Universal Serial Bus, or just USB, is one of the most widely adopted industry standards for computer peripherals and is used for everything from keyboards and mice to external storage devices like thumbdrives.
The upsides are obvious: standardised connectors are interchangeable between systems and the backward compatibility is a big bonus.
However, the USB drive, a popular and portable storage device, is often weaponised by bad actors, and in one case, literally.
In March this year, reports surfaced about an incident in Ecuador where a journalist had a USB drive explode in his face.
Fortunately, Lenin Artieda only suffered light injuries, mainly to his face and hands.
The USB drives were mailed to Artieda, a TV presenter, and four other journalists, but theirs didn’t explode, perhaps because they didn’t plug in the drives or the cops intercepted them in time.
It is believed that the USB drive contained a 1cm long capsule with plastic explosive, with just half of the payload going off in the explosion.
It was reported that the office of the Ecuadorian attorney general acknowledged that a terrorism investigation had been initiated in response to the incident.
However, most attacks carried out through a USB drive are less physically hazardous, but no less harmful.
The FBI issued a notice early last year over USB drives sent by the hacker group FIN7 through the United States Postal Service (USPS) and United Parcel Service (UPS).
To trick the recipients into thinking the drives were legitimate, they were packaged with typical gift items like teddy bears.
At times, the FIN7 hackers would even employ social engineering, disguising themselves as Amazon workers or representatives of the US Department of Health and Human Services to convince targets.
Once plugged into a computer, the USB drives present themselves as a human interface device (HID) and function as a keyboard, allowing hackers to key in commands and infect the computer with malware.
Compromised computers will typically have their data stolen and be infected with other types of malware via remote access or a backdoor created by the USB drive.
FIN7 also used the compromised hardware to infect other workstations in the network – in April this year, it used the compromised computers to infect other machines with the Clop ransomware.
Ransomware gangs have also made use of the Clop ransomware in other attacks to prey on various targets, including two Prudential companies in Malaysia, via the high-profile MOVEit file transfer service hack.
More recently, cybersecurity firm Check Point Software discovered that a European healthcare institution had been infected through a USB drive belonging to a staff member.
The thumbdrive was infected with malware during an overseas conference, eventually finding its way to the institution.
These attacks can also come in a more primitive form, namely, a USB drop.
As the name suggests, it literally involves dropping USB drives on the ground and in the vicinity of the target, like at a parking lot used by a business or a government body.
A notable example of a USB drop is the Stuxnet worm attack on a nuclear facility in Iran back in 2010, which occurred because an employee picked up an abandoned USB drive and plugged it into his workstation.
As a result of the infection, several centrifuges at the facility began to fail and computers started crashing.
Earlier in 2008, the US military ended up leaking sensitive data to a remote server after a USB drive found in the parking lot of a military base in the Middle East was plugged into a laptop.
It took the Pentagon 14 months to clear its systems of the infection, which was described at the time as the worst cyberattack in the US military’s history.
And then there is the USB Killer, a device capable of actually damaging and “killing” the computer it’s plugged into by discharging a powerful surge of electricity into the USB port.
A student at the College of Saint Rose in New York used one such device to destroy 66 computers belonging to the institution. The student was sentenced to a year in prison and required to pay for the damages.
While not quite as bad as getting hit by malware or an exploding USB stick, unusually cheap USB drives being sold online are also something to be wary of.
Fraudulent vendors have been known to sell lower-capacity drives with modified firmware that falsely reports a much higher storage size when plugged into a computer.
They could, say, appear as a 2TB storage device and function fine at first, but once the data written exceeds the actual size, the drive will start overwriting older files since it does not actually have the reported capacity.
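One way to catch such a drive before trusting it with data is to fill the whole reported capacity with position-dependent data and then read everything back. The Python sketch below is an added example, not from the original article; `FakeCapacityDrive` is a constructed in-memory stand-in that assumes the wrap-around overwrite behaviour described above, and the block counts are kept tiny so it runs instantly.

```python
import hashlib

BLOCK = 4096  # bytes per test block


class FakeCapacityDrive:
    """Constructed stand-in for a drive whose firmware reports more blocks
    than it has. Writes past the real capacity wrap and overwrite old data."""

    def __init__(self, reported_blocks, real_blocks):
        self.reported_blocks = reported_blocks
        self._real = real_blocks
        self._store = {}

    def write(self, index, data):
        if not 0 <= index < self.reported_blocks:
            raise IndexError(index)
        self._store[index % self._real] = data

    def read(self, index):
        return self._store.get(index % self._real, bytes(BLOCK))


def pattern(index):
    """Deterministic block content unique to its position on the drive."""
    return hashlib.shake_128(index.to_bytes(8, "big")).digest(BLOCK)


def verify_capacity(drive):
    """Write every reported block first, then read all of them back.

    Reading only after the full write pass is what exposes wrap-around:
    early blocks look fine until later writes silently replace them.
    Returns (blocks_that_survived, first_bad_index_or_None).
    """
    for i in range(drive.reported_blocks):
        drive.write(i, pattern(i))
    bad = [i for i in range(drive.reported_blocks)
           if drive.read(i) != pattern(i)]
    return drive.reported_blocks - len(bad), (bad[0] if bad else None)


if __name__ == "__main__":
    for label, drive in (("honest", FakeCapacityDrive(64, 64)),
                         ("fake", FakeCapacityDrive(64, 16))):
        good, first_bad = verify_capacity(drive)
        print(f"{label}: reported {drive.reported_blocks * BLOCK} bytes, "
              f"verified {good * BLOCK} bytes, first bad block {first_bad}")
```

On the constructed fake drive only the most recently written blocks survive, so the verified size equals the real capacity and the oldest data is what gets lost.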
All in all, always be careful of suspiciously cheap high-capacity USB drives and never plug a random USB stick you find into your computer.