My girlfriend had a USB stick in her kebab

Now, thumb drives are almost everywhere. Whether it’s a generic metal memory stick, a freebie at an event, or a cleverly disguised Yoda or other pop culture icon, everyone agrees that these devices are a simple way to move data. Bad guys love them, and they can use them to attack your computer.

In a USB drop attack, hackers leave USB devices on the ground for people to find and plug into their computers. A good Samaritan who wants to return a “found” drive or a thrifty person who wants to get a new device for free plugs it into a computer’s USB port. Then things start going wrong.

Most attacks fall into three main categories:

Malicious code—In the most basic USB drop attacks, the victim clicks on one of the files on the drive. When it is viewed, it releases a dangerous code that starts working right away and can download more viruses from the Internet. Social engineering happens when the file sends the user of the thumb drive to a phishing website, where they are tricked into giving their login information.

HID spoofing: In a more advanced attack, a device that looks like a USB stick will make the computer think that a keyboard is connected. When plugged in, it sends keystrokes to a computer, telling it to let a hacker access the victim’s computer remotely. (In our Red Team Training, we teach students in a similar way!) The most advanced USB attack takes advantage of a software bug that the vendor doesn’t know about until the attack is found. The attack is called a “Zero Day attack” because the hacker took advantage of the weakness before the developer could fix it. These cutting-edge cyber attacks can damage a network without anyone knowing about it.

Problems with USB security

Even though USB attacks might seem like they would only affect personal devices, they could have far-reaching effects.

A well-known example of a USB drop attack is the computer worm Stuxnet, which infected software at industrial sites in Iran, such as a uranium enrichment plant. It all started when a virus got onto a USB stick. The virus then went after Siemens industrial control systems and hacked their logic controllers, spied on the targeted systems, and sent false feedback to make it even harder to find.

Don’t let yourself be hurt. Active prevention is the best way to make sure your business is safe. Set up a call with us, and we’ll help you come up with a plan that fits your needs.

Even the United States government has been attacked with flash drives. In 2008, a foreign intelligence agency got a “digital beachhead” from a virus on a flash drive that was put into a laptop used by US military personnel in the Middle East. Because the bad code on the drive could spread unnoticed on both classified and unclassified computers, data was sent to servers controlled by other countries.

Trustwave put five USB drives with logos of the target company near the headquarters of the company to show how well a USB scam works. Two of the five “lost and found” drives were opened. Researchers were also able to see some of the software used to handle the physical security of the company through one of the holes.