PERSPECTIVES FROM THE CAMPUS

One of the strengths of Indiana is that we bring together a variety of perspectives from the plethora of areas that touch the field of cyber, especially through the colleges, universities, and other institutions of higher education throughout our state. Hence the name "Perspectives From the Campus Series”, we invite experts -- immersed in the pursuit of educating their students -- to offer their knowledge for finding solutions in cybersecurity that benefit all Hoosiers.

In the second installment of this series, David Dungan, who serves as the Executive Director at the Center for Security Services and Cyber Defense at Anderson University, discusses the importance of protecting your personal information when it comes to USB devices and ports, as well as other forms of removable media.

By David Dungan

USB devices, CDs, SDs, and SIM cards make our lives easier in many ways, but it's important to understand the inherent vulnerabilities of these devices so you can keep your private information safe and secure.

One common attack relies on social engineering to infect devices. It starts with someone leaving a USB flash drive in common public places (even a parking lot), on someone’s desk, or it’s addressed to an individual with the hope that a person will plug it into their computer.

Call it curiosity or a desire to simply help someone, you might be tempted to insert the removable media to see who it belongs to, or to access the information (if they think it belongs to them), or if they need to plug in the removable media for a specific task. The problem is these devices act like a remote keyboard when the victim plugs them into their device. The removable media devices have pre-programmed keystrokes that can place malware on your computer, delete important files, open a backdoor for persistent access, and more.

Essentially, with a removable media attack or USB drop attack, the attacker can program the device to perform any actions that they would be able to perform, just as if they were sitting at your computer. You can protect yourself from this kind of attack by never plugging an unknown removable media device into your computer or mobile device.

Another common attack involves public USB ports that, more and more these days, are found in cafes, airports, and hotels. While these may be convenient if you’re traveling and your phone’s battery is running low, but you could be handing over your personal information directly to a malicious attacker. This type of attack works by modifying the port to include a device that will interact maliciously with your phone. A similar attack uses a malicious USB cable to steal private information.

To protect against attacks like these, never plug a phone into an unknown USB port and never use a charging cable that is not trustworthy. If you need to plug it into an unknown USB port, you can use a data blocker to prevent malicious devices from interacting with your phone. This data blocker works by not including the USB lines that transfer data in the port that connects to the suspicious device. It is important to plan ahead so that the next time you’re out in public and need a charge, you have your own charger or portable battery.

The bottom line is simple: all of us need to be wary of removable media that is not our own and take precautions whenever we’re plugging our devices into an unknown or, otherwise, suspicious USB port or charging station. If you want more information about these types of devices, Verizon and the National Cybersecurity Alliance also offers lots of great tips and best practices that you’ll find helpful.