are three main types of attack:
The most advanced attack by USB exploits a hole in computer software the vendor doesn’t know about until the attack is discovered. It’s known as a Zero Day attack because the hacker has acted before the developer has a chance to act to fix the vulnerability. These advanced cyber attacks can compromise a network in secret and provide an element of surprise.
USB attacks might sound like they’d be limited to personal devices, but the implications can in fact be much bigger.
A particularly well-known example of a USB drop attack is Stuxnet, a computer worm that infected software at industrial sites in Iran, including a uranium-enrichment plant. The virus targeted industrial control systems made by Siemens, compromised the system’s logic controllers, spied on the targeted systems, and provided false feedback to make detection even more difficult, and it all began with a USB stick infection.
The United States government, too, has fallen victim to flash drive attacks. In 2008 an infected flash drive was plugged into a US military laptop in the Middle East and established “a digital beachhead” for a foreign intelligence agency. The malicious code on the drive spread undetected on both classified and unclassified systems enabling data to be transferred to servers under foreign control.
In one test of how well a USB scam can work, Trustwave planted five USB drives decorated with the targeted company’s logos in the vicinity of the organization’s building. Two of the five “lost & found” drives were opened at the organization. One of the openings even enabled the researchers to glimpse software employed to control the organization’s physical security.
A company in Hong Kong has even developed a USB that could kill a computer. Collecting power from the USB line, it absorbs power until it reaches about 240 volts and then discharges that energy back into the data lines in devastating power surges. Oh, and the USB Kill drive is available for just $56 — in case you think this is only something someone could accomplish if they’re tech savvy and have deep pockets.
USB Baiting has even been seen in popular culture, with what’s known as a “Rubber Ducky” tool appearing in the show Mr. Robot in 2016. The USB key only needed a few seconds to get to work using HID spoofing to gather FBI passwords.
And if you’re a hacker, why not? Two of the best tools a malicious party can leverage are the human desire to help others and our blind trust. It’s not that hard to imagine what you might do if you came across a USB key left by the copy machine or the water cooler. You’d probably think someone in your office simply misplaced it, and the simple solution would be plugging it into your own computer to see if you could you can find identifying information.
Imagine, then, a file is on there labeled “Joe_Resume.pdf.” Wouldn’t that seem like a safe and useful file to open to help you return the device to its rightful owner? Except, as you now know, that same file could be set up to deliver malicious code to your machine.
Most average users are unaware of how to safely determine the ownership of a USB stick, so educate workers about the risk of found USB drives and urge them to hand in any found devices to IT.
Think about the effort expended on telling children not to take candy from strangers. It’s the same idea with encouraging employees not to put found USB devices into their computers. One 2016 study dropped 297 USBs on a university campus. Of the 98% of found devices that were picked up, 45% were plugged into computers.
The thumb-sized USB drive has become increasingly commonplace, and that’s part of the problem. Today you might get one at a convention with a company’s logo and promises of promotional materials to download later. These “memory sticks” are small, cheap, and can store as much as 20 gigabytes of data.
“The more ubiquitous they’ve become, the greater the chances they’ll get lost or stolen or be used to spread malicious programs.” — Norton
These convenient drives are also easy to lose. In fact, one 2008 study found an estimated 9,000 memory sticks were found in people’s pant pockets at the dry cleaners. If the information on these left-behind drives is not encrypted and can be accessed by the wrong parties. This in and of itself represents a security risk.
So what’s to be done?
It’s important to educate your workforce while also understanding the limits of your physical and network security protocols. Ready to find out what those are? Let RedTeam Security Consulting test your facility’s security today.