Computerworld recently reported that Karsten Nohl, a security researcher, believes that many USB devices can be reprogrammed to infect computers with malware. The full story, which is linked here, claims that a USB device could be reprogrammed to act like another device, and act in ways that can compromise the security of a computer, including running malware that infects other devices, as well as acting as a network card.
Nohl believes there are some fixes that could be put into place to try and address some of these issues, but some potential concerns remain. As a result, this issue is something that should be assessed, where appropriate, as part of an overall security approach by companies. According to Darin Andersen, CEO & Founder of CyberUnited, LLC, these type of emerging threats are something companies need to watch out for. “One of the keys to managing cyber risk is to be alert to new, emerging, technology challenges such as these. It also highlights the need for start-up companies in the cyber arena, which is something that we as a cyber community need to support.”
Still, even in the absence of emerging threats, removable media has led to near disastrous consequences over the years — including within heightened security environments. For example, “The US Department of Defense has suffered significantly from thumb drive use, both from outside hackers and from the insider threat” noted Steven Chabinsky, former Deputy of the FBI’s Cyber Division. “In 2008, a foreign intelligence agency managed to gain access to the U.S. military’s Secret network by using malware pre-programmed to hop first onto thumb drives and then onto new networks when the thumb drive was transferred. When DoD began to move data from Internet-connected computers onto the Secret network, on a number of occasions they also unwittingly allowed malware to jump their carefully crafted air gap.” Chabinsky, now General Counsel and Chief Risk Officer of CrowdStrike, added “On the insider threat side, Snowden’s use of one or more thumb drives to steal reams of Top Secret information accomplished what impossibly would have required a freight company.” According to James Koenig, a Principal at Booz Allen Hamilton, “While this vulnerability has been known for a while, it has not gotten much attention. Everyone thinks that the main threats from USB drives are from malware introduced into a computer or from data theft, but the underlying protocol has a number of vulnerabilities itself. Microsoft patched a big one last year (would let a properly programmed USB drive unlock a locked PC), but there continuing concerns with the way they are designed.”