10

The general consensus I hear among security professionals is that USB drives are dangerous. In most organizations (that I have worked at), USB drives are either forbidden or employees are required to get official corporate drives that only work on corporate devices. I don't hear these same concerns over, say, SD cards or CD/DVD-RW.

Are USB drives inherently more dangerous? Do they open up attack vectors that are not possible with other forms of removable media? What are the technical reasons for this?

Mark E. Haase
  • 2
    As a data point, every organisation I have ever worked in also prohibits all other forms of removable media - sometimes allowing read only, sometimes not allowing anything. – Rory Alsop Jan 10 '14 at 08:23

3 Answers

11

There is at least one specific risk of USB drives which doesn't apply to SD cards, CDs and the like. An SD card, a CD, etc. are unmistakably storage devices. In order to cause harm, the user has to not only insert the storage device into the computer but also open a file on it in a vulnerable way (run an executable, open a document in a vulnerable application).

In contrast, what looks externally like a USB drive could be any USB peripheral. It could be a wifi dongle, a keyboard/keylogger, a USB-to-Firewire converter (which may allow arbitrary device-initiated direct memory access), … Even if the device appears to be a storage device, it could contain a hub connecting both a legitimate storage device and a malicious device.

So if an employee picks up a USB drive somewhere (in the parking lot, or even in a store) and plugs it in, there is immediate risk. If an employee picks up a CD somewhere and inserts it in, there is another line of defense (if imperfect).

Gilles 'SO- stop being evil'
  • 1
    Some SD cards could actually be SDIO devices, or possibly have other hardware built in (e.g. the "Eye-Fi" http://www.eye.fi/). I doubt a "hidden" SDIO device would do anything on a Windows or standard PC platform but on some phone platforms it may be different. – LawrenceC Jan 03 '14 at 15:18
  • @JohnDeters An SD card *reader* is almost always a USB device. Not an SD card inserted in an already-connected reader. Preview features on an up-to-date system (which is of course a basic requirement for security) are by definition only subject to zero-day attacks, which is a concern but very much less so than connecting an arbitrary USB device. – Gilles 'SO- stop being evil' Jan 03 '14 at 16:07

6

If the system is properly configured, it shouldn't open up any more than using a memory card; however, if USB functionality isn't locked down, a malicious USB drive might be able to connect as something other than just a mass storage device and cause other issues. An SD card or CD is only a storage device and the interface can't be used for anything other than a storage device. CDs and DVDs are also not generally easily writable, so it is much less likely that a virus has snuck onto one from sticking it in an unknown device.

USB sticks on the other hand are frequently inserted into many different systems, any of which could get the stick infected and then cause issues on further systems down the line. So, yes, properly configured, there isn't much of a difference in terms of what could be done, but in terms of likelihood of an issue, USB sticks are far more likely due to how they are used and abused.

AJ Henderson
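
Both answers above turn on a device that looks like a drive but enumerates as something else, directly or through an internal hub. The following is an added example, not code from either answer: it assumes the Linux sysfs layout (`<device>:<config>.<interface>/bInterfaceClass`), and the function names and the sample tree are constructed for illustration.

```python
"""Flag USB devices whose interfaces go beyond mass storage (added example)."""
import os
import tempfile

# USB-IF base class codes (bInterfaceClass); subset relevant to this page.
USB_CLASSES = {0x02: "communications", 0x03: "HID (keyboard/mouse)",
               0x08: "mass storage", 0x09: "hub", 0x0A: "CDC data",
               0xE0: "wireless controller", 0xFF: "vendor specific"}
MASS_STORAGE = 0x08


def read_interfaces(sysfs_root):
    """Map each device (e.g. '1-2') to the interface classes it exposes.

    Interface directories are named '<device>:<config>.<interface>' and hold
    the class code as two hex digits in their bInterfaceClass file.
    """
    devices = {}
    for entry in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, entry, "bInterfaceClass")
        if ":" in entry and os.path.isfile(path):
            with open(path) as fh:
                code = int(fh.read().strip(), 16)
            devices.setdefault(entry.split(":")[0], []).append(code)
    return devices


def audit(sysfs_root, allowed=(MASS_STORAGE,)):
    """Return {device: [names of interface classes outside the allowlist]}."""
    findings = {}
    for dev, classes in read_interfaces(sysfs_root).items():
        extra = [USB_CLASSES.get(c, f"class 0x{c:02x}")
                 for c in classes if c not in allowed]
        if extra:
            findings[dev] = extra
    return findings


def build_sample_tree(root):
    """Constructed sample: 1-1 plain drive, 1-2 storage plus keyboard,
    1-3 a hidden hub with a drive (1-3.1) and a keyboard (1-3.2) behind it."""
    sample = {"1-1:1.0": "08", "1-2:1.0": "08", "1-2:1.1": "03",
              "1-3:1.0": "09", "1-3.1:1.0": "08", "1-3.2:1.0": "03"}
    for name, code in sample.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "bInterfaceClass"), "w") as fh:
            fh.write(code + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for dev, extra in audit(tmp).items():
            print(f"{dev}: non-storage interfaces: {', '.join(extra)}")
```

On a Linux host, `audit("/sys/bus/usb/devices")` inspects the attached devices; root hubs and built-in input devices will be listed as well, so the allowlist suits ports where only storage is expected.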
3

The reason USB drives are considered more dangerous by security professionals, in my opinion, is that they are ubiquitous.

Even the least non-technical of users can easily insert a thumb drive into the USB slot of any foreign machine and begin copying/downloading data.

This means that the likelihood of said USB drive becoming infected is also much higher than, say, read-only media like a CD/DVD.

Add to the fact that USB drives have dropped in price dramatically and make the capacity of standard CDs/DVDs seem small by comparison.

Also, USB drives are typically synonymous with Data Leakage. (Yes, you can leak data with other devices, but again, even the least non-technical of users can operate a USB drive.)

k1DBLITZ
  • Nothing you're saying is incorrect, but it also applies to DVDs: DVDs are ubiquitous, not super-technical, are very cheap, and could easily be used for exfiltration. (Easy to hide in a pocket or briefcase, and unlikely to set off any metal detector.) – Mark E. Haase Jan 10 '14 at 18:11