The Hidden Dangers of Public USB Ports
Over the past twenty-five years, there has been an explosion in mobile device usage, particularly among business users. The roots of that revolution go back to 1994, with the invention of the humble USB port. The purpose of USB was to create a single jack-of-all-trades port to connect peripheral devices to computers. USB also includes the ability to transmit power, which quickly made USB the default charging mechanism for most mobile devices. However, there is a hidden danger involved with using a charging system that also doubles as a data connection. Something the average user is not aware of. Unfortunately, hackers are.
As a result, there has been a wave of cybersecurity incidents using USB ports as an attack vector. It is a threat so large that the US Federal Bureau of Investigation recently had to issue a warning about using public USB charging stations.
For businesses, public USB ports are not the only USB-based attack vector they need to worry about. This article goes in depth into not only the hidden dangers of public USB ports, but also the other ways hackers exploit USB ports to gain access to business data and networks.
How Hackers Exploit Public USB Charging Stations
A public USB charging station can be a lifesaver when a mobile device runs low on power. Unfortunately, there are a variety of ways that hackers can manipulate USB charging stations to infiltrate any device plugged into them. It is a phenomenon so common these days that it has a name—juice jacking.
One of the most common methods of juice jacking is when an attacker leaves an altered charging cable plugged in at the station. To the passer-by, it may seem like a kind act by a benevolent stranger. Instead, it is a trap. By adding an inline data storage device to the USB cable, the attacker can inject malware into any device plugged into it.
That is not all. Depending on the charging station’s location, an attacker might even gain access to the USB port’s wiring. They can then install a hidden data storage device that would affect devices even when they use their own charging cables. It is a type of attack that is almost impossible to detect until it is too late.
How To Protect Devices While Using Public USB Chargers
The best way to guard against a compromised public USB charging station is to avoid using them all together. However, if that is not an option, there are a few things that can be done to stay safe. The best option is to use a USB data blocker. It is a device that acts like a firewall between a device and the charging port. It is also important not to use a charging cable belonging to someone else.
Another safe option is a portable power bank, which can be used to give a device a power boost when it needs it. A power bank can also be charged using a public charging station. Since there is no data functionality built into a power bank, it can serve as an effective buffer between a device and a public USB charging station.
Other USB Attack Vectors
Business owners do not only have to worry their company devices being plugged into public USB charging stations. They should also be careful of the USB ports inside their company’s facilities. Any of them could provide a simple route into their network if accessed improperly.
A USB port on a computer in a public area provides an inviting target for an attacker. All they have to do is plug in a USB flash drive with malware preloaded on it. Since most PCs automatically access flash drives upon connection, that is all it would take to compromise the PC.
Or, the attacker could use a simple, off-the-shelf USB stick that can either execute preprogrammed attack scripts or silently copy user credentials from web browsers in a matter of moments.
Businesses should also be wary of foreign USB sticks ending up inside their facilities. This is because hackers often drop flash drives in company parking lots in the hope that some unwitting employee will pick one up and plug it into their work PC to see what is on it. These so-called drop attacks are more common than ever, with an estimated 63% of all businesses worldwide reporting at least 1 drop attack in 2021.
Defending Against Common USB Attack Vectors
The most foolproof way for businesses to defend against common USB attack vectors is to disable as many USB ports as possible on devices within their facilities. It is a good idea to disable USB ports on devices in public areas as a matter of policy. Plus, USB ports on devices in private employee offices should be under strict control, as well.
In most cases, the most flexible way to handle the threat of unauthorized USB devices is to deploy endpoint protection software that can monitor and control USB port usage. That way, the business can define which devices an end-user can plug into USB ports. Additionally, most endpoint protection systems also offer real-time activity monitoring that can detect a USB-based attack and halt it before it can do any damage.
It is also a good idea to create a strict policy forbidding the use of outside USB devices on work computers. For employees who require flash drives to transport data to and from their PC, the business should provide those drives and document their provision. Encryption should also be deployed on these devices to protect the data they contain.
Striking the Balance Between USB Convenience and Safety
At the end of the day, the reason that USB ports offer such appealing targets for hackers is their ubiquity. Since people frequently need places to charge devices on the go, public charging stations offer hackers the opportunity to target countless devices with very little effort. Additionally, inside offices, the fact that almost every modern computing device has at least one onboard USB port means that attackers only need a single user to make a careless mistake to gain access to a protected business.
The best solution to this problem is a combination of education, common-sense restrictions, and vigilance. That is where Outsource IT can help. We offer managed IT services that includes device security and monitoring options. We also offer comprehensive IT services with proactive cybersecurity for businesses which already have in-house IT staff. Whatever the need, all you have to do is contact an Outsource IT account manager, so they can design a service plan that meets your business’s exact needs.