As an information and cybersecurity expert, Adam Shostack focuses on providing clients with expert security solutions that improve security outcomes for their organizations. Shostack was instrumental in fixing the Windows Autorun malware problem that had plagued Windows machines since the deployment of Windows 95, and he now warns users about the security risks associated with USB devices.
Most individuals know they should never insert an unknown USB device into their computer because the flash drive may contain malicious software. However, an even more insidious problem exists because these devices may have malicious firmware.
USB is a universal type of port that allows users to connect a variety of devices (e.g., flash drives, external hard drives, game controllers, network adapters, etc.) to their computers. These devices, along with your computer, run a type of software known as firmware. When a user connects a device to his or her computer, the device’s firmware is what makes the device function. This is certainly convenient; however, there is no secure way to verify whether the firmware on the USB device is safe.
For example, a USB flash drive may appear to function normally, but the firmware associated with it could modify files in the background and infect a computer. Further, using a connected device with malicious firmware as a USB Ethernet adapter could potentially route internet traffic over servers that contain malware. A device that works as a USB flash drive could also contain firmware that allows it to run as a keyboard and an Ethernet network adapter. Additionally, computers have the potential to infect a USB device’s firmware.
To make matters worse, Adam Shostack warns there are no known defenses against USB attacks. Malware scanners are typically unable to access the firmware running on a USB device, and behavioral detection is almost impossible because the behavior of an infected device may look as though a user has simply plugged in a new USB device. While it is possible to block or allow specific classes of USB devices, these lists are easy to bypass.
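The class-based allow list mentioned above can be sketched as follows. This is an added example, not code from Adam Shostack or any product: it walks a raw USB configuration descriptor and compares the interface classes the device declares against an allowed set. The descriptor bytes, helper names and the allowed set are constructed for illustration, and the check sees only what the device's firmware chooses to declare.

```python
# Added example: list the interface classes a USB device declares for itself.
CLASS_NAMES = {0x02: "CDC communications", 0x03: "HID", 0x08: "mass storage"}
DT_INTERFACE = 0x04  # bDescriptorType value of an interface descriptor

def interface_classes(config: bytes) -> list[int]:
    """Walk a raw configuration descriptor; return bInterfaceClass per interface."""
    classes, offset = [], 0
    while offset < len(config):
        length = config[offset]  # bLength of the descriptor at this offset
        if length < 2 or offset + length > len(config):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if config[offset + 1] == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {offset}")
            if config[offset + 3] == 0:  # count alternate setting 0 only
                classes.append(config[offset + 5])  # bInterfaceClass
        offset += length  # endpoint and other descriptors are skipped by length
    return classes

def policy_decision(config: bytes, allowed: set[int]) -> tuple[str, list[str]]:
    """Return ("allow" | "block", names of declared classes outside the allow list)."""
    unexpected = sorted(set(interface_classes(config)) - allowed)
    names = [CLASS_NAMES.get(c, hex(c)) for c in unexpected]
    return ("block" if names else "allow", names)

# --- constructed sample descriptors (simplified, not captured from real devices) ---
def _iface(num, cls, sub, proto, endpoints):
    body = bytes([9, 4, num, 0, len(endpoints), cls, sub, proto, 0])
    for addr, attr in endpoints:
        body += bytes([7, 5, addr, attr, 0x40, 0x00, 1])  # endpoint descriptor
    return body

def _config(*ifaces):
    body = b"".join(ifaces)
    total = 9 + len(body)  # wTotalLength covers the header and all sub-descriptors
    return bytes([9, 2, total & 0xFF, total >> 8, len(ifaces), 1, 0, 0x80, 50]) + body

STORAGE = _iface(0, 0x08, 0x06, 0x50, [(0x81, 2), (0x02, 2)])
FLASH_DRIVE = _config(STORAGE)
COMPOSITE = _config(STORAGE, _iface(1, 0x03, 1, 1, [(0x83, 3)]),
                    _iface(2, 0x02, 0x06, 0, [(0x84, 3)]))

if __name__ == "__main__":
    for name, blob in (("flash drive", FLASH_DRIVE), ("composite", COMPOSITE)):
        print(name, policy_decision(blob, allowed={0x08}))
```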
Adam Shostack emphasizes that users should exercise caution when dealing with suspicious USB devices. Never connect an unknown device to your computer. With the Windows Autorun feature now disabled by default, it is easy to become complacent, but the fundamental design flaw in these types of devices demonstrates a potential but serious danger to a user’s computer.