Ryan Paul at Ars highlights an oblique reference in a government fiscal report that includes a tantalizing mention of this tool, USBDetect. There aren’t any details of how it actually works. If I had to guess, based on the fact that what is mentioned is specifically Windows, it must rely on some network chirp Windows boxen emit when such a drive is attached.
That seems plausible as the excerpt mentions all manner of attached storage, not just jump drives. Perhaps it is some part of the hidden shares that Windows supports for lettered drives in the OS. If my theory is correct, then I doubt the tool works outside of a given subnet, i.e. no drive detection over the internet. This is consistent with Paul’s explanation that the tool, now in its third revision, is mostly used to detect violations of the policy many agencies have barring portable media.
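For readers who want to see what "detecting attached storage" on a Windows host looks like from the defender's side, here is an added example; it is not code from the original post and says nothing about how USBDetect itself works, which the report does not describe. It runs locally on the host being checked and uses only standard WMI/CIM classes: `Win32_LogicalDisk` (DriveType 2 is "Removable Disk"), `Win32_DiskDrive` (the physical disk's interface type), and `Win32_Share` (the administrative drive shares the post speculates a network-side detector might key on). Whether Windows actually exposes hot-plugged drives through those shares is the post's theory, not something this script assumes or relies on.

```powershell
# Added example (not from the original post, not USBDetect): a local,
# defender-side inventory of removable media on a Windows host, suitable
# for a scheduled task or endpoint-agent check against a no-portable-media policy.

# Logical volumes Windows classifies as removable (DriveType 2).
function Get-RemovableMediaReport {
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk |
        Where-Object { $_.DriveType -eq 2 }

    foreach ($disk in $removable) {
        [PSCustomObject]@{
            Drive      = $disk.DeviceID
            Label      = $disk.VolumeName
            FileSystem = $disk.FileSystem
            SizeGB     = if ($disk.Size) { [math]::Round($disk.Size / 1GB, 2) } else { $null }
            Host       = $env:COMPUTERNAME
            SeenAt     = (Get-Date).ToString('o')   # ISO 8601 timestamp for log correlation
        }
    }
}

# Physical disks attached over USB, as reported by the storage stack.
# PNPDeviceID and SerialNumber are what you would record to identify a
# specific device in an incident timeline.
function Get-UsbPhysicalDisks {
    Get-CimInstance -ClassName Win32_DiskDrive |
        Where-Object { $_.InterfaceType -eq 'USB' } |
        Select-Object Model, SerialNumber, Size, PNPDeviceID
}

# Administrative drive shares (C$, D$, ...) currently published by the
# Server service. The post speculates a network-side tool could observe
# these; listing them locally shows what your host is actually exposing.
function Get-AdminDriveShares {
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Name -match '^[A-Z]\$$' } |
        Select-Object Name, Path
}

Get-RemovableMediaReport | Format-Table -AutoSize
Get-UsbPhysicalDisks     | Format-Table -AutoSize
Get-AdminDriveShares     | Format-Table -AutoSize
```

Run it in an elevated PowerShell session if you want the full set of shares; the disk queries work for a standard user. Feeding the first function's output to a central log (for example by piping it through `ConvertTo-Json`) turns it into the kind of policy-violation record the post describes agencies looking for, without any dependence on what a remote scanner can or cannot see.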
I suspect that if some law enforcer tried to use this on a civilian network without proper oversight, we would have seen evidence of it via a complaint in a criminal case or a subsequent civil suit.