USB Safety

by Kassandra Clauser

You have heard of the basic cybersecurity practices: keep long and complicated passwords which are unique to each site, do not click untrusted email attachments, and only enter sensitive information into trusted websites that are https (or http secured). But, there are other hazards which are easy to miss.

Ordinarily, the USB – both the thumb drive or “flash drive”, and the cable charger – is a handy device. Students use the first to store documents they need to transfer from a home desktop to the library computer lab. Almost every individual uses the latter to charge their phones. However, USB can also be a dangerous vector for malware, even more so to the victims who are both unaware and unprepared. USB chargers can be used to charge your phone, but they can also sap your data as fast as a vampire draining your blood; and USB drives can store files, but they can also store viruses that can hijack and ransom your data. For example in Jack Morse’s Mashable post titled “Yes, officials plugged in the malware-laden USB seized at Mar-a-Lago”, during the recent Mar-a-Lago incident, in which the Secret Service confiscated and inserted a USB thumb drive from an intruding Chinese woman, the club’s computer was corrupted with data-gathering files – all because somebody decided to plug in the mysterious USB. Granted, Morse points out at the end of the article that this somebody was a computer analyst (Morse). That said, there was likely a “method to the madness”, as the saying goes. However, this is an action that can cause serious damage to anyone unfamiliar with cybersecurity hygiene. That said, in this post, we will discuss the four big rules of USB safety.

1.     “Rogue” Means “Regret”: Thumb drives and cables dropped on the ground could be genuinely lost by their owners. The first might not have anything on them besides vacation photos, and there is always a chance that a cable might have truly fallen out of someone’s backpack. But, this is a best case scenario. Chargers have also been observed to transfer malware from one device to another. The 2019 Verizon DBIR reports that out of all the past year’s data breaches, 28% involved malware being installed on devices (Verizon). While not every USB is guaranteed to be malware-infested and ready to kill your computer, it is still safer to leave random thumb drives and cables/chargers alone.

2.     Just Because It is being Resold, Does Not Mean It is Safe: Flash drives and cables are some of those items you can find at garage sales (or “lost-and-found” sales, which are hosted at universities when lost items have not been claimed after a certain amount of time). Usually, each only costs about a dollar, fifty cents if you are “lucky”. The trouble is, when you buy a USB thumb drive or cable at a yard sale or flea market, you are most likely buying it from a stranger whose intents and motives are completely unknown to you. In some cases, you might be purchasing a virus directly from the developer, while in others, you might be purchasing from another neglectful user who may or may not be aware of the malware being passed to you over the counter. In either case, these viruses can do anything from crashing your computer to phishing personal information like passwords and credit card numbers. Consider a resold USB like a resold, used water bottle: Has it been cleaned? Probably. Can you be absolutely sure? Definitely not.

3.     Handouts are NOT Always Free: Technology conferences are held all over the world; and, unfortunately, not all companies – inside or outside of the United States – are honest. Verizon reports that of all the breaches in the past year, 69% were caused by outsiders, and that 23% of all breaches were caused by those of other states or nations. The report also points out that the top two targets of security breaches were small business employees (43%) and members of the Public sector (16%) (Verizon). Wherever there is business, there is always a chance of outsider espionage. Most of these companies wish to obtain information that you would not willingly give them. What better way for them to earn your trust and get what they want through the seemingly friendly handout of USB devices? On the same lines as Rule #2, you as the receiver do not have any way of knowing whether or not the device is safe to use. More importantly, you have no way of knowing if there is malware on the device until you have already plugged it in. This applies to more than the standard USB drive and charger. When President Donald Trump visited North Korea in 2018, guests were provided portable fans, easily plugged into a smart phone via a USB connection, in order to keep cool (Gibson). While the gesture seemed cordial on the outside, there was no way to tell whether or not these drives contained viruses made to phish the guests’ personal – and/or political – information. In the technology world, handouts are not just suspicious – they are potentially dangerous.

4.     Charging CAN be Hazardous: If you are using your own charger to charge your own device in a trusted and delegated charging area, you should be safe (as long as the cord is clean and virus-free, obtained from an authorized and trusted seller). However, on occasion, you may need to charge your phone whilst in a public place, like the airport. While you might be glad to get the extra juice so you can catch that Level 10 Pikachu while waiting for your flight, you might not be so glad to have your data drained from your phone to a malicious source. According to Wikipedia, charging a device in an unprotected and/or public space can lead to the phishing of personal information, a process known as “juice jacking” (as coined by journalist Brian Krebs), with you being none the wiser as to who is on the other side (Wikipedia). Basically, the only way to be sure that your phone is safely charging without losing data is to literally resort to using your own devices, including your own secure power source.

While not every USB thumb drive and charging cable is a source of Doomsday waiting to cause cyber-Armageddon on your virtual systems, taking chances on optimistic possibilities is not worth the risk. This is why taking preventative measures is important. Protect yourself by remembering the rules above. As an extra measure, consider purchasing technological accessories such as the SyncStop, a USB cable meant to charge your phone whilst preventing the drainage of data, to keep your information safe from criminal grasps.

Works Cited

Gibson, S. (Producer). (2018, July 10) STARTTLS Everywhere. [Security Now]. Retrieved from https://www.grc.com/sn/sn-671.pdf.

Juice Jacking. (2019, April 7). In Wikipedia. Retrieved May 29, 2019 from https://en.wikipedia.org/wiki/Juice_jacking.

Morse, J. (Contributor). (2019, April 8) “Yes, officials plugged in the malware-laden USB seized at Mar-a-Lago”. Retrieved from https://mashable.com/article/malware-usb-mar-a-lago-plugged-in/.

Summary of Findings. (2019, n.d.) In Verizon. Retrieved May 30, 2019 fromhttps://enterprise.verizon.com/resources/reports/dbir/2019/summary-of-findings/.