New security loophole found in USB devices

USB port. (Duncan Alfreds, Fin24)
USB port. (Duncan Alfreds, Fin24)

Boston - USB devices such as mice, keyboards and flash drives can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.

Karsten Nohl, chief scientist with Berlin's SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.

"You cannot tell where the virus came from. It is almost like a magic trick," said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.

The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.

Nohl said his firm has performed attacks by writing malicious code onto USB control chips used in flash drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.

Hacking techniques

Computers do not detect the infections when tainted devices are inserted into a PC because anti-virus programs are only designed to scan for software written onto memory and do not scan the "firmware" that controls the functioning of those devices, he said.

Nohl and Jakob Lell, a security researcher at SR Labs, will describe their attack method at next week's Black Hat hacking conference in Las Vegas in a presentation titled: Bad USB - On Accessories that Turn Evil.

Thousands of security professionals gather at the annual conference to hear about the latest hacking techniques, including ones that threaten security of business computers, consumer electronics and critical infrastructure.

Nohl said he would not be surprised if intelligence agencies like the National Security Agency have already figured out how to launch attacks using this technique.

In 2013 he presented research at Black Hat on breakthrough methods for remotely attacking SIM cards on mobile phones. In December, documents leaked by former NSA contractor Edward Snowden demonstrated that the US spy agency was using a similar technique for surveillance, which it called "Monkey Calendar".

An NSA spokesperson declined to comment.

SR Labs tested the technique by infecting controller chips made by major manufacturer Taiwan's Phison Electronics and placing them into USB memory drives and smartphones running Google's Android operating system.

Remote access

Similar chips are made by Silicon Motion Technology and Alcor Micro. Nohl said his firm did not test devices with chips from those manufacturers.

Phison and Google did not respond to requests for comment. Officials with Silicon Motion and Alcor Micro could not immediately be reached.

Nohl said he believes hackers would have a "high chance" of corrupting other kinds of controller chips besides those made by Phison, because their manufacturers are not required to secure software. He said those chips, once infected, could be used to infect mice, keyboards and other devices that connect via USB.

"The sky is the limit. You can do anything at all," he said.

In his tests, Nohl said he was also able to gain remote access to a computer by having the USB instruct the computer to download a malicious program with instructions that the PC believed were coming from a keyboard.

He said he was also able to change what are known as DNS network settings on a computer, essentially instructing the machine to route internet traffic through malicious servers.

Once a computer is infected, it could be programmed to infect all USB devices that are subsequently attached to that PC, which would then corrupt machines that they contact.

Technology

"Now all of your USB devices are infected. It becomes self-propagating and extremely persistent," Nohl said. "You can never remove it."

Christof Paar, a professor of electrical engineering at Germany's University of Bochum who reviewed the findings, said he believes the new research will prompt others to take a closer look at USB technology, and potentially lead to the discovery of more bugs. He called on manufacturers to move to better protect their chips to thwart any attacks.

"The manufacturer should make it much harder to change the software that runs on a USB stick," Paar said.

We live in a world where facts and fiction get blurred
In times of uncertainty you need journalism you can trust. For only R75 per month, you have access to a world of in-depth analyses, investigative journalism, top opinions and a range of features. Journalism strengthens democracy. Invest in the future today.
Subscribe to News24
ZAR/USD
15.25
(-0.09)
ZAR/GBP
20.29
(-0.13)
ZAR/EUR
18.23
(-0.16)
ZAR/AUD
11.25
(-0.20)
ZAR/JPY
0.15
(-0.04)
Gold
1787.51
(+0.09)
Silver
22.67
(+0.11)
Platinum
965.22
(+0.30)
Brent Crude
48.27
(+0.96)
Palladium
2413.01
(+0.60)
All Share
57822.50
(-0.17)
Top 40
53021.58
(-0.12)
Financial 15
11577.71
(-0.58)
Industrial 25
79894.95
(-0.12)
Resource 10
52804.55
(+0.03)
All JSE data delayed by at least 15 minutes morningstar logo
Company Snapshot
Voting Booth
Please select an option Oops! Something went wrong, please try again later.
Results
Yes, and I've gotten it.
21% - 349 votes
No, I did not.
51% - 828 votes
My landlord refused
28% - 448 votes
Vote