USB thumb drives, such as those pictured below from www.promotionalpro.com, are a very popular marketing item, but oftentimes people are not aware of the digital risks these devices can present.
In recent years, many USB devices have been sold or given away only to be found to be pre-infected from the factory. At a recent security conference in Australia, IBM handed out USB drives that were infected. Electronics stores have sold infected digital photo frames, and even TomTom shipped an infected GPS system.
There needs to be a fundamental shift in the manufacturing process to prevent many of these devices from shipping with malware. However, for a company purchasing USB devices for promotional uses, there are steps that can be taken to ensure a successful marketing campaign instead of a PR nightmare.
If you decide to use promotional devices, then adhering to a few processes can ensure you only share what you plan to share. To begin with, know how many files are supposed to be on the drive and what their content is supposed to be. You should have a list of the size of each file, how many files are in each directory, and a CRC or hash of each file. CRCs or hashes are mathematical calculations of files that make it very easy to be sure the file you are checking is identical to the file you know it should be.
When you provide your marketing materials to the company you are buying the devices from, so that they can be put on the drives, have a list of the files and hashes. When you receive the drives, take a sampling of them. Be sure that you are using a computer that has Autorun turned off. Use a high quality antivirus product and scan at least one of the new drives. I would recommend scanning several random drives. I also recommend using more than one antivirus product for this application.
The next step is to make sure that there are exactly the same number of files on the thumb drive as you know should be there, and that the CRC or hash for each file is identical to what it should be.
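The file-count and hash check described above, sketched as an added example that is not part of the original article: it uses SHA-256 as the hash, and the function names and the sample files it creates in a temporary folder are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large media files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Return {relative path: (size in bytes, SHA-256)} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_file(p))
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_drive(manifest, drive_root):
    """Compare a received drive with the manifest made from the master copy."""
    actual = build_manifest(drive_root)
    findings = {
        "missing": sorted(set(manifest) - set(actual)),
        "unexpected": sorted(set(actual) - set(manifest)),
        "modified": sorted(n for n in set(manifest) & set(actual)
                           if manifest[n] != actual[n]),
    }
    findings["ok"] = not any(findings.values())
    return findings

def demo():
    """Constructed sample: a master folder and a received drive that differs."""
    with tempfile.TemporaryDirectory() as tmp:
        master, drive = Path(tmp, "master"), Path(tmp, "drive")
        for root in (master, drive):
            (root / "catalog").mkdir(parents=True)
            (root / "brochure.txt").write_text("Spring catalog\n")
            (root / "catalog" / "prices.txt").write_text("Widget: 10\n")
        manifest = build_manifest(master)
        clean = verify_drive(manifest, drive)
        # Simulate a bad batch: one extra file and one same-size altered file.
        (drive / "autorun.inf").write_text("placeholder\n")
        (drive / "catalog" / "prices.txt").write_text("Widget: 99\n")
        return clean, verify_drive(manifest, drive)

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean drive:", clean)
    print("tampered drive:", tampered)
```

Build the manifest from your master copy before sending it to the supplier, then run `verify_drive` against each sampled drive; the altered file in the sample has the same size as the original, which is why the hash comparison matters and a size or count check alone does not.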
If these guidelines had been followed by the IBM marketing department in Australia, they would never have handed out infected drives. It isn’t only malicious software that can be a problem. If a wrong file is purposely or accidentally copied onto the thumb drives, you could be distributing hateful, hurtful, or indecent messages on your promotional items.
USB drives can be excellent promotions, as long as you know what it is that you are handing out. Checking the product thoroughly before you hand it out can keep your business looking good!
Director of Technical Education
Author ESET Research, ESET