When you plug a USB stick into your laptop, you probably aren’t too worried about it completely taking over your computer. However, Ars Technica reports that researchers at Security Research Labs in Berlin are scheduled to unveil a new exploit at the Black Hat conference in Las Vegas next week that will allow an infected USB stick to take over your computer and use it to execute malicious code.
The researchers have found a way to hack USB sticks so that once you plug one into your computer, it can make your machine “act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations.” And this technique doesn’t just work with standard USB sticks but also with Android phones, cameras, keyboards and pretty much any device you can connect to your machine through a USB port.
“If you put anything into your USB, it extends a lot of trust,” Karsten Nohl, Security Research Labs’ chief scientist, explained to Ars. “Whatever it is, there could always be some code running in that device that runs maliciously. Every time anybody connects a USB device to your computer, you fully trust them with your computer. It’s the equivalent of [saying] ‘here’s my computer; I’m going to walk away for 10 minutes. Please don’t do anything evil.’”
Worst of all, this sort of malicious activity is almost impossible to detect through conventional means, as virus scans run on machines infected via the USB exploit will turn up nothing. The researchers have found that the only way to effectively figure out whether a device is infected is to take it apart and reverse engineer it.
We’re definitely eager to see the researchers’ full presentation at Black Hat next week.