The USB standard has a fundamental security flaw that allows an attacker to take over any device it is connected to, whether PC or Mac, say security researchers in a frightening piece by Wired.

Describing the proof of concept that Karsten Nohl and Jakob Lell plan to present at the Black Hat conference next week, the researchers say the weakness is fundamental to the way in which USB works. Rather than storing malicious files on a USB device, they managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means absolutely any USB device, from a USB key to a keyboard, can be compromised.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”

Unlike most malware, which targets Windows, this exploit allows any USB device to emulate a keyboard or mouse, taking complete control of both PCs and Macs.

As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.
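
A device that emulates a keyboard or mouse has to declare a HID interface to the host when it enumerates, so one defensive check is to compare the interface classes a device declares with what its owner expects it to be. The following Python is an added example, not code from the researchers or from Wired; the function names and both descriptor byte strings are constructed for illustration, and it inspects only what a device declares, not its firmware.

```python
# USB-IF class codes (bInterfaceClass) and HID boot-interface protocols
HID, MASS_STORAGE = 0x03, 0x08
HID_PROTOCOLS = {1: "keyboard", 2: "mouse"}
DT_INTERFACE = 0x04  # bDescriptorType of an interface descriptor

# Constructed sample: configuration descriptor set of a plain flash drive
STORAGE_ONLY = bytes.fromhex(
    "090220000101008032"    # configuration, wTotalLength = 32
    "090400000208065000"    # interface 0: mass storage, SCSI, bulk-only
    "07058102000200"        # bulk IN endpoint
    "07050202000200"        # bulk OUT endpoint
)
# Constructed sample: the same drive also declaring a boot keyboard
STORAGE_PLUS_KEYBOARD = bytes.fromhex(
    "090239000201008032"    # configuration, wTotalLength = 57
    "090400000208065000"    # interface 0: mass storage
    "07058102000200" "07050202000200"
    "090401000103010100"    # interface 1: HID, boot subclass, keyboard
    "092111010001223f00"    # HID class descriptor
    "0705830308000a"        # interrupt IN endpoint
)


def interfaces(blob):
    """Walk a raw configuration descriptor set and return
    (class, subclass, protocol) for every interface descriptor."""
    found, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError(f"truncated descriptor header at offset {pos}")
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            found.append(tuple(blob[pos + 5:pos + 8]))
        pos += length
    return found


def unexpected_input_interfaces(blob, expected_classes):
    """List HID interfaces on a device expected to expose only
    the interface classes in `expected_classes`."""
    return [
        f"undeclared {HID_PROTOCOLS.get(proto, 'generic HID')} interface"
        for cls, _sub, proto in interfaces(blob)
        if cls == HID and cls not in expected_classes
    ]
```

A device that presents itself only as a keyboard passes this check if a keyboard is what the owner expects, which is why the comparison is against an expectation rather than a fixed list.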

15 Responses to “Security researchers say USB security ‘broken,’ can take over Macs or PCs”

  1. figshta says:

    Speaking of hypodermic needles… I guess that will give wireless peripherals a real shot in the arm, so to speak.


  2. Reblogged this on Taste of Apple and commented:
    This is quite troublesome…


  3. Simon Crabb says:

    The end of the world is nigh. I guess USB X will fix all this, in about a decade. It might even be able to be inserted either way too.


  4. maxleopold says:


    Apple will then maybe introduce Thunderbolt Sticks for Data,

    and switch the Cabling on its wired Keyboard to Lightning or Thunderbolt as well.

    And the rest of the Market will copy them & USB will be the next Blackberry! *snicker*


  5. This is going to be disproved as chicken-little (sky is falling) horse shit very quickly. I can already spot a number of flawed assumptions and I don’t make my living from security.


  6. b9bot says:

    Well first of all physical access is required to your computer. Since I don’t give physical access to my computer their concept is already broken. Again you would need an administrator password to copy anything off from a Mac. If a Mac is turned off and you try and boot from it with a firmware password installed you would fail again as it will only boot from the main drive. So they can beat their drum all they want but this is really a low security threat because again physical access is required.


  7. chuygb says:

    iOS devices ask permission to use DATA on USB, so before USB is granted access to my Device it needs my permission, this was added on an iOS update, so probably OSX can do this too


  8. Joshua Hale says:

    Really really old news… Almost a year old… Why did you post this?


  9. eldernorm says:

    I have to wonder if this can pass from pc to mac as the software to control would be vastly different. The article does not address this issue so I have to wonder how much else is inflated??

    While I can see software on a stick controlling a Mac, I think it would be much easier on a PC.

    Just wondering.


  10. So, linux is fine? w00t.