Are thumb drives a real cyber threat?

Are stories of cyber attacks via malicious thumb drives for real, or some sort of scary urban legend?

By Peter Welander July 20, 2012

Dear Control Engineering: I was reading about cyber criminals trying to gain access to industrial systems by leaving USB thumb drives loaded with malware around the parking lot. Come now, does that sort of thing really happen, or is that a scary bedtime story?

In a word, yes, it does indeed happen. This is one social engineering attack vector that has been used because people are often more curious than they are cautious. By the time you know what’s on the thumb drive, it’s too late. This kind of attack vector can be very effective. It is particularly useful for networks that have strong perimeter defenses or are effectively isolated. Remember Stuxnet? Matt Luallen compares this to finding a syringe lying on the ground and injecting yourself with whatever is in it or taking candy from strangers. Most people are too smart to do that, we hope.

There was a recent report of an incident at a chemical plant in the Netherlands where this very thing happened. Alas, for the hackers, it was a defeat. In a victory for good security training, the individuals who found the suspect drives took them to their IT people rather than plugging them into the control system. They were indeed loaded with malware, specifically a keylogger that captures passwords and sends them to the hackers.

Chalk one up for the good guys.

Peter Welander, pwelander@cfemedia.com