USB ‘critically flawed’ after bug discovery, researchers say(BBC)


Cyber-security experts have
dramatically called into question the
safety and security of using USB to
connect devices to computers.
image

Berlin-based researchers Karsten
Nohl and Jakob Lell demonstrated
how any USB device could be used
to infect a computer without the
user’s knowledge.
The duo said there is no practical
way to defend against the
vulnerability.
The body responsible for the USB
standard said manufacturers could
build in extra security.
But Mr Nohl and Mr Lell said the
technology was “critically flawed”.
It is not uncommon for USB sticks to
be used as a way of getting viruses
and other malicious code onto target
computers.
Most famously, the Stuxnet attack on
Iranian nuclear centrifuges was
believed to have been caused by an
infected USB stick.
However, this latest research
demonstrated a new level of threat –
where a USB device that appears
completely empty can still contain
malware, even when formatted.
The vulnerability can be used to hide
attacks in any kind of USB-connected
device – such as a smartphone.
“It may not be the end of the world
today,” Mr Nohl told journalists, “but
it will affect us, a little bit, every day,
for the next 10 years”.

“Basically, you can never trust
anything anymore after plugging in a
USB stick.”

‘Chip’ exploited
USB – which stands for Universal
Serial Bus – has become the
standard method of connecting
devices to computers due to its small
size, speed and ability to charge
devices.
USB memory sticks quickly replaced
floppy disks as a simple way to share
large files between two computers.
The connector is popular due to the
fact that it makes it easy to plug in
and install a wide variety of devices.
Devices that use USB contain a small
chip that “tells” the computer exactly
what it is, be it a phone, tablet or any
other piece of hardware.
It is this function that has been
exposed by the threat.

Smartphone ‘hijack’

In one demo, shown off at the Black
Hat hackers conference in Las Vegas,
a standard USB drive was inserted
into a normal computer.
Malicious code implanted on the
stick tricked the machine into
thinking a keyboard had been
plugged in.
After just a few moments, the
“keyboard” began typing in
commands – and instructed the
computer to download a malicious
program from the internet.
Another demo, shown in detail to the
BBC, involved a Samsung
smartphone.
When plugged in to charge, the
phone would trick the computer into
thinking it was in fact a network
card. It meant when the user
accessed the internet, their browsing
was secretly hijacked.
Mr Nohl demonstrated to the BBC
how they were able to create a fake
copy of PayPal’s website, and steal
user log-in details as a result.
Unlike other similar attacks, where
simply looking at the web address
can give away a scam website, there
were no visible clues that a user was
under threat.
The same demo could have been
carried out on any website, Mr Nohl
stressed.

‘Trust nothing’

Mike McLaughlin, a security
researcher from First Base
Technologies, said the threat should
be taken seriously.
“USB is ubiquitous across all
devices,” he told the BBC.
“It comes down to the same old
saying – don’t plug things in that you
don’t trust.
“Any business should always have
policies in place regarding USB
devices and USB drives. Businesses
should stop using them if needed.”
image

The group responsible for the USB
standard, the USB Working Party,
refused to comment on the
seriousness of the flaw.
But in more general terms, it said:
“The USB specifications support
additional capabilities for security,
but original equipment manufacturers
(OEMs) decide whether or not to
implement these capabilities in their
products.
“Greater capabilities of any product
likely results in higher prices, and
consumers choose on a daily basis
what they are willing to pay to receive
certain benefits.
“If consumer demand for USB
products with additional capabilities
for security grows, we would expect
OEMs to meet that demand.”
Mr Nohl said the only protection he
could advise was to simply be ultra-
cautious when allowing USB devices
to be connected to your machines.
“Our approach to using USB will have
to change,” he told the BBC.

Read Here>>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s