In Depth

Drives and Ambition

USB drives are great for exchanging sensitive documents, but how safe are they?

By Simson Garfinkel

August 01, 2004 CSO — USB drives (those cheap, thumb-size storage devices that plug in to laptops and desktops) are reasonably cheap, reusable, fast, durable and much more convenient to carry around than a stack of CD-ROMs. They work on Macs, PCs and even Linux-powered laptops. And these little devices are just the thing for exchanging sensitive documents, information that's far too important to send by e-mail.

During the past two years, in fact, USB drives have become an incredibly popular way to exchange information. This past spring, for instance, I was teaching a class that had a "no student grades may be sent by e-mail" policy. When one of the professors needed an electronic copy of the roster listing every student's final grade, I simply popped a 64MB drive into my laptop, dragged the file in question to the drive's icon, pulled the drive and plopped it into his hand. As demonstrated by my little exchange with the good professor, physically handing someone a confidential file means that you don't need to worry about VPN settings, e-mail encryption, misaddressed messages or unscrupulous exchange administrators.

But USB drives have a dark side: a range of security problems resulting from the very factors that make them convenient. The problems are so significant that some organizations have tried to outlaw them. Others are trying to minimize the danger through a combination of education and technology.

The First Risk: Data Theft

The obvious risk of high-capacity portable storage is that someone will walk into your organization, slap a USB drive onto one of your computers, copy a few choice documents, then walk away with your goods. Such theft is a real risk, although it's a risk that's not unique to USB.

Back in 1992, a friend of mine walked into a trade show in San Francisco, hot-wired a portable hard drive to the back of a Unix workstation and copied the prerelease operating system that the workstation vendor was demonstrating on the exhibit floor. Fortunately my friend wasn't interested in industrial espionage. He was a journalist who wanted a copy of the operating system for an article he was writing. (The vendor had been less than cooperative.) The whole operation took about 20 minutes, and it happened right under the nose of the company's vice president of marketing.

Today this sort of attack has gone mainstream. Shortly after the release of the Apple iPod, for instance, computer stores started reporting that the portable music player had become a tool-of-choice among software pirates. iPod-equipped thieves were walking into stores, connecting their players to the Macintosh computers on the store floor, and making off with fully enabled copies of Microsoft Office and Adobe Photoshop.
