USB discovered to have a critical undetectable security flaw
A recently discovered flaw in USB (Universal Serial Bus) devices could be used to infect a computer and perform malicious activity without the user's knowledge. It is well known that USB devices can spread malware when the device itself is infected, but this new threat poses a more serious and dangerous problem, one that could become even more widespread. Devices can be infected and contain malware even when they appear to be empty.
The researchers, Karsten Nohl and Jakob Lell, say there is no practical way to defend against such a vulnerability. The USB working party, which is responsible for USB standards, said that manufacturers could build in extra security.
A USB device contains a small chip which is used to identify what type of device has been connected to a computer, such as a phone, mouse, keyboard or any other hardware. The chip's versatility and compact size are what led to USB becoming so universally accepted, but it has also proved to be its security downfall.
A demonstration by Nohl and Lell showed malicious code implanted on a USB memory stick tricking the computer into thinking a keyboard had been plugged in. The device then started "typing in" commands to download malicious files from the internet, all without the user knowing. Nohl also demonstrated how they were able to create a bogus copy of a legitimate website, such as PayPal, and steal user credentials. Similar methods can also be used to hijack internet browsing sessions. However, unlike attacks of a similar nature where the fake website could be identified by looking at the website address, there were no visible clues that the user was under threat.
Unfortunately, due to the nature of this new vulnerability, there is little users can do to protect themselves from attacks of this kind. However, users should never plug in a USB device unless it can be 100% trusted. Never use a USB device which has been used by anyone else before, or if there is a chance that it could be compromised, such as freebies at a fair.
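The device type that the chip reports reaches the computer as USB descriptors, so a host can at least compare what a device declares with what the user believes was plugged in. The following is an added example, not part of the original article or the researchers' work: it parses a raw configuration descriptor and lists declared roles the user did not expect. The two sample descriptors are constructed for illustration, and the function names are hypothetical.

```python
# USB-IF class codes (bInterfaceClass) and the HID boot-keyboard protocol value.
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
HID_PROTOCOL_KEYBOARD = 0x01
DESC_CONFIG, DESC_INTERFACE = 0x02, 0x04


def parse_interfaces(config: bytes):
    """Walk a raw configuration descriptor; return (class, subclass, protocol) per interface."""
    interfaces, offset = [], 0
    while offset < len(config):
        length = config[offset]
        if length < 2 or offset + length > len(config):
            raise ValueError(f"malformed descriptor at offset {offset}")
        if config[offset + 1] == DESC_INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor too short")
            interfaces.append(tuple(config[offset + 5:offset + 8]))
        offset += length  # skip to the next descriptor, whatever its type
    return interfaces


def declared_roles(config: bytes):
    """Map each interface to a role name; only boot-protocol keyboards are named."""
    roles = set()
    for cls, _sub, proto in parse_interfaces(config):
        if cls == CLASS_MASS_STORAGE:
            roles.add("storage")
        elif cls == CLASS_HID and proto == HID_PROTOCOL_KEYBOARD:
            roles.add("keyboard")
        else:
            roles.add(f"class 0x{cls:02x}")
    return roles


def unexpected_roles(config: bytes, expected):
    """Roles the device declares beyond what the user thinks they plugged in."""
    return declared_roles(config) - set(expected)


# --- constructed sample descriptors (not captured from real hardware) ---
def _iface(num, cls, sub, proto):
    return bytes([9, DESC_INTERFACE, num, 0, 0, cls, sub, proto, 0])

def _config(*ifaces):
    total = 9 + sum(len(i) for i in ifaces)
    return bytes([9, DESC_CONFIG, total & 0xFF, total >> 8, len(ifaces), 1, 0, 0x80, 50]) + b"".join(ifaces)

PLAIN_STICK = _config(_iface(0, 0x08, 0x06, 0x50))
STICK_WITH_KEYBOARD = _config(_iface(0, 0x08, 0x06, 0x50), _iface(1, 0x03, 0x01, 0x01))
```

The check only reports what a device claims about itself, so it shows a mismatch with the user's expectation rather than proving that a device is clean.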