ETS - Erb's Technology Solutions, Connecting People with Technology

5 Ways Your USB Stick Can Be a Security Risk

October 29, 2018

5 Ways Your USB Stick Can Be a Security Risk

October 29, 2018

It might store as little as 256 MB or as much as 256 GB, but as useful as your USB stick is, it can prove to be a major security risk.


Major security incidents, viruses, and USB-specific malware are among the risks you face. While these can be mitigated by adopting good practices, it’s important to appreciate just what is at stake if you don’t take steps to secure your USB flash drive.


1. Losing Your USB Stick

Perhaps the most well-known security risks concerning USB flash devices are those that occur when a device is lost.

If you have password protected — or better still, encrypted — your USB flash device, then you should not be overly concerned when you lose it. Assuming you’ve still got the data backed up elsewhere, you’ll be fine. It’s astronomically unlikely that anyone will be able to break the encryption (certainly not using modern, commercially available hardware) so your data will remain safe whether the device is lost or stolen.

But losing a USB flash device without password protection is another matter entirely. We’re talking major security issues here, depending on the importance of the data stored. Of course, if it’s just your resume, you might not be overly concerned; on the other hand, these can be very personal documents, especially if it’s in draft.

Say you’re carrying sensitive data for your employer on a USB stick. Losing the device could result in a security incident being declared, internal investigation and perhaps a reprimand — or even the loss of your job.

The simple way to avoid losing a USB stick is to make sure it is stored securely on your person. Perhaps an inside pocket or somewhere it cannot be seen. It should also be placed where it will not be damaged, as excessive shock or pressure can break or corrupt the data.

2. Finding a USB Stick

Just as concerning, but in a completely different way, is the security risk of finding a USB flash drive. “But, free stuff!” you’re probably thinking, and yes, potentially it is. Unfortunately, a USB flash drive can be used to fool you into loading malware onto your computer.

A study has shown that almost 50 percent of people who find a USB flash device insert it into their computer without taking any precautions. Only security experts should be checking the contents of a found USB flash drive. Secure PCs with sandboxing and specialized security software should be used, not your laptop.

While some anti-virus software can protect autorun malware from infecting your PC from a USB flash device, this might not work if your system is not up-to-date. So, if you find a USB flash drive, leave it alone, or put it in the bin. Perhaps put a call out on social media for the owner.

But don’t plug it in.

3. Giving a USB Stick to Someone

Perhaps you just received a new USB flash device and have decided that your older stick is no good for your purposes. If so, you might be thinking 

about selling or giving it away. While you might make enough small change for a light lunch, the most important thing on your mind should not be profit.

Instead, you should be thinking about data security. Have you deleted the contents of the disk? If so, was the data securely removed? Whether you’re giving the device to a friend or a stranger, you should certainly take the time to fully delete the contents.

4. USB Specific Malware

While we’ve considered the risks of inserting a found USB flash drive into your PC, you need to know about the malware that can be run. Some standard Trojans and worms can be found auto-running, and these will attain a good level of success without security software on your PC.

And then there’s BadUSB.

Fortunately created by security researchers who kept the source code to themselves, BadUSB is nevertheless a good demonstration to hackers. Stored on the firmware of USB devices (which includes keyboards and phones as well as flash drives), it is virtually undetectable, and can result in a targeted PC being hijacked.

This isn’t an attack that is likely to be used on Joe Public. But the BadUSB proof of concept shows that an infected USB device could be used to target an individual. Perhaps someone working for a bank, or a military contractor.

4. Know Your USB Stick

Safe storage of your USB flash device is vital, but so is recognition. Security and privacy can be breached in embarrassing manner if you pass a USB stick to a colleague that turns out to have some salacious images of your partner stored on it.

And in your bag, the USB disk with the sales report on it still sits.What To Do with That Found USB Stick

Often USB sticks are very difficult to tell apart. Unless they have been given a particularly ostentatious design (Lego, wood, etc), then it is easy to get them muddled up. Applying sticky labels is one option, but you might also consider having specific storage areas for them. Keep your personal drives separate from the ones you use for work, and always check the contents of a drive before handing it to someone else.

Just to be sure!