It wasn’t too long ago in 2019 that Yujing Zhang, an alleged Chinese spy, was arrested when she tried to enter President Donald Trump’s private Mar-a-Lago club in Palm Beach, Florida. Among Zhang’s possessions were nine USB flash drives.
When a Secret Service agent plugged one of those USB drives into his personal computer, it immediately began to install files designed to corrupt his computer.
In case you’re wondering why in the world would a Secret Service agent plug a foreign USB drive into his computer, you’re probably not alone. However, as studies have shown, even the most disciplined military and security personnel are not immune to plugging in rogue USB flash drives.
A few years ago, The U.S. Department of Homeland Security conducted an experiment in which it dropped USB flash drives in the parking lots of government buildings and private contractors. Sixty percent of the people who picked them up plugged the devices into office computers. If the flash drive had an official government logo on it, then the plugin rate skyrocketed to 90%.
In a less dramatic study, a U.S. university research project found that more than half of thumb drives that were left in parking lots were picked up and plugged into PCs within hours of being found. The controlled experiment at the University of Illinois concluded that a flash drive attack is not only effective, with an estimated 45% to 98% of dropped drives connected, but also expeditious, with the first drive connected in under six minutes.
While these reports are alarming, cybersecurity experts say USB things can hide deeper and even more dangerous attacks.
The Dangers of USB Devices
At the 2019 RSA Conference, speaker Eric Knapp of Honeywell Industrial Cyber Security wanted to show just how easy it was for a USB device to take control of a computer. Using an e-cigarette charger that he programmed in his hotel room just 20 minutes prior to his presentation, who proved how simple it was to wreak havoc.
To demonstrate, Knapp plugged the e-cigarette charger – which he dubbed the Vape-inator – into his laptop’s USB port, and it immediately took over his presentation, deleting words on the screen and replacing them with its own: “Who is this guy? You shouldn’t vape in public. Smoking is bad for your computer.”
While this was a lighthearted demonstration that generated laughter from the audience, the potential impact of such an attack is anything but funny. To be certain, any USB device can be modified or manipulated with relative ease to act like a keyboard, which allows any bad actor to do almost anything. In fact, researchers from Ben-Gurion University have identified 29 types of USB attacks, which extend to your smartphone.
Real-World Examples of USB Risks
The stories of attacks that began with a USB flash drive are everywhere, including these three:
- In 2019, a former student at The College of Saint Rose in Albany, New York, pled guilty to destroying more than 50 computers with a plug-in USB device called the USB Killer.
- Security company Kaspersky say crooks secretly planted USB devices on computers at big European banks in 2017 and 2018, causing millions of dollars in damages.
- Attackers famously used a USB drive to do damage at Iran’s Natanz nuclear plant and beyond with the Stuxnet attack, first identified in 2010.
It’s Not Just Thumb Drives, Either
While you might think you’re too smart to stick a found USB thumb drive into your computer, be aware that reports are now circulate about malicious USB mini-fridges, cup warmers, and mini-fans, among other devices.
With so many devices USB-enabled, the risks are everywhere. Use your USB drive to charge your fitness tracker or smart watch – or that e-cigarette, as demonstrated by Knapp – and you just might begin a series of events that takes down your company’s computer network.
But we have policies against plugging third-party devices into our work computers, you might say.
Sure you do but be aware that the studies referenced above show that human nature will push aside even the best intended policies.
So, what should you do?
Experts will tell you that you need to disable your USB ports. This can be easily done by securing your ports with USB port locks, HDMI port locks, and network port locks. These are inexpensive but effective devices that will keep your network safe from harm – whether intentional or unintentional.
Failure to lock your USB ports could easily turn them into RIP ports.