USB flash drive sharing and USB peripherals might carry malware without any evidence in their flash memory. According to CNN, "German security researchers have discovered that USB-connected devices have a fatal flaw. Anything that connects via USB can be reprogrammed to pose as another device." Reportedly, the research that will be presented at the Black Hat security conference stated that it is possible to hide malware deep within USB technology at the firmware level.
According to SRLabs, USB ports can be inserted with different device classes, one type of device can turn into a more capable or malicious type without the user noticing it.
CNN expounded on it saying that a stranger's "USB stick could deceive your computer into thinking it's a keyboard, then type in certain commands and quietly take control of your laptop. Or it could pose as a network card, rerouting your Internet traffic so everything you do can be spied on. Identity theft, bank fraud, extortion -- you name it. Anything follows. And any talented computer engineer can tamper with a device's firmware to dupe a computer."
SRLabs stated that USB controller chips in peripherals need to be reprogrammed to turn one device type to another. Sadly, USB controller chips have no protection from such at the moment. Once reprogrammed, benign devices can turn malicious in many ways, including:
- A device can emulate a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
- The device can also spoof a network card and change the computer's DNS setting to redirect traffic.
- A modified thumb drive or external hard disk can - when it detects that the computer is starting up - boot a small virus, which infects the computer's operating system prior to boot.
Reportedly, no effective defenses from USB attacks are known yet.