Hackers could easily load malicious software into USB devices since they are not built to have anti-malware features. Chief scientist Karsten Nohl of the SR Labs in Berlin says "You cannot tell where the virus came from. It is almost like a magic trick." SR Labs is a research firm that is famous for unraveling major threats in mobile phone technology.
According to Nohl, his firm has conducted test attacks by placing a malicious code in USB control chips which are normally used in smartphones and thumb drives. Once the infected USB device is attached to a PC, the malicious content can start harming the hardware by logging the keystrokes, spying on exchanged communications and destroying data.
Nohl added that these tainted devices cannot be detected by computers simply because anti-virus programs are meant to work only with software as opposed to using it with firmware.
"Consumers should always ensure their devices are from a trusted source and that only trusted sources interact with their devices. Consumers safeguard their personal belongings and the same effort should be applied to protect themselves when it comes to technology," Forum spokeswoman Liz Nardozza says.
At present, there are no known effective defenses that would protect the PC against harmful USB attacks. Malware scanners have no way of accessing the firmware that runs on USB devices. "USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a bad USB device's behavior when it changes its persona looks as though a user has simply plugged in a new device," adds Nohl.
The researchers explained that since the USB has become ubiquitous, users don't seem to care about its security implications. Consumers would usually consider that USBs are perfectly safe and would believe that an occasional virus scan on a USB stick is more than enough.
In addition to USB sticks, Nohl and his team of researchers simulated attacks on an Android device that's connected to a PC thru USB. If the device is infected, it can replace its installed software with either a corrupted or a backdoored version. Moreover, it can start acting like a USB keyboard by typing certain commands. "It can do whatever you can do with a keyboard, which is basically everything a computer does," says Nohl.
The best way for consumers to avoid these malware attacks is by using only USB devices which they believe are 100 percent trustworthy. The sources for their USB devices should also be a trusted entity.