A recently discovered flaw within USB (Universal Serial Bus) devices could be used to infect a computer and perform malicious activity without the user’s knowledge, even USB devices which appear to be empty.
The researchers Karsten Nohl and Jakob Lell say there is no practical way to defend against such vulnerability. The body responsible for the USB standard, the USB working party, said that manufacturers could build in extra security.
Whilst it is common and well known for USB devices to easily spread malware by infecting the device itself, this new threat poses a serious and dangerous problem which can become even more widespread.
The research tells us that a USB contains a small chip which the computer uses to identify what type of device has been connected, such as a phone, mouse, tablet or any other hardware. The chip is what led to the USB becoming so popular and universally accepted due to its versatility, but has also proved to be its security downfall.
A demonstration by Nohl and Lell showed how malicious code was implanted on a USB memory stick which tricks the computer into thinking a keyboard has been plugged in. The device then started “typing in” commands to download malicious programmes from the internet, which can all be done without the user knowing. Nohl also demonstrated how they were able to create a fake copy of a legitimate website, such as PayPal, and steal user login credentials. Similar methods can also be used to hijack internet browsing sessions. However, unlike attacks of a similar nature where the fake website could be identified by studying the website address, there were no visible clues that the user was under threat.
Unfortunately, due to the nature of the new vulnerability, there is little users can do to protect themselves from such attacks. However users should never plug in USB unless it is a device that can be 100% trusted. Never use a USB device which has been used by anyone else before or if there’s a chance that it could be compromised (for example, freebies at a fair).
