USB flash drive security
||This article includes a list of references, but its sources remain unclear because it has insufficient inline citations. (September 2009)|
Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage capacities.
An increasing number of portable devices are used in business, such as laptops, notebooks, universal serial bus (USB) flash drives, personal digital assistants (PDAs), advanced mobile phones and other mobile devices.
Companies in particular are at risk when sensitive data are stored on unsecured USB flash drives by employees who use the devices to transport data outside the office. The consequences of losing drives loaded with such information can be significant, and include the loss of customer data, financial information, business plans and other confidential information, with the associated risk of reputation damage.
Major dangers of USB drives
USB flash drives pose two major challenges to information system security: data leakage owing to their small size and ubiquity; system compromise through infection from computer virus and other malicious software.
The large storage capacity of USB flash drives relative to their small size and low cost means that using them for data storage without adequate operational and logical controls can pose a serious threat to information confidentiality, integrity, and availability. The following factors should be taken into consideration for securing USB drives assets:
- Storage: USB flash drives are hard to track physically, being stored in bags, backpacks, laptop cases, jackets, trouser pockets, or left at unattended workstations.
- Usage: tracking corporate data stored on personal flash drives is a significant challenge; the drives are small, common, and constantly moving. While many enterprises have strict management policies toward USB drives, and some companies ban them outright to minimize risk, others seem unaware of the risks these devices pose to system security.
The average cost of a data breach from any source (not necessarily a flash drive) ranges from less than $100,000 to about $2.5 million.
- customer data (25%)
- financial information (17%)
- business plans (15%)
- employee data (13%)
- marketing plans (13%)
- intellectual property (6%)
- source code (6%)
Examples of security breaches resulting from USB drives include:
- In the UK:
- HM Revenue & Customs lost personal details of 6,500 private pension holders
- In the United States:
In the early days of computer viruses and malware the primary means of transmission and infection was the floppy disk. Today, USB flash drives perform the same data and software storage and transfer role as the floppy disk, often used for transferring files between computers which may be on different networks or in different offices, owned by different people; this has made USB flash drives a leading form of information system infection. When a piece of malware gets onto a USB flash drive it may infect the devices into which that drive is subsequently plugged.
The prevalence of malware infection by means of USB flash drive was documented in a 2011 Microsoft study  analyzing data from more than 600 million systems worldwide in the first half of 2011. The study found that 26 percent of all malware infections of Windows system were due to USB flash drives exploiting the AutoRun feature in Microsoft Windows. That finding was in line with other statistics, such as the monthly reporting of most commonly detected malware by antivirus company ESET, which lists abuse of autorun.inf as first among the top ten threats in 2011.
The Windows autorun.inf file contains information on programs meant to run automatically when removable media (often USB flash drives and similar devices) are accessed by a Windows PC user. The default Autorun setting in Windows versions prior to Windows 7 will automatically run a program listed in the autorun.inf file when you access many kinds of removable media. Many types of malware copy themselves to removable storage devices: while this is not always the program’s primary distribution mechanism, malware authors often build in additional infection techniques.
Examples of malware spread by USB flash drives include:
Since the security of the physical drive cannot be guaranteed without compromising the benefits of portability, security measures are primarily devoted to making the data on a compromised drive inaccessible to unauthorized users and unauthorized processes, such as may be executed by malware. One common approach is to encrypt the data for storage, and routinely scan drives for malware with an antivirus program, although other methods are possible.
Software solutions such as dm-crypt, FreeOTFE, Data Protecto and TrueCrypt allow the contents of a USB drive to be encrypted automatically and transparently. Also, Windows 7 Enterprise and Ultimate Editions and Windows Server 2008 R2 provide USB drive encryption using BitLocker to Go. The Apple Computer Mac OS X operating system has provided software for disc data encryption since Mac OS X Panther was issued in 2003 (see also: Disk Utility).
Additional software can be installed on an external USB drive to prevent access to files in case the drive becomes lost or stolen. Installing software on company computers may help track and minimize risk by recording the interactions between any USB drive and the computer and storing them in a centralized database.
Some USB drives utilize hardware encryption in which microchips within the USB drive provide automatic and transparent encryption. Some manufacturers offer drives that require a pin code to be entered into a physical keypad on the device before allowing access to the drive. The cost of these USB drives can be significant but is starting to fall due to this type of USB drive gaining popularity.
Hardware systems may offer additional features, such as the ability to automatically overwrite the contents of the drive if the wrong password is entered more than a certain number of times. This type of functionality cannot be provided by a software system since the encrypted data can simply be copied from the drive. However, this form of hardware security can result in data loss if activated accidentally by legitimate users, and strong encryption algorithms essentially make such functionality redundant.
As the encryption keys used in hardware encryption are typically never stored in the computer's memory, technically hardware solutions are less subject to "cold boot" attacks than software-based systems. In reality however, "cold boot" attacks pose little (if any) threat, assuming basic, rudimentary, security precautions are taken with software-based systems.
The security of encrypted flash drives is constantly tested by individual hackers as well as professional security firms. At times (as in January 2010) data on flash drives that have been positioned as secure were found to have a bug that potentially could give access to data without knowledge of the correct password.
Flash drives that have been compromised (and fixed) include:
- SanDisk Cruzer Enterprise
- Kingston DataTraveler BlackBox
- Verbatim Corporate Secure USB Flash Drive
- Trek Technology ThumbDrive CRYPTO
All of the above companies reacted immediately. Kingston offered replacement drives with a different security architecture. SanDisk, Verbatim, and Trek released patches.
In commercial environments, where most secure USB drives are used, a central/remote management system may provide organizations with an additional level of IT asset control, significantly reducing the risks of a harmful data breach. This can include initial user deployment and ongoing management, password recovery, data backup, remote tracking of sensitive data, and termination of any issued secure USB drives. Such management systems are available as software as a service (SaaS), where Internet connectivity is allowed, or as behind-the-firewall solutions.
- Health Insurance Portability and Accountability Act (HIPAA) (Moving confidential data requires encryption.)
- Cruzer Enterprise
- Data remanence
- Kingston Technology
- ENISA (PDF), June 2006
- Secure USB flash drives. European Union Agency for Network and Information Security. 1 June 2008. ISBN 978-92-9204-011-6. Retrieved 21 July 2014.
- SanDisk Survey, April 2008
- Swartz, Jon (16 August 2006). "Small drives cause big problems". USA Today.
- Watson, Paul (18 April 2006). "Afghan market sells US military flash drives". Los Angeles Times.
- Microsoft Security Intelligence Report Volume 11, January-June, 2011.
- Global Threat Report, December 2011.
- ESET discovers second variation of Stuxnet worm. Network World, July 2010.
- Stuxnet, Flamer, Flame, Whatever Name: There’s just no good malware. ESET Threat Blog, June, 2012.
- "How to create a password-protected (encrypted) disk image in Mac OS X 10.3 or later". Accessed 2 May 2010.
- Hardware-Encrypted Secure Flash Drive, GoldKey (January 2013)
- White Paper: Hardware-Based vs. Software-Based Encryption on USB Flash Drives, SanDisk (June 2008)
- "freeotfe.org". freeotfe.org. Retrieved 2014-02-10.
- [dead link]
- "Verbatim Europe - Data Storage, Computer & Imaging Consumables". Verbatim.com. Retrieved 2014-02-10.
- Analysis of USB flash drives in a virtual environment, by Derek Bem and Ewa Huebner, Small Scale Digital Device Forensics Journal, Vol. 1, No 1, June 2007 (archived from the original on October 19, 2013)
- Dataquest insight: USB flash drive market trends, worldwide, 2001–2010, Joseph Unsworth, Gartner, 20 November 2006.
- Computerworld Review: 7 Secure USB Drives, by Bill O'Brien, Rich Ericson and Lucas Mearian, March 2008 (archived from the original on February 17, 2009)
- BadUSB - On Accessories that Turn Evil on YouTube, by Karsten Nohl and Jakob Lell