USB Stick Social Engineering – Peace Summit Style?

Monday, June 11th was a historic day.
It will go down in history as the day that The US’s President Trump and North Korea’s Kim Jong-un began to work towards some degree of peace and understanding between two nations that have long been at odds.
We won’t use our digital ink to expound on the significance or non-significance of the meeting. We won’t get into whether or not the US conceded too much or if it was a rousing success for either side. We won’t even talk about Dennis Rodman’s MANY piercings.
Sneaky Swag?
No, we’re here to talk about the goodie bags that were given out to the myriad international journalists covering the historic event. In a generous gesture by the Singapore Communications Ministry (SCM), small gift bags that contained a bottle of water bearing the likeness of Trump and Kim Jong-un, a Singapore Tourism guide, a free trial to a local newspaper and a tiny hand-held fan that plugs into a mini-USB port were handed out to all official reporters.
Pretty typical as far as welcoming swag goes.
But let’s go back to that tiny fan. Sure it’s important to stay cool in a place as balmy as Singapore in the early Summer. It sure was nice of the SCM to consider that perhaps journalists coming from more temperate climates like oh, Alaska, might need some way to cool down quick if they start to overheat. But the fact that it plugs into a USB port has a whole lot of security experts worried.
USB Sticks – Social Engineering 101
After a Dutch journalist posted a picture of his fan on Twitter, cyber security experts began to warn journalists of the potential dangers associated with USB sticks. Noted security journalist Barton Gellman advised everyone to throw their fans away or give them to a local university computer science department for a “class exercise”. And security expert Rickey Gevers tweeted: “All accredited journalists get a free USB fan. Oh man, this is classic!”
And if the USBs do actually contain malware, it is indeed a classic social engineering move, one that security experts have been warning people about for ages. While we shouldn’t rush to pass judgement, it’s not such a far-fetched idea that certain people might want to keep tabs on what journalists are writing regarding such a politically loaded event.
Any USB device can carry and spread malware. A typical USB stick ploy goes something like this: An infiltrator with malicious intent leaves USB sticks lying around in places where the intended victims are pretty much guaranteed to find them, like office parking lots, cafe tables or university libraries. Attackers hope that human curiosity will trump logic and that the finder will stick that USB into his or her device to see what’s on it. To up the ante, sticks usually bear enticing labels like “Salaries.2018” or “Pictures from Hawaii Vacation”, because they know that people generally can’t  pass up the chance to see information they aren’t privy to.
The University of Illinois Urbana-Champaign USB Study
Think you’re too smart to fall for such a rouse?
In the now famous University of Illinois study whose results were presented at BlackHat in 2016, Google’s head of Anti-abuse Elie Bursztein and his research team planted USB sticks around the Urbana-Champaign campus and tracked victim interaction with the sticks. They found that almost 95 percent of the sticks were picked up and worse still, almost half of those were plugged in eventually. None of the files on the ones planted by Bursztein‘s team were actually malicious but that’s irrelevant; what matters is that USBs are foreign objects that have the distinct potential to compromise data and most people don’t think twice about the risks they bring.
When it comes to social engineering, it turns out that most people aren’t “too smart to fall for it”. If even the most savvy thinkers can get taken for a ride, you can too if you aren’t taking the proper precautions. So the next time you need to transfer data, make sure you use a USB stick that you know you can trust. Newer models have fingerprint authentication which will prevent anyone else from using yours. Never use the same sticks for work and home – if one network has malware on it, you’ll wind up infecting the other one as well. And although it should be self-evident, don’t go plugging in random USB sticks.
Much Ado About Nothing?
According to the SCM, there is nothing to worry about as the fans have no storage or memory — the port is there simply to charge the devices. So all this hullabaloo may prove to be pure paranoia — but when it comes to events of such great significance, there is always a chance that someone may try to get their hands on something they shouldn’t have access to. In the words of Joseph Heller, just because you’re paranoid doesn’t mean they aren’t after you.