Whether you call it a USB, thumb drive, zip drive, memory stick, or flash drive, you probably own at least one. While they're not as popular as they used to be, due to programs like Drop Box and Google Drive, they're still widely used and likely will be for at least several more years.

If you think thumb drives aren’t a real threat, a study done in 2015 found that nearly 50% of people who pick up a random thumb drive will plug it in to their computer. If that doesn't convince you that thumb drives are a valid threat, one of the worst military breaches in U.S. history was caused by an infected thumb drive.

Surely, you’re thinking, “How does this happen? People should know better.” In the 2015 study mentioned above, many of the random thumb drives that people picked up were found in parking lots and benches. If people are willing to pick up random thumb drives from parking lots and plug them into their computers, then imagine how many people would fall for the scenarios below.

Scenario 1: You find a thumb drive sitting by the copier or in the break room. Surely it belongs to one of your coworkers and you want to help return it. So, you plug it into your computer in hopes of finding identifying information.  You see a file called “Resume_2019.” That seems promising, right?  Wrong. Don’t do it!

Scenario 2: When you check the mail, you find a flash drive with a well-known company’s logo on it. It’s in a nice package and has a logo on it, so you figure it must contain something cool, right? Wrong. Don’t do it! In a 2016 incident, criminals in Australia dropped infected USB drives in people’s mailboxes.

USB Attacks

You're probably wondering what the big deal is. You have anti-virus on your computer. Unfortunately, anti-virus can't protect you from most USB attacks. Without getting into the boring tech stuff behind it, anti-virus isn't effective against most USB attacks due to the very design of USB's.

According to researchers in 2018, there are 29 ways in which attackers can use a thumb drive to compromise your computer.

The Rubber Ducky is probably the easiest and most effective USB attack. It tricks the computer into thinking a keyboard is attached. Once the device is plugged in, a hacker can access your network information, user information, shared drive information, disable the firewall, add an administrative user, remove windows updates, download and execute files, encrypt files, and essentially wreak havoc. What makes it even scarier is that the device is easily obtainable. Anyone can buy it online for under $50 and it’s simple to use. There are many tutorials, instructions, and videos readily available online. A 13-year-old kid could figure it out (and they often do).

Electrical attacks will permanently destroy your device by triggering an electrical surcharge once you insert the thumb drive. This type of attack seems like something out of a spy movie but it is very real. The most common electrical attack is the USB Killer. Alarmingly, the USB Killer is readily available online for under $90 dollars. It comes with adapters, so it can be used on all devices including iPhones and MacBooks. It will instantly and permanently destroy any device it’s plugged into.

Other USB attacks allow hackers to infect a computer before it boots up, break out of virtual machine environments, control the mouse, change file contents, log and decrypt keystrokes, bypass password protected flash drives, extract data, capture video through the webcam, inject keyboard strokes, and perform other malicious acts.

Hackers have realized that people are becoming increasingly cautious of thumb drives and are now building malicious USB charging cables. It’s genius. No one thinks about malware when sharing a phone or laptop charger. USBHarpoon (or O.MG Cable) can infect any device that powers through USB. USBHarpoon continues charging the device as to not raise any suspicion. However, the victim can see Run prompt or terminal on the screen during the attack. Hackers currently have to execute the attack when the victim is not around the machine, but they are working on a way to make the attack stealthy. USBHarpoon shows that attacks are always evolving. Luckily, the people working on USBHarpoon are ethical hackers and researchers, but if the “good guys” have access to the technology, then so do the “bad guys.”


Now that you're freaked out, what can you do to protect yourself?

  • The best preventative measure you can take is to NEVER insert a random thumb drive into your computer.
  • Always use your own thumb drives.
  • Scan all thumb drives, keyboards, mice and other peripherals for malware.
  • Use an antivirus program.
  • Use a firewall.
  • Keep all software up-to-date.
  • Use strong passwords.