Stocking Stuffer Security: USB Problems

Today is Black Friday, which is no longer really the biggest shopping day of the year unless you’re only counting North America (that title belongs to Singles’ Day now), but still a pretty big deal. Personally, the only serious deal that caught my eye was sold out before I had a chance, but that’s OK. It’s fun watching the folks over at Cards Against Humanity stack up $50,000 in orders for absolutely nothing, and I’m actually looking forward to getting a basic, cheap smartwatch after biting on Meh’s mediocre pitch.

You don’t care about that. Let’s talk USB.

USB drives and cords are on sale all over the place. If you want the latter, it would be a good idea to check Benson Leung’s Amazon review list above. He’s an engineer at Google, and he’s been ordering loads of USB Type C cables for testing with their Chromebooks and other devices. Mostly he’s been shaming manufacturers for falsely advertising standards compliance, which is good, because according to a knowledgeable Gizmodo commenter that could spell disaster for some devices.

Want a new USB drive to carry around files? Those are dirt cheap too, especially today, but you’ll have to do some serious research to find one that doesn’t represent a security problem.

See, USBs are basically insecure at a level that can’t be countered. WIRED does a nice job breaking down the problem, which comes down to firmware with inconsistent standards. As Karsten Nohl states in that piece: “You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer.”

The good news is that apparently this is only applicable to roughly 50% of all USB drives manufactured. The bad news is, figuring out which ones are actually secure is a crapshoot. It’s a chip manufacturer problem.

If you’re seriously concerned about this kind of thing — and there are some who will argue you don’t need to worry— IronKey is currently the only manufacturer making sure their own USB drives aren’t vulnerable. Unfortunately, they’re not the type to put stuff on sale for the holidays, and the prices are steep.

Perhaps a more reasonable action to take if you’re worried about USB port security would be to get yourself a “USB condom” for your phone cord. Because those complimentary charging ports available at airports and other places might represent a means for the companies providing them to get information about your device.

Finally, consider this a reminder that even if you’re willing to accept the risks in buying your own cheap USB drives, NEVER plug a free drive you just happened to find lying around into your computer. Because not only is that an easy way to spread a virus, but some of them just might fry your hardware. Truly, an innovative attack.