usb gone bad
August 1, 2014

Should You Be Worried About Malicious Things On Your USB Devices?

John Hopton for - Your Universe Online

It is the stuff of technological nightmares - malicious software which is undetectable by scans and which is capable of all the things we fear across all devices that come into contact with it. Researchers in Berlin believe that such a thing could come to haunt us from deep within the functioning of USB devices, although the extent to which it will become a widespread problem is currently in dispute.

Karsten Nohl and Jakob Lell from the respected security consultancy SR Labs say that hackers could target the tiny chips that control the functions of USB devices. Equipment such as a mouse, keyboard or flash drive would all be susceptible to the bugs, and computer security is not designed to detect threats at so fundamental a level within electronic components.

"You cannot tell where the virus came from. It is almost like a magic trick," Nohl told Reuters reporter Jim Finkle.

Devices which are subsequently connected to an infected computer would also be at risk, giving the problem an obvious potential to spread.

The scenario prompted Nohl to tell Wired reporter Andy Greenberg, who was among the first to report on the findings, that USBs may end up having to be treated "like hypodermic needles." Once established, the hostile element could be used to spy on communications, log keystrokes, remove data and send information to the hackers over the internet.

SR Labs performed their own investigative attacks by writing malicious code onto USB control chips used in various devices including smartphones, which constitute an area of particular expertise for the consultants. Their findings will be presented at the upcoming Black Hat security conference in Las Vegas, under the title: "BadUSB - On Accessories that Turn Evil."

SR Labs' theory was tested by infecting controller chips made by the large Taiwanese manufacturer Phison Electronics Corp. The chips were then placed in USB memory drives and smartphones which run Google Inc's Android operating system. Phison's attorney, Alex Chiu, said that "Mr. Nohl did not offer detailed analysis together with work product to prove his finding," and that "Phison does not have ground to comment (on) his allegation." There was no comment from Google. Unsurprisingly, there was no comment either from the NSA, to whom USB attacks like these may be old news, according to University of Pennsylvania computer science professor Matt Blaze, based in part on the revelations of Edward Snowden in 2013.

Some of the rhetoric on the subject of the threat to USBs paints an apocalyptic vision of the technological future, with Nohl saying that we could end up in a situation where "[you] can't trust your computer anymore. This is a threat on a layer that's invisible. It's a terrible kind of paranoia."

VentureBeat, meanwhile, told their readers that they have "...some really bad, scary news to share with you: Every single device plugged into a USB port on your computer could pose a threat worse than any malware we've ever seen. Yes, it's as bad as it sounds." They do go on to say, however, that "It's worth noting that Nohl and Lell's exploit has not yet been independently verified and could still be debunked by security experts once they've had a chance to analyze the pair's findings."

The possibility of those with malicious intent gaining access to USB mechanics on a large scale is a worrying but unlikely scenario. Although the nature of the threat is of considerable concern, the extent to which it can be utilized is still in question.