When paranoia makes sense
We had an interesting office conversation this week after a supplier generously gifted us an office Bluetooth speaker. Someone remarked they would never connect to it. Why? Because they didn’t trust it. But what could go wrong? …and how big is the risk?
A wireless device may not pose the same physical threat as a USB stick (see below), but with Christmas just around the corner I’d like to suggest some rules of thumb for connecting devices to your computer or smartphone.
Never, ever, plug in a random USB device you ‘found’, regardless of how attractive it seems.
If you still have a ‘she’ll be right’ attitude about this, then this will probably change your mind:
The device could be a USB KILLER. When plugged into a USB port, a "USB killer" device rapidly charges its capacitors from the USB port. Then, when it's charged, it discharges -200V DC over the data lines of your device. This will instantly kill almost any computer or electronic device that has a USB port.
Devices like this come from AliExpress for as little as $15, and for an extra hundy the v4 Pro from https://usbkill.com has remote trigger so the attacker can time the damage for maximum effect. Why would anyone do this? Well, I don’t understand why people would throw a Lime scooter into the Avon either…but it happens.
Avoid other people’s USB devices if you can…
This can be difficult – especially when it’s a friend or family member, or if it’s urgent. Maybe you don’t want to appear paranoid, or be teased about wearing a tinfoil hat, but if you can, suggest an alternative sharing method instead. Tell them you’ve been warned that USB sticks can be dangerous, and that AirDrop, Nearby Share, Dropbox, Google Drive, OneDrive etc. are all good options.
Stay healthily paranoid
You shouldn’t take drugs/medicines from an untrusted source or have unsafe sex with a stranger. Similarly, to protect your Internet banking, personal communications, and family photos, don't be careless about your IT security.
Having no condom is inconvenient – but you’re hopefully equipped to choose your action at the time based on how you perceive the risk. Are you suitably equipped to assess the risk of untrusted USB or Bluetooth devices?
The challenge with information security is that the risks keep changing. School never taught us this stuff, and even if it did, it’d be out of date by now. Our mainstream culture is still very blasé about information security.
Cyber-attacks and ransomware are such a huge problem today (just think Waikato District Health Board) that I hope we’ll see a significant culture shift towards better personal information security in coming years. Think:
- Drink driving campaigns in the 1970s, breath tests in 1984, on-the-spot fines in 1988, and sustained advertising campaigns fundamentally changing NZ’s drink driving culture.
- AIDS awareness fundamentally changing the behaviour of gay and bisexual men.
- The 9/11 attacks and the threat of terrorism forever changed air travel.
- Similarly, ransomware and cyber-attacks will fundamentally change the way we view information security.
So, is it okay for us to plug in that shiny new unbranded Bluetooth speaker?
Yeah, probably. The risk is low, but healthy paranoia is still good. It’s about finding the right balance. Almost everyone has a powerful personal computer in their pocket these days (aka a smartphone), and as IT professionals we can help others assess the risk and make good choices.
My main goal right now is encouraging my family and friends to use a password manager. Poor password hygiene poses a much greater threat than an unbranded Bluetooth speaker and we all need to pick our battles.
I still wouldn’t plug in a random USB stick though.