If they weren’t ubiquitous prior to the pandemic, then USB flash drives certainly are now, as the work-from-home movement has created a heightened need for portable media. Also known as USB thumb drives, these devices are universally embraced as an easy way to transfer data.
Unfortunately, they’re also a favorite of cyber criminals, who can use flash drives to attack your computer and your network. In what is known as a Universal Serial Bus (USB) drop attack, cyber criminals leave USB flash drives for people to find and plug into their computers. Studies have shown that most people who find a thumb drive will plug it into their computer out of curiosity. That’s when the trouble begins, as one of four types of attacks is launched against the PC – and possibly the network.
- Malicious Code Attack: This is the most common USB drop attack, launched when the user clicks on one of the files on the flash drive, which activates malicious code and often downloads additional malware from the Internet. Malicious code can penetrate not only the user’s PC, but also compromise databases, networks, and entire clusters of servers – quickly or over a long period of time. These attacks may be launched through various means, including viruses, worms, script attacks, backdoors, active content, and Trojan horses.
- Social Engineering Attack: This attack is slightly more sophisticated, and the most common type of social engineering attack is the phishing attack, which is designed to accomplish three things: 1) Obtain personal information, such as names, addresses and social security numbers, 2) Use shortened or misleading links that redirect users to suspicious websites that host phishing landing pages, and 3) Incorporate threats, fear and a sense of urgency in an attempt to manipulate the user into responding quickly.
- HID (Human Interface Device) Spoofing: A more sophisticated USB drop attack is HID spoofing, in which the USB flash drive tricks the computer into thinking a keyboard is attached. This fake keyboard injects keystrokes as soon as the device is plugged into the computer. The keystrokes are a set of commands that compromise the victim’s computer and give a hacker remote access.
- Zero Day: The most advanced attack uses the USB flash drive to exploit a hole in computer software that the software vendor doesn’t know about until the attack is discovered. It’s known as a Zero Day attack because the hacker has acted before the developer has had a chance to fix the vulnerability. These advanced cyberattacks can compromise a network without anyone being aware.
USB Flash Drive Security Breaches
The stories of attacks that began with a USB flash drive are everywhere, including these four:
- In 2019, a former student at The College of Saint Rose in Albany, New York, pled guilty to destroying more than 50 computers with a plug-in USB device called the USB Killer.
- Security company Kaspersky says crooks secretly planted USB devices on computers at big European banks in 2017 and 2018, causing millions of dollars in damages.
- Attackers famously used a USB drive to do damage at Iran’s Natanz nuclear plant and beyond with the Stuxnet attack, first identified in 2010.
- In 2008 an infected flash drive was plugged into a US military laptop in the Middle East and established “a digital beachhead” for a foreign intelligence agency. The malicious code on the drive spread undetected on both classified and unclassified systems enabling data to be transferred to servers under foreign control.
If you think these types of attacks are difficult to pull off, think again. A Hong Kong company is marketing a $56 “USB flash drive” called USBKill that absorbs power from the USB port until it reaches about 240 volts and then discharges that energy back into the data lines in devastating power surges. It even has a remote trigger and a smartphone app that allows the cyber attacker to control the surges from as far as 100 yards away. USBKill can even stay dormant for up to 200 days and still maintain the ability to be activated.
Just How Vulnerable are We?
Numerous studies have demonstrated how easy it is to use basic human nature to launch an attack via a USB flash drive. Not long ago, Trustwave planted five USB flash drives adorned with the targeted company’s logos near the organization’s building. Two of the flash drives were opened at the organization, enabling researchers to have access to the software being used to control the organization’s physical security.
In 2020, Trustwave also reported that a U.S. hospitality provider was the target of a USB flash drive attack, which occurred after the company received a fake Best Buy gift card in the mail, along with a USB flash drive. The accompanying letter told the company that a list of items the gift card could be used for was available on the thumb drive.
In 2011, the U.S. Department of Homeland Security – in a controlled experiment – randomly dropped USB and optical drives in government and private contractor parking lots. More than half of those who picked one up readily plugged it into their work computer. Bloomberg News reported that 60% of those workers and contractors who picked up the drives plugged them into office computers. The report also said that 90% of found drives stamped with official government logos were plugged in.
Need more evidence?
In August 2016, researchers at the University of Illinois discovered that people’s “curiosity” was their cyber undoing nearly half the time. To test their hypothesis, the researchers spread 297 USB flash drives across campus to see what would happen. Almost half of the devices (48%) ended up in the USB port of someone else’s computer. While most of them later claimed they plugged in the flash drive to find its rightful owner (we suggest that this is not much different than opening an unmarked package emitting a ticking noise to identify who the package belongs to), 18% admitted they simply plugged in the flash drive for no other reason than curiosity.
How Do We Protect Our Computer and Networks?
Thumb-sized USB flash drives are so prevalent today that most of us don’t give them a second thought – which is part of the problem. We borrow them from colleagues, receive them from vendors, and likely have a collection of them in our desk drawers. These devices are small, cheap, and can store as much as 128 gigabytes of data.
They are the perfect weapon for cyber attacks and the weapon of choice of many cyber attackers. So, to defend yourself against USB drop attacks, heed the following:
- Physically block computer USB ports to avoid attack.
- Institute policies about what can and cannot be plugged into company computers and educate staff accordingly.
- Restrict the type of USB device authorized on a computer using Windows or a USB kill code to defend against unauthorized access.
- Keep your security policies and patches up to date.
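
To make the "restrict the type of USB device" advice concrete, here is an added example (not from the original article) of the decision an endpoint policy makes when a device is attached: it checks the interface classes the device declares and blocks a "flash drive" that also presents an input interface, which is the HID spoofing case described earlier. The allowlists, vendor/product IDs and sample devices are constructed for illustration; the class codes are the standard USB ones.

```python
# Added example: allowlist decision for a newly attached USB device.
# All device records and IDs below are constructed sample data.
from dataclasses import dataclass

USB_CLASS_HID = 0x03           # standard class code: Human Interface Device
USB_CLASS_MASS_STORAGE = 0x08  # standard class code: Mass Storage

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    interfaces: tuple  # one (class, subclass, protocol) tuple per interface

# Hypothetical lists an organization would maintain for issued hardware.
APPROVED_STORAGE = {(0x1111, 0x0001)}
APPROVED_INPUT = {(0x2222, 0x0002)}

def evaluate(dev):
    """Return (verdict, reasons); verdict is 'allow' or 'block'."""
    ident = (dev.vendor_id, dev.product_id)
    classes = {cls for cls, _, _ in dev.interfaces}
    has_storage = USB_CLASS_MASS_STORAGE in classes
    has_hid = USB_CLASS_HID in classes
    reasons = []
    if has_storage and has_hid:
        # A thumb drive has no reason to be able to type.
        reasons.append("storage device also presents an input (HID) interface")
    if has_storage and ident not in APPROVED_STORAGE:
        reasons.append("mass storage not on approved list")
    if has_hid and ident not in APPROVED_INPUT:
        reasons.append("input device not on approved list")
    other = classes - {USB_CLASS_HID, USB_CLASS_MASS_STORAGE}
    if other:
        reasons.append("interface class outside policy: "
                       + ", ".join(f"0x{c:02x}" for c in sorted(other)))
    return ("block" if reasons else "allow", reasons)

SAMPLES = {  # constructed devices
    "issued_drive": UsbDevice(0x1111, 0x0001, ((0x08, 0x06, 0x50),)),
    "found_drive": UsbDevice(0x3333, 0x0003, ((0x08, 0x06, 0x50),)),
    "drive_with_keyboard": UsbDevice(
        0x1111, 0x0001, ((0x08, 0x06, 0x50), (0x03, 0x01, 0x01))),
    "desk_keyboard": UsbDevice(0x2222, 0x0002, ((0x03, 0x01, 0x01),)),
}

if __name__ == "__main__":
    for name, dev in SAMPLES.items():
        print(name, *evaluate(dev))
```

Vendor and product IDs are reported by the device itself, so an allowlist like this filters out unapproved hardware but does not prove a device is genuine; it works alongside physical port blocking and staff policy rather than replacing them.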