The wolf in USB clothing
These days, people share data via DropBox, email and Facebook, as well as USB sticks. The risk with a USB stick is that most of the time we don't know where it has been. The previous owner could have wittingly or unwittingly left malicious software on it, thus infecting your computer.
Here, you can find information about the risks involving the use of USB devices and how you can protect yourself.
USB functionality
I'm a USB mouse
Since a variety of devices are connected via USB today, the USB device indicates what type of device it is after it is plugged in. A USB stick should indicate that it's a USB stick. A USB mouse should indicate that it's a USB mouse.
I'm a USB mouse and a USB mass storage device
Some USB-connected devices have more than one function, however. A smartphone connected via a USB cable is initially identified as a mass storage device (like a USB stick) so that data can be easily copied from the computer to the smartphone, and vice versa.
A smartphone can also be connected as a network device. This is done via so-called tethering, which means activating the hotspot feature on the smartphone, so that you can surf the Internet with a laptop or tablet via the mobile phone network.
I claim to be a USB mouse
Now, manipulated devices connected via USB can claim to be a lot of things. An ostensible USB stick can act like a keyboard and run commands on the computer, for instance.
A USB mouse could identify itself as a mouse, but be furnished with a memory chip containing malware that can be run on the computer, since the USB device can also be detected as mass storage.
Meanwhile, scenarios have even been developed in which all of the data stored on a USB stick is sent to a specific server, thus allowing someone to steal confidential information without the user realizing it.
(For more information, refer to "USB-Devices Phoning Home," a presentation by Roland Schilling and Frieder Steinmetz from TU Hamburg-Harburg. The slides are available on the website of the DFN-Cert 23rd Annual Security Workshop)
No technical solution
None of the current operating systems offer protection against malicious USB devices. While Apple has implemented several approaches, they are easily circumvented.
Preventive measures
Avoid unknown storage media
Never plug in a USB device that you found lying around, because it might contain malicious software. Hackers are happy when someone reacts to USB sticks that have been "scattered around."
Utilize file storage
Avoid swapping USB sticks with friends and fellow students. Rely instead on shared file storage. TUM recommends services such as Gigamove, the TUM NAS or Sync&Share (refer to the File Storage section).
Always look a gift horse in the mouth
A healthy dose of suspicion is advised even when it comes to USB devices handed out at trade fairs and similar events. Ask yourself whether the person giving you the USB device potentially gains from harming your computer or stealing your data or communication. Researchers can be targets in particular. Research espionage is more common than you think.
Information about file storage recommendations
The aforementioned file storage options are designed for different requirements.
While the <link en storage-archiving internal-link>NAS is well-suited for simple data storage for defined groups within TUM, <link en communication-collaboration internal-link>Gigamove is designed for people who only need one-off or occasional file sharing with people outside of TUM. <link en communication-collaboration internal-link>Sync&Share is the TUM alternative to DropBox. You can use it to synchronize files across multiple devices and share folders with people outside of TUM.