USB flash drives are a lifesaver. They allow us to transfer large amounts of information from one device to another. They can be used as backups for our important data and provide a convenient way to keep data with us. But USB drives have a dark side that can absolutely cripple the security of most networks. In this HIPAA training session, we will cover why USB drives are one of the biggest threats to data security.
To start, consider the most basic form of attack. Many forms of malware are designed not only to infect the computers they are on but also to infect any USB drives that are plugged into those computers. This is one method the malware uses to spread to other devices. For example, let’s say a user’s home computer was infected with malware and they plugged in a flash drive to copy some personal photos. The malware would also copy itself to the flash drive, and when the user plugged that same flash drive into their work computer, the malware would automatically begin to infect it as well. By using this method, malware can get into networks it might not normally be able to reach. One of the reasons this happens without users being aware is the autorun feature of Windows. Whenever a USB drive is plugged into a computer, Windows will open it up and run programs that are on the drive. In the case of malware, this can be hidden from the user entirely and they will be none the wiser.
The second reason USB drives are so dangerous is more technical. However, it is important to know about this capability because it can be crippling. This class of devices is collectively known as BadUSB. There are many types of devices with different capabilities in this grouping. However, the one thing they share is that when plugged into a computer, they don’t act as a flash drive. Instead, they tell the computer that they are a USB keyboard. Windows doesn’t protect the computer from USB keyboards the way it might from a USB flash drive. Once the device is plugged in and Windows sees it as a keyboard, it will launch its payload. It can type at over 9000 words per minute, far faster than any human. It can click on pop-up boxes instantly and install malicious programs in the blink of an eye. In the picture below, on the right side, you can see that the device has a micro SD card, just like the ones used in some mobile phones and cameras. This is where the payload is stored. On the outside, this looks like any normal USB flash drive, but on the inside, it is a weaponized device that could completely compromise a computer in less than 5 seconds.
Here is a scenario to help explain this in action. An attacker leaves several of these devices scattered throughout the parking lot of a practice he wants to gain access to. He may have labeled some of the drives "HR Documents", "Payroll", etc. This will likely pique the curiosity of some of the people who discover the drives, and they will plug them in. Once plugged in, the bad USB will:
It will do all of this in the background without the user even being aware of it.
Here is a video of the type of things these devices can do.
Never plug USB devices into your computer that you aren’t familiar with. If you find one on the floor, in a parking lot, etc., don’t use it. It isn’t worth the risk. At a recent cybersecurity convention, researchers found that of 100 test USB drives they left in parking lots, 56 were plugged into the computers of people who found them within 1 hour. For an attacker, those are pretty good odds that theirs will get plugged in and used.
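For the IT staff supporting a practice, the typing speed described above is also what gives these devices away. The following is an added example, not part of the original training material: it flags any keyboard whose sustained keystroke rate exceeds what a person can type. The event format, the device names, the 300 WPM ceiling and the sample data are assumptions made for illustration; collecting keystroke timing from endpoint telemetry is outside its scope.

```python
from collections import defaultdict

CHARS_PER_WORD = 5    # usual typing-speed convention: one "word" = 5 keystrokes
MAX_HUMAN_WPM = 300   # assumed ceiling for a human typist; tune per environment
WINDOW = 20           # consecutive keystrokes per measurement window

def peak_wpm(timestamps, window=WINDOW):
    """Highest sustained rate, in WPM, over any `window` consecutive keystrokes."""
    ts = sorted(timestamps)
    best = 0.0
    for i in range(len(ts) - window + 1):
        # Guard against identical timestamps (many keys logged at one instant).
        span = max(ts[i + window - 1] - ts[i], 1e-6)
        best = max(best, (window - 1) / span * 60 / CHARS_PER_WORD)
    return best

def flag_injection(events, attach_times, max_wpm=MAX_HUMAN_WPM):
    """events: (time_s, device_id) pairs; attach_times: device_id -> time_s."""
    per_device = defaultdict(list)
    for t, dev in events:
        per_device[dev].append(t)
    findings = []
    for dev, ts in per_device.items():
        rate = peak_wpm(ts)
        if rate > max_wpm:
            first = min(ts)
            findings.append({
                "device": dev,
                "peak_wpm": round(rate),
                # A burst that starts right after attach is a second warning sign.
                "first_key_after_attach_s": round(first - attach_times.get(dev, first), 3),
            })
    return findings

# Constructed sample data, not captured from a real device.
SAMPLE_ATTACH = {"kbd-desk": 0.0, "kbd-new": 100.0}
SAMPLE_EVENTS = (
    [(10 + i * 0.2, "kbd-desk") for i in range(40)]          # about 60 WPM
    + [(100.5 + i * 0.0013, "kbd-new") for i in range(60)]   # about 9000 WPM
)

if __name__ == "__main__":
    for finding in flag_injection(SAMPLE_EVENTS, SAMPLE_ATTACH):
        print(finding)
```

A keyboard that has typed fewer than `WINDOW` keys is never flagged, so a short burst needs a smaller window.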