Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the

The duo said there is no practical way to defend against the

The body responsible for the USB standard said manufacturers could build in extra security.

But Mr Nohl and Mr Lell said the technology was “critically flawed”.
It is not uncommon for USB sticks to be used as a way of getting viruses and other malicious code onto target

Most famously, the Stuxnet attack on Iranian nuclear centrifuges was believed to have been caused by an infected USB stick.

However, this latest research demonstrated a new level of threat – where a USB device that appears completely empty can still contain malware, even when formatted.

The vulnerability can be used to hide attacks in any kind of USB-connected device – such as a smartphone.
“It may not be the end of the world today,” Mr Nohl told journalists, “but it will affect us, a little bit, every day, for the next 10 years”.

“Basically, you can never trust anything anymore after plugging in a

USB – which stands for Universal Serial Bus – has become the standard method of connecting devices to computers due to its small size, speed and ability to charge

USB memory sticks quickly replaced floppy disks as a simple way to share large files between two computers.

The connector is popular due to the fact that it makes it easy to plug in and install a wide variety of devices.
Devices that use USB contain a small chip that “tells” the computer exactly what it is, be it a phone, tablet or any other piece of hardware.

It is this function that has been exposed by the threat.

In one demo, shown off at the Black Hat hackers conference in Las Vegas, a standard USB drive was inserted into a normal computer.

Malicious code implanted on the stick tricked the machine into thinking a keyboard had been

After just a few moments, the “keyboard” began typing in commands – and instructed the computer to download a malicious program from the internet.
Another demo, shown in detail to the BBC, involved a Samsung

When plugged in to charge, the phone would trick the computer into thinking it was in fact a network card. It meant when the user accessed the internet, their browsing was secretly hijacked.

Mr Nohl demonstrated to the BBC how they were able to create a fake copy of PayPal’s website, and steal user log-in details as a result.
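The “small chip that tells the computer what it is” does so through USB descriptors, and both demos work because the host believes whatever interface class the device declares. The following added example (written for this article, not code from the researchers or the USB-IF) parses a USB configuration descriptor and flags interfaces that would make the host bind a keyboard or network driver to a device the user expected to be a flash drive or a charging phone. The class codes are the standard USB-IF values; the descriptor bytes are constructed samples, and the phone is assumed to normally appear as a PTP camera-class device (0x06).

```python
import struct
from collections import namedtuple

# USB-IF interface class codes; a device reports these in its interface descriptors
HID, CDC_CONTROL, MASS_STORAGE, CDC_DATA, WIRELESS = 0x03, 0x02, 0x08, 0x0A, 0xE0
# Classes for which a host silently binds a keyboard/mouse or network driver
AUTO_BOUND = {HID, CDC_CONTROL, CDC_DATA, WIRELESS}

Interface = namedtuple("Interface", "number cls subclass protocol")

def parse_interfaces(config: bytes) -> list:
    """Walk a configuration descriptor and the descriptors that follow it,
    returning every interface descriptor (bDescriptorType == 4) the device declares."""
    total_len = struct.unpack_from("<H", config, 2)[0]  # wTotalLength
    interfaces, off = [], 0
    while off + 2 <= min(total_len, len(config)):
        b_length, b_type = config[off], config[off + 1]
        if b_length < 2:
            raise ValueError("malformed descriptor: bLength < 2")
        if b_type == 4 and b_length >= 9:
            num, _alt, _eps, cls, sub, proto = config[off + 2:off + 8]
            interfaces.append(Interface(num, cls, sub, proto))
        off += b_length  # endpoint and class-specific descriptors are skipped by their length
    return interfaces

def unexpected_functions(config: bytes, expected_class: int) -> list:
    """Interfaces that make the host treat the device as something other than what the
    user believes was plugged in, e.g. a keyboard or network card on a 'flash drive'."""
    return [i for i in parse_interfaces(config) if i.cls != expected_class and i.cls in AUTO_BOUND]

# Builders for constructed sample descriptors (field layouts per USB 2.0 spec, chapter 9)
def _config(*descs: bytes) -> bytes:
    body, n_itf = b"".join(descs), sum(1 for d in descs if d[1] == 4)
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), n_itf, 1, 0, 0x80, 50) + body

def _interface(num: int, cls: int, sub: int, proto: int, n_ep: int) -> bytes:
    return struct.pack("<BBBBBBBBB", 9, 4, num, 0, n_ep, cls, sub, proto, 0)

def _endpoint(addr: int, attrs: int) -> bytes:
    return struct.pack("<BBBBHB", 7, 5, addr, attrs, 64, 0)

# Constructed sample: an ordinary flash drive, one bulk-only SCSI mass-storage interface
PLAIN_DRIVE = _config(_interface(0, MASS_STORAGE, 0x06, 0x50, 2), _endpoint(0x81, 2), _endpoint(0x02, 2))
# Constructed sample: the same drive whose firmware also declares a boot-protocol keyboard
KEYBOARD_DRIVE = _config(_interface(0, MASS_STORAGE, 0x06, 0x50, 2), _endpoint(0x81, 2), _endpoint(0x02, 2),
                         _interface(1, HID, 0x01, 0x01, 1), _endpoint(0x82, 3))
# Constructed sample: a phone that, instead of just charging, enumerates as an RNDIS network adapter
NETWORK_PHONE = _config(_interface(0, WIRELESS, 0x01, 0x03, 1), _endpoint(0x81, 3),
                        _interface(1, CDC_DATA, 0x00, 0x00, 2), _endpoint(0x82, 2), _endpoint(0x03, 2))
```

Calling `unexpected_functions(KEYBOARD_DRIVE, MASS_STORAGE)` returns the HID keyboard interface the drive should not have, and `unexpected_functions(NETWORK_PHONE, 0x06)` returns the two network interfaces; a host-side allow-list policy of this kind is the check the article's defenders lack.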
Unlike other similar attacks, where simply looking at the web address can give away a scam website, there were no visible clues that a user was

The same demo could have been carried out on any website, Mr Nohl
Mike McLaughlin, a security researcher from First Base Technologies, said the threat should be taken seriously.

“USB is ubiquitous across all devices,” he told the BBC.

“It comes down to the same old saying – don’t plug things in that you

“Any business should always have policies in place regarding USB devices and USB drives. Businesses should stop using them if needed.”

The group responsible for the USB standard, the USB Working Party, refused to comment on the seriousness of the flaw.
But in more general terms, it said: “The USB specifications support additional capabilities for security, but original equipment manufacturers (OEMs) decide whether or not to implement these capabilities in their

“Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive

“If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand.”

Mr Nohl said the only protection he could advise was to simply be ultra-cautious when allowing USB devices to be connected to your machines.

“Our approach to using USB will have to change,” he told the BBC.