In 2009, I was working with a vendor of secure USB memory sticks. The devices were intended to mitigate the risks of data losses by automatically encrypting data copied onto them. At that time, data breaches by public and private sector organisations resulting from lost USB drives and laptops were regularly in the headlines, so a memory stick with onboard encryption was a simple, effective solution to a common problem.
However, I realised the writing was on the wall for USB-based storage when I started using Dropbox, which had launched around the same time. To me, the ability to have personal cloud storage and file sync seemed to negate the need for carrying devices like memory sticks. Coincidentally, Dropbox founder Drew Houston originally conceived the idea for the service after repeatedly forgetting and misplacing his USB flash drive while he was a student.
And this week, something happened that could sound the death knell for memory sticks in business: working code for the BadUSB attack, which undermines the trust we place in USB devices and can turn an ordinary stick into a malicious agent, has been published online. This is not a bug a vendor can patch. It exploits the fact that many USB controller chips accept new firmware over the USB connection itself, with no check on where that firmware came from or who signed it.
The attack was first revealed back in August at the Black Hat conference in Las Vegas, when two security researchers presented proof-of-concept malware called BadUSB. Rewriting a stick's controller firmware lets the device do far more than store files: in the demonstrations it announced itself to the host as a keyboard and typed commands, posed as a network adapter to redirect the machine's traffic, and could alter files as they were read from the device. Because the malicious code lives in the controller firmware rather than in the flash storage the host sees, reformatting or wiping the stick leaves it intact, antivirus tools that only scan the file system cannot see it, and no software update fixes it: the real fix is controllers that accept only signed firmware, which means new hardware.
The researchers described a range of attacks once a BadUSB device is plugged in, from installing a backdoor on the host, to hijacking its internet traffic by changing its DNS settings, to spying on users' data traffic from the infected machine. It also works in the other direction: a PC that has already been compromised can reprogram any stick with a vulnerable controller that is plugged into it, so the device carries the infection between machines. The code published this week targets one widely used family of controller chips, and other controllers would need their own reverse-engineering effort, but nothing about the approach is specific to that chip. With the details now available to any malware author who wants them, we can expect a deluge of new attacks built on this technique.
So what can organisations do to protect themselves against this new risk? They could update their policies on USB usage to allow only trusted devices on trusted PCs (which, some may argue, defeats the point of a portable device), but a policy relies on compliance from every employee, at all times, and a stick that looks and behaves like an ordinary drive gives the employee no way to tell whether it has been reprogrammed. Endpoint device-control tooling can enforce part of the policy by allowing only known vendor and product IDs, but a reprogrammed controller can present whatever IDs and device class it likes, so such allow-lists only raise the bar. And, of course, organisations are wary of public cloud storage services like Dropbox because of concerns over the lack of management controls and auditability.
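Policy cannot tell a reprogrammed stick from a clean one, but the behaviour BadUSB was demonstrated with leaves traces on the host: a single device that registers both a mass-storage interface and a keyboard, or a storage device that unplugs itself and reappears on the same port as a keyboard. The script below is an added example, not code from the original post or from any product it mentions. It reads Linux kernel USB messages of the kind printed by dmesg or journalctl -k, groups them by USB port, and flags both patterns. The log lines, the placeholder vendor and product IDs in them, and the 30-second re-enumeration window are constructed for the example.

```python
"""Flag USB devices that mix mass-storage and keyboard behaviour, from Linux kernel log lines.

A BadUSB-style stick keeps serving files but its reprogrammed controller also
registers a HID keyboard, or disconnects and comes back as one.  Both patterns
show up in the kernel's USB messages (dmesg / journalctl -k); this script groups
those messages per USB port and reports the two patterns.
"""
import re
from dataclasses import dataclass, field

# Kernel log line: "[  100.230] usb 1-1: New USB device found, idVendor=abcd, ..."
TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s*(?P<msg>.*)$")
NEW_DEV_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
# "input: <name> as /devices/.../usb1/1-1/1-1:1.0/..." ; the path segment before ":1.0"
# is the port path of the interface that registered the input device.
INPUT_RE = re.compile(r"^input: (?P<name>.+?) as /devices/\S*/(?P<port>[\d.-]+):\d+\.\d+/")

# Assumption for this example: a stick that returns as a keyboard does so within seconds.
REENUM_WINDOW_S = 30.0


@dataclass
class Enumeration:
    """One device appearing on one port: its IDs and the driver roles it acquired."""
    port: str
    vid: str
    pid: str
    first_seen: float
    roles: set = field(default_factory=set)   # subset of {"storage", "input"}


def parse_usb_log(lines):
    """Group kernel USB messages into per-port lists of Enumeration, in log order."""
    by_port = {}
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = float(m["ts"]), m["msg"]
        d = NEW_DEV_RE.match(msg)
        if d:
            by_port.setdefault(d["port"], []).append(Enumeration(d["port"], d["vid"], d["pid"], ts))
            continue
        for regex, role in ((STORAGE_RE, "storage"), (INPUT_RE, "input")):
            r = regex.match(msg)
            if r and by_port.get(r["port"]):
                by_port[r["port"]][-1].roles.add(role)   # attach to the latest device on that port
    return by_port


def find_suspicious(lines, window=REENUM_WINDOW_S):
    """Return (port, 'vid:pid', reason) for devices that mix storage and keyboard behaviour."""
    findings = []
    for port, enums in parse_usb_log(lines).items():
        prev = None
        for cur in enums:
            ident = f"{cur.vid}:{cur.pid}"
            if {"storage", "input"} <= cur.roles:
                findings.append((port, ident, "single device exposes storage and an input (HID) interface"))
            elif (prev is not None and "storage" in prev.roles and "input" in cur.roles
                  and cur.first_seen - prev.first_seen <= window):
                findings.append((port, ident, "storage device re-enumerated as an input (HID) device"))
            prev = cur
    return findings


# Constructed sample log: a stick on port 1-1 that disconnects and returns as a keyboard,
# an ordinary keyboard on 1-2, and a composite device on 2-1.3 that is storage and keyboard
# at once.  Vendor/product IDs are placeholders, not real devices.
SAMPLE_LOG = """\
[  100.101] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[  100.230] usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  100.231] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  100.402] usb-storage 1-1:1.0: USB Mass Storage device detected
[  100.403] scsi host6: usb-storage 1-1:1.0
[  101.010] usb 1-2: New USB device found, idVendor=abcd, idProduct=0002, bcdDevice= 2.10
[  101.120] input: Example Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:ABCD:0002.0001/input/input7
[  104.900] usb 1-1: USB disconnect, device number 5
[  105.300] usb 1-1: new high-speed USB device number 6 using xhci_hcd
[  105.420] usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[  105.550] input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:ABCD:1234.0001/input/input8
[  200.010] usb 2-1.3: New USB device found, idVendor=abcd, idProduct=0003, bcdDevice= 1.00
[  200.200] usb-storage 2-1.3:1.0: USB Mass Storage device detected
[  200.300] input: Composite Stick as /devices/pci0000:00/0000:00:14.0/usb2/2-1/2-1.3/2-1.3:1.1/0003:ABCD:0003.0002/input/input9
""".splitlines()

if __name__ == "__main__":
    for port, ident, reason in find_suspicious(SAMPLE_LOG):
        print(f"port {port} device {ident}: {reason}")
```

On the sample log this reports the stick on port 1-1 (storage, then back as a keyboard five seconds later) and the composite device on 2-1.3, and stays quiet about the ordinary keyboard on 1-2. Keying on the physical port path rather than the vendor and product IDs matters, because a reprogrammed controller can change its IDs between enumerations; the port is the one thing the device cannot choose. A real deployment would feed live kernel messages to the same logic and raise an alert, or detach the device, when a finding appears.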
I believe a better approach is to store confidential data in secured private cloud or on-premises services – such as those offered by companies like Accellion – where it can be accessed only by authorised devices. With data encrypted and access controls always enforced, information can be stored and shared safely, whether the users and devices are at home or in the office. This gives organisations the benefits of easy data sharing, with full control and audit capabilities, without the risk of data breaches.
We've decided to ban all USB drives here at Bridgeway. Perhaps it’s now time for other organisations to also say RIP to USB.