Data on a USB device can be compromised merely by connecting it to a PC. Similarly, connecting an infected USB device to a PC can easily corrupt the host machine itself. This tip explains how.
Universal Serial Bus, commonly referred to by just its acronym USB, is a serial bus standard used to connect devices to a host computer. A bus is a subsystem that transfers data between computers or among computer components. Being a serial bus, USB sends data sequentially one bit at a time. It was created to improve the plug-and-play capabilities of the increasing number of devices people wanted to connect to their computers.
If you remember back to the early days of personal PCs, it was a real chore to connect a new device. It was often necessary to set jumpers, add extra serial or parallel ports, install device drivers and reboot, probably several times. Now thanks to USB, a single standardised interface socket, those days are gone. USB devices can be connected and disconnected without rebooting the computer or turning off the device. It has, of course, been widely adopted as the connection interface of choice, and according to the USB Implementers Forum, as of 2008, there are about 2 billion wired USB devices in the world.
USB, however, is only a standard to interface devices to a host computer. It doesn't provide any security features to filter the data that passes through the connection. In this respect, it is exactly the same as an Ethernet or printer cable; any device connected to a PC via a USB connection can be accessed by an application running on the host PC. Therefore, if the PC has been infected by malware, for example, the malware could access data on a portable hard drive that is connected to the PC via a USB cable. The danger could occur in reverse as well, should a U3-enabled USB drive with auto-launching applications (including malware) connect to a PC could and then access data on the host PC or logs all characters typed on the computer keyboard.
To mitigate these risks, you can disable all USB ports on a PC, but this is rarely practical because the ports may be required for devices such as keyboards and mice. If your organization runs a Windows-based network, then you can control USB drives using Active Directory. Individuals and groups that do not need to use a USB drive can be denied access to the ubstor.pnf and ubstor.inf files through an Active Directory group policy. New to Windows Vista, an administrator can now allow users to install only devices that are on an approved list or deny read or write access to devices that are removable or that use removable media. There are also third-party programs that provide a range of access controls for USB drives.
Hopefully, you can see that USB is merely a means to connect a device to a PC, not to control what the device does. In order to protect the USB device, you will need to provide security measures, which should, of course, be supported by policies that cover and clearly communicate the appropriate use of USB devices.