USB-Sticks are an extremely helpful data storage option. Everyone knows how to use them and many people use them on a regular basis. However, only few people realize that USB-Sticks are one of the easiest ways to attack an IT system and represent a major security flaw (Greenberg, 2014; Poitevin, 2019).
Most people use USB-Sticks quite carelessly. They are easily lost and rarely encrypted. Especially when used with private or commercial information this represents a huge security flaw: The friendly act of sharing your analysis with a colleague on a USB-Drive can backfire as soon as the wrong person gets access to this drive (Ponemon Institute, 2011). Also, the seemingly uncontrolled flow of information is a thorn in every IT department’s side. As a reaction, IBM started to ban USB drives from work and deactivated the USB ports of their computers (Ducklin, 2018). Increasingly, more companies are doing the same (Jacobson, 2019).
What seems to be a radical step is an effective strategy. A major way to prevent sharing information with people who are not supposed to read it is to encrypt this information. However, USB Sticks are rarely encrypted. To make USB-Drives an unattractive option to store data, they had to block them entirely. Besides, this also significantly reduces the risk for other attacks through compromised USB-cables (Ilascu, 2018).
However, there is a second, much bigger risk: Gifted or found USB-Sticks. A study by Tischer et al. (2016) found that 50 percent of people plug in USB drives that they find in public places like parking lots. It is outrageously easy to infect PCs with malware in this way. In 2012, parts of the Iranian nuclear weapons program were severely damaged by malware hiding on a USB stick. Stuxnet was introduced via an infected USB stick into the otherwise sealed-off system. Here, it ultimately caused the physical degradation of over 1000 machines (Hansel, 2011).
Accordingly, there are good reasons to stop using USB-Sticks. The best alternative for companies and individuals alike is to share files through a secure cloud system. What the case of USB-Sticks shows, however, is that we rarely understand the risks associated with the use of the gadgets we use every day. Luckily, technological advancements like secure cloud storage provide attractive alternatives.
Sources:
Ducklin, P. (2018, May 14). IBM bans USB drives – but will it work? Sophos. https://nakedsecurity.sophos.com/2018/05/11/ibm-bans-usb-drives-but-will-it-work/
Greenberg, A. (2014, July 31). Why the Security of USB Is Fundamentally Broken. Wired. https://www.wired.com/2014/07/usb-security/
Hansel, M. (2011). Stuxnet und die Sabotage des iranischen Atomprogramms: Ein neuer Kriegsschauplatz im Cyberspace? VS Verlag für Sozialwissenschaften. https://doi.org/10.1007/978-3-531-93299-6_47
Ilascu, I. (2018, August 21). USBHarpoon Is a BadUSB Attack with A Twist. BleepingComputer. https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/
Jacobson, A. (2019, April 22). Should Companies Ban USBs? | Risk Management Monitor. Risk Management Monitor. https://www.riskmanagementmonitor.com/should-companies-ban-usbs/
Poitevin, V. (2019, August 21). Should companies ban USB devices? Stormshield. https://www.stormshield.com/news/a-future-without-usb-sticks/
Ponemon Institute. (2011, November). The State of USB Drive Security in Europe. https://media.kingston.com/pdfs/Ponemon/Ponemon_research_EMEA_summary_UK_1111.pdf
Tischer, M., Durumeric, Z., Foster, S., Duan, S., Mori, A., Bursztein, E., & Bailey, M. (2016). Users Really Do Plug in USB Drives They Find. 2016 IEEE Symposium on Security and Privacy. https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7546509