USB Drops at Fire Stations — Threat Model, Group Policy Controls, and the Charging Problem
A thumb drive on a concrete floor in an apparatus bay looks like a lost tool. It has a lanyard or a rubber sleeve and it is lying near the bay door where someone dropped it. A firefighter picks it up and plugs it into the station workstation to find the owner's name in the file directory. That is the end of the attack surface analysis for about ninety percent of public safety agencies.
The attacker never needs to break a lock. They just need to get within throwing distance of an open bay door and leave something that looks like it belongs.
> The DHS study found that 60 percent of USB drives dropped in parking lots were plugged into internal networks within minutes.
USB Drop Attack Prevention for Fire Stations
USB drops are not new. They have been tested against government facilities and corporate campuses and military installations for years. The Department of Homeland Security ran exercises where they left drives in parking lots and measured how many ended up plugged into internal networks. The numbers were consistently high.
Fire stations have a harder version of this problem because the bay doors stay open during the day and apparatus bays are semi-public. Civilians walk past. Delivery drivers come in. The line between the public area and the operations floor is often just a painted stripe on the concrete. A person does not need to bypass a fence. They just need to walk past the bumper of the engine and leave something on the bench.
The risk is not the drive itself but what happens when it gets plugged into a station workstation that has access to CAD, ePCR, or billing systems. A single drive with a Rubber Ducky payload can open a reverse shell in under thirty seconds. The workstation becomes a pivot point into whatever else the agency is running.
QR-code quishing attacks at the station cover a similar entry vector through a different medium. Both rely on the same thing. A first responder trained to help will help.
How to Disable USB Mass Storage via Group Policy
The technical controls are straightforward and deployment-ready for any agency running Windows workstations.
The Group Policy path is:
Computer Configuration > Administrative Templates > System > Device Installation Restrictions
Enable the policy that prevents installation of devices not on an approved list. Then configure the list to allow only specific classes. HID devices like keyboards and mice stay. Mass storage devices get denied.
For agencies that do not use Active Directory, the same restriction works through local Group Policy or the registry. The USBSTOR service can be disabled by setting its Start value to 4:
HKLM\System\CurrentControlSet\Services\USBSTOR\Start = 4 (DWORD)
A reboot applies the change. Workstations no longer mount USB mass storage. This is a single-registry-change defense that blocks the entire class of storage-based USB attacks.
But it does not block HID attacks. A Rubber Ducky presents itself as a keyboard. The OS will accept its input regardless of USBSTOR settings. That is why registry changes alone are not enough.
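The USBSTOR change and its limit, as an added PowerShell example that is not from the original post: it applies Start=4, verifies the value, and then lists the HID-class devices that remain usable regardless of that setting. It assumes an elevated session on Windows 8 or later (for Get-PnpDevice).

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# Assumes: local admin rights; Windows 8+ for the PnpDevice module.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Disable-UsbMassStorage {
    # Start = 4 is SERVICE_DISABLED: the USB mass storage driver will not load.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord
}

function Test-UsbMassStorageDisabled {
    # Returns $true only when the Start value is exactly 4.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start').Start
    return ($start -eq 4)
}

function Get-PresentHidDevices {
    # HID-class devices (keyboards, mice, and anything that claims to be one)
    # keep working with USBSTOR disabled. This is the gap the text describes,
    # and it is why EDR and least privilege are still needed.
    Get-PnpDevice -Class 'HIDClass' -PresentOnly |
        Select-Object FriendlyName, InstanceId, Status
}

Disable-UsbMassStorage
if (Test-UsbMassStorageDisabled) {
    Write-Host 'USBSTOR disabled (Start=4). Reboot to apply the change.'
} else {
    Write-Warning 'USBSTOR Start is not 4; check permissions or a policy override.'
}
Write-Host "`nHID devices still present (unaffected by USBSTOR):"
Get-PresentHidDevices | Format-Table -AutoSize
```

Run Test-UsbMassStorageDisabled on its own from a GPO startup script or RMM check to confirm the value has not drifted back.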
Securing Public Safety Workstations from USB Threats
Endpoint detection and response tools catch some of what the registry misses. EDR software can detect the rapid keystroke rate of a HID payload. A human being can type about two hundred characters per minute. A Rubber Ducky types over a thousand. That pattern is visible to tools that monitor input behavior.
Least privilege stops the rest because a logged-in user without local admin rights cannot install drivers, modify registry keys, or persist across reboots. The station workstation should run under an account that can use the browser and the ePCR application and nothing else.
This is easier said than done because many ePCR vendors still require admin rights to run their software. That condition is itself a threat vector that should be raised with the vendor. An EMS application that requires admin rights on the workstation is a design problem.
USB Data Blockers for EMS Station Charging
The operational friction point is charging. Medics and firefighters need to charge phones and tablets and the station workstation has USB ports that are right there. Blocking storage through GPO does not stop someone from plugging in a phone cable. The phone charges, but it also enumerates as a device and establishes a data connection.
The fix is a USB data blocker. This is a physical adapter that connects the power pins and breaks the data pins. A phone plugged through a data blocker can charge at full speed while the workstation sees nothing connected. The hardware costs about ten dollars each. Put one on every station workstation cable.
Some agencies go further and install dedicated charging stations in the day room or the kitchen. A multi-port charger bolted to the wall removes the incentive to use the CAD workstation as a phone charging dock. That solves the human problem without asking anybody to change their behavior.
Preventing Rubber Ducky Attacks in Public Safety Agencies
Combining the controls works better than any single one. Block mass storage via registry or GPO, deploy data blockers on every station workstation cable, and install physical charging stations in common areas. Run EDR on every workstation and enforce least privilege accounts. Audit USB device logs weekly.
The combination approach matters because no single control covers every attack. Registry changes block storage. Data blockers eliminate the data path on charging cables. EDR catches HID emulation. Least privilege limits what a successful payload can do. The combination covers the attack surface better than any one of them alone.
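The weekly USB audit the text calls for, as an added PowerShell example that is not from the original post: it reads the mass storage history Windows keeps under Enum\USBSTOR (which survives disabling the driver), lists the keyboards attached right now (a HID payload device shows up as an extra keyboard), and pulls recent Plug and Play device arrivals. It assumes an elevated session and that the Kernel-PnP Configuration log with event IDs 400 and 410 is present on the build.

```powershell
# Added example (not from the original post). Run as admin on each workstation.
# Assumes: Kernel-PnP/Configuration log, event ID 400 = device configured and
# 410 = device started (assumed log source; adjust if your build differs).

$Days = 7

function Get-UsbStorageHistory {
    # Every USB mass storage device this machine has ever enumerated.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $deviceType = $_.PSChildName            # e.g. Disk&Ven_...&Prod_...
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Device       = $deviceType
                SerialOrId   = $_.PSChildName
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Get-AttachedKeyboards {
    # More than one keyboard on a single-seat station workstation is worth a look.
    Get-PnpDevice -Class 'Keyboard' -PresentOnly |
        Select-Object FriendlyName, InstanceId
}

function Get-RecentDeviceArrivals {
    param([int]$LookbackDays = $Days)
    $filter = @{
        LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
        Id        = 400, 410
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'USB' } |
        Select-Object TimeCreated, Id,
            @{ n = 'Device'; e = { ($_.Message -split "`n")[0] } }
}

"== USB storage devices ever seen on $env:COMPUTERNAME =="
Get-UsbStorageHistory | Format-Table -AutoSize
"== Keyboards attached right now =="
Get-AttachedKeyboards | Format-Table -AutoSize
"== USB device arrivals in the last $Days days =="
Get-RecentDeviceArrivals | Format-Table -AutoSize
```

Any storage entry dated after USBSTOR was disabled, or a second keyboard nobody can account for, is the item to chase that week.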
Frequently Asked Questions
Can I just disable Autorun to stop USB attacks?
No. Modern USB attacks use HID emulation. The drive presents itself as a keyboard, not a storage device. Autorun settings do not apply because the OS never sees a file to run.
How do we let staff charge phones without opening the system to USB threats?
Use USB data blockers. These are physical adapters that connect power pins and break data pins. They cost about ten dollars each. Put one on every workstation USB cable or install dedicated charging stations away from critical machines.
What is the biggest risk of a USB drop in a fire station?
Ransomware deployed through a station workstation that has access to CAD or ePCR systems. That stops the agency from dispatching or charting calls. It delays patient care and creates a HIPAA breach if patient data is encrypted or exfiltrated.
Does disabling USBSTOR stop Rubber Ducky attacks?
No. USBSTOR controls mass storage. A Rubber Ducky presents as a keyboard and the OS treats it as an HID device. You need EDR and least privilege to cover this class of attack.
What is the single cheapest control I can deploy tomorrow?
A registry change to disable USBSTOR takes sixty seconds and costs nothing. Deploy it via GPO or locally on every station workstation. It does not stop HID payloads, but it removes the entire storage-based attack class for zero dollars.
The attacker who drops a drive in an apparatus bay is betting that a firefighter will plug it in out of habit. That is a reasonable bet based on the numbers. The job is to make the bet wrong on every workstation in the agency.
-- Steven