Tales from the Crypto






         Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

January 31, 2007

USB U3 – the device that lies.

Filed under: General Security @ 12:03 am

U3 USB devices sound like a great idea – a device that will run particular software when you plug it into a computer.

How does it achieve this?

Wisely recognising that most companies disable autorun on USB storage devices because of the security risks, the framers of the U3 standard chose a device format that is physically a USB storage device but claims to be a CD-ROM or DVD-ROM drive. That lets it auto-execute the U3 Launchpad, which is what opens all the various U3 applications.

So, if you want to stop automatic execution of applications on USB storage devices such as thumb-drives, you’ll also need to disable autorun on CD/DVD drives.
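An added example, not part of the original post: Windows controls AutoRun per drive type through the `NoDriveTypeAutoRun` policy bitmask (a value name the post does not mention), and this sketch decodes a mask to show when removable drives are blocked but the CD-ROM path a U3 device relies on is still open. The function names and the sample mask values are constructed for illustration.

```python
# Added example: decode a NoDriveTypeAutoRun mask and check the U3 gap.
# A set bit DISABLES AutoRun for that drive type (documented Windows flags).
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown (reserved)",
}
REMOVABLE, CDROM = 0x04, 0x20


def autorun_disabled_types(mask):
    """Return the drive types for which this mask disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def audit(mask):
    """Summarise one policy value for a report or a compliance check."""
    removable_blocked = bool(mask & REMOVABLE)
    cdrom_blocked = bool(mask & CDROM)
    return {
        "mask": f"0x{mask & 0xFF:02X}",
        "disabled": autorun_disabled_types(mask),
        "removable_blocked": removable_blocked,
        # The U3 Launchpad starts from the partition that claims to be a
        # CD-ROM, so only the CD-ROM bit decides whether it auto-runs.
        "u3_blocked": cdrom_blocked,
        # The case the post warns about: thumb-drives locked down,
        # yet a U3 stick still launches through the CD-ROM class.
        "false_sense_of_security": removable_blocked and not cdrom_blocked,
    }


# Constructed sample policy values, not taken from any real machine.
SAMPLES = {"removable only": 0x95, "removable + cdrom": 0xB5, "all drives": 0xFF}

if __name__ == "__main__":
    for label, mask in SAMPLES.items():
        r = audit(mask)
        verdict = "blocked" if r["u3_blocked"] else "STILL AUTORUNS via CD-ROM"
        print(f'{label:18} {r["mask"]}  U3: {verdict}')
```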

2 Comments

  1.   bradley — January 31, 2007 @ 12:48 am

    Those U3’s are EVIL. I hate usb devices that have that logo.

  2.   Andrew Yeomans — February 5, 2007 @ 7:21 am

    Surely after the Sony rootkit debacle, you will want to disable autorun on CD drives anyway. And I’ve seen anti-virus software triggered by CD-R disks made on an infected home computer.

    What’s wanted is the option to allow automatic running of your local good copy of a media player or web browser, but never execution of code from the disk.
