Don’t Plug In That USB! – How Rogue USB Devices Harm Endpoint Security

Rogue USB Devices Harm Endpoint Security

Universal Serial Buses (USBs) are incredibly common connectors used in electronic devices such as flash drives, keyboards, external hard drives, desktop fans, and plenty of other devices. 

The ability of USBs to transmit both data and electricity makes them incredibly useful for connecting devices to computers – it also makes them an endpoint security nightmare. 

Organizations can suffer detrimental data breaches after their systems become infected with malware following one of their users plugging a rogue USB device into an endpoint device such as their workstation. By better understanding the potential threat that rogue USB devices can have on endpoint devices and data security, organizations can better defend against this threat.

Why Are USB Devices Dangerous?

USB devices can be used to transmit malware or even cause physical damage to hardware. Devices such as the USB Killer, a niche USB device designed to look like a flash drive, rapidly damage sensitive electrical components with rapid charge/discharge cycles when inserted into a USB port.

Malicious actors (aka “black hat” hackers) can use USB devices to stealthily infect computers with malware by executing a “payload” when the USB device is connected. The payload is malicious software that is designed to perform a set of malicious functions such as leaking sensitive data, installing spyware to stealthily monitor user activity, deleting/corrupting files, or execute a command to install other malware onto the now-compromised system.

Any USB Device Can Be Dangerous

Any unknown USB device should be treated as a vector for an attack from malicious attackers. 

While the typical culprits are USB flash drives and external hard drives, niche product developments such as the O.MG cable and USBHarpoon have shown that even seemingly innocent devices such as USB cables can be specially-designed with the hardware required to execute a payload when it is connected to a computer. 

Any USB device – including USB-powered fans or lights –  can be modified to include data transmission and storage capabilities, leaving unsuspecting users to be none-the-wiser that they have become a negligent insider threat thanks to their trust in an unknown USB device.

How Do Attackers Get Access to the Computers?

You may have noticed a critical component of USB attacks – they require that the USB devices are given direct access to the USB ports in order to execute the payload. 

While the USB devices do need to be directly connected to a USB port to initiate the attack, the attacker themselves do not need to be the ones plugging in the USB. The attacker can pre-load a USB device with a payload that can execute automatically once the USB device is plugged in by a third party.

Social Engineering

Social engineering – the use of flaws in human psychology to manipulate individuals into inadvertently cooperating with the attacker – is scarily effective in transmitting payloads through unknown USB devices. 

Attackers can use social engineering to exploit the curiosity of employees with poor cybersecurity practices by leaving infected USB flash drives in spaces used by the organizations they intend to target. In an experiment conducted by the University of Illinois and the University of Michigan, USB flash drives were scattered across a large university campus resulting in a staggering 45-98% of the USBs being inserted into machines. 

The majority of those duped by the social engineering study did so in an honest attempt to discover the owner of the flash drive, though some acted out curiosity or out of the intention to keep the flash drives for future use.

Insider Threats

An organization relies on teams of trusted people to function. Unfortunately, trusted employees, contractors, or visitors can become malicious insider threats under certain circumstances. An unknown person walking throughout the office is certain to be suspicious, but employees working for an organization that allows USB devices can easily sneak past security personnel to deploy a payload.

How to Protect Against USB Device Attacks

USB devices can be dangerous if mismanaged, but there are ways to protect endpoint devices against the threat of malicious USB attacks.

An organization’s data loss prevention (DLP) strategy can be greatly improved by strengthening its defenses against USB attacks with the appropriate combination of physical security, DLP software with USB access control features, and regular cybersecurity training for users.

Physical Security

While the chances that an unknown individual will directly enter an organization to deliver their malware payload, physical security measures are still a significant factor for endpoint security. Physical security such as locked doors, security personnel, and video surveillance all contribute to preventing attackers from directly accessing the organization’s hardware.

Cybersecurity Training

An organization that takes its data loss prevention seriously must invest in providing its users with frequent cybersecurity training that addresses their cybersecurity responsibilities as well as the forms of attacks that can be executed against the organization.

When users are properly trained they will better understand how to use the organization’s computers and network in a safe and responsible manner, reducing the chances that they will fall victim to social engineering attacks that rely on phishing and unknown USB devices to be executed.

Use USB Access Control Software to Block USB Ports

Organizations that want to improve their data loss prevention capabilities by protecting their network and endpoints against unknown USBs should proactively invest in endpoint security software with integrated USB access control features. 

The USB access control features provided in endpoint security software allow organizations to have greater control over the USB devices that are permitted to be used within their network, reducing the opportunity for unknown USB devices to execute their payloads. 

When investing in endpoint security software, here are key features to look out for:

  • Device Permissions: Whitelists (allowed list) and blacklists (restricted list) to granularly configure USB device permissions.
  • Device Access Alerts: Alert administrators when endpoint devices are being accessed by the end-users.
  • File Operations Detection: Monitor endpoints to detect when files are copied to USB flash drives and external hard drives.
  • Block File Transfers: Prevent data leaks by blocking unauthorized file transfers from computers to external devices.
  • Solution Flexibility: The ideal endpoint security software must have flexible customization options to allow administrators to configure the software solution to best fit the needs of the organization.

Block USB Ports with AccessPatrol Endpoint Security Software

With a full-featured 14-day FREE trial of AccessPatrol, organizations have the opportunity to test an endpoint security software solution designed to protect their data and secure their endpoints.

AccessPatrol is an endpoint security software that is available as a stand-alone product or as part of the CurrentWare suite. CurrentWare customers use AccessPatrol to strengthen their data loss prevention capabilities by blocking USB ports, disabling unauthorized external devices,  and configuring custom device permissions for their users.

All CurrentWare products are available for a one-time fee with a permanent license and no monthly subscription costs. CurrentWare customers enjoy included support and product upgrades for 1 year after their purchase, with optional maintenance packages available.

If your organization is ready to enhance its data loss prevention strategy, click the button below to request your 14-day free trial of AccessPatrol and an expert from the CurrentWare team will provide you with everything you need to get started.

Download AccessPatrol Trial

Dale Strickland
Dale Strickland
Dale Strickland is a Marketing Coordinator for CurrentWare, a global provider of endpoint security and employee monitoring software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.