USB drives are an essential tool for many businesses, including highly regulated industries. They’re often used for firmware updates to production equipment and for secure data transfers between air-gapped systems. Not to mention the day-to-day transfer of data that can’t be uploaded to the cloud.
However, removable media remains a widespread blind spot in modern security frameworks. While you invest in firewalls, endpoint protection, and network segmentation, USB devices have the potential to bypass every one of these controls.
According to industry research, removable media accounts for 30% of virus and malware infections. The human factor amplifies USB security risk. Studies show 48% of people will plug in found USB drives without checking them first, a statistic that attackers exploit through deliberate “USB drop” attacks in parking lots and public spaces.
The problem isn’t that companies lack USB security policies. It’s that many treat removable devices as data leakage concerns when the real threat is attack delivery.
Five USB Control Gaps That Increase Your Exposure
1. The Air Gap As Security Theatre
Compliance auditors love air-gapped systems because they physically separate critical infrastructure from the internet. But air gaps are only as secure as the USB devices companies use to transfer data across them.
Fifteen years after Stuxnet used USB drives to compromise Iran’s air-gapped nuclear facility, the attack pattern remains viable. Physically isolated systems need maintenance and data transfers, and when operational technology goes down, the fix arrives on a USB drive.
ISO 27001, NIST frameworks, and PCI DSS focus on network segmentation but provide minimal guidance on physical media controls. They check whether air gaps exist, not whether USB usage is monitored, logged, or secured. The assumption is simple and wrong: if it’s not networked, it’s secure.
2. The Expanding USB Attack Surface
Your internal employees may follow USB security policies, but what about the field service technician arriving with USB-based diagnostic tools? Supply chain security typically focuses on software vendors and network connections. Physical media from contractors and third-party service providers is barely mentioned.
This is the gap that the Raspberry Robin worm exploited. Access brokers seek out and compromise service providers precisely because they have trusted physical access to isolated systems. Attackers compromise the contractor first, then use that legitimate access to introduce malware during scheduled maintenance.
3. BadUSB: Firmware-Level Attacks That Defeat Traditional Antivirus
USB devices contain reprogrammable firmware that controls how they identify themselves to the operating system. A drive can appear as storage while secretly functioning as a keyboard that types malicious commands when it’s plugged in. Firmware-level attacks operate below the operating system, where traditional antivirus software cannot see them.
Many USB security implementations require malware scanning and endpoint protection. But firmware-level attacks bypass these controls entirely. A traditional virus scanner can examine every file on the drive and find nothing, because the malware isn’t in the files. It’s in the controller chip.
Even sophisticated technical controls like Apple’s USB Restricted Mode, which is designed to prevent unauthorized USB access, have proven vulnerable. CVE-2025-24200, disclosed in January 2025, demonstrated a bypass of iOS USB restrictions in an “extremely sophisticated” attack.
4. Policy Compliance Without Technical Enforcement Is Wishful Thinking
Compliance frameworks tend to allow policy-based controls as an acceptable mitigation. Organizations draft USB compliance policies. Auditors verify the policy exists and mark the control as “implemented.”
In many organizations, that’s as far as it goes. Removable media remains in use with no technical USB security enforcement and no scanning requirements. Technical enforcement requires real controls: port-level logging, mandatory scanning, and device restrictions.
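What “real controls” look like in code, as an added illustration that is not part of the original article or any TYREX product: a checkpoint policy evaluator that enforces a device allowlist, rejects any device exposing an interface class other than mass storage (the storage-plus-keyboard masquerade from section 3 above), folds in the result of a file-level scan, and writes a structured audit record for every decision. The vendor/product IDs, serial numbers, port name and scan results are constructed sample values, and the allowlist is a hypothetical site policy.

```python
"""USB checkpoint policy: allowlist + interface-class check + audit log.

Added example, not the article's or TYREX's code. Device identifiers
and the allowlist below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# USB interface class codes from the USB-IF class code table
HID_CLASS = 0x03           # keyboards, mice: can inject keystrokes
MASS_STORAGE_CLASS = 0x08  # what a checkpoint expects a "drive" to be

# Hypothetical site allowlist of (vendor_id, product_id) pairs (placeholders)
ALLOWLIST = {(0x1234, 0x0001)}

# Least privilege: only storage interfaces are permitted at the checkpoint
PERMITTED_CLASSES = {MASS_STORAGE_CLASS}


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interface_classes: tuple   # classes read from the device's descriptors
    scan_clean: bool           # outcome of the file-level malware scan


def evaluate(device):
    """Return ('approved' | 'quarantined', [reasons]) for one device."""
    reasons = []
    if (device.vendor_id, device.product_id) not in ALLOWLIST:
        reasons.append("device model not on site allowlist")
    unexpected = sorted(set(device.interface_classes) - PERMITTED_CLASSES)
    if HID_CLASS in unexpected:
        # Storage that also enumerates as a keyboard is the BadUSB pattern:
        # it can type commands no matter how clean its files are.
        reasons.append("device presents a HID (keyboard/mouse) interface")
    elif unexpected:
        reasons.append("device presents non-storage interface classes: "
                       + ",".join(f"0x{c:02x}" for c in unexpected))
    if not device.scan_clean:
        reasons.append("file-level scan reported malware")
    return ("approved" if not reasons else "quarantined"), reasons


def audit_record(device, port, verdict, reasons, when=None):
    """Build one structured log entry: device, port, time, result, why."""
    when = when or datetime.now(timezone.utc)
    return {
        "timestamp": when.isoformat(),
        "port": port,
        "vendor_id": f"0x{device.vendor_id:04x}",
        "product_id": f"0x{device.product_id:04x}",
        "serial": device.serial,
        "interface_classes": [f"0x{c:02x}" for c in device.interface_classes],
        "verdict": verdict,
        "reasons": reasons,
    }


def checkpoint(devices, port, log_path=None):
    """Evaluate every device, emit JSON-lines audit records, return verdicts."""
    results, lines = {}, []
    for dev in devices:
        verdict, reasons = evaluate(dev)
        lines.append(json.dumps(audit_record(dev, port, verdict, reasons)))
        results[dev.serial] = verdict
    if log_path:  # append-only so the record survives for auditors
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return results, lines


# Constructed sample devices (not real hardware identifiers)
SAMPLE_DEVICES = [
    UsbDevice(0x1234, 0x0001, "SN-APPROVED-01", (MASS_STORAGE_CLASS,), True),
    UsbDevice(0x1234, 0x0001, "SN-BADUSB-02", (MASS_STORAGE_CLASS, HID_CLASS), True),
    UsbDevice(0x5678, 0x00AA, "SN-UNKNOWN-03", (MASS_STORAGE_CLASS,), False),
]

if __name__ == "__main__":
    verdicts, records = checkpoint(SAMPLE_DEVICES, port="kiosk-1/usb2")
    for line in records:
        print(line)
```

The design point is that the allowlist, the interface-class check and the scan result are independent controls, and a device is only approved when all three pass; the second sample device has clean files and an approved model yet is quarantined purely because it exposes a keyboard interface, which is exactly the case a file scanner alone would miss.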
5. Defense Industry Requirements Go Beyond “Use Encrypted Drives”
Organizations handling Controlled Unclassified Information (CUI) for defense contracts face requirements that generic USB compliance programs don’t meet. The Cybersecurity Maturity Model Certification (CMMC) 2.0 program began appearing in DoD contract requirements in late 2025. It imposes specific standards that many “compliant” organizations aren’t meeting.
Key requirements include:
- FIPS-validated encryption: NIST SP 800-171 requirements 3.8.9 and 3.13.11 together mandate FIPS 140-validated encryption for CUI stored on removable media.
- Evidence-based assessment: CMMC assessments require documented artifacts and evidence to demonstrate compliance. That can include scanning logs, access controls, usage records, and technical enforcement.
- System Security Plans: Organizations must maintain an SSP documenting how NIST SP 800-171 media protection requirements are implemented through both policy and technology.
CMMC represents where compliance frameworks are heading. The trend is away from policy attestation and toward technical validation and proof of implementation. Organizations serving defense OEMs, aerospace manufacturers, or technology companies in the defense supply chain need to understand these requirements now.
Hardware Enforcement: Closing the USB Control Gap
Hardware USB decontamination stations create a mandatory checkpoint. Every USB device passes through multi-layer scanning before it is connected to sensitive systems.
The TYREX approach addresses each compliance and security gap through layered detection:
- Multi-engine scanning runs up to five antivirus engines and two anti-malware solutions simultaneously, catching threats that single-engine systems miss. This addresses the 51% of malware now optimized for USB delivery, including variants designed to evade traditional detection.
- Firmware-level inspection detects BadUSB attacks by examining the device’s electronic and software layers, not just file contents. When USB devices attempt to masquerade as different device types, TYREX Decontamination Stations identify and flag the deception.
- Behavioral analysis identifies zero-day threats and advanced persistent threats through deep inspection and anomaly detection, catching attacks that signature-based tools miss entirely.
- Centralized logging creates the audit trail that compliance frameworks demand but organizations rarely have. Every scan generates a record: device details, timestamp, scan results, and whether the device was approved or quarantined. When auditors ask for proof-based evidence of USB security controls, these logs provide it.
TYREX integrates with your existing security infrastructure through Security Information and Event Management (SIEM) platforms and management servers, providing enterprise-wide visibility without replacing existing tools.
To learn more about how TYREX Decontamination Stations close the USB security gap, schedule a consultation with our experts.