USB Sticks Can Spread Malware
Probably the most common threat posed by a USB drive is malware. Infection via this method can be both intentional and unintentional, depending on the malware in question.
Perhaps the most famous example of malware disseminated by USB is the Stuxnet worm, which was first discovered in 2010. This malware targeted four zero-day exploits in Windows 2000 through to Windows 7 (and Server 2008) and wreaked havoc on around 20% of Iran’s nuclear centrifuges. Since these facilities were not accessible via the internet, Stuxnet is believed to have been introduced directly using a USB device.
A worm is just one example of a self-replicating piece of malware that may be spread in this manner. USB drives can also disseminate other types of security threats like remote access trojans (RATs) which give a potential attacker direct control of the target, keyloggers which monitor keystrokes to steal credentials, and ransomware which demands money in exchange for access to your operating system or data.
In this particular attack, the USB drives presented themselves to the target computer as keyboards, sending keystrokes that executed PowerShell commands. In addition to the installation of ransomware like BlackMatter and REvil, the FBI reported that the group was able to obtain administrative access on target machines.
The nature of this attack demonstrates the highly exploitable nature of USB devices. Most of us expect devices connected via USB to “just work” whether they’re removable drives, gamepads, or keyboards. Even if you’ve set your computer to scan all incoming drives, if a device disguises itself as a keyboard then you’re still open to attack.
In addition to USB drives being used to deliver a payload, drives can just as easily become infected by being placed into compromised computers. These newly infected USB devices are then used as vectors to infect more machines, like your own. This is how it’s possible to pick up malware from public machines, like those you might find in a public library.
“USB Killers” Can Fry Your Computer
While malicious software delivered by USB poses a very real threat to your computer and data, there is a potentially even greater threat out there in the form of “USB killers” which can physically damage your computer. These devices created quite the splash in the mid-2010s, with the most famous being the USBKill which is (at the time of writing) on its fourth iteration.
This device (and others like it) discharges power into whatever it is plugged into, causing permanent damage. Unlike a software attack, a “USB killer” is designed purely to damage the target device at a hardware level. Data recovery from drives may be possible, but components like the USB controller and motherboard will probably not survive the attack. USBKill claims that 95% of devices are vulnerable to such an attack.
These devices don’t only affect your computer via USB drives but can also be used to deliver a powerful shock to other ports including smartphones that use proprietary ports (like Apple’s Lightning connector), smart TVs and monitors (even over DisplayPort), and network devices. While early versions of the USBKill “pentesting device” repurposed the power supplied by the target computer, newer versions contain internal batteries that can be used even against devices that aren’t powered on.
The USBKill V4 is a branded security tool used by private companies, defense firms, and law enforcement around the world. We found similar unbranded devices for less than $9 on AliExpress, which look like standard flash drives. These are the thumb drives you are far more likely to encounter in the wild, with no real tell-tale signs of the damage they can cause.
How to Deal With Potentially Dangerous USB Devices
The simplest way of keeping your devices safe from harm is to scrutinize every device you connect. If you don’t know where a drive came from, don’t touch it. Stick to brand-new drives that you own and purchased yourself, and keep them exclusive to devices that you trust. This means not using them with public computers that could be compromised.
You can purchase USB sticks that allow you to restrict write access, which you can lock before you connect (to prevent malware from being written to your drive). Some drives come with passcodes or physical keys which hide the USB connector so that it can’t be used by anyone other than you (though these aren’t necessarily uncrackable).
While USB killers could cost you hundreds or thousands of dollars in hardware damage, you’re probably not likely to encounter one unless someone is specifically targeting you.
Malware can ruin your whole day or week, and some ransomware will take your money and then destroy your data and operating system anyway. Some malware is designed to encrypt your data in a manner that makes it unrecoverable, and the best defense against any type of data loss is to always have a solid backup solution. Ideally, you should have at least one local and one remote backup.
When it comes to transferring files between computers or individuals, cloud storage services like Dropbox, Google Drive, and iCloud Drive are more convenient and safer than USB devices. Large files may still pose a problem, but there are dedicated cloud storage services for sending and receiving large files you could turn to instead.
In circumstances where sharing drives is unavoidable, make sure other parties are aware of the dangers and are taking steps to protect themselves (and you by extension). Running some sort of anti-malware software is a good start, particularly if you’re using Windows.
Linux users can install USBGuard and use a simple whitelist and blacklist to allow and block access on a case-by-case basis. With Linux malware becoming more prevalent, USBGuard is a simple and free tool you can use to add further protection against malware.
Take Care
For most people, malware delivered by USB poses little threat due to the way cloud storage has replaced physical devices. “USB killers” are scary-sounding devices, but you probably won’t encounter one. By taking simple precautions like not putting random USB drives into your computer, however, you can eliminate almost all risk.
It would be naive, though, to assume that attacks of this nature do occur. Sometimes they target individuals by name, delivered in the post. Other times they’re state-sanctioned cyberattacks that damage infrastructure on a massive scale. Stick to a few general security rules to and safe both online and offline.
RELATED: 9 Cybersecurity Tips to Stay Protected in 2023