Posted by: Arian Eigen Heald
Data Breaches, Hardware & InfoSec, information security, Privacy
At a conference I attended not long ago, part of the conference package I received was a “free” USB drive from one of the vendors. Every attendee received one of the drives.
Being the information security person that I am, “free” USB drives make me wary. Marketers also make me wary. So, I looked at the instructions included with the USB drive, and found the following:
This USB drive is backed by iClick’s lifetime replacement warranty. To help identify authenticity the USB drive may connect to iClick servers for verification when it is plugged into a computer connected to the Internet. No personal information will be sent or recorded other than the IP address.By utilizing this USB drive you consent to allow this possible server connection.
So, from a security perspective, let’s take this apart: To help identify authenticity… How does connecting to their Internet servers identify anything about the USB drive? This appears to be a blatant falsehood to justify the next action, …(may) connect to the Internet. How many times will it connect to the Internet? Every time you plug it in? We don’t know.
No personal information will be sent or recorded other than the IP address. Can we trust this statement? Given the previous statement, should we believe this? How do we know? Not without some security testing. If it connects more than once, showing the IP address, how long is that information stored? Does it connect to a web page automatically that may have malware hidden in the HTML code?
The final statement on the “instructions?” By utilizing this USB drive you consent to allow this possible server connection. How many people read “instructions” after getting a “free” USB drive? Everyone “knows” you just plug it in to your USB port on your computer. So we’ve “consented,” i.e., removed any legal action against this “possible server connection.” We can just eliminate “possible” here, I would suspect.
Can we remove this software? According to the iClick website, they can “lock” the files on the USB drive so they won’t be deleted. I don’t know if the drive can disallow formatting but frankly, this went in the trash.