No, Spotify, you shouldn’t have sent mysterious USB drives to journalists

Last week, Spotify sent a number of USB drives to reporters with a note: "Play me." It's not uncommon for reporters to receive USB drives in the post.
Companies distribute USB drives all the time, including at tech conferences, often containing promotional materials or large files, such as videos, that would otherwise be difficult to get into as many hands as possible. But anyone with basic security training under their belt — which here at TechCrunch we have — will know never to plug in a USB drive without taking some precautions first. Concerned but undeterred, we safely examined the contents of the Spotify drive using a disposable version of Ubuntu Linux (booted from a live CD) on a spare computer. It was benign and contained a single audio file.

"This is Alex Goldman, and you've just been hacked," the file played. The drive was just a promotion for a new Spotify podcast.
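A way to make the inspection described above repeatable, as an added example that is not TechCrunch's own tooling: a small Python triage script to run from the throwaway live system against a drive mounted read-only. It classifies each file by its leading bytes rather than by its name, hashes it, and flags autorun files, executable content, and media-named files whose contents are not media. The `build_sample_drive` and `demo` helpers create a constructed sample directory so the script runs without a real drive; the file names and contents there are made up.

```python
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Leading-byte signatures for a few file kinds that matter on removable media.
# Classify by content, not by the name the sender chose for the file.
MAGIC = [
    (b"MZ", "pe-executable"),          # Windows EXE/DLL/SCR
    (b"\x7fELF", "elf-executable"),    # Linux binary
    (b"#!", "script"),                 # shell/python/etc. with a shebang
    (b"PK\x03\x04", "zip-container"),  # ZIP, also DOCX/XLSX/JAR
    (b"%PDF", "pdf"),
    (b"ID3", "mp3-audio"),
    (b"\xff\xfb", "mp3-audio"),
    (b"fLaC", "flac-audio"),
    (b"OggS", "ogg-audio"),
    (b"RIFF", "riff-audio-video"),     # WAV/AVI
]
AUDIO_KINDS = {"mp3-audio", "flac-audio", "ogg-audio", "riff-audio-video"}
MEDIA_EXT = {".mp3", ".wav", ".flac", ".ogg", ".m4a"}
# Extensions that mean "run me" or "open me" rather than "listen to me".
ACTIVE_EXT = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js",
              ".jar", ".lnk", ".hta", ".msi", ".docm", ".xlsm"}


def sniff_type(head: bytes) -> str:
    """Return a coarse file kind from the first bytes of the file."""
    for prefix, kind in MAGIC:
        if head.startswith(prefix):
            return kind
    return "unknown"


def triage_file(path: Path, root: Path) -> dict:
    """Hash one file and list the reasons it deserves a closer look."""
    digest = hashlib.sha256()
    head = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(1 << 20):
            if not head:
                head = chunk[:16]
            digest.update(chunk)
    kind = sniff_type(head)
    ext = path.suffix.lower()
    flags = []
    if path.name.lower() == "autorun.inf":
        flags.append("autorun")               # Windows autorun hint file
    if ext in ACTIVE_EXT:
        flags.append("active-extension")      # a file meant to be executed/opened
    if kind.endswith("-executable") or kind == "script":
        flags.append("executable-content")    # binary or script regardless of name
    if ext in MEDIA_EXT and kind not in AUDIO_KINDS:
        flags.append("extension-mismatch")    # named like media, not media inside
    return {
        "path": str(path.relative_to(root)),
        "size": path.stat().st_size,
        "sha256": digest.hexdigest(),
        "kind": kind,
        "flags": flags,
    }


def triage_drive(mount_root: str) -> list:
    """Walk a read-only mounted drive, skipping symlinks and special files."""
    root = Path(mount_root)
    report = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            report.append(triage_file(p, root))
    return report


def verdict(report: list) -> str:
    return "needs-review" if any(r["flags"] for r in report) else "no-flags"


def build_sample_drive(target: str) -> None:
    """Constructed sample contents (not a real drive image) for a dry run."""
    t = Path(target)
    (t / "play_me.mp3").write_bytes(b"ID3\x04\x00\x00" + b"\x00" * 64)
    (t / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.exe\n")
    (t / "readme.txt").write_bytes(b"MZ\x90\x00\x03\x00" + b"\x00" * 64)
    (t / "song.wav").write_bytes(b"\x7fELF\x02\x01\x01" + b"\x00" * 64)


def demo() -> dict:
    """Run the triage over the constructed sample and map file -> flags."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return {r["path"]: r["flags"] for r in triage_drive(tmp)}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        for path, flags in demo().items():
            print(path, flags or "-")
    else:
        rep = triage_drive(sys.argv[1])
        for r in rep:
            print(f"{r['sha256'][:16]}  {r['kind']:<18} {r['path']}  {' '.join(r['flags'])}")
        print("verdict:", verdict(rep))
```

On the live system, mount the partition with `mount -o ro,noexec,nodev,nosuid /dev/sdX1 /mnt/usb` before pointing the script at `/mnt/usb`; the script only reads bytes and never opens a file in its associated application, and the hashes give you something to look up or share with a colleague. It says nothing about the device's firmware or what it presents itself as on the USB bus, which is a separate check.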
Because of course it was.

The USB drive that Spotify sent journalists (Image: TechCrunch)

Jake Williams, a former NSA hacker and founder of Rendition Infosec, called the move "amazingly tone deaf" for encouraging reporters to plug the drives into their computers. USB drives are not inherently malicious, but they are known to have been used in hacking campaigns against targets like power plants and nuclear enrichment plants, which are typically not connected to the internet.
USB drives can harbor malware that can open and install backdoors on a victim's computer, Williams said. "The files on the USB itself may contain active content," he said, which when opened can exploit a bug on an affected device.

A spokesperson for Spotify did not comment. Instead, it passed our request to Sunshine Sachs, a public relations firm that works for Spotify, which would not comment on the record beyond that "all reporters received an email stating this was on the way."

Plugging in random USB drives is a bigger problem than you might
Elie Bursztein, a Google security researcher, found in his own research that about half of all people will plug a random USB drive into their computer. John Deere earlier this year caused a ruckus after it distributed a promotional drive that actively hijacked the computer's keyboard. The drive contained code that, when plugged in, ran a script, opened the browser and automatically typed in the company's website. Even though the drive was not inherently malicious, the move was widely criticized, as malware often acts in the same automated, scripted way.

Given the threats that USB drives can pose, Homeland Security's cybersecurity division, CISA, last month updated its guidance on USB drive security.
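The John Deere drive described above worked not by carrying malware but by presenting itself to the operating system as a keyboard. On Linux, a device's interfaces and their USB class codes are visible under sysfs, so a storage stick that also exposes a human-interface-device (keyboard) interface can be spotted before anything on it is mounted. The following is an added example, not code from the article or from any vendor; it reads the real `/sys/bus/usb/devices` layout, and `build_sample_sysfs` and `demo` fabricate a miniature copy of that layout with made-up vendor and product IDs so it runs without hardware.

```python
import tempfile
from pathlib import Path

# USB-IF base class codes as they appear in sysfs bInterfaceClass (two hex digits).
HID_CLASS = "03"           # human interface device: keyboards, mice
MASS_STORAGE_CLASS = "08"  # flash drives, card readers
KEYBOARD_PROTOCOL = "01"   # bInterfaceProtocol of a boot-protocol keyboard


def _attr(d: Path, name: str):
    """Read one sysfs attribute file, or None if it does not exist."""
    try:
        return (d / name).read_text().strip()
    except OSError:
        return None


def enumerate_usb_devices(sysfs_root: str = "/sys") -> dict:
    """Group each interface dir (e.g. 1-4:1.0) under its device dir (1-4)."""
    base = Path(sysfs_root) / "bus" / "usb" / "devices"
    devices = {}
    for entry in sorted(base.iterdir()):
        cls = _attr(entry, "bInterfaceClass")
        if cls is None:
            continue  # a device or root-hub entry, not an interface
        dev_name = entry.name.split(":")[0]
        dev_dir = base / dev_name
        dev = devices.setdefault(dev_name, {
            "vendor": _attr(dev_dir, "idVendor"),
            "product": _attr(dev_dir, "idProduct"),
            "name": _attr(dev_dir, "product"),
            "interfaces": [],
        })
        dev["interfaces"].append({
            "iface": entry.name,
            "class": cls,
            "protocol": _attr(entry, "bInterfaceProtocol"),
        })
    return devices


def flag_storage_with_keyboard(devices: dict) -> list:
    """Names of devices exposing both a mass-storage and a HID interface."""
    flagged = []
    for name, dev in devices.items():
        classes = {i["class"] for i in dev["interfaces"]}
        if MASS_STORAGE_CLASS in classes and HID_CLASS in classes:
            flagged.append(name)
    return flagged


def build_sample_sysfs(root: str) -> None:
    """Constructed miniature sysfs tree with made-up IDs, not captured from hardware."""
    base = Path(root) / "bus" / "usb" / "devices"

    def dev(name, vendor, product, label):
        d = base / name
        d.mkdir(parents=True)
        (d / "idVendor").write_text(vendor + "\n")
        (d / "idProduct").write_text(product + "\n")
        (d / "product").write_text(label + "\n")

    def iface(name, cls, proto="00"):
        d = base / name
        d.mkdir(parents=True)
        (d / "bInterfaceClass").write_text(cls + "\n")
        (d / "bInterfaceProtocol").write_text(proto + "\n")

    dev("1-4", "abcd", "0001", "Promo Stick")      # storage plus keyboard: flag it
    iface("1-4:1.0", MASS_STORAGE_CLASS)
    iface("1-4:1.1", HID_CLASS, KEYBOARD_PROTOCOL)
    dev("1-5", "abcd", "0002", "Plain Stick")      # storage only
    iface("1-5:1.0", MASS_STORAGE_CLASS)
    dev("1-6", "abcd", "0003", "Real Keyboard")    # keyboard only
    iface("1-6:1.0", HID_CLASS, KEYBOARD_PROTOCOL)
    (base / "usb1").mkdir()                         # root hub entry, no interface attrs


def demo() -> list:
    """Run the check against the constructed tree; returns the flagged device names."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysfs(tmp)
        return flag_storage_with_keyboard(enumerate_usb_devices(tmp))


if __name__ == "__main__":
    devs = enumerate_usb_devices()
    for name in flag_storage_with_keyboard(devs):
        d = devs[name]
        print(f"{name}: {d['vendor']}:{d['product']} {d['name']!r} exposes storage and HID")
```

Reading these attributes needs no special privileges. The result is a point-in-time snapshot: a device can re-enumerate with different interfaces after a delay, so a clean result is one data point rather than a clearance, and for an enforced, continuous policy a tool such as USBGuard, which allows or blocks devices by their descriptors before the kernel binds drivers, is the appropriate layer.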
Journalists are among those frequently targeted by some governments, including through targeted cyberattacks. Remember: always take precautions when handling USB drives, and never plug one in unless you trust it. No one, not even the Secret Service, should randomly plug in a strange USB stick.