Technology columnist MJ Shoer says the Mass Storage function of USB devices poses a significant security risk.
The following was originally published on May 1, 2016 on Seacoastline.com.
We all love our USB ports and devices. USB stands for Universal Serial Bus and this compact connector has replaced several legacy ports that used to be commonplace on all computers. Such includes PS/2 keyboard and mouse connectors, serial ports, parallel ports (mostly used with printers), even audio ports and more. The utility and small form factor of USB has revolutionized computers, specifically all the various peripherals that we plug in to these ports.
USB has also given rise to all manner of external devices, including web cams, security keys and in the case of my focus for this article, hard drives. What is known as the USB Mass Storage service allows us to plug in hard drives and USB flash memory to easily transfer data to and from our computers.
From a security perspective USB Mass Storage is a significant security risk. The plethora of USB drives, sometimes called flash drives, thumb drives, USB sticks, etc., make these handy devices an excellent Trojan horse for hackers to exploit.
Over the last year, exploits have been discovered and in some cases fixed, that allow hackers to hide malicious software code on a USB drive so that when it is plugged in to a computer, the code activates and installs itself on the computer with no awareness of the person plugging it in to their computer. The malware then spreads across connected computers and allows the hackers to access your data or use your computers to help them attack their ultimate target.
Recent studies by the University of Illinois and CompTIA, the Computing Technology Industry Association, confirm the clear and present danger that USB sticks pose to businesses and individual computer users. In both studies, researchers left 200 to 300 USB sticks around the University of Illinois campus in Urbana-Champaign as well as in major cities around the country. More than half of the USB sticks found were plugged in to computers. Some on secure corporate networks. The sticks were setup with fake malware that would “phone home” to let the researchers know the stick had been found and connected. The “infection” took hold almost immediately after the stick was plugged in. In as little as six minutes, the infected stick contacted the researcher’s server to confirm it was online. The percentages rise when the USB sticks have a well-known logo on them.
Beyond just plugging in the USB stick, the real worry was that most people who plugged them in also opened files on the sticks. Just as unsuspecting people open email attachments that infect their computers, people will also open files on found USB sticks. It’s critical to protect yourself against falling victim to these threats.
In the case of e-mail attachments, education is the best defense. The same is true with USB sticks, but you may also want to consider using technology to help protect your computer. Start with education. The CompTIA study points out that 45 percent of corporate computer users report they receive no form of education relating to cybersecurity. There are numerous excellent resources available to train your staff to be safe cyber citizens.
For the threat posed by USB sticks, at least in a business environment, give serious consideration to disabling the Mass Storage service on the USB ports. This will not impact other uses of the USB ports, but will prevent USB drives of any kind from functioning. When a user plugs a USB drive into the USB port, no data will flow to or from it. However, keyboard, mice, webcams, printers and more will all function normally.
This is a security best practice and something you should seriously consider implementing on your corporate computer network. With the proper tools, you will be able to easily enable and disable USB functionality on a user-by-user basis, so when there is a legitimate requirement to plug in and work with a USB drive, you will be able to do so. If you work with an IT partner, they will be able to help you put this in place. It’s a smart thing to do, especially considering the risk that has been validated by multiple studies.