Sister CISA CISSP

Sep 27 2010   4:24PM GMT

“Free” USB Drive Calls Home



Posted by: Arian Eigen Heald
Tags:
Data Breaches
Hardware & InfoSec
information security
Privacy

At a conference I attended not long ago, part of the conference package I received was a “free” USB drive from one of the vendors. Every attendee received one of the drives.

Being the information security person that I am, “free” USB drives make me wary. Marketers also make me wary. So, I looked at the instructions included with the USB drive, and found the following:

This USB drive is backed by iClick’s lifetime replacement warranty. To help identify authenticity the USB drive may connect to iClick servers for verification when it is plugged into a computer connected to the Internet. No personal information will be sent or recorded other than the IP address.By utilizing this USB drive you consent to allow this possible server connection.

So, from a security perspective, let’s take this apart: To help identify authenticity… How does connecting to their Internet servers identify anything about the USB drive? This appears to be a blatant falsehood to justify the next action, …(may) connect to the Internet. How many times will it connect to the Internet? Every time you plug it in? We don’t know.

No personal information will be sent or recorded other than the IP address. Can we trust this statement? Given the previous statement, should we believe this? How do we know? Not without some security testing. If it connects more than once, showing the IP address, how long is that information stored? Does it connect to a web page automatically that may have malware hidden in the HTML code?

The final statement on the “instructions?” By utilizing this USB drive you consent to allow this possible server connection. How many people read “instructions” after getting a “free” USB drive? Everyone “knows” you just plug it in to your USB port on your computer. So we’ve “consented,” i.e., removed any legal action against this “possible server connection.” We can just eliminate “possible” here, I would suspect.

Can we remove this software? According to the iClick website, they can “lock” the files on the USB drive so they won’t be deleted. I don’t know if the drive can disallow formatting but frankly, this went in the trash.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: