Summary of "Why Adam Savage Won't Trust USB Keys"
Key Argument: Don’t Rely on “USB Trust” or Simple Blocking
Adam Savage argues that people shouldn’t depend on “USB trust” settings or basic USB-drive blocking, because attackers can disguise malicious payloads as USB devices that behave like keyboards or otherwise bypass simple controls.
He also describes how, at conferences, he refuses to plug in USB keys provided by fans, since unknown devices can contain malware—and may act maliciously as soon as they’re connected.
How Physical Devices Can Compromise Systems (Underestimated Threats)
ThreatLocker security experts explain that physical-access devices can be more dangerous than many organizations assume:
- Entry-level threat: malicious USB “keystroke loggers.” These are installed between a keyboard and computer. Once connected, they can capture passwords and all typed data, and the attacker can later retrieve the device.
- More dangerous threat: devices that bypass USB-drive restrictions by acting as a keyboard. Even if an organization blocks or doesn’t “trust” USB drives, a device can still work if it presents itself as a keyboard rather than a drive. In other words, restrictions may fail because the device isn’t behaving like a storage device.
- Data theft behaviors after connection: Once plugged in, such devices can use built-in tools (e.g., PowerShell) to:
  - exfiltrate documents,
  - capture screenshots on an interval,
  - upload data to cloud storage,
  - avoid detection (including compressing data into a single archive and targeting services that generate high background traffic).
- Detection blind spots: Demonstrations emphasize that major endpoint detection solutions may not alert if attacks use legitimate system utilities and low-visibility upload patterns.
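The gap described in the second bullet (a "block USB drives" rule that never sees a device enumerating as a keyboard) can be shown with a small policy model. This is an added example, not code from the video or from ThreatLocker; the device descriptors, vendor/product IDs and serials are constructed placeholders, and the two policy functions are illustrative rather than any product's logic.

```python
# Added example: why blocking only mass-storage devices misses a keyboard-emulating
# device, and how an explicit device allowlist closes that gap.
from dataclasses import dataclass

USB_CLASS_HID = 0x03           # keyboards and mice enumerate with this interface class
USB_CLASS_MASS_STORAGE = 0x08  # flash drives enumerate with this interface class
HID_PROTOCOL_KEYBOARD = 0x01   # HID boot-protocol value for a keyboard


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    interfaces: tuple  # (interface_class, protocol) pairs read from the descriptor

    def has_interface(self, cls, proto=None):
        return any(c == cls and (proto is None or p == proto) for c, p in self.interfaces)


def naive_policy(dev):
    """The 'block USB drives' rule: it only looks for a mass-storage interface."""
    return "block" if dev.has_interface(USB_CLASS_MASS_STORAGE) else "allow"


def allowlist_policy(dev, allowed):
    """Allow only known (vendor, product, serial) triples; an unknown keyboard is
    a distinct verdict so it can be alerted on rather than silently accepted."""
    if (dev.vendor_id, dev.product_id, dev.serial) in allowed:
        return "allow"
    if dev.has_interface(USB_CLASS_HID, HID_PROTOCOL_KEYBOARD):
        return "block-new-keyboard"
    return "block"


# Constructed sample devices: IDs and serials are placeholders, not real products.
CORPORATE_KEYBOARD = UsbDevice(0x1111, 0x0001, "KB-CORP-0001", ((USB_CLASS_HID, HID_PROTOCOL_KEYBOARD),))
FLASH_DRIVE = UsbDevice(0x2222, 0x0002, "FD-0002", ((USB_CLASS_MASS_STORAGE, 0x50),))
# Behaves exactly like a keyboard on the wire, so nothing distinguishes it by class alone.
KEYBOARD_EMULATOR = UsbDevice(0x3333, 0x0003, "UNKNOWN-0003", ((USB_CLASS_HID, HID_PROTOCOL_KEYBOARD),))
ALLOWED = {(CORPORATE_KEYBOARD.vendor_id, CORPORATE_KEYBOARD.product_id, CORPORATE_KEYBOARD.serial)}


def evaluate(dev):
    """Return both verdicts so the difference between the policies is visible."""
    return {"naive": naive_policy(dev), "allowlist": allowlist_policy(dev, ALLOWED)}


if __name__ == "__main__":
    for name, dev in [("corporate keyboard", CORPORATE_KEYBOARD),
                      ("flash drive", FLASH_DRIVE),
                      ("keyboard emulator", KEYBOARD_EMULATOR)]:
        print(f"{name:18} {evaluate(dev)}")
```

The keyboard emulator is allowed by the naive rule and only stopped by the allowlist, which is the point the demonstration makes.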
USB Isn’t the Only Attack Path
The experts also stress that “USB” is not the only pathway:
- Modern devices and convenience features introduce other channels for attack.
- Bluetooth is one example, such as intercepting connections through paired earbuds (e.g., AirPods on macOS).
- Attackers may gain persistent control and data access without relying on traditional USB-drive behavior.
Defense Strategy: Constrain Damage (Assume Prevention Won’t Be Perfect)
Rather than aiming to stop every malicious device or every user mistake, the coverage focuses on limiting impact:
- Apply least privilege / zero trust-style controls, limiting what software and tools can do—especially built-in utilities like PowerShell and curl.
- Restrict internet and data access for components that don’t need it.
ThreatLocker’s approach also includes software-style enforcement plus IT training, based on the idea that users will inevitably make mistakes. The goal is to treat defenses as “crash barriers”—preventing small incidents from becoming catastrophic compromises.
Practical Advice for Viewers
- Don’t plug in unknown devices.
- Validate requests through IT via trusted channels (not just messages or calls).
- Avoid running untrusted downloads.
- Where possible, separate high-risk activities (like banking) onto dedicated machines—especially since “free” downloads and games often carry risks, even when unintentional.
Presenters / Contributors
- Adam Savage
- ThreatLocker (security experts shown in the discussion; including a speaker identified as “Kieran” during an attacker/victim demo—“Kieran here is my attacker”)
- ThreatLocker team (mentioned generally, e.g., “security experts from Threat Locker,” “threat intelligence team,” and “chief product officer”)
Category
News and Commentary