Did you know that connecting a device via USB could be a serious security risk?
“Can I charge my phone on your computer?”
That seemingly harmless favour, which you might grant a colleague or even a stranger, could be the reason your PC gets infected with dangerous viruses or malware, or could compromise your most closely guarded online passwords, such as your internet banking credentials.
In this video on BBC News, Berlin-based researcher Karsten Nohl demonstrates how an ordinary Android phone can be used as a keylogger, secretly recording keystrokes when connected to a PC. In the demonstration, he manages to easily steal a user’s PayPal login details (fake details were used for the purposes of the demonstration).
The take-home message from this demonstration is that you are implicitly trusting any unknown device when you connect it to your computer via USB. Of course, you know that your own devices are safe if you have never lent them to anybody else.
However, if you do not know and trust the device you are connecting to your computer via USB, you could be allowing that device to make any change to your computer that you could make, or carry out any action that you could carry out.
In the demonstration by Karsten Nohl, the Android phone was programmed to trick the computer into treating it as a network card. The phone was then able to redirect internet traffic to false websites designed to capture users’ information. In the demonstration, the user was not actually connected to PayPal – instead they were connected to a malicious server running a copy of the PayPal site. This kind of attack is far more sophisticated than the usual phishing attacks, as there was no way to distinguish the fake PayPal website from the authentic one.
Even USB devices that aren’t connected to the internet (as the phone was) can change settings on your computer and carry out actions that you would not wish them to. In another example, a USB flash drive was set up to fool computers into thinking it was a USB keyboard. When the drive was plugged in, the computer would install it as it would a keyboard. The ‘keyboard’ could then “type” commands, which the computer carried out as normal. Using keystrokes alone, a computer can be directed to a malicious website which deploys malware onto the computer, or the device could make changes to your network and security settings.
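Both disguises described above (a phone presenting itself as a network card, a flash drive presenting itself as a keyboard) show up in the interface classes a device declares to the computer. The following Python script is an added example, not part of the original article or the BBC demonstration: it reads those classes from Linux sysfs and reports devices that claim keyboard or network roles without being on an approved list. The function names, the approved list and the sample device IDs are assumptions made for illustration.

```python
from pathlib import Path

# Standard USB interface class codes (bInterfaceClass)
HID, CDC, STORAGE, WIRELESS = 0x03, 0x02, 0x08, 0xE0

def roles(interfaces):
    """Map (class, subclass, protocol) triples to the roles the host grants."""
    found = set()
    for cls, sub, proto in interfaces:
        if cls == HID:
            found.add("keyboard" if (sub, proto) == (0x01, 0x01) else "hid-input")
        elif (cls == CDC and sub in (0x06, 0x0D)) or (cls, sub, proto) == (WIRELESS, 0x01, 0x03):
            found.add("network")  # CDC ECM/NCM or RNDIS network adapter
        elif cls == STORAGE:
            found.add("storage")
    return found

def audit(devices, approved):
    """Return (vendor:product, risky roles) for devices not on the approved list."""
    findings = []
    for dev_id, interfaces in devices.items():
        risky = roles(interfaces) - {"storage"}
        if risky and dev_id not in approved:
            findings.append((dev_id, sorted(risky)))
    return sorted(findings)

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect interface triples per vendor:product from Linux sysfs."""
    devices = {}
    for iface in Path(root).glob("*:*"):  # interface entries look like 1-2:1.0
        dev = Path(root) / iface.name.split(":")[0]
        if not (dev / "idVendor").is_file():
            continue  # root hub interfaces (e.g. 1-0:1.0) have no matching device entry
        dev_id = "{}:{}".format(*((dev / f).read_text().strip() for f in ("idVendor", "idProduct")))
        triple = tuple(int((iface / f).read_text(), 16) for f in
                       ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        devices.setdefault(dev_id, []).append(triple)
    return devices

# Constructed sample data (placeholder IDs), so the example runs without hardware
SAMPLE = {
    "0000:0001": [(0x08, 0x06, 0x50)],                      # plain flash drive
    "0000:0002": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)],  # "flash drive" that is also a keyboard
    "0000:0003": [(0xE0, 0x01, 0x03), (0x0A, 0x00, 0x00)],  # phone presenting a network adapter
    "0000:0004": [(0x03, 0x01, 0x01)],                      # the user's own keyboard
}

if __name__ == "__main__":
    for dev_id, risky in audit(SAMPLE, approved={"0000:0004"}):
        print(f"{dev_id}: unapproved device with roles {risky}")
```

A device can report any vendor and product ID it likes, so the approved list works as an inventory aid for spotting unexpected roles, not as proof of a device's identity.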
“When you connect an unknown device via USB, you are potentially trusting it as the new user of your computer.”
Keep this in mind when connecting devices via the USB ports on your computer!
When you join Netstar, you’ll be educated in all of our security best practices during our onboarding, and we are always on hand to provide expert advice.