Mar 17 2015

Beware Of Strange Devices

Honestly, if you are security conscious or just generally paranoid, this is likely a belief you hold near and dear. I still remember people on my earliest IT teams having an isolated computer that was used for triaging “foreign” media, things like memory sticks and USB drives that someone wanted to use on our network. The reasoning was simple – if the device in question had malicious code on it, either known or unknown, only the isolated computer would be impacted.

But what if the device in this example, a USB thumb drive, contained not malicious code but malicious hardware? And, instead of creating a mess and requiring time and software to clean up, the end result could very well be a completely fried computer?

This isn’t a pipe dream, and it is not a work of fiction. A proof of concept device has actually been built by someone who had heard of such devices before, but decided to see for himself if, in fact, said device could be built and actually work. The short answer is yes. As to how? The thumb drive contains hardware that converts the electrical charge given off by the USB port and then stores it in transistors, which are in turn discharged back into the computer in a cycle. The end result is that way too much current flows back into the computer, plenty to fry delicate and critical circuit boards and even the CPU.

Moral of this tale? Unless you know, with certainty, the origins and provenance of a device being plugged into your computer, you’d be wise to treat any device as a possible vulnerability. While that stance will no doubt seem paranoid to some, any professional who takes IT security seriously will recognize it as a wise move. If you don’t know or trust where it came from, you have to assume the worst. Similarly, if you just happen to find a device lying around, even if curiosity has you wanting to mount the drive and peruse its files in an effort to find the owner, resist at all costs. While the most likely scenario may be that an employee simply dropped the device, there’s nothing to say an enterprising hacker didn’t physically gain access to your space, intentionally leaving a device behind in the hopes that a company employee would be curious enough to plug in the trojan horse for him. It only seems impossible until it happens, at which point you are in damage control mode.

When in doubt, assume the worst and quarantine the device until proven safe.