Technology is an invaluable component in our daily lives, and we’d all like to believe that we are safe and secure working from our favorite devices. But this isn’t always the case.
Let’s say you walk into your office on Monday morning to find a thumb drive sitting on your desk. You don’t believe it’s yours, but you can’t be sure. Did your boss or one of your coworkers leave you an important file over the weekend? You plug the flash drive into your USB to see what’s on it. “Hmm, doesn’t seem like anything important,” you tell yourself as you eject the component. You don’t even realize it, but your computer – heck, your whole business network – is infected!
USB flash drives and accessories are extremely prevalent and useful devices for transferring data or plugging in physical components like mice, keyboards, external hard drives or webcams. These devices run a type of software known as ‘firmware,’ which allows the device to have a two-way conversation with your computer. And it is this sending and receiving that makes USB so vulnerable (more on this in a moment).
Obviously, the most common way for cybercriminals to attack your network is to upload malicious code to a USB flash drive, leave it somewhere and hope that you plug it into your laptop. But this isn’t the only way to wreak havoc.
Hackers have been known to steal or lease USB accessories (like webcams) and install a Remote Access Tool, or RAT, so they can control the infected device at will. This is when things get scary: hackers can track your keystrokes, steal your credit cards numbers and passwords, pilfer your corporate secrets, intercept your work emails or even spy on your during your most private moments.
This is bad news for any organization because it means that one careless plugin could compromise everything your company holds dear, including financial information, customer data and even the privacy of your conference room.
To test the exploitability of USB firmware, security researchers Karsten Nohl and Jakob Lell designed the ‘BadUSB’ malware which can control any computer function that a keyboard could – so basically everything.
“These problems can’t be patched,” says Nohl. “We’re exploiting the very way that USB is designed… You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s ‘clean’ but the cleaning process doesn’t even touch the files we’re talking about.”
Or, as Forbes sums up, “the exploit isn’t stored inside the USB device like a Trojan horse, it has reprogrammed the device itself. Since USB devices all share similar firmware the trick can be repeated on anything designed to be plugged into a USB port.”
Thankfully, there are data security solutions to protect your network from incursion, but it all starts with a healthy suspicion. If you see a random USB, think about the risk before inserting it into your laptop.
Some companies deploy malware scanning kiosks so employees can thoroughly scan a USB thumb drive for malware before giving it access to their computer. Similarly, IT departments can scan the USB for harmful programs, pull necessary files to a corporate portal and allow workers to access this data all without a direct USB plugin.
It is important to remember, however, that there is no such thing as a foolproof data security solution. With this in mind, it might be helpful to limit the types of files employees can access based on their roles within your company. For example, an entry-level employee probably doesn’t need access to long-term account information; by limiting access, a malware-infected USB can only cause so much damage before its caught.
In the case of BadUSB, there is really nothing that can be done to stop it beyond avoiding plugging anything into your computer until USB security is improved. Luckily, BadUSB is only in the theoretical stages and hasn’t yet become part of the typical hacker arsenal.
Nevertheless, it is important to keep abreast of the latest cyber security news and data security solutions to insulate your company against digital incursion.