How small is the smallest computer on the market today? As small as your thumb, according to flash drive developer, U3.
U3 Smart Drives are USB drives that not only allow users to transport documents and data files, but also complete applications which are installed, configured and ready to run on any available PC. Along with office documents and family pictures, users can load personal applications with their settings, usernames, passwords and bookmarks already configured.
The addition of the Disk-On-Keys feature to existing USB devices revolutionized USB flash drives, making them “smart” and active as opposed to traditional passive storage devices. This U3 technology has become so popular that it is automatically built in to many of the flash drives currently on the market. A person buying a flash drive today may not even be aware that the USB drive being purchased is a U3 device. However, while U3 capabilities empower users and improve their productivity, smart devices may also introduce new security threats to the enterprise’s IT infrastructure.
U3 smart drives consist of two key components: a read-only special partition on the device, and pre-installed, packaged applications.
The read-only partition is started automatically when a user connects the device to the host computer – with or without administrator privileges. The U3 Launchpad is then loaded and appears on the taskbar, listing the applications available on the U3 Smart Device.
The packaged applications are stored on the writable partition of the U3 smart drive. These applications come pre-installed, with all the required files packaged neatly in one file. Users can easily add applications to the drive and can transport favorite programs, personal settings and preferences.
To the enterprise’s IT infrastructure, smart devices pose new threats. A user connecting a drive to a computer can run his or her own applications, regardless of the enterprise’s existing IT policy. Applications for some smart drives are designed to run without the need for an installation prompt and without the need for administrative privileges. While a convenient and time-saving feature, this means that even if the enterprise’s IT policy does not grant employees local administrative privileges, users are still able to load and run their own applications directly from the smart drive.
The reliability of individual U3-ready applications is also questionable. Although U3 maintains a website with “approved” U3 applications, programs for U3 smart drives can be developed by even novice programmers and distributed without endorsement from U3. While approved U3 applications must adhere to the strict U3 guidelines, such as not affecting the host computer’s OS and not leaving a trace of personal data when the U3 drive is disconnected, rogue U3 applications may not adhere to these restrictions once installed on a user’s U3 smart drive.
Even when using approved applications, the enterprise’s IT policy can still be breached: U3 applications use their own set of preferences and configurations, ignoring any policy set by the enterprise’s CSO. For example, an enterprise might force all mail client applications i.e. Microsoft Outlook, to use encrypted network connections. However a user bringing in a U3 smart drive with a mail client preinstalled, can read mail without any encryption, overriding enterprise IT policy.
Recently, the read-only partition on a U3 smart drive was compromised. The partition, which displays as a CD-ROM drive, is used to automatically start the U3 Launchpad once the drive is connected to the host computer. Hackers have managed to re-write that partition and modify the Launchpad, opening an attack path for pre-loaded malware. Even if a user becomes aware of the presence of the malware, most would not be able to remove the harmful programs unless the partition could be re-written.
Outsmarting the devices
U3 smart drives are just a precursor to the new technologies and innovations yet to come. While the further development of smart devices will increase productivity, enterprises must prepare for the trade-off of security versus convenience that such technology presents.
Fortunately, there are software solutions available which offer the capability of blocking U3 functionality on organizational PCs and laptops. Application control is another security feature which can reduce the security risk to a company’s IT infrastructure. Ultimately, however, it is the development of strong corporate information security policy and stringent enforcement that will offset the risks posed by U3 devices. Prohibiting the use of smart devices or issuing approved devices to specific users and then actively monitoring for unauthorized usage remains an effective way to intelligently utilize the benefits of “smart” devices.
Gil Sever is CEO of Safend.