London Heathrow Airport’s security laid bare by one lost USB stick

If someone set out to invent a risky way to transport important data around it’s hard to imagine they’d better the USB flash stick for calamitous efficiency.

They’re cheap enough to feel disposable, store large numbers of files, and despite years of mishaps barely any are sold with encryption security.

They’re also incredibly popular – which is why in 2017 we’re still writing about cases like the USB stick found in a west London street that turned out to contain 2.5Gb of unprotected files detailing many of the anti-terrorism procedures and systems used to protect one of the world’s busiest airports.

This included: the route taken by the Queen, politicians and dignitaries when using the airport’s secure departure suite; radio codes used to indicate hijackings; details of maintenance and escape tunnels and CCTV locations; a timetable of police patrols; information on security ID cards; and details of the surveillance system used to monitor runways and the airport perimeter.

The only reason we know any of this is that the man who picked up the stick decided to report the discovery to a national newspaper, prompting the airport to launch a “very, very urgent” investigation.

Superficially, this resembles a good news story, a lucky escape that could have been so much worse.

Heathrow will ask the same questions as countless organisations before it: who copied the data and why? Did they have permission? Why wasn’t the stick secured?

The optimistic scenario is that someone unwisely decided to move a few files around and lost the USB stick in an act of carelessness. A more pessimistic possibility is that someone stole the data to order or to sell, which implies troubling things about network data security at Britain’s biggest airport.

The nature of the leaked information shows that USB stick incidents aren’t merely embarrassing, they can be extremely serious.

The lesson might be that in an era when employees can use more secure cloud storage, USB sticks should simply be banned. This has been tried, most notably by the US Department of Defense in 2008.

Mandating that sticks must be encrypted is another option, but this comes with the drawback that drivers are needed for every platform the drive might be plugged into (i.e. Mac and Linux machines as well as Windows).

Using sticks in this way also means organisations must invest in a provisioning system capable of tracking individual drives, resetting passwords, and remotely wiping data.

Even then, there’s still the small matter of making the sticks immune to more advanced cryptographic and physical tampering, as many compliance regimes demand; for storage, this is governed by the US Government’s FIPS 140 levels 1-4. This involves a lot of testing and doesn’t come cheap.

We haven’t even mentioned the fact that USB sticks have a bad habit of picking up malware on their travels.

But let’s not fall into the trap of assuming that because USB sticks are somewhere between an expensive hassle and an outright grade one security risk, they can be quickly pensioned off.

Like it or not, they are inside every organisation by the bucket-load and won’t go away any time soon. As long as there are USB ports on computers to plug them into, they will be a problem.

From the fateful day the first USB sticks were plugged into computers by delighted employees in the late 1990s, securing them has been – at best – about containment. If only we’d known then what we know now.