Hello, this is Hamamoto from TIMEWELL.
In June 2026, a slightly chilling piece of news broke. At the Ground Self-Defense Force's Middle Army command, a USB drive infected with malware—Chinese-made—had been connected to terminals of a system handling classified information. And it had gone unnoticed for about a year[^1]. Let me note this precisely: per the Defense Ministry, the malware was a classic self-propagating type, and information theft or external communication was not confirmed[^2]. So this is not a story of "secrets leaking to China." Even so, what this case laid bare feels heavy. It showed, plainly, that management of the physical entrance can collapse from a single USB drive.
When we hear "information leak," we tend to imagine sophisticated cyberattacks. But in reality, everyday carelessness—plugging in a USB, connecting a cable, joining free Wi-Fi—is often the entrance. This time I'll organize the risks of these physical routes based on verified facts. It isn't flashy, but sealing these off is, in the end, the most reliable leak prevention. If you're wondering whether your own data management is sound, check your footing first with our AI readiness check.
USB drives and external storage—the oldest and most effective entrance
As the JSDF case showed, USB drives are still the entrance to watch most. Even an isolated, air-gapped system that isn't connected to the internet gets crossed by USB.
History proves it. In 2008, the classified networks of the US Department of Defense were breached by a single infected USB drive plugged into a laptop at a base in the Middle East—later disclosed officially as the most significant breach of US military computers ever[^3]. Stuxnet, which struck Iran's nuclear facility in 2010, made its final leap into control equipment cut off from the network via USB as well[^4]. Even national-level, tightly secured environments have been broken through this route.
What's tricky is that the USB threat isn't just virus files. "BadUSB," published by researchers in 2014, rewrites a USB device's firmware to make a USB drive impersonate a keyboard and type commands on its own. The frightening part: antivirus software can't detect it, and reformatting doesn't remove it[^5]. It looks like just a USB drive, but inside it's an attacker's agent.
And people are more defenseless than they think. A research team at the University of Illinois and others ran an experiment dropping 297 USB drives around campus. The result: 98 percent were picked up, and 45 percent had their files opened[^6]. A dropped USB gets plugged into someone's PC at a considerable rate. In Japan too, in a case where about 35 million customer records were taken from a major education company, a contractor's engineer transferred them by cable from a work PC to a personal smartphone[^7]. Malicious exfiltration and the carelessness of a found USB both arise from the same physical route.
The countermeasures, at bottom, are simple. Don't connect external storage of unknown origin. On terminals handling classified information, control USB use itself and make any connected media subject to virus checks. What was flagged in the JSDF case was exactly that the virus-check rule wasn't followed and USB was left out of the check scope[^2]. Rules can exist and still break in practice. That's why you need to stop it with a system, not rely on human attention.
Struggling with AI adoption?
We have prepared materials covering ZEROCK case studies and implementation methods.
Charging cables and ports—cables can be tampered with
Next, an oft-overlooked area: charging. The assumption "it's just charging, so it's safe" becomes dangerous here.
Emblematic is the O.MG cable that researchers published. It looks like an ordinary charging cable anywhere, yet inside the housing sit a Wi-Fi chip and a keylogger, and it can remotely log keystrokes or inject commands. By 2021 it was mass-produced and even sold commercially[^8]. Tools like the "USB Rubber Ducky," which take the shape of a USB drive while auto-typing at furious speed, have been around for ages. You can't judge safety by appearance, for cables or drives.
On public charging stations, the FBI and FCC urge avoiding free USB charging ports at airports, hotels, and shopping centers, because of the risk of "juice jacking"—malware pushed in from a tampered USB port[^9]. Let me be honest here. The FBI's warning is general awareness-raising, and no publicly documented case of actual harm from juice jacking has been confirmed so far[^9]. So you needn't be overly afraid. But given that tools like the O.MG cable really are sold, it doesn't hurt to be prepared.
The practical countermeasures: charge with your own genuine cable and, ideally, an AC adapter—that is, a wall outlet. If you must use a public USB port, insert a data blocker that physically cuts the data lines. And don't plug a cable of unknown origin, borrowed from someone, into your own device. Just this nearly eliminates the risk via tampered cables.
HDMI, smart TVs, and free Wi-Fi—the traps of video and radio waves
Meeting-room TVs and networks away from the office have careless entrances too.
Start with smart TVs. In fact, on this point a lawsuit that backs up the intuition is actually underway. In December 2025, Texas Attorney General Paxton sued five major companies—Sony, Samsung, LG, and the Chinese-based Hisense and TCL[^10]. The issue is a technology in these TVs called ACR (Automated Content Recognition). ACR captures the sound and image on the screen every 500 milliseconds and—not just streaming but the display content of external devices connected via HDMI, such as cable boxes and game consoles—monitored and transmitted it externally, the AG alleges. The collected viewing data was said to be sold to data brokers for advertising, and the suit is based on the Texas Deceptive Trade Practices Act. Temporary restraining orders halting data collection have already been issued against Hisense and Samsung, and the complaint also touches on the point that data collected by Hisense and TCL could be shared with authorities under China's National Security Law. The final outcome isn't decided yet, but the claim that "the TV monitored and transmitted even the screen of an HDMI-connected external device" was formally raised by a state attorney general.
This picture is backed by research too. A 2024 academic study demonstrated that even when you use a TV as a mere external display connected via HDMI, ACR captures the content of that HDMI input[^11]. In the past, a US manufacturer collected viewing data without consent from about 11 million TVs and sold it, settling with authorities for 2.2 million dollars[^12]. ACR itself isn't unique to Chinese-made products; it's a risk common to smart TVs generally. But that two of the five companies Texas sued are Chinese-based, and China's legal system was named as a concern, is something you can't overlook from an economic-security standpoint. Is the TV showing your confidential material in the meeting room an internet-connected smart TV? It's worth checking once.
The other is free Wi-Fi. There's a technique called "Evil Twin" that sets up a fake access point identical to the real one to steal communications, and this is happening as actual crime, not theory. In 2024 in Australia, a person who ran fake free Wi-Fi at airports and on planes and stole the credentials of those who connected was prosecuted and given a prison sentence[^13]. The FBI has also warned specifically that hotel Wi-Fi can be abused for fake access points and fake login pages[^14]. The basic defenses don't change. Don't do sensitive exchanges on free Wi-Fi. If you use it, go through a VPN or use your smartphone's tethering. Check whether the connection point is genuine and the communication encrypted. It's plain, but it works.
Easy-to-miss, other careless traps
Beyond these three, there are still more careless entrances. Let me list them together.
- Shoulder surfing: your screen seen from behind on the train or in a café. In one experiment, the success rate of obtaining information by peeking reached 91 percent[^15]. A privacy filter and where you sit change this greatly.
- Physical implants on left-behind devices: the "Evil Maid attack," where an encrypted laptop left in a hotel room is tampered with in a short window, is well known. In a real case, at a UK bank, a culprit posing as an IT worker secretly connected a remote-control device to a branch PC and had large sums transferred[^16].
- Fake QR codes: "quishing," replacing a legitimate QR code with a sticker to lure you to a fake site. The FBI and FTC warn about it repeatedly.
- Bluetooth: vulnerabilities allowing takeover without pairing have been found in the past. Turn it off when not in use—that's the basic.
- Locking when you step away: plug a keyboard-impersonating USB into an unlocked device you left, just for a moment, and it can be operated without a trace.
Each of these looks trivial. But the state and companies alike are moving to seal off exactly this "physical entrance" through rules. Japan's Defense Ministry banned connecting personal USB devices back in a 2007 directive[^17], and the guidelines for eligible operators of economic-security information the Cabinet Office issued in 2025 require, in writing, that terminals handling important information not be connected to the internet, that logs of writing to portable media and printing be kept, and even that smartphones, recorders, and cameras be banned from the area[^18]. Cutting off physical leak routes is the foundation of preventing tech outflow, and the institutional side clearly recognizes it too.
Crush "carelessness" with a system
Laying all this out, a common thread emerges. Every one of them, so long as it relies on individual attention, will break someday. The JSDF case, too, had rules that weren't kept in practice. When people are busy, they plug in found USBs, charge at airports, and join free Wi-Fi. That's why, beyond urging caution, making the dangerous act impossible in the first place is what works.
Control USB ports, encrypt media, isolate environments handling sensitive information. On top of these endpoint defenses, grasping for yourself "where the data to protect is, and who can access it" lowers the leak risk twofold. Our enterprise AI, ZEROCK, was designed to handle data on domestic servers in Japan and to let you control who can use which information. The effort to seal the physical entrance, and a foundation that lets you manage the data itself. Only when both wheels are in place does information become hard to leak. On the risks that physical-AI and IoT devices themselves carry, I've written in detail in the article on checking where devices' data goes. Reading it alongside this will give you the full picture, from entrance to exit.
Information leaks usually begin not with a flashy incident but with quiet carelessness. Before you plug in the USB, before you borrow the cable, before you join the Wi-Fi—take a breath. Turning that breath from an individual's mindfulness into an organization's system is, I believe, the realistic answer for tech-outflow prevention going forward. If you'd like to discuss how to shore up your own information security, reach out through an individual consultation.
References
[^1]: A case in which a Chinese-made disguised USB drive (malware-infected) was connected to terminals including closed/classified systems at the Ground Self-Defense Force's Middle Army command for about a year. Nikkei (June 25, 2026). https://www.nikkei.com/article/DGXZQOCD075JJ0X00C26A5000000/ [^2]: The Defense Ministry's explanation that it was "a classic self-propagating malware, with no confirmed information theft or external communication," and that USB was left out of virus-check scope on the terminals. piyolog summary (2026). https://piyolog.hatenadiary.jp/entry/2026/07/08/002522 [^3]: The 2008 breach of US Department of Defense classified networks via an infected USB drive plugged in at a Middle East base (Operation Buckshot Yankee), officially disclosed by Deputy Secretary of Defense William J. Lynn III. Foreign Affairs (2010). https://www.foreignaffairs.com/articles/united-states/2010-09-01/defending-new-domain [^4]: Stuxnet (2010) entering an air-gapped environment via removable (USB) drives, exploiting the LNK vulnerability CVE-2010-2568. Symantec "W32.Stuxnet Dossier." https://nsarchive2.gwu.edu/NSAEBB/NSAEBB424/docs/Cyber-044.pdf [^5]: BadUSB (a USB device impersonating a keyboard; undetectable by antivirus and not removable by reformatting). Karsten Nohl et al. (SR Labs, Black Hat USA 2014). https://radetskiy.wordpress.com/wp-content/uploads/2014/08/srlabs-badusb-blackhat-v1.pdf [^6]: A study testing whether people connect dropped USB drives (of 297, 98% were picked up and 45% had files opened). Tischer, Durumeric et al., IEEE Symposium on Security and Privacy 2016. https://ieeexplore.ieee.org/document/7546509/ [^7]: A customer-data exfiltration incident at a major education company (a contractor's engineer transferred data by cable from a work PC to a personal smartphone; violation of the Unfair Competition Prevention Act). Various reports (2014). [^8]: The O.MG cable (a charging cable with a built-in Wi-Fi chip and keylogger; mass-produced and sold commercially from 2021). Vice (September 2, 2021) and Hak5 official. https://www.vice.com/en/article/k789me/omg-cables-keylogger-usbc-lightning [^9]: FBI and FCC warnings on public USB charging (juice jacking), and the point that no publicly documented case of actual harm from juice jacking has been confirmed. KrebsOnSecurity (2023) and the FCC consumer advisory. https://krebsonsecurity.com/2023/04/why-is-juice-jacking-suddenly-back-in-the-news/ and https://www.fcc.gov/juice-jacking-dangers-public-usb-charging-stations [^10]: Texas AG Paxton's lawsuit against five smart-TV companies (Sony, Samsung, LG, and Chinese-based Hisense and TCL) over ACR (Automated Content Recognition) data collection without consent (December 15, 2025). ACR is alleged to capture screen sound/image every 500 milliseconds and monitor/transmit the display of cable boxes and HDMI-connected devices, asserting a Texas Deceptive Trade Practices Act (DTPA) violation. Temporary restraining orders (TROs) halting data collection against Hisense and Samsung. The complaint also notes data from Hisense and TCL could be shared with authorities under China's National Security Law. Outcome undecided. Texas AG announcement and Alston & Bird / IAPP commentary. https://www.texasattorneygeneral.gov/news/releases/attorney-general-paxton-sues-five-major-tv-companies-including-some-ties-ccp-spying-texans and https://iapp.org/news/a/automated-content-recognition-technology-takes-privacy-enforcement-spotlight [^11]: A study demonstrating that smart-TV ACR (Automated Content Recognition) captures and transmits to servers the content of HDMI-connected external devices. Anselmi, Vekaria et al., "Watching TV with the Second-Party," ACM IMC 2024. https://arxiv.org/abs/2409.06203 [^12]: A US manufacturer collecting and selling viewing data without consent from about 11 million TVs via ACR, settling with the FTC and others for 2.2 million dollars (February 2017). FTC. https://www.ftc.gov/news-events/news/press-releases/2017/02/vizio-pay-22-million-ftc-state-new-jersey-settle-charges-it-collected-viewing-histories-11-million [^13]: Prosecution and imprisonment of a person who ran fake free Wi-Fi (Evil Twin) at airports and on planes to steal credentials. Australian Federal Police (AFP, June 2024). https://www.afp.gov.au/news-centre/media-release/man-charged-over-creation-evil-twin-free-wifi-networks-access-personal [^14]: FBI/IC3 warning on hotel Wi-Fi risks (fake access points, fake login pages, device monitoring) (October 6, 2020, PSA). https://www.ic3.gov/PSA/2020/PSA201006 [^15]: A 91% success rate for obtaining information via visual hacking (shoulder surfing) in a global experiment across eight countries. Ponemon Institute and 3M. https://multimedia.3m.com/mws/media/1254330O/global-visual-hacking-experiment-whitepaper.pdf [^16]: A case at a UK bank branch where a culprit posing as an IT worker secretly connected a KVM switch and communication device to transfer funds remotely (2013; sentencing 2014). The Register. https://www.theregister.com/2014/04/25/kvm_crooks_jailed/ [^17]: Japan Defense Ministry "Directive on Information Assurance" (Directive No. 160 of 2007), Article 45, banning the connection of personal USB and similar devices to information systems. https://www.clearing.mod.go.jp/kunrei_data/a_fd/2007/ax20070920_00160_000.pdf [^18]: Cabinet Office "Guidelines for Eligible Operators on the Protection and Use of Important Economic Security Information" (May 2025). Requires, in writing, non-connection to the internet of terminals handling important information, retention of logs of writing to portable media and printing, a ban on bringing smartphones, recorders, and cameras into the area, and encrypted storage of media. https://www.cao.go.jp/keizai_anzen_hosho/hogokatsuyou/doc/jigyousyagl.pdf
