USB devices seem like harmless flash drives that make it convenient to pass information between two computers. Users think nothing of inserting a USB flash drive into a laptop or desktop to read its information or store files. What they don’t know is that simply inserting a USB drive into a computer is a security risk in itself.
Users don’t even need to copy files or run executables from a USB drive to infect a workstation. Hackers can change the firmware on the device to run their own code and infect a machine. The firmware handles the communication between the USB drive and the laptop or desktop it is connected to, and it runs automatically when the user plugs in the drive.
It’s not even difficult to modify USB firmware. Even someone with no knowledge about firmware programming can download tools from the Internet that promise to create a USB drive that can be used to steal credentials from the victim. The USB is left in plain sight at the business premises and a naïve user finds it and plugs it into a laptop or work machine. The user’s credentials are stolen and sent to the hacker, and the attack is a success.
A recent experiment conducted by CompTIA showed what happens when 200 USB devices were dropped in public areas across major cities. They found that many users plugged the device into their laptop and even engaged in riskier behavior, such as opening files and sending messages to a list of email addresses.
The survey also collected data on employee security awareness. It found that 94% of employees connect their laptops to public Wi-Fi. This would give a malicious USB device the ability to transmit data immediately to a hacker. They also found that 37% of employees change their password only annually, which makes any credentials stolen by the hacker available for several months before any security procedures are put in place.
One of the more obvious answers to this problem is common sense. IT administrators should train users to identify common threats and know the red flags. Rogue USB devices placed in public places should not be inserted into any laptop with sensitive data, especially a work machine.
Administrators can also encrypt data on local drives. Laptops with encrypted hard drives are protected from some attacks.
Another common way to prevent USB attacks is to set corporate network policies to block USB connections. This can also be done in the user’s BIOS settings with a password set on the BIOS. Windows has global policies that block USB devices as well.
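As an added example (not part of the original article), the PowerShell script below audits a Windows machine for the two common removable-storage blocks and can optionally set the policy value locally. It assumes the standard "All Removable Storage classes: Deny all access" policy value (`Deny_All`) and the `USBSTOR` driver service key; the function names and the `-Enforce` switch are made up for this example.

```powershell
# Added example: audit (and optionally enforce) removable-storage blocking on Windows.
# Use -Enforce only from an elevated prompt. In a domain, set the same policy through
# Group Policy (Computer Configuration > Administrative Templates > System >
# Removable Storage Access), because a domain GPO overrides a local registry change.
param([switch]$Enforce)

# Registry value written by "All Removable Storage classes: Deny all access"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# USB mass-storage driver service; Start = 4 means the driver is disabled
$driverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-UsbStorageStatus {
    $denyAll = Get-RegValue -Path $policyKey -Name 'Deny_All'
    $start   = Get-RegValue -Path $driverKey -Name 'Start'
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        PolicyDenyAll    = ($denyAll -eq 1)
        UsbStorDriverOff = ($start -eq 4)
        Blocked          = ($denyAll -eq 1) -or ($start -eq 4)
    }
}

if ($Enforce) {
    # Create the policy key if it is missing, then set the deny-all value.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name 'Deny_All' -Value 1 -Type DWord
}

# Emit one status object per machine so results can be collected and compared.
Get-UsbStorageStatus
```

These settings govern the removable storage class only, so they complement rather than replace the BIOS-level port blocking and user training described here.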
Whatever you use on your network, you should help users understand the risks involved with USB devices. This can be in the form of a user security policy or standard security awareness training. User awareness training is shown to significantly reduce risk factors within the organization. Finally, anti-malware systems should be in place to block attacks from a USB device should any malware access the corporate network.