A USB stick is not passive like a book.

Is USB bad?

USB

USB is a protocol. Universal Serial Bus is a connection, communication and power supply protocol, which means that it defines how different devices can communicate.

A protocol enables different devices to communicate: as a consequence, both sides are actively exchanging information. It’s not just “one side is reading some data written on the other side”.

A USB stick is not passive like a book. So, something like a USB stick is not pure data storage. It’s not just a book that you read.

Anything actively using USB is a small computer. Even something as small as a USB key is actually a small computer.

Sticks, webcams, keyboards – even some chargers... This is also true for any active USB device: memory sticks, webcams, keyboards – even chargers can actively communicate.

It’s even possible for devices to behave in different ways depending on the user’s choice: for example, smartphones can act as simple storage device, or sync with a PC.

Anything using USB is a small computer. What are the consequences?

Security

What about security?

USB is not a security protocol. Well, USB has nothing to do with security. It’s not meant to authenticate, encrypt…

Any USB device you plug in can do whatever it wants. This means that any USB device can do whatever it wants:

Is that new? No!
Is USB bad? No!

Security is a problem that USB was not made to solve.

What about encrypted USB sticks?

It’s an extra layer of security, implemented over USB: sadly, that layer is sometimes easy to bypass.

Not only for bad purposes

It’s not just bad news: some USB devices, on the other hand, have extraordinary abilities, for good purposes:

an advanced USB device with awesome abilities

Innocent devices turned evil

Not only is it possible to create malicious USB devices, it’s also possible to turn ‘innocent’ devices evil: standard USB controllers can be modified. They are cheap, so they have no protection against modification at all:

“the integrity of these devices is based entirely on obscurity”
Brandon Wilson – DerbyCon 2014

So Richard Harman, Karsten Nohl, Sascha Krißler, Jakob Lell, Adam Caudill and Brandon Wilson studied Phison USB controllers (Phison has the biggest market share in USB controllers), and eventually modified firmware for the Phison 2251-03 was developed and released.

The catch is that you can’t tell from the outside which USB key or device could be altered, since USB device manufacturers don’t always use the same controller brand inside.

Avoid risks

  • How can you tell if a device is malicious?
    You can’t, at least not easily – it could even fake the result.
  • How likely is it to happen to you?
    It’s far from trivial to perform such a hack, so it’s very unlikely 😉
  • What is more likely to happen to me?
    • stupid VBScript trojans made of trivial code snippets taken directly from MSDN, which replicate by infecting USB drives, still survive nowadays, and this is more likely to happen than your neighbors patching the firmware of your webcam to hack you (well, your neighbors’ mileage may vary).
    • plugging your phone into an unknown phone charger booth at an airport is more likely to cause trouble: in this case, you might want to use a device that prevents data connection over USB and only lets charging power through.
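Since a USB device announces what it is (storage, keyboard, webcam, ...) through the interface classes it presents, the one thing you can check from the host is whether those claimed functions match what you expect from the device. The script below is an added example, not code from the original post: it reads the real Linux sysfs layout (`/sys/bus/usb/devices/<dev>/<dev>:<conf>.<iface>/bInterfaceClass`) and flags a storage device that also presents an input or network interface; the sample device list is constructed so the logic runs offline.

```python
"""Report the USB interface classes each attached device exposes and flag
devices whose set of functions is wider than a single-purpose peripheral."""
from pathlib import Path

# USB-IF interface class codes (bInterfaceClass) relevant for this check.
CLASS_NAMES = {0x02: "CDC control", 0x03: "HID (keyboard/mouse)",
               0x08: "mass storage", 0x0A: "CDC data",
               0x0E: "video (webcam)", 0xFF: "vendor specific"}
# Classes that can inject input or open a network path: a plain storage
# stick has no reason to combine these with mass storage.
INPUT_OR_NETWORK = {0x02, 0x03, 0x0A}

def classify(device_id, interface_classes):
    """Describe one device; 'suspicious' is True when mass storage is
    combined with an input or network interface class."""
    classes = set(interface_classes)
    names = sorted(CLASS_NAMES.get(c, f"class 0x{c:02x}") for c in classes)
    suspicious = 0x08 in classes and bool(classes & INPUT_OR_NETWORK)
    return {"device": device_id, "classes": names, "suspicious": suspicious}

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect bInterfaceClass values per device on a live Linux host
    (returns an empty dict elsewhere). Values in sysfs are hex strings."""
    devices = {}
    for iface in Path(root).glob("*/*:*.*/bInterfaceClass"):
        dev = iface.parent.parent.name
        devices.setdefault(dev, []).append(int(iface.read_text().strip(), 16))
    return devices

# Constructed sample (not real devices): a plain stick, a phone in storage
# mode with a vendor-specific interface, and a stick that also presents a
# keyboard interface.
SAMPLE = {"1-1": [0x08], "1-2": [0x08, 0xFF], "1-3": [0x08, 0x03]}

def report(devices=SAMPLE):
    """Classify every device in the given mapping, in bus order."""
    return [classify(dev, ifaces) for dev, ifaces in sorted(devices.items())]

if __name__ == "__main__":
    for entry in report(read_sysfs() or SAMPLE):
        flag = "CHECK" if entry["suspicious"] else "ok"
        print(f"{entry['device']:<6} {flag:<5} {', '.join(entry['classes'])}")
```

The report only shows what the device claims about itself, which is exactly the limit the post describes: a device could present a harmless set of interfaces now and something else later, so treat a clean result as "nothing visible", not as proof.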

Wrapping it up

Any USB device is a small computer.

It could be malicious, but it’s unlikely to happen as it’s far from trivial to make a malicious USB device, or infect an innocent USB device.

This is not new, as USB is not a security protocol, so it is not designed to make sure that a USB device is unmodified, and USB devices don’t protect themselves from modification.

On the other hand, you should be careful with unknown USB sticks, and unattended charging stations (in airports, …).
