“Computer users pass around USB sticks like silicon business cards,” Andy Greenberg reports for Wired. “lthough we know they often carry malware infections, we depend on antivirus scans and the occasional reformatting to keep our thumbdrives from becoming the carrier for the next digital epidemic. But the security problems with USB devices run deeper than you think: Their risk isn’t just in what they carry, it’s built into the core of how they work.”
“That’s the takeaway from findings security researchers Karsten Nohl and Jakob Lell plan to present next week, demonstrating a collection of proof-of-concept malicious software that highlights how the security of USB devices has long been fundamentally broken,” Greenberg reports. “The kind of compromise they’re demonstrating is nearly impossible to counter without banning the sharing of USB devices or filling your port with superglue. ‘These problems can’t be patched,’ says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. ‘We’re exploiting the very way that USB is designed.'”
Greenberg reports, “The problem isn’t limited to thumb drives. All manner of USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed — in addition to USB memory sticks, Nohl and Lell say they’ve also tested their attack on an Android handset plugged into a PC… University of Pennsylvania computer science professor Matt Blaze speculates that the USB attack may in fact already be common practice for the NSA. He points to a spying device known as Cottonmouth, revealed earlier this year in the leaks of Edward Snowden. The device, which hid in a USB peripheral plug, was advertised in a collection of NSA internal documents as surreptitiously installing malware on a target’s machine.”
Much more in the full article here.