How To Manage The Risk Of USB Sticks

Computer users everywhere are looking at the USB stick sat next to their computer this week with trepidation. Many are now wondering if this trusted friend has turned against them now that cybersecurity experts say they've found a massive flaw in the very make up of these devices. It seems the humble USB drive can easily be used to compromise basic security principles in your machine.

USB picture from Shutterstock

The issue is considered so serious that a statement has been issued by the USB working party, the body that regulates this technology standard.

The group admits that there are security flaws in USBs but says that manufacturers should build in existing standards to protect consumers. This would mean that your average USB stick would be more expensive but more secure. In the meantime, you might want to take a second look at the stick on your desk.

Sticky problem

USB storage devices are still a staple tool for many of us. They are great for keeping a copy of your data, especially if you have to take it from home to work and if an online data transfer would take a long time.

The problem is that many files can be hidden on a USB without the user knowing they are there at first glance. And when your computer detects that you have inserted a USB storage device, it may well try to automatically run any code it finds on the stick. This process is a feature of many computers and dates back to the days of the CD-ROM, when you could load a disk and your computer would start running it without the need for you to click on any icons.

This is indeed a scary prospect and it gets even scarier when you learn that one of the most famous computer attacks of all time was started from a USB stick. We still don't know for sure who released the Stuxnet computer worm that disrupted Iran's entire nuclear programme but we do know that it came out of a USB stick.

In fact, this is still considered to be one of the most common methods of social engineering. Some cyber-criminals target companies simply by dropping USB sticks next to car doors in the car park. Curiosity gets the better of a passing employee and they insert the USB stick into their office computer. Before they know it, their machine has been compromised.

Hackers can easily write code that essentially turns the USB stick into a mouse or keyboard. They can then control your machine remotely, accessing your files and personal information. The code deposited on a computer can send screenshots of everything you do via the internet and these days, speeds are so good that you might not even notice them taking up the bandwidth on your home network as they do it.

Stick or twist?

This is definitely a very worrying problem but it is actually something that has been known about for some time in the industry. Corporate IT professionals try their best to mitigate the problems posed by rogue USB sticks. In fact many employers ban insecure USB devices on their systems.

As an ordinary user, you are at risk but avoiding the problem is very easy. All you need is good practice. Many of us scan our personal computers regularly using anti-malware software. This should be extended to any external storage devices, including USB sticks. In addition, make sure that your anti-malware software of choice automatically scans any new USB device. This should overcome the problem of an infected USB stick auto running.

If you are more technologically minded, you can disable your operating system's inclination to automatically install drivers and other software when a new USB stick is connected. The process differs between operating systems, but most have an option to do it. Microsoft Windows is relatively straightforward in this respect and there are many different approaches for Linux users. Mac users can feel extra smug here as OSX doesn't support autorun in the first place.

While we trust our friends, we should not trust their USB sticks, no matter how nice a person they may be. Be prepared to check their devices before they are ever attached to your machine.

This probably may never be resolved but it might not matter. Many of us enjoy good bandwidth and can transfer large amounts of data with ease. And cloud storage is fast becoming the best option anyway. If you use Dropbox, OneDrive or Google Drive, you might find yourself forgetting what a USB stick is in the next few years, anyway.The Conversation

Andrew Smith is Lecturer in Networking at The Open University. He does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.

This article was originally published on The Conversation. Read the original article.


Comments

    I don't understand what's new here that warranted the article.

      Basically not only are USB devices sources for malware in files on the devices, but the USB device firmware itself is now considered a source for malware that infects the target system merely by being connected (regardless of filesystem used or Autorun settings, etc). Being firmware-based the malware would be invisible to detect and run without executing a new process. In other words, very hard to detect. It's also possible for *any* kind of USB device, not just storage devices. So, think keyboards, mice, cameras, smartphones, tablets, USB headphones, gamepads.

      This all assumes there is a vulnerability to be exploited in the target system. That'll be the next step - finding some 0-day vulnerabilities in Windows/Linux/OSX that can be exploited by malware running in the USB device firmware. The likely source devices will be things everyone uses like USB storage sticks. Attacks against other devices like keyboards and mice will be less common and more targeted (but also more likely to work, since they'll be targeted by someone with knowledge of the victim's hardware/operating system and 0-days that will work).

    OK this guy is completely missing the point here. Please disregard 90% of this article.

    This newly discovered vulnerability has nothing to do with the 'autoplay' functionality at all. The is vulnerability is a weakness in the firmware on all USB devices. Before your computers OS even has a chance to open the file system and run those virus laden files, it talks to the firmware on the stick to interrogate it. It passes over details on what sort of device it is and can also pass over driver details to the OS to be able to talk with the device. This all happens at the hardware handshake level and is not scanned by malware detection software. Current (and foreseeable future) AV and malware detection software cannot help you if you plug a compromised device into your PC. The OS will run the code provided by the USB firmware at system level privileges (the highest level of access). It can then do whatever it wants with your PC and their is nothing you can do about it.

    The real insidiousness is that your PC then becomes a vector to spread that code to the next device you plug in. And it doesn't need to be a storage device. All USB devices are vulnerable. It could be a mouse, keyboard, phone, HDD, programmable remote control, headphones, ...

    The only good news is that it doesn't seem to have been exploited, yet.

    Have a good time super-gluing your USB ports up. ;-)

      Indeed, the article completely miscatagorises the problem. Scanning with an anti-virus won't help because the firmware of the device is not visible to that process. Basically this article is dangerously misleading.

    "Computer users everywhere are looking at the USB stick SAT next to their computer this week with trepidation"... OMG i hate that Pommy term. Correct English should be SITTING next to their computer.

    Last edited 12/08/14 8:38 pm

      I was confused as hell by that sentence too.

    SD will also be vulnerable to this firmware malware. BTW, having a hardware based encrypted USB, are they safe? For what i know they should be since the encryption is keyed to a chip that cannot be passed to USB or system bus.

Join the discussion!