Remember the major USB flaw demonstrated by Karsten Nohl about 2 months ago? Although Nohl never released the code he used in the demonstration, two other researchers have managed to perform the same tricks, and they’ve made their code publicly available on Github. Now anybody can use this code to perform attacks. The researchers say they released the code in an attempt to start the process whereby the security architecture of USB devices is fundamentally redesigned.
At the time Nohl first made his presentation, he gave a simple piece of advice that I quoted in my previous post and that I will repeat here: “Don’t connect untrusted USB drives to your computer, and don’t connect your USB drives into untrusted computers.”
The Security Response Team at Symantec has given these 3 similar tips:
1. Only insert trusted USB devices into computers
2. Do not use or purchase pre-owned USB devices (they could potentially contain malicious software).
3. Never leave your computer or mobile devices unlocked or unattended.
All 3 tips boil down to the same thing Nohl has already said; if you purchase a pre-owned USB device, it’s potentially untrusted, and if you leave a computer unprotected, an untrusted person could connect an untrusted USB drive to your computer.