Malware-laden USB devices pose security threat for unmanaged environments

The USB interface may have become standard for powering all kinds of devices, but anecdotal warnings are emerging about devices that arrive prepackaged with embedded malware that infects target systems as soon as they are plugged into the computer.

The latest warnings come from Adelaide software development house GFI Software, which has relayed reports of low-cost USB e-cigarette chargers that arrived from China preloaded with malware.

While based on anecdotal reports from Reddit, GFI Software web content specialist Christina Goggi warned in a blog post that the approach is entirely plausible and is likely to become an increasingly common attack vector as malware authors explore new ways of distributing their code.

“There is enough room inside a standard USB plug to embed a chip that will look like a removable storage device,” Goggi writes, “and many systems by default will execute autorun.inf.”

“The chargers for many e-cigarettes are larger, and certainly have enough room to store a hacked USB controller to launch more complicated firmware based attacks.”

Warnings about USB devices shipping with embedded malware come on the heels of separate reports that low-price, Chinese-made Android smartphones have been discovered to be shipping with malware pre-configured to activate after the phone is used for a certain period.

Other reports suggest a Trojan called Mouabad has used a similar method to install itself on brand-new handsets. And yet another report found that a fake, Russian-made version of Netflix was coming pre-installed on some Android devices.

While those threats have targeted Android smartphones, the extension of the technique to USB devices represents a different and significant sort of threat for businesses and consumers alike.

Goggi, for one, recommends the deployment of endpoint security tools that control the use of USB devices connected to business computers – preventing them from executing any potential latent code.

“Whether you plug a malicious device into your computer, or you connect your phone/tablet to a malicious charging station, you can expect to see both more complex and more frequent security threats coming from untrusted and unmanaged devices,” she warns.

“Securing your corporate assets with endpoint security is your best defence.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by David Braue
