Invasion of the Pod Slurpers

Sales figures of 100 million iPods were announced yesterday by Apple Inc. The pocket-sized music player is popular with consumers and has been instrumental in defining modern youth as "the iPod generation". Yet the same gadget can be used by anyone wishing to steal data or upload malignant software.

Pod slurping occurs when a portable USB device such as a PDA, flash drive pen or memory stick is used to download large amounts of information without the owner's consent. Such devices are plugged into a computer in order for the data stored upon them to be copied illicitly.

The dangers of the technique are twofold. Firstly, the Universal Serial Bus port and its "trident" logo are almost omnipresent, making the vast majority of computers vulnerable to this practice. Secondly, the devices themselves - such as iPods - are so popular to be nearly as widespread, usually carried by people with perfectly innocent explanations for owning them. Unlike, say, a disk loaded with malware, society has come to accept the fact that people like to have their music on the move.

The possibilities of USB networking have become part and parcel of work and leisure, supplying the unscrupulous with opportunities. The same principles that make these facilities so popular and useful also line up a potential windfall for thieves.

USB-based attacks could be a universal problem, but those terminals where anonymity and large financial yields are real possibilities provide the most lucrative targets. Research shows that many such attacks are "inside jobs", where those with physical access to data can bypass the standard software-based guards that would normally prevent incursions from viruses, spam and spyware. The temptation embodied in an unattended PC provides the pathway to being pod slurped.

The danger of pod slurping was first identified less than two years ago, when applications entrepreneur Abe Usher staged a demonstration of the technique by using a mobile storage device to capture 100 MB of documentation in under two minutes. Ever since, the solutions to the problem have varied in sophistication, from bunging up USB ports with epoxy resin to installing software which provides complex removable storage management settings. A number of third-party anti-slurping solutions have appeared in the software market. Some companies simply ban portable storage devices from the workplace. All such solutions are aimed at curbing data theft and/or obstructing the introduction of malware onto networks.

There is a basic problem at the heart of pod slurping: growing prosperity and improving technologies continue to increase its potential scale and sophistication. Unlike the hackers and virus-writers of the 1990s, one does not need much skill or equipment to be a pod slurper. The 80 GB storage space on a personal music device could hold an equivalent amount of commercial data, which could then be used in fraudulent or other illicit ways.

The picture is not one-sidedly grim, however. One way to address the problem is to raise awareness: computer crimes that rely on attacking the hardware are taken less seriously than their networked counterparts, but this could change. Another way of tackling pod slurping is shoring up the information security landscape through effective software and information management.

"Although there is room for improvement, businesses and individuals in the region are rightly concerned about web-based threats to computer security. The scope to abuse popular portable storage devices means that vigilance is also needed for networks accessible through a simple USB port. People are shocked when sensitive data goes missing on lost laptops, but there's potentially an equally serious problem lurking in music lovers' pockets," said Justin Doo, Managing Director of Trend Micro in the Middle East and Africa region.