Are USB drives a security risk?

The following was posted to Web4Lib this afternoon:

Subject: Disable USB drives on public computers
“This article provides a way to do this, while still allowing the use of USB peripherals such as mouse, keyboard or scanner. This only disables the storage drivers. This could have uses in preventing users from copying data from the computer, or running un-approved software from a portable device.”

The posting also included a link to the article which itself included downloadable software to make it even easier to disable a patron’s ability to use a USB drive. You may correctly assume that I’m not posting the link because I strongly disapprove of librarians doing any such thing. If you insist this is a must for your library you’ll need to go find the instructions and/or tool yourself as I’ll have no part in it.

The reasons for not disabling USB drive access are:

  1. If you’re storing sensitive data on a computer that the public has access to, you’ve got bigger security issues to deal with than USB drives.
  2. As a patron I want to be able to run my copy of Portable Firefox so I can use my browser, have access to my extensions, and use my bookmarks. Deny me that right and you’ll have an irate patron on your hands. Such apps are doing nothing to your computer so there’s no reason to keep me from doing it.
  3. I want to save what I’ve found while on your computer since I don’t have the money to pay for printouts. Better yet, I want to save that download which can’t be printed nor will it fit on a floppy.
  4. Most importantly, my data is stored on my USB drive and if you allow someone to use a floppy disk, why am I denied the ability to use my USB drive. Hey, my paper’s due tomorrow and my home computer’s busted.

There are arguments for denying the USB of USB drives. They are:

  1. Someone could boot from the USB drive and completely wipe out the system and/or compromise network security.
  2. Someone could install malicious software from their USB drive onto the library’s computer.

Well there are solutions to both of these potential hazards that do not involve denying all of the legitimate uses of these devices. In the case of the first potential problem, set the computer’s BIOS to only boot from the hard drive (as you should have already done to prevent people from booting from floppies,) and set a password on the BIOS to prevent anyone from changing those settings. (Again, something you should already have done. Potential problem number one solved.

As for potential problem number two; use something like Windows Dish Protection, Centurion Guard, or, my personal favorite, Deep Freeze. If someone installs something on your computer, just reboot and it’s gone. Potential problem number two solved.

So, answer the question I posed in the title of this post, there’s no security risk from USB drives that can’t be solved in ways that won’t also hurt the other 99% of your patrons.

April 28th, 2006 by