CES Risk: Free USB Flash Drives - InformationWeek

CES Risk: Free USB Flash Drives

Security researchers warn that flash media given away at trade shows -- or even bought off the shelf -- may contain malware.

Visitors to the Consumer Electronics Show in Las Vegas this week might want to forgo freebie flash drives, or at least use them with caution. The SANS Internet Storm Center has published several anecdotal reports indicating that computer peripherals like USB flash drives and consumer electronics products like digital picture frames have been found infested with malware.

While a few reports of infectious devices hardly constitute an epidemic, the issue is being taken seriously by security researchers. "USB flash drives are everywhere these days," observed former Microsoft security researcher and author Jesper M. Johansson in an article in the January edition of Microsoft TechNet magazine. "At almost every conference, some vendor is giving them away like candy. Those drives may not have a lot of capacity, but you don't need a lot of storage space to take over an entire network... The technical details of the attack are actually quite simple. It all starts with an infected USB flash drive being inserted into a single computer. What happens then depends on the payload on that drive and, of course, how gullible the user is."

Given the ongoing success of cyber attacks that rely on social engineering, it appears that gullibility is everywhere these days, too.

In mid-December, Kaspersky Lab senior virus analyst Aleks Gostev penned a blog post describing his experience with an infectious Compact Flash card for his digital camera. "We've already written more than once about viruses and worms which spread via removable storage media by launching automatically from autorun.inf," he said. "A number of users have also come across this type of malicious program. There are also a number of cases where hard disks, flash drives, MP3 players, and other devices were already infected with malware when shipped by the manufacturers."

In a report on the evolution of malware last year, Kaspersky Lab noted that in the first half of 2007, "so-called classic viruses demonstrated the most growth among all malware (+237%)," an increase attributed to the "highly widespread method of using flash drives to spread viruses." An example of this is a Skype worm spotted in September 2007 called Worm.Win32.Skipi.a that attempts to spread through Skype and through copying itself to attached flash drives.

Some of the anecdotal reports published by SANS speculate that the malware infections were made possible by poor manufacturer quality controls. Others suggest the malware might have been installed in retail outlets as a result of poor inventory oversight. And some suggest that malicious software may be installed post-sale, on purchased products that are then returned to store shelves, as a prank or malicious attack.

"We have heard of USB drives being used," said Kevin Haley, director of Symantec Security Response, in an e-mail. "They have been used for targeted attacks. And they have been used for 'commercials' for the spyware/trackware software the purchaser then attaches to the PC they want to spy on. They are not practical for mass attacks (you have to buy, prep, and distribute the drives). We don't believe it's a significant trend. It's not cost effective."

The bigger fear, said Haley, would be that a manufacturer might unwittingly put malware on a device of some sort.

That appears to be just what happened to the maker of the Victory LT-200 MP3 player, according to a blog post published on Friday by Kaspersky Lab researcher Roel Schouwenberg. The manufacturer "told us they were aware that a few months ago there was a partially infected batch of these MP3 players, and that they'd taken steps to fix the problem," he said.

"Whether it's a picture frame, a digital camera, or any USB, CF, SD, etc. memory card, the portable nature of these devices dredges up memories of all the floppy boot viruses we used to have to deal with," said David Goldsmith of the SANS Internet Storm Center in a recent blog post. "Care should be taken when attaching storage devices to your computer to ensure you scan them for possible malware and handle them in as secure a fashion as is possible."
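As a complement to a malware scan, the autorun.inf launch mechanism mentioned above can be checked directly before a drive is trusted. The following is an added example, not code from the article or from any vendor quoted in it: it reads the autorun.inf at the root of a mounted volume and lists the entries that would start a program. The function names and the sample file contents are constructed for illustration.

```python
import os
import sys

# [autorun] keys that name a program to launch (Windows AutoRun format).
EXEC_KEYS = {"open", "shellexecute"}

# Constructed sample for illustration; not taken from any real device.
SAMPLE = r"""[AutoRun]
; promo drive
open=setup.exe
icon=drive.ico
shell\open\command = tools\launcher.exe /q
label=PROMO
"""

def find_autorun_commands(text):
    """Return (key, value) pairs in [autorun] that would start a program."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        key = key.lower()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            findings.append((key, value))
    return findings

def check_drive(root):
    """Inspect autorun.inf (any letter case) at the root of a mounted volume."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            # Files may be UTF-16 with a BOM; otherwise decode byte-for-byte.
            enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
            return find_autorun_commands(data.decode(enc, errors="replace"))
    return []

if __name__ == "__main__":
    hits = check_drive(sys.argv[1]) if len(sys.argv) > 1 else find_autorun_commands(SAMPLE)
    for key, value in hits:
        print(f"{key} -> {value}")
```

An empty result only means the drive does not ask to auto-launch anything; files on it still need the scan Goldsmith recommends.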
