There's a page in many corporate IT handbooks that contains a warning about using USB devices like thumb drives on work computers. These devices could contain malware and should be quarantined.
While it's tough to imagine something the size of a stick of gum taking down your enterprise, the BBC reports that security researchers have built malware specifically designed for USB devices. The so-called “BadUSB” malware can potentially compromise a computer's security simply by being plugged into a port.
The story behind this new malware has some interesting twists. The theory for BadUSB was first presented at Black Hat, a computer security conference. Two months later, a different set of security researchers wrote the code and actually posted it on GitHub. (You can’t make this stuff up, folks.)
The researchers hope that by making this extremely dangerous code publicly available, USB manufacturers will be forced to increase their security.
USB security isn't something that your clients probably spend a lot of time thinking about. So let's examine…
- Statistics for USB breaches and threats.
- Examples of USB attacks.
- Why BadUSB is particularly dangerous.
Data Breach Statistics for USB Attacks
In 2011, the Ponemon Institute conducted a survey of IT professionals, asking them about their organization's strategies for USB safety. The findings reveal that too many IT departments simply overlook USB security:
- Only 48 percent of organizations had a policy that described how employees should use USB drives.
- 58 percent of companies admitted their policy was not enforced, even though they had a policy.
- Only 25 percent of USB drives used on company networks were safe and secure.
- 47 percent of IT consultants were certain their company lost sensitive or confidential data via thumb drives over the last two years.
The Ponemon Institute's research suggests that while IT personnel see USB devices as a source of vulnerability, many companies simply don't take steps to prevent break-ins via their ports. That may be because it's impractical to watch over every user and make sure they don't plug in a thumb drive. But it's also likely that the average user simply doesn't recognize that their USB drive could be dangerous.
A Brief History of USB Data Breaches
Business Insider reports that USB devices actually have a history of data security issues. In fact, long before Ed Snowden used a USB drive to steal files from the NSA, security researchers from the Department of Homeland Security scattered USB devices around various government parking lots. The theory was that someone would see the thumb drive and bring it into the office, concerned that one of their co-workers had lost something.
That's exactly what happened. When the employee plugged it into their computer, they accidentally opened the door for hackers. Of course, this was just a security test conducted by the DHS, but they found that 60 percent of people who found these thumb drives plugged them into their machines.
This extreme example does have a practical takeaway: users simply don't think twice about USB security.
Why BadUSB is Bad to the Bone
Think about all the devices that connect to your clients' computers through a USB port.
USB has been so successful because of this versatility. A variety of devices can use it. This is precisely why it's also so dangerous.
The BadUSB malware has a workaround. It changes the USB device's firmware so it appears to be a harmless keyboard-like device, which then allows it to infect the computer. Many researchers fear that this vulnerability is simply inherent in the USB system. If risky devices can morph to look like safe devices, any open USB port is vulnerable.
Infected USB devices can even appear to be a network card, and reroute the computer's data wherever a hacker wants.
Right now, there's no fix for this malware, and given the fact that it was just released for public consumption on GitHub, now is a good time for computer consultants to make sure their clients are actually implementing USB security protocols.
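One way to audit for the behavior described above, where a device presents itself as a keyboard or a network card, is to compare the interface classes each attached device declares against an approved baseline. This is an added example, not code from the BadUSB researchers or from this article; the listing format (one interface per line: the Linux sysfs interface name followed by its modalias string), the device IDs and the baseline are all constructed for illustration.

```python
import re
from collections import defaultdict

# Interface class codes from the USB specification.
HID, STORAGE = 0x03, 0x08
NETWORK = {0x02, 0x0A, 0xE0}  # CDC control, CDC data, wireless/RNDIS

# "<port>:<config>.<interface> usb:vVVVVpPPPPd....dc..dsc..dp..icCC..."
MODALIAS = re.compile(
    r"^(?P<port>[\d.-]+):\S+\s+usb:v(?P<vid>[0-9A-F]{4})p(?P<pid>[0-9A-F]{4})"
    r"d[0-9A-F]{4}dc[0-9A-F]{2}dsc[0-9A-F]{2}dp[0-9A-F]{2}ic(?P<cls>[0-9A-F]{2})"
)

def load_devices(listing):
    """Group interface classes by physical port: {port: (vid:pid, classes)}."""
    devices = defaultdict(lambda: [None, set()])
    for line in listing.splitlines():
        m = MODALIAS.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        entry = devices[m["port"]]
        entry[0] = f'{m["vid"]}:{m["pid"]}'.lower()
        entry[1].add(int(m["cls"], 16))
    return {port: (ident, frozenset(cls)) for port, (ident, cls) in devices.items()}

def audit(listing, baseline):
    """Return (port, vid:pid, reason) for each device that needs a closer look."""
    findings = []
    for port, (ident, classes) in sorted(load_devices(listing).items()):
        input_or_net = HID in classes or bool(classes & NETWORK)
        if ident in baseline and classes != baseline[ident]:
            findings.append((port, ident, "interface classes differ from baseline"))
        elif STORAGE in classes and input_or_net:
            findings.append((port, ident, "storage device also presents keyboard/network"))
        elif ident not in baseline and input_or_net:
            findings.append((port, ident, "unapproved keyboard or network interface"))
    return findings

# Constructed sample listing; vendor and product IDs are placeholders.
SAMPLE = """\
1-1:1.0 usb:v1111p0001d0100dc00dsc00dp00ic03isc01ip01in00
1-2:1.0 usb:v2222p0002d0100dc00dsc00dp00ic08isc06ip50in00
1-3:1.0 usb:v3333p0003d0100dc00dsc00dp00ic08isc06ip50in00
1-3:1.1 usb:v3333p0003d0100dc00dsc00dp00ic03isc01ip01in01
1-4:1.0 usb:v2222p0002d0100dc00dsc00dp00ic03isc01ip01in00
1-5:1.0 usb:v4444p0004d0100dc00dsc00dp00icE0isc01ip03in00
"""
# Approved devices and the interface classes they were enrolled with (constructed).
BASELINE = {"1111:0001": frozenset({HID}), "2222:0002": frozenset({STORAGE})}
```

The check relies on what each device declares about itself, so it catches a thumb drive that starts presenting a keyboard or network interface, but not a reflashed device that reports the same IDs and classes as an approved one.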