USB devices such as keyboards can be used to hack into PCs, German crypto specialist and and chief scientist with Berlin's SR Labs Karsten Nohl revealed on Thursday. Nohl said that that hackers could load malicious software onto the chipsets that control functions of USB devices. Such small are everywhere and have no built-in shields against tampering with their code.
"You cannot tell where the virus came from. It is almost like a magic trick," said Nohl.
Nohl performed attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.
In his tests, Nohl said he was able to gain remote access to a computer by having the USB instruct the computer to download a malicious program with instructions that the PC believed were coming from a keyboard. He was also able to change the DNS network settings on a computer.
Most seriously, anti-virus software cannot detect such infections as they are only designed to scan for software written onto memory and do not scan the low-level code of the USB devices (firmware.)
However, it is generally hard to rewrite a firmware for a device without having access to confidential information related to that "inner" code.
Nohl will describe their attack method at next week's Black Hat hacking conference in Las Vegas.