USB devices are small, they're everywhere and most people rarely give a second thought about their safety.
Security researcher Andy Davis does, however, and he demonstrated just how dangerous an ordinary USB device could be during his presentation, "USB: Undermining Security Barriers," at the Black Hat Security Conference here.
Davis, a researcher at NGS Secure, opened his session by telling the audience that "Any potential vulnerabilities in the way USB processes data could have a huge impact across many technologies" — from computers to cars to USB-powered toasters. (They exist, he assured the crowd.)
To prove his point, Davis used a $1,200 device made by Packet-Master called the USB400AG, which is designed to capture all traffic between a USB device and its host to test where the USB device is failing.
Davis was able to take the captured traffic, create a malicious script from it and insert the new rogue code back into a USB device.
Davis' proof-of-concept exploit, which he called "Frisbee," was able to identify and attack flaws in Windows 7, Windows XP, Xbox 360 and Apple OS X.
Hackers using Davis' Frisbee exploit could also jailbreak embedded devices, unlock locked workstations, install malware and steal sensitive data, he said.
"If you've got a working exploit, it's literally just a case of inserting (the rigged USB). You can do a huge amount (of damage) in a few seconds."
Some of the Frisbee attacks even circumvented commonly used security software.
"There's a lot of technology out there, but people who developed it haven't really thought about using it in a secure environment," Davis said.
Davis said he's reached out to major security vendors, who he said have essentially told him that providing USB security is out of their reach. It's a frustrating realization that led Davis to joke that the only truly foolproof way to protect computers from the threats posed by compromised USBs is to "fill the USB sockets with epoxy resin."