The USB standard has a fundamental security flaw that allows an attacker to take over any device it is connected to, whether PC or Android device, say security researchers in a frightening piece by Wired.
Describing the proof-of-concept Karsten Nohl and Jakob Lell plan to present at the Black Hat conference next week, they say the weakness is fundamental to the way in which USB works. Rather than storing malicious files on a USB device, the researchers managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means it can allow absolutely any USB device, from a USB key to a keyboard, to be compromised.
“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”
“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”
Even if a PC was completely protected against standard malware, this exploit allows any USB device to emulate a keyboard or mouse, taking complete control of both PCs and Macs without needing to compromise the PC itself.
The researchers also managed to hack the USB controller in an Android handset connected to a PC.
As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.