USB drives (also known as thumb drives) are handy little things. They’re great for carrying huge chunks of data around in your pocket. If you’re at a friend’s place, they can give you copies of pictures or other files. It’s often quicker and easier than sending files via email or via the cloud. But they have fundamental security issues that should make you think twice about using them.
It’s not just that the files you’re transferring can carry viruses. That’s a well-known issue which can happen with any file you load onto your computer, and if you have an up to date virus scanner, you should be able to spot those and deal with them. The problem goes deeper than that.
Wired recently reported that security researchers have shown how malware can be hidden in the firmware of the USB stick itself. Even if you delete everything from the device, it can still be toxic. This hidden malware can be used to “completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.” There is no technical fix, warn the experts. Just think very carefully before plugging a USB stick into your device, or putting your USB stick into someone else’s device.
Here at PRR, we stopped about 90% of our thumb drive usage (with untrusted computers) a couple years ago because we didn’t feel it was safe. We now make use of Dropbox and OneDrive to securely transfer files between computers. For our technician tools, we set up a protected page on our web site which provides downloads of all the tools we commonly use. It’s basically like our own cloud thumb drive for tech tools, so we can access whatever we need, whenever we need it, and works great.
When we’re talking to clients, we recommend that you stop using physical media as much as possible to reduce the risk of malware being transferred between computers. USB drives are fine for things you want to share between your own computers and keep private: for example, if you’re copying a large video file or presentation from your desktop to your laptop.
Most of the time, though, it’s far better to use cloud storage for files you need to share, even if it’s a bit slower. It’s safer, and you don’t have to worry about remembering to carry a USB drive. In short, never plug an untrusted USB drive into your computer.