Flashback: Never Pick Up A Dirty Flash Drive! You Never Know Where It's Been!

illustrated infected USB Drive

The Story

USB flash drives (also called: thumb drives, pen drives, jump drives, and so on) are a cost effective method for storing data that you need to transport, keep unnecessary files off a computer’s memory, or access without requiring the Internet. They’re handy for students, businesses, and the average Joe.

However, the United States government decided some time ago that USB drives had no place in their government. This was after a noteworthy kerfuffle back in 2008 that probably leaves today’s cybersecurity experts rolling their eyes at what seems so obvious today: never plug in a strange USB drive!

In November 2008, a stray USB drive was found in a US Middle Eastern military installation parking lot. It was plugged into a Department of Defense computer network which was promptly infected with a virus called “agent.btz,” which quickly reached the DoD’s SIPRNet (Secret Internet Protocol Router Network) which held both classified and unclassified data. Basically, it included everything: both top intel and mundane logistics.  This virus is a variant of the SillyFDC worm, which can scan for data, open backdoors, and send messages through those backdoors to remote commands and servers. Confidential and top secret information of all sorts was now at risk for exposure. To make matters worse, the infection was not immediately obvious, and experts have no idea what the flash drive might have sent and to whom.

The malware began to emit a signal (a beacon, if you will) once it was in place. This signal, which was intended to let its creators know it was in place and ready for future orders, was the only hint there was something wrong. It was this beacon that alerted the Advanced Networks Operations team from the NSA of an infection. Deep in the middle of the War on Terror, the most powerful country’s defense network was compromised.

The point of entry was rapidly determined. Thousands of drives were confiscated from officers and other personnel and found to also be infected. It was well into the year 2009 before infections were able to be stopped. Operation “Buckshot Yankee” was the effort the DoD created to combat the infection which took 14 months. USB flash drives were summarily banned and the Windows autorun feature was disabled. It did result in the creation of the US Cyber Command (the 11th unified military command) so perhaps there is a silver lining: a lesson to be learned and an outfit devoted to preventing such attacks again.

Although ultimately deemed to be “relatively benign” in effect, this virus could quite easily have caused uncountable damage to the DoD. No one has stepped forward and taken credit for the attack. However, many experts believe that Russian hackers had something to do with it as they have been known to use the same code that comprised agent.btz before. The relative low impact the virus had has led others to believe it would not likely have been Russian hackers, presumably because their interests would have been more malignant.

Person holding a corrupt USB Drive

Are USB Drives Safe to Use?

With time comes experience. Cybersecurity has come a long way in the past decade and what seems common sense to even laymen going about their every day computing tasks was not even a thought years ago.  Digital and viral threats still abound even in our modern cyber-conscious minds, though, so it’s not fair to place the blame entirely on peripherals like USB drives. Any digital medium can become a vehicle for malware, like emails and attachments, software downloads, websites, social media, and online ads.

USB drives are as safe to use as you make them. Just remember these easy to follow, common sense tips:

  • Don’t plug in strange USB drives into your computer, even to see what it contains!
  • Don’t plug your USB drive into strange computers; you don’t know what malware may be installed
  • Do your research before buying your USB drive; not all drives are equal—some drives come with added security features!
  • Don’t keep everyone on one USB drive; make copies. Also, keep your business and personal files separated.
  • Disable Autorun. This will prevent malicious bugs from automatically downloading onto your drive.
  • Take advantage of both hardware and software security features like password protection and encryption. You can often enable these yourself without purchasing a drive with it already pre-installed. 

Most people understand and follow these rules already, thanks to horror stories from the past decade of spyware and other malicious bugs sent through innocuous means. But consumers feel they should be able to trust drives sent from legitimate businesses. This is why Spotify's recent flub with their promotional USB drives was in such poor taste. A few weeks ago, Spotify sent a number of promotional USB drives to several journalists with notes that said, "Play me" which luckily turned out to only contain a single audio file. This sort of stunt only reinforces negative behavior like plugging in strange devices and a former NSA hacker said that the stunt was "amazingly tone deaf" considering our cybersecurity conscious society. However, instances of USB hacking still unfortunately occur and justifiably retain headline news for a long time. Consider earlier this year's John Deere ruckus where their promotional drives hacked keyboards, automatically driving users to their website. Naturally, consumers were unhappy with the loss of control. As a consumer, remember that you are in control of what you access on your computer and what you introduce (i.e. plug in). Practice good judgement and when in doubt, don't plug in a strange device or click on anything suspicious.