Share This:

MSPs have a pile of challenges when it comes to defending clients from cyber threats, but sometimes little can be done when physical and human elements are involved. One of the oldest “tricks” in the hackers’ arsenal is the “USB drop attack,” or “BadUSB,” which preys on human curiosity.

“USB attacks are an old hack, but it still works and has undergone some refreshing over the past couple of years to make it more effective,” explains Joe Carmona, a cybersecurity expert in Toronto.

In short, USB drop attacks are a type of cyberattack that involves leaving a seemingly harmless USB drive in a public place, such as a coffee shop or airport. “When someone plugs the drive into their computer, it can install malware or steal data,” Carmona warns.

Some recent cases have even involved targeting these dropped USB drives towards specific industries such as healthcare, defense, or education.

“A USB drive could be left in a defense contractor or healthcare facility’s common area, like the cafeteria or parking lot. Healthcare facilities are the ‘holy grail’ for hackers because PHI is so valuable,” Carmona points out.

FBI warns against attacks

The FBI sent out a warning last year about BadUSB attacks. According to a security alert issued by the Bureau:

“Since August 2021, the FBI has received reports of several packages containing these USB devices, sent to US businesses in the transportation, insurance, and defense industries.”

The bulletin explained that if recipients plugged the USB thumb drives into their computers, the devices would register itself as a keyboard and send a series of preconfigured automated keystrokes to the user’s PC.

Earlier this year, CPO Magazine called the BadUSB attacks “a growing threat.” CPO describes the simplicity of the hack:

All it takes to start working is for one employee to find a “lost” drive by the company entrance or near their home and plug it in to see “if it works.” At that point, it is often too late to stop the system’s compromise.

Businesses should be on the lookout for deceptive packaging

Over the past year or so, USB drives have been sent to companies in packaging that looks like it is from Amazon, Microsoft, or the Department of Health and Human Services. The packaging is convincing, and the materials are enticing enough to make people plug in.

“And once the USB device is plugged in, it is like inviting a bank robber into an unlocked vault. The hacker can go almost anywhere.” Carmona says.

Trying to determine how common this type of attack is difficult. Still, researchers from the University of Michigan, the University of Illinois Urbana-Champaign, and Google spread around 297 USB flash drives on a university campus. Their subsequent study reported that 45 percent of USB drives were picked up and opened. These results suggest that USB drop attacks are a relatively common threat. Further, the study found that 68 percent of users said they took no precautions when connecting the drive.

Carmona goes on to explain that a determined hacker can get through using this method based on those statistics alone. “While these attacks aren’t common, the threat appears to be growing, and USB drives are cheap. If a hacker scatters 50 of these around a hospital campus or the parking lot of an aerospace firm or defense contractor, chances are at least some will get through,” Carmona warns.

Carmona advises that some solutions, like locking down all USB ports, can do as much harm as good. Instead, an MSP’s best defense is educating staff. “Don’t connect an unknown USB; it’s that simple. Unfortunately, it is not that simple when human curiosity is involved,” he says.

Taking key steps can protect a business

Several things can be done to protect a business from USB drop attacks and it is important to emphasize these during user training and as part of the MSP’s security workflow. They include:

  • Do not plug in USB drives that you find in public places. Even if the drive looks legitimate, it could be infected with malware.
  • Use a security solution to scan USB drives for malware before plugging them in.
  • Keep operating systems and software up to date with the latest security patches.
  • Back up data regularly.

By following these tips, you can help to protect yourself from USB drop attacks. But the best advice: If in doubt, leave it out (of the port).

Photo: BlurryMe / Shutterstock


Share This:
Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *