• About
  • Offices
  • Careers
  • Students
  • Alumni
Background Image
Logo Bennett Jones
  • People
  • Expertise
  • Resources
  • Search
  • Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z All

FEATURED AREAS

Energy
Funds & Finance
Mining
Capital Projects
All Industries
Crisis & Risk Management
Environmental, Social & Governance
Governmental Affairs & Public Policy
All Practices
Insights
Media
Events
Subscribe
COVID-19 Resource Centre
Business Law Talks Podcast
Kickstart
New Energy Economy Series
People
Featured Areas
All Practices
All Industries
About
Offices
Careers
Insights
Events
Search
Search
 
Blog

Cybersecurity Threats Everywhere–Beware of USB Keys

December 20, 2016

Written by Ruth Promislow and Ethan Schiff

In as little as 13 seconds, all of a company's data can be stolen by simply plugging in a USB drive.1

Intelligence agencies famously used this approach when uploading the Stuxnet worm at an Iranian nuclear facility,2 but even amateur hackers can succeed with a similar approach. The devices can transmit data to a hacker, even when plugged into an air-gapped computer (a computer that has never been connected to the internet).3 Even safes are susceptible to attacks through the use of USB devices.4

A company's strategy for protecting its data must include a protocol for dealing with USB devices.

The Problem

Devices that access a computer via USB (including keyboards, smartphones, external drives etc.) may appear innocuous, but simply plugging them in can introduce viruses, malware and other unwanted programs. A USB device may contain harmful material both in its memory storage and in its firmware.5 Detecting harmful material in the firmware can be extremely difficult, even for a seasoned IT security team.

Businesses are typically cautious about connecting a USB device from untrustworthy sources; but, even where a USB device comes from a trusted source, it is difficult to establish that its contents are benign. Absence of malicious intent from a party providing a USB device does not ensure absence of malicious intent from an underlying third party who may previously have accessed the device. Many devices are manufactured with software to provide access to cyber criminals6 and users may inadvertently transfer an infection from a computer to a USB key and vice versa without detection.7

Even seemingly trusted sources do not always prove trustworthy. A recent lawsuit in Arkansas involves allegations that the defendant (a local police department) provided the plaintiffs’ counsel with a USB device which was to contain documents being produced in the course of the litigation. Plaintiffs’ counsel took the precaution of sending the USB device to a cybersecurity expert who detected three distinct trojans on the device which were designed to steal data and passwords from the system to which the USB device was connected.8 While the cybersecurity experts were able to detect the harmful software, more sophisticated malware may not be so easily detected.

Best Practices

Some companies have determined that banning USB devices is preferable until security technology improves.9 Indeed, even IT security may be fooled into thinking that a harmful device is clean if they do not carefully check the firmware.10 If a company decides to forego using USB devices altogether, IT professionals can disable USB ports on computers. Some devices with software and hardware encryption are available, but the provider’s trustworthiness is critical and should never be assumed. It only takes one disgruntled client or scam artist to entirely compromise a company's system.

While the best practice may be to ban USB devices altogether, their use is standard in some areas of business. In such circumstances, it may be preferable to train IT security to properly analyze the devices and impose a system for properly handling any device before it can gain access to the system.  Do not use USB devices you receive at conferences.

Finally, companies must vigilantly prevent hackers from gaining physical access to their computers. Never leave an unattended computer logged in where someone with harmful intentions may have access. A cyber thief can use a USB device to hack a computer even if it is locked, so long as the user remains logged in.11 Even without access to a logged in user, anyone can quickly install a keylogger (a device that connects between a keyboard’s USB outlet and the computer’s port to record keystrokes which costs a mere $4012) and see everything you type.  Eliminating the USB port on computers can protect against this risk.

Conclusion

Businesses which use USB devices or which use computers to which a USB device can be connected run the risk of having their data compromised and the corresponding liability exposure.  In this world of increasing cybersecurity threats, the risks associated with USB devices should not be ignored.

 

Notes:

1 Matthew Rosenquist, “PoisonTap USB Device Can Hack a Locked PC in a Minute”, DarkReading (6 December 2016), [DarkReading].

2 Daniel Terdiman, “Stuxnet Delivered to Iranian Nuclear Plant on Thumb Drive”, CNET (12 April 2012).

3 Dan Goodin, “Meet USBee, the Malware that Uses USB Drives to Covertly Jump Airgaps”, arsTechnica (29 August 2016).

4 Yoni Heisler, “Brinks Safe Hacked with USB Stick and 100 Lines of Code”, BGR (28 July 2015).

5 Andy Greenberg, “Why the Security of USB is Fundamentally Broken”, Wired (31 July 2014), [Wired].

6 Teresa Meek, “6 Cyber Threats Keeping CIOs Up At Night”, Forbes Magazine (8 December 2016), [Forbes].

7 Wired, supra note 5.

8 Dan Goodin, “Lawyer Representing Whistle Blowers Finds Malware on Drive Supplied by Cops”, arsTechnica (14 April 2015).

9 Forbes, supra note 6.

10 Wired, supra note 5.

11 DarkReading, supra note 1.

12 See example

Authors

  • Ruth E. Promislow Ruth E. Promislow, Partner
  • Ethan Z. Schiff Ethan Z. Schiff, Associate

Read the New Energy Economy Series

Related Links

  • Insights
  • Media
  • Subscribe

Recent Posts

Blog

Evidence of Harm Required To Advance Class Action Following Data Breach

February 24, 2021
       

Blog

Site Rehabilitation Program Periods 5 and 6 Further Expand Program Scope

February 22, 2021
       

Blog

Supreme Court of Canada Declines to Hear the Cameco [...]

February 18, 2021
       

Blog

Competition Act and Investment Canada Act Review Thresholds [...]

February 16, 2021
       

Blog

Land Leases for Renewable Energy Projects in Alberta

February 16, 2021
       

The firm that businesses trust with their most complex legal matters.

  • Privacy Policy
  • Disclaimer
  • Terms of Use

© Bennett Jones LLP 2021. All rights reserved. Bennett Jones refers collectively to the Canadian legal practice of Bennett Jones LLP and the international legal practices and consulting activities of various entities which are associated with Bennett Jones LLP

Logo Bennett Jones