Is your USB stick the enemy?

August 12, 2014 by Andrew Smith, The Conversation
Slurping up your data like it’s an all-you-can eat krill buffet. Credit: Scott Beale, CC BY-NC-SA

Computer users everywhere are looking at the USB stick sat next to their computer this week with trepidation. Many are now wondering if this trusted friend has turned against them now that cybersecurity experts say they've found a massive flaw in the very make up of these devices. It seems the humble USB drive can easily be used to compromise basic security principles in your machine.

The issue is considered so serious that a statement has been issued by the USB working party, the body that regulates this technology standard.

The group admits that there are security flaws in USBs but says that manufacturers should build in existing standards to protect consumers. This would mean that your average USB stick would be more expensive but more secure. In the meantime, you might want to take a second look at the stick on your desk.

Sticky problem

USB storage devices are still a staple tool for many of us. They are great for keeping a copy of your data, especially if you have to take it from home to work and if an online data transfer would take a long time.

The problem is that many files can be hidden on a USB without the user knowing they are there at first glance. And when your computer detects that you have inserted a USB storage device, it may well try to automatically run any code it finds on the stick. This process is a feature of many computers and dates back to the days of the CD-ROM, when you could load a disk and your computer would start running it without the need for you to click on any icons.

This is indeed a scary prospect and it gets even scarier when you learn that one of the most famous computer attacks of all time was started from a USB stick. We still don't know for sure who released the Stuxnet computer worm that disrupted Iran's entire nuclear programme but we do know that it came out of a USB stick.

In fact, this is still considered to be one of the most common methods of social engineering. Some cyber-criminals target companies simply by dropping USB sticks next to car doors in the car park. Curiosity gets the better of a passing employee and they insert the USB stick into their office computer. Before they know it, their machine has been compromised.

Hackers can easily write code that essentially turns the USB stick into a mouse or keyboard. They can then control your machine remotely, accessing your files and personal information. The code deposited on a computer can send screenshots of everything you do via the internet and these days, speeds are so good that you might not even notice them taking up the bandwidth on your home network as they do it.

Stick or twist?

This is definitely a very worrying problem but it is actually something that has been known about for some time in the industry. Corporate IT professionals try their best to mitigate the problems posed by rogue USB sticks. In fact many employers ban insecure USB devices on their systems.

As an ordinary user, you are at risk but avoiding the problem is very easy. All you need is good practice. Many of us scan our personal computers regularly using anti-malware software. This should be extended to any external storage devices, including USB sticks. In addition, make sure that your anti-malware software of choice automatically scans any new USB device. This should overcome the problem of an infected USB stick auto running.

If you are more technologically minded, you can disable your operating system's inclination to automatically install drivers and other software when a new USB stick is connected. The process differs between operating systems, but most have an option to do it. Microsoft Windows is relatively straightforward in this respect and there are many different approaches for Linux users. Mac users can feel extra smug here as OSX doesn't support autorun in the first place.

While we trust our friends, we should not trust their USB sticks, no matter how nice a person they may be. Be prepared to check their devices before they are ever attached to your machine.

This probably may never be resolved but it might not matter. Many of us enjoy good bandwidth and can transfer large amounts of data with ease. And cloud storage is fast becoming the best option anyway. If you use Dropbox, OneDrive or Google Drive, you might find yourself forgetting what a USB stick is in the the next few years, anyway.

Explore further: SR Labs research to expose BadUSB next week in Vegas

Related Stories

SR Labs research to expose BadUSB next week in Vegas

July 31, 2014

A Berlin-based security research and consulting company will reveal how USB devices can do damage that can conduct two-way malice, from computer to USB or from USB to computer, and can survive traditional "cleaning" protective ...

USB sticks may beat Internet hurdles globally

December 6, 2013

( —One may think that free software would be of enormous benefit to people in the towns and villages of the globe where the price of proprietary software is restrictively high. Such is not the case, as noted by ...

Help! How to avoid fast-moving computer worm

January 28, 2009

Since early January, a worm that has been referred to by several names, including "Downadup," "Kido" and "Conficker," has been infecting millions of computers around the world. The worm exploits a previously discovered vulnerability ...

Team at Raspberry Pi advance with Model B+

July 14, 2014

Nice, rounded corners. MicroSD card slot with far less jutting out. Two more USB 2.0 ports. These are just some of the changes—Raspberry Pi CEO Eben Upton would be quick to replace the word "changes" with "enhancements"—that ...

Recommended for you

What do you get when you cross an airplane with a submarine?

February 15, 2018

Researchers from North Carolina State University have developed the first unmanned, fixed-wing aircraft that is capable of traveling both through the air and under the water – transitioning repeatedly between sky and sea. ...


Adjust slider to filter visible comments by rank

Display comments: newest first

Lex Talonis
1 / 5 (2) Aug 12, 2014
Hmmm it's always pissed me off that people and manufacturers, were and still are, too stupid to build in MECHANICAL read and write locks on USB drives.

As far as Microsoft and their idiot "insert it and run it" operating system codes that actively fired up programs on USB drives and CD drives, - well the people in Microsoft were always fucking stupid.

They only wound back on that setting a few years back - unless you hacked it yourself and stopped MS's idiot install and run program subsets.
5 / 5 (2) Aug 12, 2014
A mechanical read/write lock doesn't help. The memory chips in USB drives are basically all the same size. The factories that churn them out operate at such low profitability that they can't throw anything away. That's why you get a e.g. 64GB chip that has lots of errors being sold as an 8GB USB drive.
The microcontroller in a USB drive makes sure none of the 'bad' sectors are used. However you can still write to these (e.g. the microcontroller could be configured to write copies of anything you save to these sectors. Which would amount to a permanent record even if you delete the original files. A pretty nasty scenario for people who occasionally have crucial data on a USB drive)

An no: no anti-malware suites will be able to detect this (or any malicious code hiding out in these sectors) as from the POV of the computer they don't exist

Lex Talonis
1 / 5 (1) Aug 13, 2014
MMmmmmmm a touch vague on this.

IF one has a clean USB drive, and it has a MECHANICAL write lock, and not a software write lock, it's impregnable against malware getting onto it.



Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.