The wolf in USB clothing

USB sticks have replaced CDs (and, of course, the long-outdated diskette) as the medium of choice for sharing data. Just as with inserting a CD, plugging in an unknown USB stick carries the risk that the prior owner has wittingly or unwittingly left malware on it that then infects the computer.

Because of the way a USB stick functions, it offers significantly more opportunities for hacking attacks than CDs and diskettes.

The following information will help you understand where the risks lie and what measures you can take to ward them off.

USB functionality

I'm a USB mouse

Since a variety of devices are connected via USB today, the USB device indicates what type of device it is after it is plugged in. A USB stick should indicate that it's a USB stick. A USB mouse should indicate that it's a USB mouse.

I'm a USB mouse and a USB mass storage device

Some USB-connected devices have more than one function, however. A smartphone connected via a USB cable is initially identified as a mass storage device (like a USB stick) so that data can be easily copied from the computer to the smartphone, and vice versa. A smartphone can also be connected as a network device. This occurs via so-called tethering, which allows USB-connected devices like laptops and tablets to use the mobile phone network to surf the Internet – practical when you are on the go without WiFi access.

I claim to be a USB mouse

Now, manipulated devices connected via USB can claim to be a lot of things. An ostensible USB stick can act like a keyboard and run commands on the computer, for instance.

A USB mouse could identify itself as a mouse, but be furnished with a memory chip containing malware that can be run on the computer, since the USB device can also be detected as mass storage.
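As an added illustration (not part of the original article): a device announces each of its functions as an interface descriptor inside its configuration descriptor, so the declared functions can be listed and compared with what the device is supposed to be. The descriptor bytes, the function names and the "expected" set below are constructed for this example; the listing only shows what a device declares and is not a protection mechanism.

```python
# Added example: list the functions a USB device declares about itself.
# SAMPLE is a constructed configuration descriptor, not a capture from a real device.
CLASS_NAMES = {0x02: "communications/network", 0x03: "HID",
               0x08: "mass storage", 0x09: "hub", 0x0A: "CDC data"}
HID_BOOT_PROTOCOLS = {1: "keyboard", 2: "mouse"}
DT_INTERFACE = 0x04  # bDescriptorType of an interface descriptor

SAMPLE = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"   # configuration: 57 bytes total, 2 interfaces
    "09 04 00 00 01 03 01 02 00"   # interface 0: HID, boot subclass, mouse
    "09 21 11 01 00 01 22 34 00"   # HID class descriptor
    "07 05 81 03 04 00 0a"         # interrupt IN endpoint
    "09 04 01 00 02 08 06 50 00"   # interface 1: mass storage, SCSI, bulk-only
    "07 05 82 02 40 00 00"         # bulk IN endpoint
    "07 05 02 02 40 00 00"         # bulk OUT endpoint
)

def declared_interfaces(blob: bytes):
    """Return (class, subclass, protocol) for every interface in the blob."""
    found, pos = [], 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]   # every descriptor starts this way
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            if blob[pos + 3] == 0:                 # count alternate setting 0 only
                found.append((blob[pos + 5], blob[pos + 6], blob[pos + 7]))
        pos += length                              # skip descriptor types we ignore
    return found

def describe(blob: bytes):
    """Human-readable label for each declared function."""
    labels = []
    for cls, _sub, proto in declared_interfaces(blob):
        name = CLASS_NAMES.get(cls, f"class 0x{cls:02x}")
        if cls == 0x03 and proto in HID_BOOT_PROTOCOLS:
            name = f"HID {HID_BOOT_PROTOCOLS[proto]}"
        labels.append(name)
    return labels

def unexpected_classes(blob: bytes, expected):
    """Interface classes the device declares beyond what its label suggests."""
    return sorted({cls for cls, _, _ in declared_interfaces(blob)} - set(expected))

if __name__ == "__main__":
    print(describe(SAMPLE))                      # what the "mouse" says it is
    print(unexpected_classes(SAMPLE, {0x03}))    # anything besides HID
```

On Linux, the same kind of byte sequence can be read from `/sys/bus/usb/devices/<device>/descriptors`; the leading device descriptor is skipped by the walker because it is not an interface descriptor.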

Scenarios have even been developed in which all of the data stored on a USB stick is sent to a specific server, thus allowing someone to steal confidential information without the user realizing it.

(For more information, refer to "USB-Devices Phoning Home," a presentation by Roland Schilling and Frieder Steinmetz from TU Hamburg-Harburg. The slides are available on the website of the DFN-Cert 23rd Annual Security Workshop.)

No technical solution

None of the current operating systems offer protection against malicious USB devices. While Apple has implemented several approaches, they are easily circumvented.

Preventive measures

Avoid unknown storage media

Never plug in a USB device that you found lying around somewhere. It may contain malware.

Utilize file storage

Instead of swapping USB sticks with friends and fellow students, use shared file storage. For your work files, we recommend Gigamove, the NAS storage system or Sync&Share (refer to the File Storage section for more information). If it involves confidential information, don't forget encryption (for more information refer to the Data Encryption section - the simple method).

You should also periodically think about deleting data no longer in use.

Always look a gift horse in the mouth

A healthy dose of suspicion is advised even when it comes to USB devices handed out at trade fairs and similar events. Ask yourself whether the person giving you the USB device potentially gains from harming your computer or stealing your data or communication. Researchers in particular can be targets. Research espionage is more common than you think.


Information about file storage recommendations

The aforementioned file storage options are designed for different requirements.

While the NAS is well-suited for simple data storage for defined groups within TUM, Gigamove is designed for people who only need one-off or occasional file sharing with people outside of TUM. Sync&Share is the TUM alternative to DropBox. You can use it to synchronize files across multiple devices and share folders with people outside of TUM.


Interested in more details?

Take a look at the presentation USBösewichte on YouTube.