USB technology could be exploited by hackers to load malicious software on computers without triggering security alerts, new research has shown.
According to Karsten Nohl, chief scientist with Berlin's SR Labs, tiny low-cost computer chips used to control functions of USB devices such as mice, keyboards and thumb-drives could be used to store malware which automatically infects a computer when the infected USB is connected.
What is worse the malware could then trigger a chain reaction, infecting every other USB connected to the infected computer.
"You cannot tell where the virus came from. It is almost like a magic trick," said Nohl, explaining that the chips used in USBs have no built-in shields against tampering with their code.
To prove their point, Nohl and his colleagues at SR Labs have carried out a series of test attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, Nohl said.
Computers do not detect the infections when tainted devices are inserted into a PC because anti-virus programmes are only designed to scan for software written onto memory and do not scan the "firmware" that controls the functioning of those devices, he said.
Nohl and his research partner Jakob Lell will present the findings and describe the hacking method at next week's Black Hat hacking conference in Las Vegas.
Nohl said he would not be surprised if intelligence agencies like the National Security Agency have already figured out how to launch attacks using this technique.
Last year he presented research at Black Hat on breakthrough methods for remotely attacking SIM cards on mobile phones. In December, documents leaked by former NSA contractor Edward Snowden revealed that the US spy agency was using a similar technique for surveillance, which it called "Monkey Calendar."
An NSA spokeswoman declined to comment.
In his tests, Nohl said he was also able to gain remote access to a computer by having the USB instruct the computer to download a malicious programme with instructions that the PC believed were coming from a keyboard. He said he was also able to change what are known as DNS network settings on a computer, essentially instructing the machine to route Internet traffic through malicious servers.
Christof Paar, a professor of electrical engineering at Germany's University of Bochum who reviewed the findings, said he believes the new research will prompt others to take a closer look at USB technology, and potentially lead to the discovery of more bugs. He called on manufacturers to move to better protect their chips to thwart any attacks.
"The manufacturer should make it much harder to change the software that runs on a USB stick," Paar said.