Did you ever get a free USB flash drive? USB fan, LED light, Wifi adapter, mouse, keyboard, dongle, or a USB god-knows-what for free as a gift? Each and every such device could be prepared to strategically plant exploits in your network and steal data or simply damage your system and files.
This happening isn’t funny on a private level, but it’s disastrous on corporate and enterprise levels. You got a free USB memory storage device worth $1 with the risk of infecting systems with exploits and whatnot. Are these freebies really worth this kind of InfoSec risk? Data corruption, leakage, network infiltration or worse?
My recommendation around these little USB giveaways would be not to trust all of them without calculating the risk. Corporations should ensure that they implement the right IT security policies on all IT assets around allowing or blocking USB devices. And you personally, you always need to do a little bit of risk management. Whether you’re using your own, someone else’s or an organization’s computer, do you fully trust this device?
Blackhats are always smart
The scripts that run on the device could be smart enough to run without you seeing it. They could also host light and sound sensors to make sure the office is dark and empty before the exploitation kicks in. That way nobody could see what’s going on, even if a remote access session was established.
Even if all staff is InfoSec trained and aware of the risks of using third-party freebies at work, there might be intruders who just happen to walk about. Those social engineers could subtly plant a $5 Raspberry Pi PoisonTap device, which does damage and creates backdoors in five minutes, even when the workstation is locked.
Could it get any worse?
You think that’s it? Far from it. There is basically no limit to who might be using such tactics and what for. Remember Stuxnet, which was believed by many experts, to be an American-Israeli cyberweapon? This program caused significant damage to Iran’s nuclear program. Regardless of that being a good thing or bad thing, it happened. It likely found its way inside the facilities in the form of a USB device.
Your takeaways
Don’t easily trust any kind of USB device. Don’t use freebies and if you’re with marketing, don’t give others USB devices as giveaways. Give them a t-shirt instead. The era of USB flash drives is long over anyway. Don’t be part of this legacy. Don’t be part of the chain to pass on potentially dangerous devices. Have fun and be safe!
Photo credit: Surian Soosay / Chris Harrison
Source: Nate Anderson (Ars Technica) / Dan Goodin (Ars Technica)