The dangers of USB drives.

Innovation, the Internet, gadgets, and more.
Oct. 5 2010 5:20 PM

Don't Stick It In

The dangers of USB drives.

USB device. Click image to expand.
USB drives can spread viruses.

Talking to a computer security researcher about Stuxnet is like asking an art critic to describe the finer points of the Mona Lisa. The world's top cybersecurity minds are absolutely in awe. Stuxnet, which was discovered in June and has since spread to millions of machines around the world, is the most sophisticated computer attack we've ever seen. Though its true purpose is unknown—teams of experts across the globe are poring through the code in an effort to divine its intentions—the deviousness of its design has prompted many researchers to call it a "cyber-weapon," one perhaps created by the United States or Israel to disrupt Iran's nuclear program.

Why should we think of Stuxnet as a weapon? Because it's the first digital worm known to infiltrate and secretly reprogram machines that run sensitive industrial processes—power plants, pipelines, telecommunications centers, airports, and ships. Iranian officials have said that Stuxnet infected employee computers at the country's Bushehr nuclear-power plant. Siemens, the German conglomerate, says that Stuxnet has already breached at least 14 factories running its software. (It hasn't caused any damage.) The worm, researchers say, is clearly the product of months or even years of work, perhaps by a large team with specialized knowledge about obscure industrial systems. In order to invade their targets, hackers often try to find a hidden bug—known as a "zero-day vulnerability"—in Windows or some other widely used software. Stuxnet's brilliant authors didn't find just one bug; the worm gets into Windows PCs using four distinct and previously unknown security holes. Its authors also managed to "sign" the worm with encryption certificates they'd stolen from two computer companies in Taiwan. These pilfered certificates allow Stuxnet to masquerade as legitimate Windows software.

Advertisement

But what's most interesting about Stuxnet isn't how smart its authors were; it's how dumb they guessed we all would be. How did the worm's creators expect to get it inside some of the most secure installations in the world? After all, sensitive machines often operate behind an "air gap"—that is, their networks are physically separated from the Internet and other dangerous networks where viruses can roam freely. Getting anything inside one of these zones requires the complicity of an employee. That's exactly what Stuxnet got, because its authors designed the worm to piggyback on the perfect delivery system—the ubiquitous, innocent-looking USB flash drive, the planet's most efficient vector of viruses, worms, and other malware.

Look at some of the most spectacular computer attacks in the last few years, and you'll usually find a USB stick at the center. Conficker, the worm that corralled millions of PCs into a giant botnet last year, got into the French navy and the city of Manchester, England—among many, many other organizations—through infected USB disks. (Manchester was temporarily unable to issue parking tickets as a result.) In August, William Lynn, the deputy secretary of defense, disclosed that the U.S. military was hit by a worm called agent.btz two years ago "when an infected flash drive was inserted into a U.S. military laptop at a base in the Middle East." (Lynn says that the attack was a deliberate effort by a "foreign intelligence agency," but security experts are skeptical that it was anything more than a routine infection.) In 2008, the central computer at the Spanish airliner Spainair was hit by a virus introduced through a USB drive; the malware slowed down a machine responsible for monitoring airplane failures, which an investigative report later fingered as one factor in the cause of the deadliest air disaster in Spanish history.

What makes USB drives so great at carrying malware? They're the mosquitoes of the digital world—small, portable, and everywhere, so common as to be nearly invisible. I've got half a dozen USB disks on my desk right now, several of unknown origin—I know I purchased a couple of them, but I've also picked up USB drives from friends, colleagues, and at trade shows, where they're handed out as freely as pens and candy. Funny story: At a conference in Australia last year, IBM handed out thumb drives that turned out to be infected by malware. It was a computer-security conference.

That gets to what's most dangerous about USB drives—many computer users are in the dark about their capacities for trouble. Over the last decade we've all grown used to the dangers of Internet-borne scams and malware. We know we shouldn't click on e-mail attachments from strangers, and we know we should be wary of typing our passwords into shady sites online. But the USB disk has somehow evaded our suspicion; few of us look at them and recoil at the dangers that could be lying within. Indeed, USB sticks evoke exactly the opposite emotion—if you saw a stray one on the street or lying around your office, wouldn't you pick it up and put it in your computer to try to identify the rightful owner?

TODAY IN SLATE

Politics

Talking White

Black people’s disdain for “proper English” and academic achievement is a myth.

Alabama’s Insane New Abortion Law Gives Fetuses Lawyers and Puts Teenage Girls on Trial

Tattoo Parlors Have Become a Great Investment

A Jaw-Dropping Political Ad Aimed at Young Women, Apparently

The XX Factor
Oct. 1 2014 4:05 PM Today in GOP Outreach to Women: You Broads Like Wedding Dresses, Right?

Big Problems With the Secret Service Were Reported Last Year. Nobody Cared.

Crime

Operation Backbone

How White Boy Rick, a legendary Detroit cocaine dealer, helped the FBI uncover brazen police corruption.

Hong Kong’s Protesters Are Ridiculously Polite. That’s What Scares Beijing So Much.

This Gargantuan Wind Farm in Wyoming Would Be the Hoover Dam of the 21st Century

Moneybox
Oct. 1 2014 8:34 AM This Gargantuan Wind Farm in Wyoming Would Be the Hoover Dam of the 21st Century To undertake a massively ambitious energy project, you don’t need the government anymore.
  News & Politics
Politics
Oct. 2 2014 11:01 AM It Wasn’t a Secret A 2013 inspector general report detailed all of the Secret Service’s problems. Nobody cared.
  Business
Moneybox
Oct. 2 2014 12:58 PM Why Can’t States Do More to Protect Patients From Surprise Medical Bills? It’s complicated.
  Life
Lexicon Valley
Oct. 2 2014 1:05 PM What's Wrong With "America's Ugliest Accent"
  Double X
The XX Factor
Oct. 2 2014 12:37 PM St. Louis Study Confirms That IUDs Are the Key to Lowering Teen Pregnancy Rates
  Slate Plus
Behind the Scenes
Oct. 1 2014 3:24 PM Revelry (and Business) at Mohonk Photos and highlights from Slate’s annual retreat.
  Arts
Brow Beat
Oct. 2 2014 1:29 PM Want to Know What Makes David Fincher Great? Focus on What He Doesn’t Do.
  Technology
Future Tense
Oct. 2 2014 1:22 PM If Someone Secretly Controlled What You Say, Would You Notice? What cyranoid experiments reveal about how people act.  
  Health & Science
Science
Oct. 2 2014 12:53 PM The Panic Virus How public health officials are keeping Americans calm about the Ebola threat.
  Sports
Sports Nut
Oct. 1 2014 5:19 PM Bunt-a-Palooza! How bad was the Kansas City Royals’ bunt-all-the-time strategy in the American League wild-card game?