Hackers Can Tap USB Devices in New Attacks, Researchers Warn

New research says that USB devices like thumb drives, and even keyboards and mice, pose one of the biggest cyber threats to enterprises.

Two scientists and researchers with Berlin’s SR Labs presented on the newest cyber threat at the recent “Black Hat” hacking conference in Las Vegas in a presentation titled: “Bad USB – On Accessories that Turn Evil.”

Malicious code can creep into these devices through malware on a computer and be used to hack both personal and business computers, according to SR Labs. Karsten Nohl, chief scientist at the German company, said that hackers or malware can load malicious software onto the computer chips that control the functions of USB devices, which typically don’t have any protection against tampering with their code.

Even more disconcerting is the fact that it’s virtually impossible to tell from where the virus originated.

SR Labs is known for uncovering major flaws in mobile phone technology.

The new research indicates just how easy it is for hackers to exploit weaknesses in simple devices in order to do serious damage to a computer or network.

SR Labs has performed attacks by writing malicious code onto USB control chips used in thumb drives and smart phones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.

A USB device that appears completely empty can still contain malware, even when formatted.

Interestingly, the computer to which the infected USB device is attached does not detect the virus because anti-virus programs only scan software written into a computer or a device’s memory. However, these viruses can be implanted in the “firmware” which controls the device’s functions, and anti-virus programs do not scan firmware.

SR Labs, when running its tests, was able to gain remote access to a computer by having the USB instruct the computer to download a malicious program with instructions that the PC believed were coming from a keyboard. The virus in the USB device was also able to change DNS network settings on a computer, instructing it to route all of its Internet traffic through malicious servers.

Once a computer is infected, it could be programmed to infect all USB devices that are subsequently attached to it, which would then in turn corrupt machines that they contact. In other words, if one tainted USB device is inserted into a workplace computer attached to a network, it can infect all USB devices in your workplace.

“It becomes self-propagating and extremely persistent,” Nohl said in a prepared statement. “You can never remove it.”

In one demo, shown off at the “Black Hat” conference, a standard USB drive was inserted into a normal computer. Malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in.

After just a few moments, the “keyboard” began typing in commands – and instructed the computer to download a malicious program from the Internet.

Another demo involved a Samsung smart phone. When plugged in to charge, the phone would trick the computer into thinking it was in fact a network card. It meant that when the user accessed the Internet, their browsing was secretly hijacked.

Nohl demonstrated how they were able to create a fake copy of PayPal’s website, and steal user log-in details as a result.

Unlike other similar attacks, where simply looking at the Web address can give away a scam website, there were no visible clues that a user was under threat.


The takeaway

USB is ubiquitous across all devices, and all desktop and laptops have at least two and often more than four USB outlets for plugging in keyboards, mice, peripherals like printers and scanners, mobile phones, tablets and USB devices.

If you have not already done so, you should have a policy prohibiting your staff from plugging in USB devices that were not issued to them at work. In fact, you may want to consider even prohibiting your staff from using company-issued USB devices such as memory sticks or mobile phones.