Securing Your Devices from Others: USB Threats, Cheap Hardware, and Phishing

Not every threat comes through the internet. Some of them arrive on your desk disguised as a flash drive, a charging cable, or a bargain-priced router. The devices you connect to your computer and the hardware you choose to trust are attack surfaces — and most people never think twice about them.
Phishing is still the front door
Before talking about hardware, it’s worth restating the obvious: phishing remains the most common way attackers get an initial foothold. A convincing email, a fake login page, one click — and your credentials are in someone else’s hands.
We covered this in detail recently. If you haven’t read it, take a few minutes with our post on phishing emails at work and how to spot fakes from coworkers and management. The short version: verify before you act, use a second channel, and never let urgency override judgment. Everything else in this post matters less if an attacker already has your password.
Don’t trust USB devices you didn’t buy new from a trusted source
This one makes people uncomfortable because USB devices feel harmless. A flash drive is just storage. A keyboard is just a keyboard. Except when it isn’t.
A USB device can identify itself to your computer as anything it wants. A device that looks like a flash drive can tell your operating system it’s a keyboard — and then “type” commands at machine speed. Within seconds it can open a terminal, download malware, create a backdoor, and close the window before you notice anything happened. These aren’t theoretical attacks. Tools that do exactly this are commercially available and cost less than fifty dollars.
Found a USB drive in a parking lot? Don’t plug it in. This is one of the oldest social engineering tricks. Attackers drop infected drives in places where curious people will find them — office lobbies, conference rooms, parking lots. The instinct to see what’s on it is exactly what they’re counting on.
Someone gave you a USB device as a gift or promotional item? Don’t plug it in. The same applies to cables. Malicious USB cables exist that contain embedded chips capable of exfiltrating data or injecting keystrokes. They look identical to the real thing.
Bought a used device or received one from an unknown source? Don’t plug it in. There is no way to visually inspect a USB device and determine whether its firmware has been modified. Once tampered firmware is on a device, no amount of formatting or scanning will remove it.
If you absolutely must use an untrusted USB device
Sometimes there’s no alternative — you need to access data on a device you didn’t purchase yourself. In that case, use an air-gapped machine. That means a computer with no network connection — no Wi-Fi, no Ethernet, no Bluetooth. A machine that is physically isolated from every other system and network you care about.
Use that isolated machine to examine the contents of the device. Do not connect it to your regular network afterward without wiping it. Treat the air-gapped machine as potentially compromised the moment you insert the untrusted device.
This may sound extreme. It isn’t. The damage a single malicious USB device can do to an unprotected system — and from there, an entire network — is orders of magnitude worse than the inconvenience of maintaining an isolated machine for exactly this purpose.
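An added example, not part of the original post: on the isolated machine, before opening any files, compare what the device declares itself to be with what it looks like. This Python sketch reads the interface classes that Linux exposes under /sys/bus/usb/devices and flags a storage device that also declares an input (HID) interface, the class keyboards use. The sample descriptors, IDs and allowlist are constructed placeholders.

```python
from pathlib import Path

HID, MASS_STORAGE = 0x03, 0x08   # USB interface class codes (keyboards are HID)

def assess(interfaces, vid_pid, known_input_devices):
    """interfaces: (class, subclass, protocol) tuples declared by one device."""
    classes = {c for c, _, _ in interfaces}
    if HID in classes and MASS_STORAGE in classes:
        return "ALERT: storage device also declares an input (HID) interface"
    if HID in classes and vid_pid not in known_input_devices:
        return "WARN: input (HID) interface from a device not on the allowlist"
    return "ok"

def _hex(path):
    return int(path.read_text().strip(), 16)

def scan(root="/sys/bus/usb/devices", known_input_devices=frozenset()):
    """Read declared interfaces from Linux sysfs: {device: (vid:pid, verdict)}."""
    results = {}
    for dev in sorted(Path(root).iterdir()):
        if not (dev / "idVendor").exists():      # interface entries have no idVendor
            continue
        vid_pid = ":".join((dev / f).read_text().strip() for f in ("idVendor", "idProduct"))
        interfaces = [(_hex(i / "bInterfaceClass"), _hex(i / "bInterfaceSubClass"),
                       _hex(i / "bInterfaceProtocol"))
                      for i in sorted(dev.glob(dev.name + ":*"))
                      if (i / "bInterfaceClass").exists()]
        results[dev.name] = (vid_pid, assess(interfaces, vid_pid, known_input_devices))
    return results

# Constructed descriptors (not captured from real hardware); IDs are placeholders.
SAMPLES = {
    "plain flash drive":   ("aaaa:0001", [(0x08, 0x06, 0x50)]),
    "desk keyboard":       ("bbbb:0002", [(0x03, 0x01, 0x01)]),
    "drive plus keyboard": ("cccc:0003", [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]),
    "unknown keyboard":    ("dddd:0004", [(0x03, 0x01, 0x01)]),
}

def demo(known_input_devices=frozenset({"bbbb:0002"})):
    return {name: assess(ifs, vp, known_input_devices) for name, (vp, ifs) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
    if Path("/sys/bus/usb/devices").is_dir():    # live view on a Linux host
        for dev, (vp, verdict) in scan().items():
            print(dev, vp, verdict)
```

A clean result only reflects what the device declared at that moment: vendor and product IDs are self-reported, and a device can present an input interface later, so keep treating the machine as potentially compromised.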
Avoid cheap hardware — it often comes with backdoors
The router that costs a third of what the name-brand version costs. The off-brand security camera. The budget smart plug from a manufacturer you’ve never heard of. These devices are tempting, especially for small businesses watching their expenses. But the discount often comes at a cost that isn’t on the price tag.
Cheap hardware frequently ships with known vulnerabilities or intentional backdoors. Budget routers have been found with hardcoded administrator credentials that can’t be changed. Security cameras have been caught sending data to overseas servers with no user notification. Smart home devices have shipped with open telnet ports and default passwords that grant root access to anyone on the network.
Firmware updates are rare or nonexistent. Even when vulnerabilities are discovered and publicly documented, manufacturers of bottom-tier hardware often have no mechanism — or no incentive — to push updates. The device you bought works today, but six months from now it’s running software with known, unpatched exploits that anyone can find with a search engine.
Supply chain compromise is real. Some inexpensive hardware is manufactured in facilities with minimal oversight. Components can be added or modified before the device ever reaches you. This isn’t speculation — government agencies in multiple countries have issued advisories about specific brands and product categories where supply chain tampering has been confirmed.
What to buy instead
You don’t have to buy the most expensive option on the shelf. But you should buy from manufacturers with a track record of issuing security patches, responding to vulnerability disclosures, and being transparent about where and how their products are made.
For routers, look at vendors like Ubiquiti, Netgear’s business lines, or similar. For any device that connects to your network, check whether the manufacturer publishes a security update policy. If they don’t mention security anywhere on their site, that tells you everything you need to know about their priorities.
The bottom line
The threats to your devices don’t all arrive through your inbox. A USB device you didn’t buy, a cable you found in a drawer, a router you grabbed because it was cheap — any of these can give an attacker a way in that bypasses every software defense you’ve set up.
Buy hardware from trusted sources. Don’t plug in anything you can’t verify. Keep an air-gapped machine available for situations where you have no choice. And remember that the cheapest option on the shelf is often the most expensive one in the long run.