
on a specific trick, or on the OS it’s connected to.
Is that new? No!
Is USB bad? No!
Security is a problem that USB was not made to solve.
It’s an extra layer of security, implemented over USB: sadly, it’s sometimes easy to bypass their security.
It’s not just bad news: some USB devices, on the other hand, have extraordinary abilities, for good purposes:
Not only it’s possible to create malicious USB devices, but it’s possible to turn ‘innocent’ devices evil: standard USB controllers can be modified: they are cheap, so they have no protections against modifications at all:
“the integrity of these devices is based entirely on obscurity”
Brandon Wilson – DerbyCon 2014
So Richard Harman, Karsten Nohl, Sascha Krißler, Jakob Lell, Adam Caudill and Brandon Wilson studied Phison USB controllers (Phison has the biggest marker share in USB controllers), and eventually, modified firmwares for the Phison 2251-03 were developed and released.
The catch is that you can’t know from the outside which USB (key or device) could be altered, since USB device manufacturers don’t always use the same controller brand inside.
Any USB device is a small computer.
It could be malicious, but it’s unlikely to happen as it’s far from trivial to make a malicious USB device, or infect an innocent USB device.
This is not new, as USB is not a security protocol, so it is not designed to make sure that a USB device is unmodified, and USB devices don’t protect themselves from modification.
On the other hand, you should be careful with unknown USB sticks, and unattended charging stations (in airports, …).
2 thoughts on “Is USB bad?”