Never Plug Into a USB You Don’t Own
Never Plug Into a USB You Don’t Own
March 26, 2018
TechRepublic — It’s long been known that you should never insert an unknown USB drive to your computer because it could be loaded with malware. However, new BGU research now exposes 29 types of USB attacks, and they extend to your smartphone.
It shows that you should never use a USB charger you find lying around or plug into a public USB port. Both can be compromised by attackers, according to one of the researchers, Ran Yahalom.
Yahalom is the co-author of an article published in the journal Computers & Security with Dr. Nir Nissim, head of the Malware Lab at Cyber@BGU, and Prof. Yuval Elovici, who heads Cyber@BGU.
“There are many non-trivial USB-based attacks. Some are carried out by the host, the computer connecting the USB peripheral. The most common ones are infected, or malicious. Once connected, they have access and take control of your computer,” says Yahalom.
Ran Yahalom speaks about the hazards of trusting USBs >>
“Microcontrollers are another attacks category. Microcontrollers can impersonate a USB peripheral. For example, you can program a teensy microcontroller or an Arduino [board] to act like a keyboard or a mouse. Once you program a keyboard and connect, it actually starts injecting key presses. It’s actually like having someone working on your computer,” Yahalom says.
“If you go into a coffee shop and use a charger there, or an airport or a train station, any charger that is not your own, you don’t know what that piece of hardware really does,” he stresses. “It may not be a charger, but a microcontroller hidden inside a charger casing. It could be something else. You don’t know. Once put into your phone, anything could happen.
“The general rule of thumb is: treat technology as something you don’t naturally trust. As users, we have a tendency to trust technology, to trust peripherals. You trust your flash drive; you trust your keyboard, but you trust it because you’re not aware.
“Treat it as a syringe: You wouldn’t find a syringe in the parking lot, pick it up and inject it in yourself. Because you’re aware you could be infected. You have no knowledge of what could happen, but are afraid because it could be dangerous. This is exactly the same thing.
“Now that we’re moving from the cyber world to the physical world, it becomes increasingly clearer and we must get the word out,” he says.
Some basic rules:
“Bring your own charger.
“Use your own hardware.
“Don’t trust Wi-Fi networks.
“Educate yourself about different levels of security. For example, 3G is commonly believed to be more secure than Wi-Fi, since Wi-Fi’s easier to hack.”
By Jason Hiner, a fellow of Americans for Ben-Gurion University’s 2018 Murray Fromson Journalism Fellowship
Read more on the TechRepublic website >>
Stories Like This
