Oh, the magic of the USB flash drive! Those tiny devices can store as much as 2TB of data, making it extremely easy to move data from computer to computer, from office to home and back, and from user to user.
With this ease of data transportability provided by a USB flash drive comes the ease with which a data breach can occur. Whether it’s accidentally lost, carelessly left on a desk, maliciously programmed, or infected with malware, someone is sure to find it and plug it in – human nature tells us so.
Curiosity Killed the Cat – and a Few Data Networks, Too
In 2011, the U.S. Department of Homeland Security – in a controlled experiment – randomly dropped USB and optical drives in government and private contractor parking lots. More than half of those who picked one up readily plugged it into their work computer. Bloomberg News reported that 60% of those workers and contractors who picked up the drives plugged them into office computers. The report also said that 90% of found drives stamped with official government logos were plugged in.
Need more evidence?
In August 2016, researchers at the University of Illinois discovered that people’s “curiosity” was their cyber undoing nearly half the time. To test their hypothesis, the researchers spread 297 USB flash drives across campus to see what would happen. Almost half of the devices (48%) ended up in the USB port of someone else’s computer. While most of them later claimed they plugged in the flash drive to find its rightful owner (we suggest that this is not much different than opening an unmarked package emitting a ticking noise to identify who the package belongs to), 18% admitted they simply plugged in the flash drive for no other reason that curiosity
The most alarming discovery, however, was not the number of people who plugged the flash drive into a USB port, but rather the number who did so without taking the proper precautions; only 10 people analyzed the USB stick using antivirus software.
Okay, But What is the Worst That Can Happen?
If you doubt that the ubiquitous USB port is a cybersecurity threat, then consider that the Iran nuclear program was derailed several years ago because its computers were not protected with simple USB port locks that cost less than $2 each.
According to U.S. intelligence sources, an Iranian double agent working for Israel used a standard thumb drive to infect Iran’s Natanz nuclear facility with the highly destructive Stuxnet computer worm.
All it took for the virus to be triggered was a user clicking on the Windows icon. Once that happened, Stuxnet quickly propagated throughout Natanz – knocking that facility offline and at least temporarily crippling Iran’s nuclear program – all because Natanz didn’t foresee the need to protect its USB ports with USB port blockers.
More recently, in the fall of 2017, an unencrypted USB flash drive was found in West London containing sensitive and secret information regarding Heathrow Airport. According to Cyber Defense magazine, “the 76-folder/174-document drive detailed measures employed at Heathrow to protect the Queen, a timetable of security patrols, maps pinpointing CCTV cameras, the types of ID needed to access restricted areas, documentation of the ultrasound system used by Heathrow security to check perimeter fences and runways for breaches; and, a discussion regarding the type of threat the airport could face.”
If you’re still not convinced of the cybersecurity threat posed by USB flash drives, then consider this: In 2019, Canadian banking group Desjardins suffered a data breach that affected some 2.7 million people and around 173,000 companies. The stolen information included names, addresses, dates of birth, social insurance numbers, email addresses, and information on customers’ transaction habits. The source of the breach? An employee with “ill-intention,” according to Desjardin.
Lessons Learned
In this new work-from-home era created by a global pandemic, the cybersecurity dangers associated with USB flash drives are growing exponentially, as the very properties that make USB flash drives portable and enable them to connect to various networks also make them vulnerable to network security breaches. All it takes is one unencrypted USB flash drive to launch a massive cyber assault on a company’s data network.
The lesson here is that intentional attacks are far from the only way that sinister viruses and malware come into data ports. In fact, intentional attacks are most likely the minority.
The broader threat is unintentional. A thumb drive that gets used at home and then at work brings with it anything the home computer might have picked up along the way in the form of bugs and bleeps from the vast Petri dish of the Internet. All the more reason to secure your USB and network ports so that portable media devices – USB flash drives in particular – cannot be connected.