The USB interface may have become standard for powering all kinds of devices, but anecdotal warnings are emerging about devices that arrive prepackaged with embedded malware that infects target systems as soon as they are plugged into the computer.
The latest warnings come from Adelaide software development house GFI Software, which has relayed reports of low-cost USB e-cigarette chargers that arrived from China complete with loaded malware.
While based on anecdotal reports from Reddit, GFI Software web content specialist Christina Goggi warned in a blog post that the approach is entirely plausible and is likely to become an increasingly common attack vector as malware authors explore new ways of distributing their code.
“There is enough room inside a standard USB plug to embed a chip that will look like a removable storage device,” Goggi writes, “and many systems by default will execute autorun.inf.”
“The chargers for many e-cigarettes are larger, and certainly have enough room to store a hacked USB controller to launch more complicated firmware based attacks.”
Warnings about USB devices shipping with embedded malware come on the heels of separate reports that low-price, Chinese-made Android smartphones have been discovered to be shipping with malware pre-configured to activate after the phone is used for a certain period.
Other reports suggest a Trojan called Mouabad has used a similar method to install itself on brand-new handsets. And yet another report found that a fake, Russian-made version of Netflix was coming pre-installed on some Android devices.
While those threats have targeted Android smartphones, the extension of the technique to USB devices represents a different and significant sort of threat for businesses and consumers alike.
Goggi, for one, recommends the deployment of endpoint security tools that control the use of USB devices connected to business computers – preventing them from executing any potential latent code.
“Whether you plug a malicious device into your computer, or you connect your phone/tablet to a malicious charging station, you can expect to see both more complex and more frequent security threats coming from untrusted and unmanaged devices,” she warns.
“Securing your corporate assets with endpoint security is your best defence.”
This article is brought to you by Enex TestLab, content directors for CSO Australia.