It’s an entirely new type of computer security risk: Not viruses, but manipulated firmware could allow USB devices to spy on computer users undetected. The new attacks are difficult to stop, warn IT experts.
Just drag a file from your computer to your own USB flash drive, connect the external hard drive or a webcam for video calls over the internet. That's what many people do every day - and take a greater security risk than previously believed. So far, USB sticks have been primarily associated with the spread of harmful viruses.
But now researchers from the Berlin data security company Security Research Labs have now shown how sniffer software can hide on tiny chips in the USB devices. This allows them to be controlled remotely, unnoticed, and there's nothing users can do about it. It's a horror scenario that could herald a new type of hacker attack.
It is a method that no one had expected, technology journalist Robin Cumpl said in an interview with DW. The malware is hidden inside the USB device in its firmware - the area responsible for controlling the device. It contains all the information about its function so that a computer can recognize immediately whether it is a memory stick, a webcam or a keyboard that can be connected via USB. "The firmware is then manipulated for purposes that the hacker can exploit," Cumpl said.
Highly secure passwords no longer safe
A possible attack scenario looks like this: A user inserts a USB flash drive into the computer. The anti-virus software gives the OK. In reality, the stick has been manipulated and behaves like a network card.
"The computer then thinks: Now I have to send all my data via this network card," Cumpl said. This allows the attacker to copy all the data traffic. Even worse, if hackers have prepared the stick, they can access the stolen data directly without ever having to gain physical control over the stick. An internet connection is enough.
The data theft can also use a keylogger, which records every keystroke. All that the user types is then stored. "If, for example, you enter highly secure passwords that everything will be recorded the keylogger, and then sent as a data packet once a day to the hacker," Cumpl said. Similarly, the USB stick could take screenshots - for example of a document with confidential data. A top-secret patent in an engineering office can easily be spied on with the new hacking method. "The dangers are virtually infinite," Cumpl said.
The disguise is near-perfect and hard to detect. The USB device could pretend to be a keyboard, a webcam, or a network adapter. And no one will notice, because a virus scanner cannot reveal the manipulated firmware. "Ultimately, there's an incredible number of manipulation options and that makes things so dangerous," Cumpl said. The manipulated control chip can evade any direct control.
It is also conceivable that the hacked firmware can feed malware into the computer. "The insidious thing about this is that no anti-virus program can scan this small area," Cumpl said. The destructive software remains undetected and can almost go unnoticed as it steals data from the target computer. Cumpl therefore assesses the risk as huge.
SR Labs chief scientist Karsten Nohl told Reuters news agency, "You cannot tell where the virus came from. It is almost like a magic trick."
Cumpl goes one step further. "Who says that a smartphone charger couldn't already be used to tap information?" The USB interface allows many possibilities for manipulation. Ultimately all devices are affected. "Once a device is compromised and contains the malicious code, you have a problem."
At present, it is not really possible to protect against this kind of daa theft. That's why experts are calling on the IT industry to urgently improve the USB standard. Cumpl says there is currently only one effective form of protection: "Don't use USB sticks at all."