Maybe you know not to plug strange USB drives into your computer, but trends indicate that most people think nothing of it.
This is not a new risk. A decade ago, a group of penetration testers dropped 20 USB sticks around the parking lot of a credit union. Fifteen of them were found by employees, and each of those was eventually plugged into a computer, unwittingly running a program that communicated with a “bad” server.
Would you open an email attachment from someone you did not know, or one that seemed suspicious? Opening files on an untrusted USB drive is similar.
But there’s reason for some caution. USB drives can fry your computer. The USB Rubber Ducky tool could perform a scripted attack on your computer. And running random files on that sketchy jump drive you picked up in the parking lot could lead to doom, especially if you’re working at an industry commonly targeted for corporate espionage, or are targeted for another reason.
But what about the rest of us? Plugging random USB drives handed to you by nice people at conferences is probably safe, right? “Any untrusted media should be approached with caution. However, malicious thumb drives are generally uncommon and typically used in targeted attacks,” said Zachary Julian, Senior Security Analyst at global security consulting firm Bishop Fox. “The most common attack vector via thumb drive will be a malicious program on the disk that tricks the user into executing it. When browsing untrusted media, any program or document on the drive should be treated carefully, as it may contain malicious code,” he adds.
Though he’s quick to point out that this threat is extremely unlikely for most people, “a targeted attacker could conceivably craft an exploit that would allow them to execute code without the victim opening any file, such as an exploit affecting the thumbnail-rendering library in Windows or Linux,” he says. In contrast, attackers may rely on a less technical approach, such as obfuscating a file name using a right-to-left ASCII control character. “It is invisible to the user, but indicates to the operating system that the text following it should be displayed right-to-left. This can be used to trick a user into opening a malicious program. For instance, imagine a malicious file called gpj.malware.exe. If we insert the right-to-left ASCII control character at the beginning of this filename it becomes exe.erawlam.jpg, which could trick a user into thinking it is a .jpg image. It will actually run as an .exe file on the victim’s machine.”
Is this likely, or isn’t it? Well, it all depends on your threat model and whether someone would realistically invest a lot of time and/or money to try to compromise your machine. So you’ve got a potentially suspect USB drive, but really want to see what’s on it. What steps should you take? The best defense, says Julian, “is to avoid inserting untrusted media into your computer altogether.” Surely you can buy your own USB drive instead of using the one you found or got for free, right?