The USB malware vector

Summary:You're having a coffee and surfing when an apologetic stranger asks if she can charge her Android phone on your USB port. But she's installing malware on your PC. Here's how to stop it.

Ease of use trumped security in the USB design. Devices don't need a unique serial number. There's no way a host can detect malicious firmware. Devices can have multiple identities - and change them at will.

Nightmare on USB street

But it doesn't have to be that way. Let power be power and data be data: they're on separate pins!

Hence the USB condom: a device that passes power but not data. Voila! Safe coffee-shop sharing. 

Of course USB's security issues don't stop with phones. Malware could be installed on virtually any USB device with a microcontroller: thumb drives; webcams; music players.

But the attractive stranger with a dying phone seems like the most likely vector. A stranger who probably doesn't know they're spreading malware.

The Storage Bits take

There's a couple of ways USB condoms could be rendered obsolete. One is power-only USB ports on PCs - not likely - or switchable power/data ports - only slightly more likely.

Another is to remove the ability to update the firmware in USB controllers. That seems like less of a stretch, especially for highly engineered products like phones and tablets where USB functionality is well-defined. But also not likely.

Should the average user worry about USB-spread malware? Not yet.

But if you keep commercially important documents - ones competitors want - on your notebook, it's an extra bit of protection. You can chat up that attractive stranger and protect your data.

Comments welcome, as always. What other USB vectors can you think of?

Topics: Storage, Hardware

About

Harris has been working with computers for over 35 years and selling and marketing data storage for over 30 in companies large and small. He introduced a couple of multi-billion dollar storage products (DLT, the first Fibre Channel array) to market, as well as a many smaller ones. Earlier he spent 10 years marketing servers and networks.... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.