
Security researchers say USB security ‘broken,’ can take over Macs or PCs

The USB standard has a fundamental security flaw that allows an attacker to take over any device it is connected to, whether PC or Mac, say security researchers in a frightening piece by Wired.

Describing the proof-of-concept Karsten Nohl and Jakob Lell plan to present at the Black Hat conference next week, they say the weakness is fundamental to the way in which USB works. Rather than storing malicious files on a USB device, the researchers managed to hack the USB controller chip that enables a USB device to communicate with a computer, changing its firmware. That means absolutely any USB device, from a USB key to a keyboard, can be compromised.

“These problems can’t be patched,” says Nohl, who will join Lell in presenting the research at the Black Hat security conference in Las Vegas. “We’re exploiting the very way that USB is designed.”

“You can give it to your IT security people, they scan it, delete some files, and give it back to you telling you it’s clean, [but] the cleaning process doesn’t even touch the files we’re talking about.”

Unlike most malware, which targets Windows, this exploit allows any USB device to emulate a keyboard or mouse, taking complete control of both PCs and Macs.

As it’s undetectable, the exploit could be silently added to a USB key when it is inserted into a PC, and then infect the next device it’s connected to. There is, say the researchers, no protection at all against the method of attack short of never sharing USB devices – treating them as you’d treat a hypodermic needle: only ever using one you know to be brand new, and not dreaming of allowing anyone else to share it.
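A host learns what a USB device is only from the interface descriptors the device declares when it is plugged in, which is why reprogrammed controller firmware can present a storage stick as a keyboard. As an added example (not code from the researchers or the article), this Python sketch parses a configuration descriptor and flags a device expected to be storage that also declares a HID interface; the `review` roles and the sample descriptors are constructed for illustration.

```python
import struct

HID, MASS_STORAGE = 0x03, 0x08               # USB-IF bInterfaceClass codes
HID_PROTOCOLS = {1: "keyboard", 2: "mouse"}  # bInterfaceProtocol values for HID

def interfaces(config: bytes):
    """Walk a configuration descriptor; return (class, subclass, protocol) per interface."""
    if len(config) < 9 or config[1] != 0x02:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]   # wTotalLength
    if total > len(config):
        raise ValueError("truncated descriptor")
    found, off = [], config[0]
    while off + 2 <= total:
        length, dtype = config[off], config[off + 1]
        if length < 2 or off + length > total:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == 0x04 and length >= 9:            # interface descriptor
            found.append(tuple(config[off + 5:off + 8]))
        off += length                                # skip endpoint/class descriptors
    return found

def review(expected_role: str, config: bytes):
    """Findings for a device the user believes is `expected_role` (hypothetical labels)."""
    findings = []
    for cls, _sub, proto in interfaces(config):
        if cls == HID and expected_role != "input":
            kind = HID_PROTOCOLS.get(proto, "generic HID")
            findings.append(f"declares {kind} interface but is expected to be {expected_role}")
    return findings

def _cfg(*ifaces):
    """Build a constructed configuration descriptor from (class, subclass, protocol) triples."""
    body = b"".join(bytes([9, 4, n, 0, 0, c, s, p, 0]) for n, (c, s, p) in enumerate(ifaces))
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body

# Constructed samples: a plain flash drive, and one that also declares a boot keyboard.
PLAIN_STICK = _cfg((MASS_STORAGE, 0x06, 0x50))
COMPOSITE_STICK = _cfg((MASS_STORAGE, 0x06, 0x50), (HID, 0x01, 0x01))

if __name__ == "__main__":
    for name, cfg in (("plain", PLAIN_STICK), ("composite", COMPOSITE_STICK)):
        print(name, review("storage", cfg) or "ok")
```

On Linux the same three fields are exposed per interface under `/sys/bus/usb/devices/` as `bInterfaceClass`, `bInterfaceSubClass` and `bInterfaceProtocol`. The check reports only what the device declares at enumeration; it says nothing about the firmware itself, which is the part a file scan never touches.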


Comments

  1. figshta - 10 years ago

    Speaking of hypodermic needles… I guess that will give wireless peripherals a real shot in the arm, so to speak.

  2. Taste_of_Apple - 10 years ago

    Reblogged this on Taste of Apple and commented:
    This is quite troublesome…

  3. Simon Crabb - 10 years ago

    The end of the world is nigh. I guess USB X will fix all this, in about a decade. It might even be able to be inserted either way too.

  4. maxleopold - 10 years ago

    Well,

    Apple will then maybe introduce Thunderbolt Sticks for Data,

    and switch the Cabling on its wired Keyboard to Lightning or Thunderbolt as well.

    And the rest of the Market will copy them & USB will be the next Blackberry! *snicker*

    • ziongpham - 10 years ago

      I hope so too, but does Thunderbolt have other flaw the other day (year) too.

  5. Bruno Fernandes (@Linkb8) - 10 years ago

    This is going to be disproved as chicken-little (sky is falling) horse shit very quickly. I can already spot a number of flawed assumptions and I don’t make my living from security.

  6. b9bot - 10 years ago

    Well first of all physical access is required to your computer. Since I don’t give physical access to my computer their concept is already broken. Again you would need an administrator password to copy anything off from a Mac. If a Mac is turned off and you try and boot from it with a firmware password installed you would fail again as it will only boot from the main drive. So they can beat their drum all they want but this is really a low security threat because again physical access is required.

    • ziongpham - 10 years ago

      No you don’t have to. Your device just has to share a USB, which means connecting it to two different devices in its lifetime.

  7. chuygb - 10 years ago

    iOS devices ask permission to use DATA on USB, so before USB is granted access to my Device it needs my permission, this was added on an iOS update, so probably OSX can do this too

  8. Joshua Hale - 10 years ago

    Really really old news… Almost a year old… Why did you post this?

  9. eldernorm - 10 years ago

    I have to wonder if this can pass from pc to mac as the software to control would be vastly different. The article does not address this issue so I have to wonder how much else is inflated??

    While I can see software on a stick controlling a Mac, I think it would be much easier on a PC.

    Just wondering.

  10. Sarah Leigh Butler - 10 years ago

    So, linux is fine? w00t.

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
