In the age of email-based cyberattacks, it’s easy to forget that hackers can also worm their way into systems big and small with physical components, particularly USB devices.
According to a report by Honeywell Forge, 79% of USB cyberattacks are capable of disrupting operational technology, like the day-to-day functions of an industrial plant. Fifty-one percent of them can give an attacker remote access. But it isn’t just big industry that should guard against these threats; individuals should be wary of them, too. Here we’ll explain what a USB attack is, and how you can avoid falling victim to one.
What Is a USB Attack?
A USB attack pretty much does what it says on the tin: it uses a USB-connected device, like a thumb drive or hard drive, to get malicious software into a computer or other USB-connected device, such as a smartphone. Bad USB devices can also be used to damage or destroy a computer by delivering an electrical charge.
One of the most concerning aspects of USB attacks is their ability to give hackers remote control of a system. The Stuxnet attack discovered in 2010, for example, famously infected Iranian nuclear development sites. The same kinds of breaches could be used to infiltrate facilities connected to the power grid, oil production, and other Internet of Things networks.
There are dozens of ways a cyberattacker could use a USB connection to install an exploit on your computer. The two most common are via thumb drives and via public USB charging ports, the latter a practice known as juice jacking.
USB device attacks fall into three major categories, depending on what they do once they’re connected to your device. Devices with reprogrammed internal microcontrollers will look like regular thumb drives, but once plugged in, they’ll execute another function, e.g. acting like a keyboard and typing certain keystrokes. Examples include the Rubber Ducky attack.
USB devices with reprogrammed internal firmware are changed so that their firmware automatically executes a certain function once they’re connected, like installing malware or stealing data. One example of this is the iSeeYou attack, which reprogrammed a particular class of Apple webcams so the attacker could record video without a person’s knowledge.
USB attacks can also exploit existing flaws in the way computers and USB devices interact. A common example of this attack is the Device Firmware Upgrade (DFU) attack, which uses a USB device to reprogram legitimate firmware into something more malicious.
There are even attacks like USB killer, in which a connected USB device stores power from a computer’s USB power lines until it reaches a certain level, then aggressively discharges it and fries the connected computer.
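A device that acts like a keyboard, or that accepts firmware upgrades over USB, has to announce that in its USB interface class codes when it is plugged in. The following is an added example, not code from the original article: it reads those codes from Linux sysfs and flags input (HID) and DFU interfaces. The sample descriptors are constructed for illustration, and the function names are this example's own.

```python
import os

# USB-IF interface class codes
HID, MASS_STORAGE, APP_SPECIFIC = 0x03, 0x08, 0xFE
DFU_SUBCLASS = 0x01  # class 0xFE, subclass 0x01 = Device Firmware Upgrade

def classify(interfaces):
    """Flag risky combinations in one device's (class, subclass, protocol) list."""
    classes = {cls for cls, _, _ in interfaces}
    findings = []
    if HID in classes and MASS_STORAGE in classes:
        findings.append("storage device that also presents an input (HID) interface")
    elif HID in classes:
        findings.append("input (HID) device: expected only for keyboards, mice and similar")
    if any(cls == APP_SPECIFIC and sub == DFU_SUBCLASS for cls, sub, _ in interfaces):
        findings.append("DFU interface: firmware can be updated over USB")
    return findings

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect interface triples per device from Linux sysfs (e.g. '1-2:1.0')."""
    fields = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:  # skip device directories; keep interface ones
            continue
        try:
            triple = []
            for field in fields:
                with open(os.path.join(root, entry, field)) as fh:
                    triple.append(int(fh.read().strip(), 16))
        except (OSError, ValueError):
            continue
        devices.setdefault(entry.split(":")[0], []).append(tuple(triple))
    return devices

# Constructed sample descriptors (not captured from real hardware)
SAMPLE = {
    "plain flash drive": [(0x08, 0x06, 0x50)],
    "flash drive with hidden keyboard": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)],
    "device in DFU mode": [(0xFE, 0x01, 0x02)],
}

if __name__ == "__main__":
    source = read_sysfs() if os.path.isdir("/sys/bus/usb/devices") else SAMPLE
    for name, interfaces in source.items():
        for finding in classify(interfaces):
            print(f"{name}: {finding}")
```

A device sold as a thumb drive should report only the mass-storage class (0x08). This is a point-in-time check, since a reprogrammed device can present different interfaces later.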
How to Avoid USB Attacks
While these attacks sound scary, there are ways to prevent them.
Don’t Plug In Unknown Drives
A good deal of USB threats come down to social engineering, or psychological tricks and tactics to get people to connect a bad device. This is present in just about every type of cyberattack and scam, and it’s important not to fall for it.
If you see a USB drive you don’t recognize dropped somewhere—such as a parking lot—do not connect it to your computer. Bad actors rely on human curiosity to help them get your device infected. They’ll drop it in a public location, like at a hospital, and wait for someone to plug it in. This is called a drop attack.
Another common tactic is sending USB drives to people in the mail and making them look like promo offers from big box tech stores like Best Buy. Bottom line: be wary of any USB drives you find or receive unsolicited for free, whether it’s from a company you know or don’t recognize.
If you use a USB drive for work, keep it separate from anything personal to avoid transferring malicious software from your home computer to your professional network. You can also regularly scan your USB devices with an antivirus and/or anti-malware program, while encryption software may keep attackers from accessing your data in the event of a breach. If you think you might’ve plugged a compromised device into your computer, disconnect from the internet right away and restart your computer.
Disabling autorun features on your devices will help keep malicious code from automatically executing when you plug in a drive. On Windows, open Control Panel and find the AutoPlay setting. Uncheck “Use AutoPlay for all media and devices” to prevent unknown devices from launching without alerting you or asking for permission.
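To confirm the setting took effect, you can read it back from the registry. This is an added example, not part of the original article: it assumes the AutoPlay checkbox is stored as the per-user `DisableAutoplay` value, and it also checks the related `NoDriveTypeAutoRun` policy value, which the article does not mention. The function names are this example's own.

```python
# NoDriveTypeAutoRun is a bitmask: a set bit turns AutoRun OFF for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "CD-ROM", 0x40: "RAM disk"}
BASE = r"Software\Microsoft\Windows\CurrentVersion"
AUTOPLAY_KEY = BASE + r"\Explorer\AutoplayHandlers"
POLICY_KEY = BASE + r"\Policies\Explorer"

def assess(disable_autoplay, no_drive_type_autorun):
    """Return findings for the two DWORDs (None means the value is not set)."""
    findings = []
    if disable_autoplay != 1:
        findings.append("AutoPlay is on for this user (DisableAutoplay is not 1)")
    if no_drive_type_autorun is None:
        findings.append("NoDriveTypeAutoRun policy is not set")
    else:
        allowed = [name for bit, name in DRIVE_BITS.items()
                   if not no_drive_type_autorun & bit]
        if allowed:
            findings.append("AutoRun policy leaves these drive types enabled: "
                            + ", ".join(allowed))
    return findings

def read_dword(hive, key, name):
    """Read one registry DWORD; returns None if the key or value is missing."""
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(hive, key) as handle:
            return winreg.QueryValueEx(handle, name)[0]
    except FileNotFoundError:
        return None

def audit_this_machine():
    """Read both values on the local Windows machine and assess them."""
    import winreg
    autoplay = read_dword(winreg.HKEY_CURRENT_USER, AUTOPLAY_KEY, "DisableAutoplay")
    policy = read_dword(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, "NoDriveTypeAutoRun")
    return assess(autoplay, policy)

if __name__ == "__main__":
    for line in audit_this_machine() or ["AutoPlay and AutoRun are disabled"]:
        print(line)
```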
Get Off the Grid
If you absolutely need to find out what’s on an unfamiliar flash drive, you could try using a computer that’s “air gapped,” meaning it’s not connected to the internet or other networks.
An air-gapped computer doesn’t guarantee airtight security. The Iranian nuclear development facility hit by the Stuxnet attack used an air-gapped network, and it was still compromised with a bad USB drive. Once the drive was connected, the malicious software was unleashed. So if you test a suspicious drive on an air-gapped computer, that’s the only thing you should use that computer for, and the suspect USB drive should not be connected to any other computers in your network.
If you’re more tech savvy, try downloading virtualization software, such as Oracle’s free VirtualBox. It lets you create a virtual environment that runs a simulated computer inside your own computer. You can plug in the drive and open it in the virtual environment without it affecting your files or network. Windows Sandbox is also a built-in option for Windows users.
Don’t Ignore Updates
Keep your systems updated, especially if you’re running Windows. Many attackers take advantage of the fact that people often delay updating their systems, even if they include patches for serious bugs.
Keep Your Guard Up
No cybersecurity method is foolproof, and that includes steps taken to prevent USB attacks. The methods described here are, however, a whole lot better than plugging in a weird USB drive you found and hoping for the best.
Remember never to trust unfamiliar drives, scan the ones you do use regularly, and take advantage of security options like passwords, PIN keys, and data encryption. Hopefully, awareness of the tactics that cyberattackers use coupled with solid hardware and software security will help you stay free of any nasty digital infections.