USB Ransomware Attacks: The temptation of finding USB drives and IoT devices

29-03-2022 | By Robin Mitchell

In the US, the FBI has issued a warning to those who may be tempted to insert lost USB drives into their devices of possible cyberattacks, including ransomware. What challenges are posed by dangerous USB devices, is there a way to safely open such devices, and how could resold IoT devices also perform similar actions?

What challenges do rogue USB devices present?

As technological improvements in electronics continue, the price per MB of storage falls. This fall in price shows up in one of two ways: a cheaper USB drive, or a USB drive with more capacity. Chances are most people have a USB drive in their possession, and they are very easy to lose compared to older storage media, including portable hard drives, floppy disks, and CDs. It is not uncommon to find misplaced USB drives in libraries, cafes, or even on the street.

While it may be tempting to take one and view the drive’s contents, only those with expertise in security practices should do so, and only in a controlled environment, as there is a chance that the drive was purposely left to infect an unsuspecting user with malware. Such malware could be purely destructive, wiping user files; a trojan horse that installs backdoors; or, worse, ransomware, whereby the user’s files are encrypted and a one-off payment is the only way to retrieve them.

This kind of attack is becoming increasingly popular because of the many misconceptions about malware and how it gets onto computers. One such myth is that malware arrives only by email through links, and thus a user is safe so long as they do not click any links. Another myth is that malware always comes in the form of obvious executable code, and thus by not running any files on a USB drive, no harm can be done.

However, the truth about malware is that it can be loaded onto systems in a huge number of ways, whether by exploiting a weakness in a firewall, taking advantage of embedded scripts, or even abusing bugs in an OS that allow remote code execution. In the case of viewing the contents of a USB drive, attackers may rename files and change their icons to look like documents or text files when they are in fact executables that, once launched, deliver their payload.

This is particularly troublesome for large corporations, where an unsuspecting employee can infect an office machine that then goes on to infect the entire internal network. In light of such attacks, it is becoming more common for IT staff to disable USB functionality on machines, with the exception of a list of specific approved devices.

Is there a way to safely open such devices?

This is a difficult question to answer, as it depends heavily on the type of attack the USB drive is designed to carry out. For example, some USB drives will hold executable files that look like Word documents, while other, more sinister drives integrate a microcontroller and instead behave as a USB keyboard that can instantly open a terminal and enter commands.

However, we can take measures to protect ourselves while exploring the contents of an unknown USB device. To start, we can assume that any malware on the device would likely be targeted at a Windows machine as they are the most common. As such, the first measure we can take is to view the contents of the USB drive on a Linux system.

The second measure to take is that whatever system is being used to view the contents of the drive must not have a network connection whatsoever. Malware often targets network connections to spread across systems, infect server files, and receive commands remotely.

The final measure, for those who are particularly paranoid, is to open the USB drive itself to see if there are any additional ICs other than the flash memory. Additional ICs could indicate a microcontroller with keyboard capabilities that can launch scripts. Even after all of this, extreme caution must be taken should the drive be used in any other machine that has network capabilities, remote control capabilities, or valuable files.
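One way to apply two of the measures above on an offline Linux analysis machine, the per-device allowlist from the corporate section and a check for a drive that also enumerates as a keyboard, as an added example that is not from the article; the record format, the allowlist entries and the sample devices are constructed assumptions:

```python
# Added example (not from the article): triage an unknown USB device on an
# offline Linux analysis box. Each device is one constructed record like
#   idVendor=0951 idProduct=1666 serial=LAB-DRIVE-001 classes=08
# where 'classes' lists the bInterfaceClass of every interface (USB-IF base
# class codes: 0x03 = HID keyboard/mouse, 0x08 = mass storage). A real run
# would build these lines from /sys/bus/usb/devices; the records below are
# embedded so the script runs with no hardware attached.
CLASS_HID = 0x03           # human interface device: keyboards, mice
CLASS_MASS_STORAGE = 0x08  # ordinary flash-drive storage

# Devices IT has approved for mounting, keyed by (vendor, product, serial).
# Constructed placeholder values standing in for a managed allowlist.
ALLOWLIST = {(0x0951, 0x1666, "LAB-DRIVE-001")}

def parse_record(line):
    """Turn one 'key=value ...' record into a dict with integer fields."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return {"vid": int(f["idVendor"], 16), "pid": int(f["idProduct"], 16),
            "serial": f["serial"],
            "classes": tuple(int(c, 16) for c in f["classes"].split(","))}

def assess(dev):
    """Return (verdict, reasons); 'allow' only for a known, storage-only device."""
    reasons = []
    if (dev["vid"], dev["pid"], dev["serial"]) not in ALLOWLIST:
        reasons.append("not on the approved-device list")
    if CLASS_HID in dev["classes"]:
        # A "drive" that also enumerates as a keyboard can type commands itself.
        reasons.append("exposes a HID (keyboard) interface")
    if CLASS_MASS_STORAGE not in dev["classes"]:
        reasons.append("no mass-storage interface, so not a plain drive")
    return ("block" if reasons else "allow"), reasons

# Constructed samples: an approved drive, an unknown drive, and a device that
# presents storage plus a keyboard interface.
SAMPLE_RECORDS = [
    "idVendor=0951 idProduct=1666 serial=LAB-DRIVE-001 classes=08",
    "idVendor=abcd idProduct=1234 serial=FOUND-IN-CAFE classes=08",
    "idVendor=abcd idProduct=5678 serial=NOSERIAL classes=08,03",
]

def triage(records=SAMPLE_RECORDS):
    """Map each serial to its verdict; a mount policy would act on 'block'."""
    verdicts = {}
    for rec in records:
        dev = parse_record(rec)
        verdicts[dev["serial"]] = assess(dev)[0]
    return verdicts

if __name__ == "__main__":
    for serial, verdict in triage().items():
        print(f"{serial}: {verdict}")
```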

How can re-sold IoT devices present challenges?

It is not just “lost” USB drives that can present challenges to cybersecurity; even second-hand IoT devices could be a point of attack for cybercriminals. The ongoing semiconductor shortage combined with the rising pressure on consumers to upgrade to newer technologies will see customers looking towards second-hand IoT devices.

But these devices could easily be reprogrammed with malicious firmware that performs cyberattacks once connected to a user’s home network. Furthermore, their network connection would readily allow remote attacks, and the device could accept remote commands that let a hacker view the internal network.

This introduces a new challenge to the world of cybersecurity, as verifying the integrity of firmware on IoT devices is not easy, especially if the firmware was written by a hacker from the ground up. For example, the ESP32 is a very common device found in a whole range of products, and its widespread availability makes it an easy target.

Overall, the industry needs to start thinking about ways of preventing devices from being reprogrammed so that they cannot be used as trojans when their ownership changes hands.


By Robin Mitchell

Robin Mitchell is an electronic engineer who has been involved in electronics since the age of 13. After completing a BEng at the University of Warwick, Robin moved into the field of online content creation developing articles, news pieces, and projects aimed at professionals and makers alike. Currently, Robin runs a small electronics business, MitchElectronics, which produces educational kits and resources.