In a recent study, researchers from Google and the universities of Illinois and Michigan dropped nearly 300 USB sticks off at the University of Illinois Urbana-Champaign campus and measured how many of these were plugged into student machines.
The findings were alarming, and indicative of just how dangerous USBs can be. “We found that users picked up, plugged in, and clicked on files in 48% of the drives we dropped,” the authors of the report commented. “They did so quickly: the first drive was connected in less than six minutes.”
A small number, just 32%, took precautions to protect themselves from possible threats. For those respondents who considered protective measures, 16% scanned the drive with their antivirus software while 8% believed that their operating system or security software would protect them.
More surprisingly perhaps, another 8% ‘sacrificed’ a personal computer or used university resources to protect their personal equipment.
“These individuals are not technically incompetent, but are rather typical community members who appear to take more recreational risks than their peers,” the report’s authors explained.
“We conclude with lessons learned and discussion on how social engineering attacks – while less technical – continue to be an effective attack vector that our community has yet to successfully address.”
USB stick security is flawed
This is the sign that people continue to let their intrigue get the better of them, plugging in USB sticks with little thought or concern for the possible after-effects.
And there have been some notorious examples where USBs have already caused significant damage – the infamous Stuxnet malware spread across Iranian centrifuges via an infected USB flash drive, while last month it was emerged that 18 malware-ridden USB thumb drives were found at a nuclear site in Germany.
The issue here is that USB malware is growing in potency and popularity in the underground market. Cybercriminals recognize that it’s an easy way of compromising an individual or business.
A common tactic of cybercriminals is to hide malicious code on a USB drive so that when it is plugged in, the code executes and installs itself on the computer without the user’s knowledge. The malware then spreads across connected computers and allows criminals to access the user’s data or use their computers to help them attack their ultimate target.
Some USB malware is worse than others. For example, the BadUSB malware can enable a cybercriminal to take control of a computer, invisibly alter files or even direct the user’s internet traffic – a useful way of delivering an additional payload.
A newer version, dubbed USB Killer and developed by researcher Dark Purple, could apparently “fry” a computer’s motherboard seconds after the dongle had been inserted in the USB port.
Some have gone on to argue that USBs are insecure by design; Karsten Nohl, the founder and chief scientist of Berlin-based Security Research Labs, has previously said that the majority of USB thumb drives do not protect their firmware, the software that runs on the microcontroller inside them.
This means that a malware program could replace the firmware and suggests its own commands to USB devices, like a keyboard for example.
Missing USBs not a new problem
The issue is not only that this drop-attack is a common technique employed by varying levels of cybercriminals, but also that USB sticks continue to be lost or stolen. They can end up in all places – although often governments and police departments are the worst offenders.
A study ESET carried out at the start of the year revealed that over 22,000 USB memory sticks end up in dry cleaners alone, with 45% of these never getting returned to their owners.
They also end up on public transport, in particular trains. Many of these remain lost forever, but a few end up in the hands of criminals and opportunistic individuals.
Education required
The problem that continues to engulf USB devices is that people are still largely unaware of the dangers involved. This is also, perhaps more surprisingly, even the case in business.
In 2011, a study conducted by the Ponemon Institute showed that an alarming number of companies do not consider protection of information on a USB drive to be high priority. Meanwhile, less than one-third of organizations believed they had adequate policies to prevent USB misuse.
In contrast, nearly half of large organizations have lost sensitive or confidential information on USB drives in just the past two years, and the rate is climbing significantly. Statistically, an average of 12,000 customer records are lost per organization due to missing USB drives.
Security experts say that end users must be educated on the dangers, as well as informed about good practice. The latter can usually be done through security awareness campaigns.
Other firms take a more aggressive approach, banning USB drives from their environment, even gluing up USB ports or preventing untrusted memory sticks from connecting to external devices.
People could encrypt information on flash drives, in the event of losing them, although this still doesn’t guard against the risk of an external attack.
USBs will, sadly, continue to be a security risk; people are prone to losing such devices, whilst the success of social engineering USB attacks (like leaving random keys in car parking lots as above) means that cybercriminals will continue to see this as an easy way into organizations.
However, with more security training, more secure USB drives and an increasing awareness around cybercrime tactics, you can make sure you don’t fall victim to this surprising common cyberattack.
