
No one, not even the Secret Service, should randomly plug in a strange USB stick


NelsonG


If you’ve been on Twitter today, you’ve probably seen one story making the rounds.

The case follows a Chinese national, Yujing Zhang, who is accused of trying to sneak into President Trump’s private Florida resort Mar-a-Lago last month. She was caught by the Secret Service with four cellphones, a laptop, cash, an external hard drive, a signals detector to spot hidden cameras, and a thumb drive.

The arrest sparked new concerns about the president’s security amid concerns that foreign governments have tried to infiltrate the resort.

Allegations aside and notwithstanding, what sent alarm bells ringing was how the Secret Service handled the USB drive, which cannot be understated — it was not good.

From the Miami Herald:

Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified at the hearing. He stated that when another agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said. The analysis is ongoing but still inconclusive, he testified.

What’s the big deal, you might think? You might not think it, but USB keys are a surprisingly easy and effective way to install malware — or even destroy computers. In 2016, security researcher Elie Bursztein found dropping malware-laden USB sticks was an “effective” way of tricking someone into plugging it into their computer. As soon as the drive plugs in, it can install malware that can remotely surveil and control the affected device — and spread throughout a network. Some USB drives can even fry the innards of some computers.

A Secret Service spokesperson said the device was “standalone,” but wouldn’t be pressed on details. It remains unknown why the agent “immediately” pulled out the drive in a panic.

It didn’t take long for security folks to seize on the security snafu.

Jake Williams, founder of Rendition Infosec and former NSA hacker, criticized the agent’s actions, saying they “threatened his own computing system and possibly the rest of the Secret Service network.”

“It’s entirely possible that the sensitivities over determining whether Zhang was targeting Mar-a-Lago or the president — or whether she was a legitimate guest or member — may have contributed to the agent’s actions on the ground,” he said. “Never before has the Secret Service had to deal with this type of scenario and they’re probably still working out the playbook.”

Williams said the best way to forensically examine a suspect USB drive is by plugging the device into an isolated Linux-based computer that doesn’t automatically mount the drive to the operating system.

“We would then create a forensic image of the USB and extract any malware for analysis in the lab,” he said. “While there is still a very small risk that the malware targets Linux, that’s not the normal case.”
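
The imaging step Williams describes, sketched as an added example (not code from the article or from Rendition Infosec). It assumes a Linux host with GNU coreutils and util-linux, desktop automounting already disabled, and root privileges; the device and case paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: image a suspect USB device without mounting it, then verify the copy.
# Usage (as root, on an isolated host with automounting disabled):
#   sh image_usb.sh /dev/sdX /cases/0001      <- placeholder paths

image_device() {
    src=$1
    out_dir=$2
    img="$out_dir/evidence.img"

    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 3; fi

    if [ -b "$src" ]; then
        # Stop if the device or any of its partitions is mounted.
        if grep -q "^$src" /proc/mounts; then
            echo "$src is mounted; unmount it first" >&2
            return 4
        fi
        # Ask the kernel to reject writes to the device while we read it.
        blockdev --setro "$src" || return 5
    fi

    # dd copies raw blocks; this script never mounts or parses a filesystem on the stick.
    dd if="$src" of="$img" bs=4M 2>/dev/null || return 6
    chmod 0444 "$img"

    # Hash source and image independently; a mismatch means the copy is not faithful.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum < "$img" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source $src_hash, image $img_hash" >&2
        return 7
    fi

    # Record the digest next to the image for the chain-of-custody notes.
    printf '%s  evidence.img\n' "$img_hash" > "$img.sha256"
    echo "imaged $src -> $img (sha256 $img_hash)"
}

if [ "$#" -eq 2 ]; then
    image_device "$1" "$2"
fi
```

Imaging only covers the storage a device exposes; it does nothing against a stick built to damage hardware, which is one reason the examination host is isolated and expendable.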
