A hacker’s best friend is that little USB stick you plug into your computer.
The small flash memory drives are often used to easily share files from computer to computer. But as Tech Insider saw firsthand while following white hat hackers from RedTeam Security during a penetration test on a power company, the drives are among the easiest ways to install malicious software and gain access to a computer.
There are two ways to pull this off.
RedTeam demonstrated both methods for us, which start with dropping the sticks in heavily-trafficked locations around their target. In some cases, they drop the devices in the parking lot, hoping for a curious person to pick it up.
Hackers might use a regular off-the-shelf USB stick or a device that looks like one that’s called a “rubber ducky.” But either way, the result — if you pick it up and plug it into your computer — will be the same.
All the people need to do is take the stick inside, plug it in, and click on the file, which RedTeam named as salaries2016.doc, likely sparking an employee’s interest. Once opened, the file will prompt the user to “enable macros.” After this, the document will be able to run malicious software that can do anything from activating the webcam to keeping a running log of keystrokes.
This USB trick is basically the exact same thing as an email phishing attack, and it’s surprisingly effective. A recent University of Illinois study found that nearly 50% of people will pick up a random USB stick and run through all the steps required to have their computer compromised.
Then there’s the “rubber ducky,” which doesn’t require the user to do anything more than plug it in.
The $40 device looks like a USB drive but it’s actually a mini computer that tricks a machine into thinking it’s a keyboard. Just as a computer will recognise a new keyboard once it’s plugged in and automatically install its software, this thing “quacks like a keyboard and types like a keyboard” and thus, fools the computer into running whatever commands a hacker has given.
“It’s easy to laugh at these attacks, but the scary thing is that they work — and that’s something that needs to be addressed,” researcher Matt Tischer told Motherboard.
It’s also worth noting that antivirus software wouldn’t be effective in stopping these types of attacks.
Fortunately, RedTeam’s demonstration was only a test of a company’s security. But the threat posed by USB sticks in the workplace — and even the US military — is very real.
And there’s not really an easy solution. As cybersecurity expert Bruce Schneier has written: “The problem isn’t that people are idiots. … The problem is that it isn’t safe to plug a USB stick into a computer.”
“The best advice is don’t trust anything if you don’t know where it came from,” said Kurt Muhl, security consultant with RedTeam Security. “If you find a USB laying on the ground at work report it to a lost and found, or send out an email to coworkers that you found it.”