Last week, Spotify sent a number of USB drives to reporters with a note saying “Play Me”.
It’s not unusual for reporters to receive USB drives in the post. Companies send them out all the time, especially around tech conferences. Most of the time they carry promotional material or large files, such as videos, that would otherwise be tedious to distribute to a wide audience.
However, anyone with basic security training under their belt knows never to plug in an unsolicited USB drive without taking certain precautions first.
How TechCrunch Handled the Situation
According to TechCrunch, it too received the drive. Staff there were mildly concerned but undeterred: they examined the contents of the Spotify drive using a disposable copy of Ubuntu Linux (booted from a live CD) on a spare computer, so that nothing on the drive could touch a production machine or leave anything behind. The drive turned out to be benign and contained a single audio file. “This is Alex Goldman, and you’ve just been hacked,” the file played.
The drive was just a promotion for a new Spotify podcast.
Jake Williams, a former hacker for the National Security Agency (NSA) and founder of Rendition Infosec, called the move “amazingly tone deaf”, since it invites reporters to plug unknown drives into their computers.
USB drives are not inherently malicious, but they have been used in hacking campaigns against targets such as power plants and nuclear enrichment facilities, which are typically not connected to the Internet and so can only be reached by something carried in by hand. According to Williams, USB drives can harbor malware that opens and installs backdoors on a victim’s computer.
“The files on the USB itself may contain active content,” he said, which, when opened, can exploit a bug on the device it is opened on.
When TechCrunch approached Spotify about the drives, a spokesperson for the music streaming company declined to comment. Instead, the request was passed to Sunshine Sachs, a public relations firm that works for Spotify, which would not comment on the record beyond saying that “all reporters received an email stating this was on the way.”
Plugging in random USB drives is a bigger problem than it might appear. Elie Bursztein, a Google security researcher, found in an experiment in which drives were dropped around a university campus that roughly half of them were picked up and plugged into a computer.
Earlier this year, John Deere caused a stir after it circulated a promotional drive that took control of the computer’s keyboard input: when plugged in, it ran a script that opened the browser and typed in the address of the company’s website. Even though the drive was not malicious, the move drew heavy criticism, because that is exactly how malicious keystroke-injection devices behave: automated, scripted input from something that looks like a storage stick.
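A drive that types on its own can only do so by enumerating as a USB keyboard (a HID interface) in addition to, or instead of, mass storage, and that is visible before any file on it is opened. The script below is an added example, not code from the article or from TechCrunch, Spotify or John Deere. It parses the verbose listing printed by `lsusb -v` on Linux, as captured on a throwaway machine such as the live-booted spare TechCrunch used, and reports every device that claims to be more than a plain storage stick. The `lsusb` text it runs on is constructed for the example, and the vendor ID `1234` and product names in it are invented.

```python
"""Triage an unknown USB stick by the interfaces it enumerates.

Added example (not from the article or any company it names). Feed it the
output of `lsusb -v` taken on a throwaway machine; anything that is not a
pure mass-storage device gets a finding. The sample text at the bottom is
constructed; VID 1234 and the product names are invented.
"""
import re
from dataclasses import dataclass, field

# USB-IF interface class codes and the HID boot-protocol number for keyboards.
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_HUB = 0x09
HID_PROTOCOL_KEYBOARD = 0x01
CLASS_NAMES = {
    0x01: "audio", 0x02: "communications", 0x03: "HID", 0x06: "imaging",
    0x07: "printer", 0x08: "mass storage", 0x09: "hub", 0x0a: "CDC data",
    0x0e: "video", 0xe0: "wireless controller", 0xef: "miscellaneous",
    0xff: "vendor specific",
}

@dataclass
class UsbDevice:
    bus: int
    devnum: int
    vid: str
    pid: str
    name: str
    interfaces: list = field(default_factory=list)  # (class, subclass, protocol)

DEVICE_RE = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})\s*(.*)$")
FIELD_RE = re.compile(r"^\s+(bInterfaceClass|bInterfaceSubClass|bInterfaceProtocol)\s+(\d+)")

def parse_lsusb_verbose(text):
    """Extract one (class, subclass, protocol) triple per interface descriptor."""
    devices, current, pending = [], None, {}
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = UsbDevice(int(m.group(1)), int(m.group(2)),
                                m.group(3), m.group(4), m.group(5).strip())
            devices.append(current)
            pending = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            pending[m.group(1)] = int(m.group(2))
            # lsusb prints class, subclass, protocol in that order; protocol closes a triple.
            if m.group(1) == "bInterfaceProtocol" and "bInterfaceClass" in pending:
                current.interfaces.append((pending["bInterfaceClass"],
                                           pending.get("bInterfaceSubClass", 0),
                                           pending["bInterfaceProtocol"]))
                pending = {}
    return devices

def assess_as_storage_stick(dev):
    """Findings for a device you were told is a flash drive; empty means storage only."""
    findings = []
    classes = {c for c, _, _ in dev.interfaces}
    if CLASS_MASS_STORAGE not in classes:
        findings.append("no mass-storage interface: not a flash drive at all")
    for cls, _sub, proto in sorted(set(dev.interfaces)):
        if cls == CLASS_MASS_STORAGE:
            continue
        if cls == CLASS_HID and proto == HID_PROTOCOL_KEYBOARD:
            findings.append("enumerates as a keyboard: can inject keystrokes the moment it is plugged in")
        else:
            findings.append(f"unexpected interface class 0x{cls:02x} "
                            f"({CLASS_NAMES.get(cls, 'unknown')}), protocol {proto}")
    return findings

def triage(lsusb_text):
    """Map 'vid:pid name' to findings, skipping the host's own hubs."""
    report = {}
    for dev in parse_lsusb_verbose(lsusb_text):
        if {c for c, _, _ in dev.interfaces} == {CLASS_HUB}:
            continue
        report[f"{dev.vid}:{dev.pid} {dev.name}"] = assess_as_storage_stick(dev)
    return report

# Constructed sample: a root hub, a plain stick, a stick that also enumerates a
# keyboard (the promotional-drive pattern), and a keyboard-only injector.
SAMPLE_LSUSB = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Interface Descriptor:
      bInterfaceClass         9 Hub
      bInterfaceSubClass      0
      bInterfaceProtocol      0 Full speed (or root) hub
Bus 001 Device 005: ID 1234:0001 Example Corp Plain Flash Drive
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
Bus 001 Device 006: ID 1234:0002 Example Corp Promo Drive
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 007: ID 1234:0003 Example Corp Keystroke Injector
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      1 Boot Interface Subclass
      bInterfaceProtocol      1 Keyboard
"""

if __name__ == "__main__":
    for label, findings in triage(SAMPLE_LSUSB).items():
        print(label, "->", "ok (storage only)" if not findings else "; ".join(findings))
```

Replace `SAMPLE_LSUSB` with the real `lsusb -v` output from the throwaway box to use it. Two caveats: the descriptors tell you only what the device claims at enumeration time, so a device that is well behaved now can still re-enumerate as something else later; and a stick that really is storage only can still carry booby-trapped files, which is why the sandboxed look at the contents is a separate step.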
Given the threats that USB drives can pose, CISA, the cybersecurity division of the Department of Homeland Security, last month revised and updated its guidance on USB drive security. Journalists are among the groups that some governments frequently target, including with targeted cyberattacks.
So take precautions when handling USB drives, and never plug one in unless you completely trust where it came from.