Beware of Thumbdrives—Even the Really Cool New Star Wars Ones


Not all cybersecurity threats come from online hackers. Physical devices used for media storage, such as innocent looking Universal Serial Bus (USB) drives, can still threaten computer networks with malware.

In the age of ubiquitous internet connectivity, there are privacy and cybersecurity threats around every corner. A recent series of ransomware attacks—the WannaCry ransomware attack in May and the Petya ransomware attack in June—highlighted the importance of practicing digital hygiene, such as not clicking on unknown links and maintaining software updates. But even if a company and its employees are alert to those threats, they may not understand the danger of inserting a USB thumbdrive into their laptop or company desktop computer.

A recent Tweet showed a picture of a sign at a United Parcel Service Inc. store saying that due to the DEF CON Hacking Convention, it wouldn’t accept USB drives for print jobs. Malware planted on thumbdrives could compromise the UPS network. With thousands of hackers of all stripes attending DEF CON in Las Vegas, the UPS store may have just not been willing to take the risk. Whether supported by justified concern or unreasonable fear, the store’s sign serves as a consciousness-raising reminder that not everything is streaming.

In April, International Business Machines Corp. issued a warning that some USB drives shipped with some of its products were infected with malicious code. “When the initialization tool is launched from the USB flash drive, the tool copies itself to a temporary folder on the hard drive of the desktop or laptop during normal operation,” IBM said. The company recommended that consumers verify that their antivirus software had removed the infected file or manually removed the file. It also recommended destroying the USB drive so it couldn’t be reused.

Although dirty USB drives can pose serious cybersecurity threats, many consumers are willing to pick up a USB drive that they found on the streets, according to security researcher Elie Bursztein, who leads the anti-abuse team at Alphabet Inc.’s Google. Bursztein last year dropped 297 USB drives around the University of Illinois and the results were surprising. Ninety-eight percent of the drives were picked up and 45 percent were plugged into a computer.

As long as companies keep producing cute, irresistible, pop culture thumbdrives and not all laptop makers get rid of USB ports on their products, the threat of the dirty thumbdrives lives.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.