PC users pass around USB flash drives like business cards. Unknowingly, they sometimes carry malware infections. We depend on antivirus scans and the occasional reformatting to keep our USB flash drives from becoming the carrier for the next digital epidemic but the security problems with USB devices run deeper than you think. The risk isn't just in what they carry. It’s built into the core of how they work.
The cyber security experts, Jakob Lell and Karsten Nohl, have performed a vulnerability test that makes it extremely difficult for users to defend against USB-based attacks. The current USB standards vulnerability makes it hard to defend against attacks, even if manufacturers starting developing additional security layers. Significantly, an empty USB flash drives can even contain malware even if it's formatted - a troubling sign for many of the companies that rely on flash drives to transfer data.
"USB is ubiquitous across all devices," said Mike McLaughlin, First Base Technologies, in a statement to BBC. "It comes down to the same old saying - don't plug things in that you don't trust. On every business there should always have policies in place regarding USB devices and USB drives. Businesses should stop using them if needed."
Unfortunately, even with a growing number of cloud solutions - which have their own security concerns - many employees will still save and transfer documents using USB drives.
It's very unclear exactly how USB flash drive manufacturers will respond to the addressed issues, but the more immediate answer may simply be a more careful approach to how we use the drives. That's bad news for lots of projects — including live-boot systems like Tails, which typically reside on USB drives — but it would keep users safe from scary attacks from all corners, including possibly the NSA. As researcher Matt Blaze points out, the Snowden documents revealed a number of USB-based attacks used by the NSA, which may rely on the same vulnerability.
For best practices, never use USB flash drives on copying from one place to another on or off corporate scale and accessing the files using Unix based operating systems should be good enough.