This, via the Beeb. Go there for more and video:
USB ‘critically flawed’ after bug discovery, researchers say
Cyber-security experts have dramatically called into question the safety and security of using USB to connect devices to computers.
Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user’s knowledge.
The duo said there is no practical way to defend against the vulnerability.
The body responsible for the USB standard said manufacturers could build in extra security.
But Mr Nohl and Mr Lell said the technology was “critically flawed”.
It is not uncommon for USB sticks to be used as a way of getting viruses and other malicious code onto target computers.
Most famously, the Stuxnet attack on Iranian nuclear centrifuges was believed to have been caused by an infected USB stick.
However, this latest research demonstrated a new level of threat – where a USB device that appears completely empty can still contain malware, even when formatted.
The vulnerability can be used to hide attacks in any kind of USB-connected device – such as a smartphone.
“It may not be the end of the world today,” Mr Nohl told journalists, “but it will affect us, a little bit, every day, for the next 10 years.”
“Basically, you can never trust anything anymore after plugging in a USB stick.” [Of course not all of us are so naïve as to let people plug their gizmos into our computers.]
The connector is popular due to the fact that it makes it easy to plug in and install a wide variety of devices. Devices that use USB contain a small chip that “tells” the computer exactly what it is, be it a phone, tablet or any other piece of hardware.
It is this function that has been exposed by the threat.
In one demo, shown off at the Black Hat hackers conference in Las Vegas, a standard USB drive was inserted into a normal computer.
Malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in.
After just a few moments, the “keyboard” began typing in commands – and instructed the computer to download a malicious program from the internet.
Another demo, shown in detail to the BBC, involved a Samsung smartphone.
When plugged in to charge, the phone would trick the computer into thinking it was in fact a network card. It meant when the user accessed the internet, their browsing was secretly hijacked.
Mr Nohl demonstrated to the BBC how they were able to create a fake copy of PayPal’s website, and steal user log-in details as a result.
Unlike other similar attacks, where simply looking at the web address can give away a scam website, there were no visible clues that a user was under threat.
The same demo could have been carried out on any website, Mr Nohl stressed.
Mike McLaughlin, a security researcher from First Base Technologies, said the threat should be taken seriously.
“USB is ubiquitous across all devices,” he told the BBC.
“It comes down to the same old saying – don’t plug things in that you don’t trust.
“Any business should always have policies in place regarding USB devices and USB drives. Businesses should stop using them if needed.”
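Added here as an illustration, not code from the article or from the researchers: a defender's check that compares the interface classes a USB device actually enumerates against what was expected to be plugged in, which is exactly the mismatch the two demos rely on (a "stick" that is also a keyboard, a "phone" that is also a network card). The sample devices and their vendor/product IDs are constructed placeholders; the sysfs reader assumes a Linux host.

```python
import glob
import os
from dataclasses import dataclass, field

# USB interface class codes (USB-IF class code list).
HID = 0x03           # keyboards, mice
CDC_COMM = 0x02      # CDC control (used by USB network adapters)
CDC_DATA = 0x0A      # CDC data
MASS_STORAGE = 0x08  # an ordinary "USB stick"
IMAGE = 0x06         # PTP/MTP still-image class used by cameras and phones

# Interface classes each kind of device is allowed to present.
ALLOWED = {
    "storage": {MASS_STORAGE},
    "phone_charging": {IMAGE},   # a charging phone may show PTP/MTP, nothing more
}

@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    interface_classes: set = field(default_factory=set)

def audit(device, expected):
    """Return findings for interfaces the device claims beyond what `expected` allows."""
    findings = []
    unexpected = device.interface_classes - ALLOWED[expected]
    if HID in unexpected:
        findings.append("presents a keyboard/mouse interface (HID): could type commands")
    if unexpected & {CDC_COMM, CDC_DATA}:
        findings.append("presents a network interface: could hijack DNS/traffic")
    for cls in sorted(unexpected - {HID, CDC_COMM, CDC_DATA}):
        findings.append(f"presents unexpected interface class 0x{cls:02x}")
    return findings

def read_sysfs_device(dev_dir):
    """Build a UsbDevice from a Linux sysfs entry such as /sys/bus/usb/devices/1-1."""
    def hexfile(path):
        with open(path) as f:
            return int(f.read().strip(), 16)
    classes = {hexfile(p) for p in glob.glob(os.path.join(dev_dir, "*:*/bInterfaceClass"))}
    return UsbDevice(hexfile(os.path.join(dev_dir, "idVendor")),
                     hexfile(os.path.join(dev_dir, "idProduct")), classes)

# Constructed samples (IDs are placeholders): an honest stick, the keyboard demo,
# and the "phone that is also a network card" demo from the article.
HONEST_STICK = UsbDevice(0x1234, 0x0001, {MASS_STORAGE})
KEYBOARD_STICK = UsbDevice(0x1234, 0x0001, {MASS_STORAGE, HID})
NETWORK_PHONE = UsbDevice(0x1234, 0x0002, {IMAGE, CDC_COMM, CDC_DATA})
```

On a Linux box, `audit(read_sysfs_device("/sys/bus/usb/devices/1-1"), "storage")` runs the same check against a real device; an empty list means the device presents only what a stick should.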
Allow me to dovetail this into what I posted the other day about username and password management. HERE There was a security breach that netted some hackers over a billion username and password combos.
Since I do a lot online, I am careful. Also, within the last 6 months I recall a moment when a friend asked if he could plug his little USB stick into my laptop. I almost came out of my skin. It is not that I don’t trust him, but not everyone is as careful or savvy about what they do with their email and the sites they surf. In another instance, someone gave me a stick with a file on it: I handled that one with tongs too. I look at other people’s USB sticks and computers as if they were someone infected with Ebola: handle with extreme care.
This could be a big deal for, say, teachers who accept homework assignments from students on USB drives and, consequently, the students who get them back from the teachers!
There are ways to scan drives for viruses and malware. I don’t think we are yet at the level of checking out the chip in the drive, however. Were I a teacher/student who was constantly swapping USB sticks in and out, I would have a dedicated computer for the task. It would not be connected to my network or the internet. It could be any old computer, not necessarily state of the art. I’d look at everything on that computer before I did anything else with it.
Also, on a PC, I hold down the SHIFT key when inserting a USB drive. This disables autoplay. Install an antivirus onto the USB drive and scan.
For defending a key from other people tampering with it or getting into it, I have an IronKey which one of you readers sent to me.
FATHERS! BE CAREFUL! If people have “bad stuff” they could transfer to your computer or your network, or your own USB drive… you are hosed.
I am sure that some of you tech savvy readers could chime in with other ideas and strategies.
Also, given that a lot of life is online these days, I also use the service LifeLock, and I make sure that all my information is updated. I have an affiliate account with LifeLock. You might give it some consideration.
“But Father! But Father!”, some of you are surely hooting. “All this talk of mors improvisa and hackers and EMPs and now USB sticks. You sound paranoid.”
Call it what you want, dear readers. It’s always someone else, until it happens to you.