This article is from the source 'bbc'.
You can find the current article at its original source at http://www.bbc.co.uk/news/technology-28701124
The article has changed 3 times.
Version 0 | Version 1 |
---|---|
USB devices can secretly infect computers, researchers say | USB devices can secretly infect computers, researchers say |
(about 5 hours later) | |
Cyber-security experts have dramatically called into question the safety and security of using USB to connect devices to computers. | |
Berlin-based researchers Karsten Nohl and Jakob Lell demonstrated how any USB device could be used to infect a computer without the user's knowledge. | |
The duo said there is no practical way to defend against the vulnerability. | The duo said there is no practical way to defend against the vulnerability. |
The body responsible for the USB standard said manufacturers could build in extra security. | The body responsible for the USB standard said manufacturers could build in extra security. |
It is not uncommon for USB sticks to be used as a way of getting viruses and other malicious code onto target computers. | It is not uncommon for USB sticks to be used as a way of getting viruses and other malicious code onto target computers. |
Most famously, the Stuxnet attack on Iranian nuclear centrifuges was believed to have been caused by an infected USB stick. | Most famously, the Stuxnet attack on Iranian nuclear centrifuges was believed to have been caused by an infected USB stick. |
However, this latest research demonstrated a new level of threat - where a USB device that appears completely empty can still contain malware, even when formatted. | However, this latest research demonstrated a new level of threat - where a USB device that appears completely empty can still contain malware, even when formatted. |
The vulnerability can be used to hide attacks in any kind of USB-connected device - such as a smartphone. | The vulnerability can be used to hide attacks in any kind of USB-connected device - such as a smartphone. |
"It may not be the end of the world today," Mr Nohl told journalists, "but it will affect us, a little bit, every day, for the next 10 years". | "It may not be the end of the world today," Mr Nohl told journalists, "but it will affect us, a little bit, every day, for the next 10 years". |
"Basically, you can never trust anything anymore after plugging in a USB stick." | "Basically, you can never trust anything anymore after plugging in a USB stick." |
'Chip' exploited | 'Chip' exploited |
USB - which stands for Universal Serial Bus - has become the standard method of connecting devices to computers due to its small size, speed and ability to charge devices. | USB - which stands for Universal Serial Bus - has become the standard method of connecting devices to computers due to its small size, speed and ability to charge devices. |
USB memory sticks quickly replaced floppy disks as a simple way to share large files between two computers. | USB memory sticks quickly replaced floppy disks as a simple way to share large files between two computers. |
The connector is popular due to the fact that it makes it easy to plug in and install a wide variety of devices. Devices that use USB contain a small chip that "tells" the computer exactly what it is, be it a phone, tablet or any other piece of hardware. | The connector is popular due to the fact that it makes it easy to plug in and install a wide variety of devices. Devices that use USB contain a small chip that "tells" the computer exactly what it is, be it a phone, tablet or any other piece of hardware. |
It is this function that has been exposed by the threat. | It is this function that has been exposed by the threat. |
Smartphone 'hijack' | Smartphone 'hijack' |
In one demo, shown off at the Black Hat hackers conference in Las Vegas, a standard USB drive was inserted into a normal computer. | In one demo, shown off at the Black Hat hackers conference in Las Vegas, a standard USB drive was inserted into a normal computer. |
Malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in. | Malicious code implanted on the stick tricked the machine into thinking a keyboard had been plugged in. |
After just a few moments, the "keyboard" began typing in commands - and instructed the computer to download a malicious program from the internet. | After just a few moments, the "keyboard" began typing in commands - and instructed the computer to download a malicious program from the internet. |
Another demo, shown in detail to the BBC, involved a Samsung smartphone. | Another demo, shown in detail to the BBC, involved a Samsung smartphone. |
When plugged in to charge, the phone would trick the computer into thinking it was in fact a network card. It meant when the user accessed the internet, their browsing was secretly hijacked. | When plugged in to charge, the phone would trick the computer into thinking it was in fact a network card. It meant when the user accessed the internet, their browsing was secretly hijacked. |
Mr Nohl demonstrated to the BBC how they were able to create a fake copy of PayPal's website, and steal user log-in details as a result. | Mr Nohl demonstrated to the BBC how they were able to create a fake copy of PayPal's website, and steal user log-in details as a result. |
Unlike other similar attacks, where simply looking at the web address can give away a scam website, there were no visible clues that a user was under threat. | Unlike other similar attacks, where simply looking at the web address can give away a scam website, there were no visible clues that a user was under threat. |
The same demo could have been carried out on any website, Mr Nohl stressed. | The same demo could have been carried out on any website, Mr Nohl stressed. |
'Trust nothing' | 'Trust nothing' |
Mike McLaughlin, a security researcher from First Base Technologies, said the threat should be taken seriously. | Mike McLaughlin, a security researcher from First Base Technologies, said the threat should be taken seriously. |
"USB is ubiquitous across all devices," he told the BBC. | "USB is ubiquitous across all devices," he told the BBC. |
"It comes down to the same old saying - don't plug things in that you don't trust. | "It comes down to the same old saying - don't plug things in that you don't trust. |
"Any business should always have policies in place regarding USB devices and USB drives. Businesses should stop using them if needed." | "Any business should always have policies in place regarding USB devices and USB drives. Businesses should stop using them if needed." |
Universal Serial Bus (USB) | Universal Serial Bus (USB) |
The group responsible for the USB standard, the USB Working Party, refused to comment on the seriousness of the flaw. | The group responsible for the USB standard, the USB Working Party, refused to comment on the seriousness of the flaw. |
But in more general terms, it said: "The USB specifications support additional capabilities for security, but original equipment manufacturers (OEMs) decide whether or not to implement these capabilities in their products. | But in more general terms, it said: "The USB specifications support additional capabilities for security, but original equipment manufacturers (OEMs) decide whether or not to implement these capabilities in their products. |
"Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits. | "Greater capabilities of any product likely results in higher prices, and consumers choose on a daily basis what they are willing to pay to receive certain benefits. |
"If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand." | "If consumer demand for USB products with additional capabilities for security grows, we would expect OEMs to meet that demand." |
Mr Nohl said the only protection he could advise was to simply be ultra-cautious when allowing USB devices to be connected to your machines. | Mr Nohl said the only protection he could advise was to simply be ultra-cautious when allowing USB devices to be connected to your machines. |
"Our approach to using USB will have to change," he told the BBC. | "Our approach to using USB will have to change," he told the BBC. |
Follow Dave Lee on Twitter @DaveLeeBBC | Follow Dave Lee on Twitter @DaveLeeBBC |
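
An added example, not part of the BBC article or the researchers' work: the article notes that a chip in each USB device "tells" the computer what it is, and that a memory stick posed as a keyboard. The Python below parses a raw USB configuration descriptor and names every self-declared interface class outside a per-port allow-list; the function names, the allow-list policy and the two sample descriptors are constructed assumptions.

```python
import struct

# USB-IF base class codes (bInterfaceClass) relevant to the demos in the article.
USB_CLASSES = {0x02: "CDC communications", 0x03: "HID (keyboard/mouse)",
               0x08: "mass storage", 0x0A: "CDC data", 0xE0: "wireless controller"}

DT_CONFIGURATION, DT_INTERFACE = 0x02, 0x04


def interface_classes(config: bytes) -> list[int]:
    """Walk a raw USB configuration descriptor and return each interface's class."""
    if len(config) < 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]  # wTotalLength, little-endian
    if total > len(config):
        raise ValueError("descriptor truncated")
    classes, pos = [], 0
    while pos + 2 <= total:
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > total:
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE and length >= 9:
            classes.append(config[pos + 5])  # bInterfaceClass
        pos += length
    return classes


def policy_violations(config: bytes, allowed: set[int]) -> list[str]:
    """Name every declared interface class outside the allow-list for this port."""
    return [USB_CLASSES.get(c, f"class 0x{c:02x}")
            for c in interface_classes(config) if c not in allowed]


# Constructed samples: a plain storage stick, and a "stick" that also declares a keyboard.
STORAGE_ONLY = bytes([9, 2, 32, 0, 1, 1, 0, 0x80, 50,
                      9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,
                      7, 5, 0x81, 2, 0, 2, 0,
                      7, 5, 0x02, 2, 0, 2, 0])
STORAGE_PLUS_KEYBOARD = bytes([9, 2, 57, 0, 2, 1, 0, 0x80, 50,
                               9, 4, 0, 0, 2, 0x08, 0x06, 0x50, 0,
                               7, 5, 0x81, 2, 0, 2, 0,
                               7, 5, 0x02, 2, 0, 2, 0,
                               9, 4, 1, 0, 1, 0x03, 0x01, 0x01, 0,
                               9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0,
                               7, 5, 0x83, 3, 8, 0, 10])

if __name__ == "__main__":
    for name, blob in [("storage only", STORAGE_ONLY),
                       ("storage + keyboard", STORAGE_PLUS_KEYBOARD)]:
        print(name, "->", policy_violations(blob, allowed={0x08}) or "ok")
```

The check sees only what a device declares about itself, so it enforces an expectation for a port (for example, storage only) and cannot tell a genuine keyboard from reprogrammed firmware that declares only an allowed class.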