Researchers have crafted software that can effectively change the functionality of a USB driver to enable attackers to infiltrate computers or smartphones with a seemingly innocent USB cable.
Assistant professor Angelos Stavrou and student Zhaohui Wang of George Mason University designed code that makes it possible to pilfer data when a smartphone is connected by USB cable to a computer.
The code adds a mouse or keyboard function to the USB driver that allows the attacker to take control of the devices and download files or upload malware.
According to an article in CNET:
"The exploit software they wrote identifies what operating system is running on the device the USB cable is connected to. On Macintosh and Windows machines, a message pops up saying the system has detected a new human interface device, but there is no easily recognizable way to halt the process, Stavrou said. The Mac pop-up can be quickly removed by an attacker with a command sent via the smartphone so the laptop owner may not even see it, while the Windows pop-up lasts only one or two seconds in the lower left corner, making that an ineffective warning too, he said."
"Linux machines offer no warning, so users will have no idea that something out of the ordinary is happening, particularly since the regular keyboard and mouse continue to function normally during an attack, Stavrou said."
The exploit has only been adapted for Android phones so far, but the researchers are confident they can replicate the vulnerability for the iPhone as well.
The researchers warn that the vulnerability can be passed from device to device, such as from a home PC to a smartphone, then from that smartphone to a laptop or computer at work.
The initial infection is likely to come from downloading or running a tainted application, and it is unlikely that antivirus software will recognize the malware because it cannot distinguish it from normal keyboard or mouse function commands.
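Because Linux shows no warning when a new human interface device appears, a defender can check the USB interface descriptors directly. The following is an added example, not code from the researchers or the article: it reads the Linux sysfs USB tree and flags any device that exposes a keyboard or mouse interface alongside mass-storage or vendor-specific interfaces, which is how a phone that has gained a HID function would look. The function names, the heuristic and the sample tree are assumptions made for illustration.

```python
import os

HID = 0x03                                       # USB interface class: HID
# bInterfaceProtocol values for HID; devices reporting 0 are not covered.
BOOT_ROLES = {0x01: "keyboard", 0x02: "mouse"}
UNEXPECTED_WITH_HID = {0x08: "mass-storage", 0xFF: "vendor-specific"}

def scan(root="/sys/bus/usb/devices"):
    """Map each USB device to its (class, protocol) interface pairs."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        if ":" not in entry:                     # interfaces look like "1-2:1.0"
            continue
        try:
            with open(os.path.join(root, entry, "bInterfaceClass")) as f:
                cls = int(f.read().strip(), 16)
            with open(os.path.join(root, entry, "bInterfaceProtocol")) as f:
                proto = int(f.read().strip(), 16)
        except (OSError, ValueError):
            continue                             # interface vanished or unreadable
        devices.setdefault(entry.split(":")[0], []).append((cls, proto))
    return devices

def flag_hid_composites(devices):
    """Return (device, hid_roles, other_functions) for devices that pair a
    keyboard/mouse interface with storage or vendor-specific interfaces."""
    findings = []
    for dev, ifaces in devices.items():
        roles = sorted({BOOT_ROLES[p] for c, p in ifaces
                        if c == HID and p in BOOT_ROLES})
        others = sorted({UNEXPECTED_WITH_HID[c] for c, _ in ifaces
                         if c in UNEXPECTED_WITH_HID})
        if roles and others:
            findings.append((dev, roles, others))
    return findings

def make_sample_tree(root):
    """Write a constructed sysfs-like tree: a plain keyboard on port 1-1 and
    a phone-like device on port 1-2 that also enumerates as a keyboard."""
    sample = {"1-1:1.0": ("03", "01"),
              "1-2:1.0": ("08", "50"), "1-2:1.1": ("ff", "01"),
              "1-2:1.2": ("03", "01")}
    for name, (cls, proto) in sample.items():
        os.makedirs(os.path.join(root, name))
        for fname, value in (("bInterfaceClass", cls), ("bInterfaceProtocol", proto)):
            with open(os.path.join(root, name, fname), "w") as f:
                f.write(value + "\n")

if __name__ == "__main__":
    for finding in flag_hid_composites(scan()):
        print("review:", finding)
```

A flagged device is a prompt for review rather than proof of compromise, since some legitimate composite hardware also combines these interface classes.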