The Cyber Implications of USB Devices

What are the security implications of USB Devices, especially handouts at Trade shows?

Because they are so readily available, cheap and convenient, memory sticks have become one of the most popular forms of data storage. At Events and conferences, Free USB’s are a very effective way of providing useful brand representation to prospective buyers. More recently they provide a paperless way of communication your companies messages. However, where USB Devices were once the future of data storage, they are now a thumb-sized threat to the security of your company and your customers. Here’s why:

There are four main types of USB attack:

  • Malicious code — In the most basic of USB drop attacks, a USB is planted in wait for a user to click on one of the files on the drive. This unleashes a malicious code that automatically activates upon viewing and can download further malware from the Internet.
  • Social engineering — These files take the USB device user to a phishing site, which tricks them into handing over their login credentials.
  • HID (Human Interface Device) spoofing — In a more sophisticated attack, the device looks like a USB stick but in fact will trick the computer into thinking a keyboard is attached. When plugged into a computer, it injects keystrokes to command the computer to give a hacker remote access to the victim’s computer. 
  • Zero Day Attacks – The most advanced attack by USB, it exploits a hole in computer software the vendor doesn’t know about until the attack is discovered.

USB attacks might sound like they’d be limited to personal devices, but the implications can in fact be much bigger. The threats can stretch business or even country wide.

A particularly well-known example of a USB drop attack is Stuxnet, a computer worm that infected software at industrial sites in Iran, including a uranium-enrichment plant. The virus targeted industrial control systems made by Siemens, compromised the system’s logic controllers, spied on the targeted systems, and provided false feedback to make detection even more difficult, and it all began with a USB stick infection.

Furthermore, A company in Hong Kong has even developed a USB that can kill a computer. Collecting power from the USB line, it absorbs power until it reaches about 240 volts and then discharges that energy back into the data lines in devastating power surges.

So, what’s to be done?

  • Ensure that employees don’t store sensitive information on USB devices.
  • If important data must be stored on a USB device, make sure it’s protected with encryption or another safety feature such as fingerprint authentication.
  • Encourage employees to separate flash drives used at home from those used in the office.
  • Institute policies for employees, and educate them accordingly, about what can and cannot be plugged into the company network.
  • If employees are lax about securing their computer USB ports, you might even consider physically blocking the USB ports on sensitive computers to avoid attack.
  • Further, it’s possible to restrict the type of USB authorized on a computer — using Windows or a USB kill code — to thwart unauthorized access.
  • And of course, show caution accepting free USB’s at Trade shows – especially when using them in a workplace.


For more information visit our Cybersecurity page, or visit the governments National Cyber Security Centre.



Sign up to our security newsletter

* indicates required