USB 'critically flawed' after bug discovery, researchers say

Karsten Nohl shows Dave Lee a threat on a USB-connected smartphone

Cyber-security experts have dramatically called into question the safety and security of using USB to connect devices to computers.

Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user's knowledge.

The duo said there is no practical way to defend against the vulnerability.

The body responsible for the USB standard said manufacturers could build in extra security.

But Mr Nohl and Mr Lell said the technology was "critically flawed".

It is not uncommon for USB sticks to be used as a way of getting viruses and other malicious code onto target computers.


Most famously, the Stuxnet attack on Iranian nuclear centrifuges was believed to have been caused by an infected USB stick.

However, this latest research demonstrated a new level of threat - where a USB device that appears completely empty can still contain malware, even when formatted.

The vulnerability can be used to hide attacks in any kind of USB-connected device - such as a smartphone.

"It may not be the end of the world today," Mr Nohl told journalists, "but it will affect us, a little bit, every day, for the next 10 years".

The USB memory stick is a convenient connector used across many devices

"Basically, you can never trust anything anymore after plugging in a USB stick."

'Chip' exploited

USB - which stands for Universal Serial Bus - has become the standard method of connecting devices to computers due to its small size, speed and ability to charge devices.

USB memory sticks quickly replaced floppy disks as a simple way to share large files between two computers.

The connector is popular due to the fact that it makes it easy to plug in and install a wide variety of devices. Devices that use USB contain a small chip that "tells" the computer exactly what it is, be it a phone, tablet or any other piece of hardware.


It is this function that has been exposed by the threat.

Smartphone 'hijack'

In one demo, shown off at the Black Hat hackers conference in Las Vegas, a standard USB drive was inserted into a normal computer.


Malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in.

After just a few moments, the "keyboard" began typing in commands - and instructed the computer to download a malicious program from the internet.

Another demo, shown in detail to the BBC, involved a Samsung smartphone.

When plugged in to charge, the phone would trick the computer into thinking it was in fact a network card. It meant when the user accessed the internet, their browsing was secretly hijacked.

Mr Nohl demonstrated to the BBC how they were able to create a fake copy of PayPal's website, and steal user log-in details as a result.

Unlike other similar attacks, where simply looking at the web address can give away a scam website, there were no visible clues that a user was under threat.

The same demo could have been carried out on any website, Mr Nohl stressed.
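Both demos rely on the device's own firmware deciding what to tell the host: the stick adds a keyboard interface, the phone adds a network interface. As an added defensive example (not code from the researchers or the BBC), the Python below evaluates plug-in events the way a host-side authorization policy could: a device whose advertised USB interface classes differ from the set recorded when it was approved is blocked, and unapproved devices that present a keyboard or network interface are held for review. Vendor/product ids and interface descriptors are constructed placeholders.

```python
from dataclasses import dataclass

# USB-IF interface class codes relevant to the two demos
HID, CDC_CONTROL, MASS_STORAGE, CDC_DATA = 0x03, 0x02, 0x08, 0x0A
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA}
HID_KEYBOARD = 1  # HID boot-interface protocol value meaning "keyboard"


@dataclass(frozen=True)
class Interface:
    cls: int       # bInterfaceClass
    subclass: int  # bInterfaceSubClass
    protocol: int  # bInterfaceProtocol


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    interfaces: tuple  # Interface objects read from the descriptors


def evaluate(dev, baseline):
    """Return (verdict, reason) for one plug-in event.

    baseline maps (vid, pid) -> frozenset of interface classes recorded when
    the device was approved. Reprogrammed firmware can keep its ids while
    adding a keyboard or network interface, so any change is blocked."""
    classes = frozenset(i.cls for i in dev.interfaces)
    known = baseline.get((dev.vid, dev.pid))
    if known is not None:
        if classes == known:
            return "allow", "matches approved interface set"
        return "block", f"interface set changed: {sorted(known)} -> {sorted(classes)}"
    if any(i.cls == HID and i.protocol == HID_KEYBOARD for i in dev.interfaces):
        return "review", "unapproved device presents a keyboard interface"
    if classes & NETWORK_CLASSES:
        return "review", "unapproved device presents a network interface"
    if classes <= {MASS_STORAGE}:
        return "allow", "unapproved storage-only device"
    return "review", "unapproved device with unexpected interface classes"


def record_approval(dev, baseline):
    """Store the interface set an administrator reviewed and approved."""
    baseline[(dev.vid, dev.pid)] = frozenset(i.cls for i in dev.interfaces)


# Constructed sample events; the ids are placeholders, not real vendor ids
STICK = Device(0x1234, 0x0001, (Interface(MASS_STORAGE, 0x06, 0x50),))
STICK_AS_KEYBOARD = Device(0x1234, 0x0001, STICK.interfaces + (Interface(HID, 1, HID_KEYBOARD),))
PHONE_AS_NIC = Device(0x1234, 0x0002, (Interface(CDC_CONTROL, 0x06, 0), Interface(CDC_DATA, 0, 0)))
```

On Linux a "block" verdict can be enforced by writing 0 to the device's `authorized` attribute under `/sys/bus/usb/devices/`, which is the mechanism tools such as USBGuard build on.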

'Trust nothing'

Mike McLaughlin, a security researcher from First Base Technologies, said the threat should be taken seriously.

"USB is ubiquitous across all devices," he told the BBC.

"It comes down to the same old saying - don't plug things in that you don't trust.

"Any business should always have policies in place regarding USB devices and USB drives. Businesses should stop using them if needed."

Universal Serial Bus (USB)
  • Standard method of connecting devices to computers
  • Popular due to its small size
  • Easy to plug in and install a variety of devices

The group responsible for the USB standard, the USB Working Party, refused to comment on the seriousness of the flaw.

But in more general terms, it said: "The USB specifications support additional capabilities for security, but original equipment manufacturers (OEMs) decide whether or not to implement these capabilities in their products.

"Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits.

"If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand."

Mr Nohl said the only protection he could advise was to simply be ultra-cautious when allowing USB devices to be connected to your machines.

"Our approach to using USB will have to change," he told the BBC.

Follow Dave Lee on Twitter @DaveLeeBBC

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.