Wait, Now USB Devices May Be Unsafe Too?

Thumb drives, keyboards, and mice, oh my! That’s right, these USB devices now may be the latest “lions, tigers, and bears” to fear in our high-tech world.

According to a recent Reuters article, such USB devices possibly can be compromised to hack into personal computers in a previously unknown form of attack that supposedly can side-step current security precautions.

As reported by Reuters, Karsten Nohl, a chief scientist at SR Labs in Berlin, has stated that hackers potentially can load software onto very small and inexpensive chips that control the functions of USB devices, but which presently do not have “built-in shields” that would prevent tampering with the devices’ operative code.

Nohl states that one “cannot tell where the virus came from.” He adds that it is “almost like a magic trick.”

Nohl’s firm has tested this out by writing malicious code onto USB control chips used in thumb drives and smartphones to perform attacks. Apparently, when a compromised USB device then is attached to a computer, the malicious software can cause all kinds of mischief, like monitoring communications, deleting data, and logging keystrokes.

Once a computer has become “infected,” Nohl believes that it could be programmed to infect other USB devices that later are attached to the computer, which devices then would infect subsequent computers into which they attach.

And quite problematic is Nohl’s claim that computers do not detect the “infections” when the compromised devices are inserted because current anti-virus programs do not scan “firmware” that controls the functioning of the devices — instead they only scan for software written onto memory.

Nohl has speculated (and this appears to be pure speculation) that intelligence agencies like the NSA may be launching these types of attacks already.

Is this a real and present USB danger, or are Nohl and SR Labs together a lone voice in the wilderness?

Hopefully, this problem will not materialize, and if it does or if it is about to launch, efforts will be made to erect adequate security protections.

Eric Sinrod (@EricSinrod on Twitter) is of counsel in the San Francisco office of Duane Morris LLP, where he focuses on litigation matters of various types, including information technology and intellectual property disputes. You can read his professional biography here. To receive a weekly email link to Mr. Sinrod’s columns, please email him at ejsinrod@duanemorris.com with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress