TOWR TECH & SECURITY
The One Thing You Should Never Do With a USB Stick
8 August 2016
If you’re like most people, you probably have an assortment of USB sticks, also known as flash drives. They’re fairly cheap, super convenient, and have come a long way from their meager beginnings (remember that 64MB stick you were so excited to get?). In fact, there’s probably at least one USB stick in your collection where you can’t quite remember how you got it. Did you buy it? Get it from a friend? Pick it up somewhere after someone left it there? That last scenario is one of the easiest ways to exploit someone, and it is used every day by people from government actors to run-of-the-mill criminals.
“Wait,” you’re saying. “How well does that even work?” Surprisingly well, actually.
…we dropped nearly 300 USB sticks on the University of Illinois Urbana-Champaign campus and measured who plugged in the drives. And Oh boy how effective that was! Of the drives we dropped, 98% were picked up and for 45% of the drives, someone not only plugged in the drive but also clicked on files.
In case you’re trying to do the math, that means over 290 people picked up USB sticks lying on the ground, and almost half of those actually plugged the stick into their computer and clicked on random files to see what was on it.
Okay, so people are curious. So what? Now imagine that instead of a “harmless” tracker embedded in some HTML on the stick (like there was in the above study), it was a criminal leaving these little gifts around the campus, and on them was a virus, a keylogger, or other nefarious software? What if it was a government agent who wanted to know what was on your computer? Whatever scenario you can come up with, there’s a good chance someone’s already tried it.
This exploit plays on humans’ natural sense of curiosity.
Trust me, whatever is on that USB stick you picked up isn’t worth it.
What could be on one of these supposedly harmless sticks you see left in libraries, hotel rooms, or even on the ground in a parking lot?
The most basic – and simplest to conduct – attack would have seen malicious code placed in the HTML file that would have been automatically activated upon viewing, perhaps downloading further malware from the internet. Alternatively, users could have been taken to a phishing site, and tricked into handing over login credentials through social engineering.
In addition, there is also always the danger that an attacker might have planted executable malware directly onto the USB stick, and hoped that an unsuspecting user would allow it to run on their computer.
Believe it or not, that’s not the worst of it.
A more sophisticated attack, however, would see the use of a device using HID (Human Interface Device) spoofing to trick a computer into believing that it was in reality a keyboard. As soon as the “USB stick” is plugged in it would inject keystrokes – building a set of commands that could open a reverse shell that could give a hacker remote access to the victim’s computer.
In a blog post, Bursztein explains in depth how he was able to camouflage a keyboard-spoofing device so that it looked near-identical to a genuine USB stick.
Putting a label on the USB stick that hints at private or privileged content makes it even more attractive to the person picking it up. Who doesn’t want to see what’s on a USB stick labeled “Private” with no owner information?
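The keyboard-spoofing device described above gives itself away in two ways a host can check: it offers a HID keyboard interface where the user expected storage, and it "types" far faster than a person right after being attached. The following Python is an added example, not code from this article or from Bursztein's post; the interface tuples, timestamps and the rate threshold are constructed or assumed values.

```python
# Added example (not from the article): constructed data, assumed thresholds.
USB_CLASS_HID = 0x03            # USB class code: Human Interface Device
USB_CLASS_MASS_STORAGE = 0x08   # USB class code: Mass Storage
HID_PROTOCOL_KEYBOARD = 0x01    # HID bInterfaceProtocol value for a keyboard


def classify(interfaces):
    """Roles a device claims; interfaces are (class, subclass, protocol) tuples."""
    roles = set()
    for cls, _sub, proto in interfaces:
        if cls == USB_CLASS_MASS_STORAGE:
            roles.add("storage")
        elif cls == USB_CLASS_HID:
            roles.add("keyboard" if proto == HID_PROTOCOL_KEYBOARD else "hid-other")
    return roles


def typing_burst(attach_ts, key_ts, window=5.0, max_rate=25.0, min_keys=10):
    """True if at least min_keys keystrokes land within `window` seconds of
    attach at more than max_rate keys per second (assumed human ceiling)."""
    early = sorted(t for t in key_ts if attach_ts <= t <= attach_ts + window)
    if len(early) < min_keys:
        return False
    span = early[-1] - early[0]
    return span == 0 or (len(early) - 1) / span > max_rate


def assess(expected_role, interfaces, attach_ts, key_ts):
    """Compare what the user thinks was plugged in with what the device does."""
    roles = classify(interfaces)
    findings = []
    if expected_role not in roles:
        findings.append(f"no '{expected_role}' interface offered")
    if expected_role != "keyboard" and "keyboard" in roles:
        findings.append("unexpected keyboard interface")
    if typing_burst(attach_ts, key_ts):
        findings.append("keystroke burst faster than a human right after attach")
    return findings


# Constructed samples: a plain flash drive and a keyboard-spoofing "stick".
GENUINE = [(0x08, 0x06, 0x50)]                       # mass storage, SCSI, bulk-only
SPOOFED = [(0x03, 0x01, 0x01)]                       # HID boot keyboard
SPOOFED_KEYS = [1.0 + 0.005 * i for i in range(40)]  # 40 keys, 5 ms apart

if __name__ == "__main__":
    print(assess("storage", GENUINE, 0.0, []))
    print(assess("storage", SPOOFED, 0.0, SPOOFED_KEYS))
```

On Linux the class, subclass and protocol values for each attached interface can be read from the bInterfaceClass, bInterfaceSubClass and bInterfaceProtocol files under /sys/bus/usb/devices/.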
There are right and wrong ways to use USB sticks. Obviously, by now you’ve figured out the biggest Don’t:
Do not ever put a USB stick in your computer unless you are absolutely positive where it came from and what’s on it.
As in, you purchased it, factory sealed.
In fact, that statement could even be pared down further, for those of you who are engaged in the types of activities that certain governments want to suppress, like maybe free speech or resistance:
- If someone gives you a USB stick and they are not one of the people who are willing to go to jail/take a bullet for you, don’t put it into your computer. That includes people who claim to be giving you information, or offering you software they’ve ‘fixed’ or altered, or photos you need to see, or anything else. What’s more, no one who truly understands the threat landscape and wants you to stay safe will put you in that position to begin with. In fact, we now tell our students to bring their own USB drives to classes because we refuse to put them in a position where they can be exploited.
- If you absolutely must see what’s on a stick given to you, AND it was given to you by a trustworthy person, use a virtual machine in a live operating system (TAILS, Qubes, etc.), on a public computer not near your home or work. If those terms don’t make sense to you, you need to do two things: 1) Attend the Basic Privacy and Anonymity webinar we’re offering this month, and 2) until then, go back to the previous point. Keep in mind that even your most trusted friend may have already been exploited and is unknowingly passing on the damage to you.
- If you see a USB stick just lying around somewhere, throw it away. Don’t try to find the owner, don’t think you could just take it home and format it. USB sticks are cheap. There is a case to be made for actually destroying it, since you may be stopping someone else from getting exploited (or simply saving some flighty soul from the embarrassing pics they so carelessly left on the desk at the library). Use common sense. Bob Covello advises turning it over to the nearest lost and found if your conscience is pushing you to try and get it back to the owner. What you choose to do with it is not really that important, as long as you don’t put it into any computer you own or control.
My personal motto is “If I didn’t buy it, it doesn’t get plugged in.”
A bit paranoid, perhaps…but so far it’s worth it.
Like it or not, we live in a world where people often have nefarious motives, and you are a prime target. If you’re still thinking that it can’t be that easy to do, think about this: At hacker conventions like DEFCON and Black Hat, the attendees are some of the most advanced computer minds in the world… and yet:
“Every year, we have people dropping random USB drives around the conference floor,” Wyler wrote, referring to portable flash drives. “At Black Hat 2015 someone was literally throwing USB drives into open classroom doors. It’s not just a story, it happens. So if you see a drive on the ground, pick it up and put it in the nearest trash can.”
Learn how to protect yourself against malicious attacks and snoopy government types. Start by guarding your USB drives—and never let anyone else’s near your computer.