USB drives are one of the easiest ways for cybercriminals to spread malware and infect machines. That is why, when Trump and Kim met for the US-North Korea summit in Singapore, security researchers were alarmed to discover that journalists' swag bags were stocked with portable fans that plug into computer USB ports.
Reporters from all over the world were at the summit. Given their jobs, they would likely be in contact with government and business personnel—essentially access points to high-value targets. As The Washington Post reports, “Hackers and spies can use them (USB drives) as Trojan horses — devices that seem innocuous but are loaded with malware designed to take control of a target’s computer and steal information.”
Because USB drives are renowned for their ability to inflict damage, the US military banned the use of thumb drives in 2008. Around that time, the NSA’s top computer systems protection officer was notified of a hack while in a meeting with President George W. Bush. “The attack was unexpected because classified military systems are not connected to outside networks. The source was isolated to a worm loaded onto a USB key that had been carefully set up and left in large numbers to be purchased from a local internet kiosk,” writes The Conversation.
Supply chain attacks zero in on the least secure element of an organization’s infrastructure. A USB drive can trigger the chain of events, as can an IP phone or a printer. All it takes is one element or one user that’s plugged into the network. From there, the malicious software can spread rapidly and extensively to compromise or steal data.
A researcher who deconstructed the USB fan gadget from the North Korea summit found no evidence of malicious software. But as The Washington Post reports, “He said that malicious actors could have narrowly targeted one reporter who was of special interest out of 100, meaning that most fans may have appeared harmless even as some might have been used to target specific journalists.”
The bottom line: Experts emphasize that users should never use hardware that is found or provided by strangers. Kind of like what your mom used to tell you about candy.
Get the full story at The Washington Post.