The dangers of USB drives.

Innovation, the Internet, gadgets, and more.
Oct. 5 2010 5:20 PM

Don't Stick It In

The dangers of USB drives.

(Continued from Page 1)

Chester Wisniewski, a researcher at the security firm Sophos, says Stuxnet's authors might have exploited this naiveté when designing the worm. JMicron and RealTek, the two companies that own the digital certificates that were stolen for Stuxnet, are located in the same office park in Taiwan. Wisniewski offers the following theory: "What if the attackers dropped a couple USB drives in the parking lot between JMicron and RealTek, and then employees picked them up and stuck them into their computers?" Voila, instant infection.

For Stuxnet, sticking it in is all it takes. Sean Sullivan, a researcher at the security firm F-Secure, points out that most USB-borne malware operates on a Windows feature known as AutoRun. AutoRun was developed in the 1990s to make it easier for people to install software on their computers; when you insert a disk, Windows looks for instructions telling it what to do. Usually these instructions are benign—the disk tells the PC to install a legitimate application—but AutoRun could also be used by hackers to install malware instantly. Over the years, Microsoft, security firms, and IT managers have become much more sophisticated about fighting AutoRun viruses. New versions of Windows prompt users about the software on a disk before running it, and corporate IT staffers often disable Windows' AutoRun features. But Stuxnet evades those measures; it can infect PCs even when AutoRun is turned off. "All you have to do is open up the folder and view the contents, and you're infected," Sullivan says. "It's such a minimal action that's required—something anyone would do just to see what's on the disk. That's why it spread."


There is, of course, a failsafe way to prevent Stuxnet from infecting high-security machines—why not just prohibit users from sticking USB devices into computers that have been purposefully separated from the Internet? "That would have worked," says Sophos' Wisniewski, "but the reality is the world is still pretty crappy at security." Companies either don't have such policies or don't enforce them—maybe, perhaps, because selfish employees (like yours truly) consider USB sticks extremely convenient. If you want to hand over a huge PowerPoint presentation to your colleagues down the hall, what's easier than sticking it on a USB disk?

If a company wants to ratchet up security, it's not as simple as banning all thumb drives. To be extra careful, you'd have to ban iPods, cameras, and every other USB-based doohickey—all of those devices are capable of carrying Stuxnet-like viruses, too. I asked Sean Sullivan, of F-Secure, if he could imagine any failsafe IT policy that would have worked to thwart Stuxnet. "Well, in our malware test machines, sometimes we put glue in the USB ports," he joked. Wisniewski, of Sophos, says, the only hope is education: Don't trade USB sticks, don't stick an unknown one into your machine, and don't pick one up off the street and plug it in your machine just to see what's inside.

"But I don't know if we're ever going to win that battle," Wisniewski says. "It's human nature. If I were a normal person and I didn't work in this bubble of security? If I found a USB drive, the first thing I would want to do is want to plug it in, too."

Become a fan of Slate  and  Farhad Manjoo on Facebook. Follow us on Twitter.


Sports Nut

Grandmaster Clash

One of the most amazing feats in chess history just happened, and no one noticed.

The Extraordinary Amicus Brief That Attempts to Explain the Wu-Tang Clan to the Supreme Court Justices

Amazon Is Officially a Gadget Company. Here Are Its Six New Devices.

How Much Should You Loathe NFL Commissioner Roger Goodell?

Here are the facts.

Amazon Is Officially a Gadget Company


The Human Need to Find Connections in Everything

It’s the source of creativity and delusions. It can harm us more than it helps us.


How to Order Chinese Food

First, stop thinking of it as “Chinese food.”

Scotland Is Inspiring Secessionists Across America

You Shouldn’t Spank Anyone but Your Consensual Sex Partner

Sept. 17 2014 5:10 PM The Most Awkward Scenario in Which a Man Can Hold a Door for a Woman
  News & Politics
Sept. 18 2014 10:42 AM Scalia’s Liberal Streak The conservative justice’s most brilliant—and surprisingly progressive—moments on the bench.
Business Insider
Sept. 17 2014 1:36 PM Nate Silver Versus Princeton Professor: Who Has the Right Models?
Sept. 18 2014 11:25 AM Gays on TV: From National Freakout to Modern Family Fun
  Double X
The XX Factor
Sept. 18 2014 11:40 AM Where Pregnant Women Aren't Allowed to Work After 36 Weeks  
  Slate Plus
Slate Fare
Sept. 17 2014 9:37 AM Is Slate Too Liberal?  A members-only open thread.
Brow Beat
Sept. 18 2014 11:48 AM Watch the Hilarious First Sketch From Season 4 of Key & Peele
Future Tense
Sept. 18 2014 10:07 AM “The Day It All Ended” A short story from Hieroglyph, a new science fiction anthology.
  Health & Science
Bad Astronomy
Sept. 18 2014 7:30 AM Red and Green Ghosts Haunt the Stormy Night
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.