USB Cybersecurity Risks: What to Know

While it doesn’t necessarily get as much attention as software risks, hardware risks remain prevalent in terms of cybersecurity. One such area of concern comes from removable devices like USBs.

USBs stand for universal serial bus. They allow a computer to communicate with other devices. USB-connected devices are broad. They include flash drives, keyboards, and more.

A USB can also be used as a way to send power to other devices, like powering smartphones or charging batteries of devices.

Hardware attacks that involve things like USBs are growing in prevalence, and attackers can bypass authentication and endpoint security systems. These attacks are challenging to trace, and essentially attackers can leverage weakness in how an operating system manages hardware.

Honeywell Cybersecurity Research issued a warning about removable media threats in June 2021. Honeywell reported 79% of cyber threats stemming from removable media were critical to Operational Technology in heavy manufacturing. Honeywell went on to say the amount of malware engineered specifically for use with removable media as the attack vector has doubled year-over-year.

The following are key things to know right now about USB cybersecurity risks.

Types of Attacks

There are various ways to use a USB as an attack vector.

For example, malicious code is the most basic of these. In a malicious code attack, a user will click a file on a drive, and then the code can automatically activate when it’s viewed. From there, more malware is downloaded online.

The second type of attack is known as social engineering, where a file takes a user of a thumb drive to a phishing site. Once at that phishing site, someone could be duped into giving login credentials.

A more significant type of attack using removable devices is called Human Interface Device or HID spoofing. In this scenario, a device looks like a USB stick, but it tricks a computer into thinking it’s an attached keyboard. Then, the hacker has remote access to a computer.

A situation called a Zero Day attack occurs when the USB exploits a hole in computer software. The hacker acts before the vulnerability can be patched.

In the general sense, one of the most common uses for USB that’s weaponized is the delivery of malware.

How Do You Protect Against These Attacks?

One of the most effective things you can do to safeguard against USB and hardware-related attacks is the training of employees.

When you teach employees about the risks of removable media and not to plug devices into their computers when they don’t know what they are, it can decrease the threat your organization faces drastically.

Some other ways to safeguard against these attacks include:

  • Consider disabling autorun on all devices. If the ability to have programs run automatically when a USB is inserted is enabled, it’s straightforward to turn a USB into a weapon. You should make it a policy to disable autorun for all removable media. You can also further train employees on how to run programs on trusted removable media manually.
  • Encrypt any sensitive data you want to load onto a flash drive so that if that’s ever stolen, then at least the information it contains is protected.
  • You should ensure that your employees know never to store personal information on a work device and vice versa. Your policy should clearly outline requirements for keeping them separate.
  • If your employees have to use USBs for anything, you should only allow them to use flash drives with added security features. For example, they might have built-in encryption along with a biometric scanner and a PIN code.

Another option is not to allow the use of removable media at all. Then, of course, there’s no way for an attacker to weaponize the USB. Whether or not this is the right move for your organization is based on many independent variables.

Something else that can be generally helpful in terms of dealing with a myriad of hardware-related threats is a Zero Trust architecture. As a device, a USB wouldn’t be inherently trusted in a Zero Trust model. Instead, the device would have to be verified, as does every user and machine.

Even if a bad actor could gain access via a USB, their lateral movement would be impeded with Zero Trust frameworks.

It’s important in 2022 with your cybersecurity planning that you don’t overlook the role of hardware threats and take steps to protect against them as you do other risks you might face.

Tags :

About the Author


Josh Morgan

Josh Morgan is CouponAnnie's senior editor. He lives life on the cheap, but that doesn't mean a boring existence. Josh loves helping people focus on frugality without giving up the things they enjoy. When he's not getting deals, he's probably drawing or writing something amazing.