IT security professionals are well aware of the risk of malware being introduced via infected USB drives, especially when the devices come from untrusted sources. However, a recent security incident has shown that even when the devices come from trusted sources there is still a risk that they may introduce malware.
Today, the American Dental Association (ADA) issued a statement warning members that some of the USB drives included with its CDT 2016 manual contained malware. Plugging the USB drives into a computer could result in the malware being copied onto the device.
The ADA had received a number of reports from members informing them that the USB storage devices included in the back pocket of the manual contained malware. The malware was flagged by their anti-virus software.
The malware was first discovered by an ADA member from Pittsburgh called “Mike.” Prior to plugging the device into his computer – which contained patient information – he decided to test the device to determine if it was clean. He discovered malicious code in one of the files.
The code contained a link to a malicious URL known to be used to distribute malware. Should a user’s antivirus software fail to detect and block the malware, it is possible that criminals could download further malicious software that would allow them to take control of the device. This could potentially cause a breach of protected health Information.
The ADA conducted an investigation and determined that 37,000 copies of the USB drive were likely infected. The infection had been introduced when data was copied on to the device. The devices were manufactured in China, and a subcontractor of the Chinese vendor had inadvertently allowed malware to be copied onto the drives. One of a number of duplicating machines had become infected during a production run for a different customer. The ADA said it had performed random tests of the devices prior to shipping, but those tests failed to pick up the malware.
It is unclear why the ADA chose to send USB drives out with the manual. The devices contained an electronic copy of the 2016 CDT manual, which could have been made available for download on the ADA website.
The ADA has now sent an email to all members warning them not to use the USB drive. They have now been provided with a link they can click to download the electronic manual from the ADA website should they so wish. The ADA will now review whether USB drives should be used when sending future copies of the manual to members.