Top computer researchers revealed that USB devices can be used by hackers to access personal computers without being detected.
Karsten Nohl and Jacob Lell of Security Research Labs found hackers could load malware to computer chips and control the functions of USB devices such as keyboards, thumb drives and mice - especially those that are not equipped with code tampering protection - without being detected by an average personal computer. This attack is invisible because the anti-virus loaded on personal computers is designed to scan software but not firmware, Reuters reported.
"You cannot tell where the virus came from. It is almost like a magic trick," said Nohl.
Researchers experimented on the security flaw by encoding a malicious code inside USB control chips commonly used for thumb drives and smartphones. They were able to record keystrokes, spy on communications, and even delete data after attaching the USB device in the personal computer.
"In this new way of thinking, you can't trust a USB just because its storage doesn't contain a virus. Trust must come from the fact that no one malicious has ever touched it," said Nohl. "You have to consider a USB infected and throw it away as soon as it touches a non-trusted computer. And that's incompatible with how we use USB devices right now."
According to Wired, this USB security flaw might call for certain companies to change their policies regarding USB handling by adding code protections on USB devices and other gadgets. Another option is to avoid sharing USB devices to untrusted users, even if it already defeats the purpose.
"You can't trust your computer anymore. This is a threat on a layer that's invisible. It's a terrible kind of paranoia," said Nohl.
Nohl and Lell will present the details of this new security flaw titled "Bad USB - On Accessories that Turn Evil" during the upcoming Black Hat conference in Las Vegas.
