An Ecuadorian journalist has been injured by a bomb hidden inside a USB drive, according to AFP. Lenin Artieda, a television journalist, received an envelope containing what “looked like a USB drive,” the BBC reported. When he loaded it into his computer, it exploded. Fortunately, Artieda only sustained “slight injuries,” AFP reports, and no one else was hurt in the targeting campaign, which included “at least five journalists.”
While this is an incredibly extreme example, it is an important reminder to never insert strange USB devices—and especially USB pen or thumb drives—into your computer. The most commonplace threat they pose is that they could come packed with malware. It’s called a USB attack, and they rely on the victim willingly inserting a USB device into their computer. In some cases, they’re being Good Samaritans and trying to return a USB drive to someone who’s lost it. In others, they’re lied to and told the USB drive has a list of things they can spend a gift card on, or even confidential or important information.
However it happens, once the target inserts the USB device, the hackers and other bad actors have gotten what they want. USB devices provide them with multiple ways to ruin your day. In fact, researchers at Ben-Gurion University of the Negev in Israel identified four broad categories of attack.
Type A attacks are where one USB device, like a thumb drive, impersonates another, like a keyboard. When you plug it in, the keyboard automatically sends keystrokes that can install malware, take over your system, and basically do whatever the attacker wants. It’s called a Rubber Ducky attack, which is a pretty cute term for something that can cause a lot of problems.
Type B1 and B2 attacks are similar. Instead of impersonating a different USB device, the attacker either reprograms the USB drive’s firmware (B1) or exploits a software bug in how the computer’s operating system handles USB devices (B2) to do something malicious. Finally, type C attacks deliver a high-powered electrical charge that can destroy the computer.
In any case, these attacks aren’t theoretical. Infected USB keys were used to take down Iranian nuclear centrifuges. They’ve also been used to infect US power plants and other infrastructure, like oil refineries. And it’s not just heavy industries that are affected—banks, hospitality providers, transport companies, insurance providers, and defense contractors have all been targeted over the past few years with USB drives sent through the mail.
While email is still the most common method of malware delivery and most attacks target large companies, small businesses and individual users should still be careful. Ransomware in particular is a very real threat at the moment.
So what do you do if you find a USB key abandoned on the ground? Well, your best bet is to pop it in the nearest trash can—or better yet, send it to an e-waste recycling center. Whatever you do, don’t plug it into your computer.
If you receive a USB key in the mail, you should do much the same—unless you are expecting one from someone you trust.
Even the free USB keys that companies give out at conferences likely should be treated the same way. It’s too easy for a bad actor to sneak in, pretend to be working for a firm at the show, and hand out loads of malware-infected devices.
And if you do insist on plugging it in, check out our guide on how to do it as safely as possible. It’s still can be a risky gambit—and it doesn’t mitigate risk from, in what’s certainly a very rare case, an explosive device—but at least the chance of your PC getting infected with malware will be reduced.