Written by Ruth Promislow and Ethan Schiff
In as little as 13 seconds, all of a company's data can be stolen by simply plugging in a USB drive.[1]
Intelligence agencies famously used this approach when uploading the Stuxnet worm at an Iranian nuclear facility,[2] but even amateur hackers can succeed with a similar approach. The devices can transmit data to a hacker, even when plugged into an air-gapped computer (a computer that has never been connected to the internet).[3] Even safes are susceptible to attacks through the use of USB devices.[4]
A company's strategy for protecting its data must include a protocol for dealing with USB devices.
Devices that access a computer via USB (including keyboards, smartphones, external drives etc.) may appear innocuous, but simply plugging them in can introduce viruses, malware and other unwanted programs. A USB device may contain harmful material both in its memory storage and in its firmware.[5] Detecting harmful material in the firmware can be extremely difficult, even for a seasoned IT security team.
Businesses are typically cautious about connecting a USB device from untrustworthy sources; but, even where a USB device comes from a trusted source, it is difficult to establish that its contents are benign. Absence of malicious intent from a party providing a USB device does not ensure absence of malicious intent from an underlying third party who may previously have accessed the device. Many devices are manufactured with software to provide access to cyber criminals,[6] and users may inadvertently transfer an infection from a computer to a USB key and vice versa without detection.[7]
Even seemingly trusted sources do not always prove trustworthy. A recent lawsuit in Arkansas involves allegations that the defendant (a local police department) provided the plaintiffs’ counsel with a USB device which was to contain documents being produced in the course of the litigation. Plaintiffs’ counsel took the precaution of sending the USB device to a cybersecurity expert who detected three distinct trojans on the device which were designed to steal data and passwords from the system to which the USB device was connected.[8] While the cybersecurity experts were able to detect the harmful software, more sophisticated malware may not be so easily detected.
Some companies have determined that banning USB devices is preferable until security technology improves.[9] Indeed, even IT security may be fooled into thinking that a harmful device is clean if they do not carefully check the firmware.[10] If a company decides to forgo using USB devices altogether, IT professionals can disable USB ports on computers. Some devices with software and hardware encryption are available, but the provider’s trustworthiness is critical and should never be assumed. It only takes one disgruntled client or scam artist to entirely compromise a company's system.
While the best practice may be to ban USB devices altogether, their use is standard in some areas of business. In such circumstances, it may be preferable to train IT security to properly analyze the devices and impose a system for properly handling any device before it can gain access to the system. Do not use USB devices you receive at conferences.
Finally, companies must vigilantly prevent hackers from gaining physical access to their computers. Never leave an unattended computer logged in where someone with harmful intentions may have access. A cyber thief can use a USB device to hack a computer even if it is locked, so long as the user remains logged in.[11] Even without access to a logged-in user, anyone can quickly install a keylogger (a device, costing a mere $40,[12] that connects between a keyboard’s USB outlet and the computer’s port to record keystrokes) and see everything you type. Eliminating the USB port on computers can protect against this risk.
Businesses which use USB devices or which use computers to which a USB device can be connected run the risk of having their data compromised and the corresponding liability exposure. In this world of increasing cybersecurity threats, the risks associated with USB devices should not be ignored.
1 Matthew Rosenquist, “PoisonTap USB Device Can Hack a Locked PC in a Minute”, DarkReading (6 December 2016), [DarkReading].
2 Daniel Terdiman, “Stuxnet Delivered to Iranian Nuclear Plant on Thumb Drive”, CNET (12 April 2012).
3 Dan Goodin, “Meet USBee, the Malware that Uses USB Drives to Covertly Jump Airgaps”, arsTechnica (29 August 2016).
4 Yoni Heisler, “Brinks Safe Hacked with USB Stick and 100 Lines of Code”, BGR (28 July 2015).
5 Andy Greenberg, “Why the Security of USB is Fundamentally Broken”, Wired (31 July 2014), [Wired].
6 Teresa Meek, “6 Cyber Threats Keeping CIOs Up At Night”, Forbes Magazine (8 December 2016), [Forbes].
7 Wired, supra note 5.
8 Dan Goodin, “Lawyer Representing Whistle Blowers Finds Malware on Drive Supplied by Cops”, arsTechnica (14 April 2015).
9 Forbes, supra note 6.
10 Wired, supra note 5.
11 DarkReading, supra note 1.
12 See example