Most USB devices have a fundamental security weakness that can be exploited to infect computers with malware in a way that cannot easily be prevented or detected, security researchers found.
The problem is that the majority of USB thumb drives, and likely other USB peripherals available on the market, do not protect their firmware -- the software that runs on the microcontroller inside them, said Karsten Nohl, the founder and chief scientist of Berlin-based Security Research Labs.
This means that a malware program can replace the firmware on a USB device like a thumb drive by using secret SCSI (Small Computer System Interface) commands and make it act like some other type of device, for example, a keyboard, Nohl said.
The spoofed keyboard could then be used to emulate key presses and send commands to download and execute a malware program. That malware could reprogram other USB thumb drives inserted into the infected computer, essentially becoming a self-replicating virus, the researcher said.
Researchers from Security Research Labs have developed several proof-of-concept attacks that they plan to present at the Black Hat security conference in Las Vegas next week.
One of the attacks involves a USB stick that acts as three separate devices -- two thumb drives and a keyboard. When the device is first plugged into a computer and is detected by the OS, it acts as a regular storage device. However, when the computer is restarted and the device detects that it's talking to the BIOS, it switches on the hidden storage device and also emulates the keyboard, Nohl said.
Acting as a keyboard, the device sends the necessary button presses to bring up the boot menu and boots a minimal Linux system from the hidden thumb drive. The Linux system then infects the bootloader of the computer's hard disk drive, essentially acting like a boot virus, he said.
Another proof-of-concept attack developed by Security Research Labs involves reprogramming a USB drive to act as a fast Gigabit network card.
As Nohl explained, OSes prefer a wired network controller over a wireless one and a Gigabit Ethernet controller over a slower one. This means the OS will use the new spoofed Gigabit controller as the default network card.
The USB device also emulates a DHCP (Dynamic Host Configuration Protocol) server that automatically assigns a DNS (Domain Name System) server to the spoofed controller, but not a gateway address. In this case, the OS will continue to use the gateway specified by the real network card -- so the Internet connection will not be disrupted -- but the DNS server from the spoofed controller, Nohl said. By controlling the DNS server, which translates domain names into IP (Internet Protocol) addresses, an attacker can hijack the Internet traffic, he said.
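A defender-side check for the lease pattern described above, as an added example that is not part of the original article: it parses ISC dhclient-style lease text and flags any interface whose lease supplies DNS servers but no `routers` (gateway) option. The sample leases, interface names and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in ISC dhclient lease-file syntax (not captured from a real host).
SAMPLE_LEASES = '''
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1;
}
lease {
  interface "usb0";
  fixed-address 10.99.0.2;
  option subnet-mask 255.255.255.0;
  option domain-name-servers 10.99.0.1;
}
'''

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
IFACE_RE = re.compile(r'interface\s+"([^"]+)"\s*;')
OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")

def parse_leases(text):
    """Return one dict per lease block: interface name plus its DHCP options."""
    leases = []
    for body in LEASE_RE.findall(text):
        iface = IFACE_RE.search(body)
        options = {name: value.strip() for name, value in OPTION_RE.findall(body)}
        leases.append({"interface": iface.group(1) if iface else None,
                       "options": options})
    return leases

def dns_without_gateway(leases):
    """Flag leases that hand out DNS servers but no default gateway."""
    findings = []
    for lease in leases:
        opts = lease["options"]
        if "domain-name-servers" in opts and "routers" not in opts:
            servers = [s.strip() for s in opts["domain-name-servers"].split(",")]
            findings.append((lease["interface"], servers))
    return findings

if __name__ == "__main__":
    for iface, servers in dns_without_gateway(parse_leases(SAMPLE_LEASES)):
        print(f"{iface}: lease sets DNS {servers} but no gateway")
```

A lease without a gateway also occurs on some isolated networks, so a hit is a triage signal to check which adapter the interface belongs to, not proof of a spoofed controller.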
To show that this attack is not only possible with USB thumb drives, the researchers will also use an Android phone connected to the computer to emulate a rogue network card.
Any USB connection can turn evil, Nohl said. If you let someone connect a USB thumb drive or charge a phone on your computer, you essentially trust them to type commands on your computer, he said.