Researchers turn USB cable into attack tool
Software allows for surreptitious attack while someone is charging a smartphone or syncing data between a smartphone and a computer.
Two researchers have figured out a way to attack laptops and smartphones through an innocent-looking USB cable.
Angelos Stavrou, an assistant professor of computer science at George Mason University, and student Zhaohui Wang wrote software that changes the functionality of the USB driver so that they could launch a surreptitious attack while someone is charging a smartphone or syncing data between a smartphone and a computer.
Basically, the exploit works by adding keyboard or mouse functionality to the connection so an attacker can then start typing commands or click the mouse in order to steal files, download additional malware, or do other things to take control of the computer, Stavrou told CNET in an interview. The exploit is enabled because the USB protocol can be used to connect any device to a computing platform without authentication, he said.
He and his partner were scheduled to demonstrate an attack at the Black Hat DC conference today.
The exploit software they wrote identifies what operating sysetm is running on the device the USB cable is connected to. On Macintosh and Windows machines, a message pops up saying the system has detected a new human interface device, but there is no easily recognizable way to halt the process, Stavrou said. The Mac pop-up can be quickly removed by an attacker with a command sent via the smartphone so the laptop owner may not even see it, while the Windows pop-up lasts only one or two seconds in the lower left corner, making that an ineffective warning too, he said.
Linux machines offer no warning, so users will have no idea that something out of the ordinary is happening, particularly since the regular keyboard and mouse continue to function normally during an attack, Stavrou said.
"The operating system should present a pop-up and ask if the user really wants to connect the device" and specify what type of device is being identified to the system, he said.
The researchers wrote the exploit for Android devices only at this point. "It can be done for iPhone, but we didn't do it yet," Stavrou said. "It can work on any computing device that uses USB," and it can work between two smartphones by connecting a USB cable between then, he said.
"Say your computer at home is compromised and you compromise your Android phone by connecting them," he said. "Then, whenever you connect the smartphone to another laptop or computing device I can take over that computer also, and then compromise other computers off that Android. It's a viral type of compromise using the USB cable."
The original compromise can happen by downloading the exploit from the Web or running an app that is compromised. The researchers have created exploit software to run on a computer, and an exploit to run on Android that is a modification of the Android operating system kernel. Scripts can then be written for the actual attack.
Antivirus software wouldn't necessarily stop this because it can't tell that the activities of the exploit are not controlled or sanctioned by the user, Stavrou said. "It's hard to separate good behavior from bad behavior when it comes from the keyboard," he said.
There's not much a person can do to protect against this at this time, according to Stavrou. The operating systems should have the capability for devices to inspect USB traffic and alert users about what exactly is happening over the connection and give them the option of refusing an action, he said.