The USB malware vector

The USB malware vector

Summary: You're having a coffee and surfing when an apologetic stranger asks if she can charge her Android phone on your USB port. But she's installing malware on your PC. Here's how to stop it.

TOPICS: Storage, Hardware

Ease of use trumped security in the USB design. Devices don't need a unique serial number. There's no way a host can detect malicious firmware. Devices can have multiple identities - and change them at will.

Nightmare on USB street

But it doesn't have to be that way. Let power be power and data be data: they're on separate pins!

Hence the USB condom: a device that passes power but not data. Voila! Safe coffee-shop sharing. 

Of course USB's security issues don't stop with phones. Malware could be installed on virtually any USB device with a microcontroller: thumb drives; webcams; music players.

But the attractive stranger with a dying phone seems like the most likely vector. A stranger who probably doesn't know they're spreading malware.

The Storage Bits take

There's a couple of ways USB condoms could be rendered obsolete. One is power-only USB ports on PCs - not likely - or switchable power/data ports - only slightly more likely.

Another is to remove the ability to update the firmware in USB controllers. That seems like less of a stretch, especially for highly engineered products like phones and tablets where USB functionality is well-defined. But also not likely.

Should the average user worry about USB-spread malware? Not yet.

But if you keep commercially important documents - ones competitors want - on your notebook, it's an extra bit of protection. You can chat up that attractive stranger and protect your data.

Comments welcome, as always. What other USB vectors can you think of?

Topics: Storage, Hardware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Oh no, ease of use!

    I'm sure we'll soon see "USB condoms" for sale on late night television.
    • Followed by ...

      are you having trouble keeping your USB port up and running? Call now at 800-... and when the time to upload data is right, your computer can always be ready!
  • Then again, you could always say 'no.'

    It's 100% effective at preventing USB malware and doesn't require any changes to computers, USB ports, or USB controllers.
  • Keep outlet converters

    I don't think I'd ever agree to let a total stranger put anything into a computer of mine, but that's not the only scenario you want to avoid; house guests could inadvertently bring a payload. I keep several outlet converters for their benefit, so no one ever thinks to ask.
    • USB Plugs..

      are the best, I have one that's Surge protected, has three sockets and two usb ports, I'll never be caught out. :)
  • USB Condoms available now...

    ...and have been for quite awhile. I've had one for almost a year.
  • USB port on charger

    They can use the port on the power brick. If I don't use a power brick, no way I'm sacrificing my laptop battery to charge a stranger's phone battery.
  • Beware of chargers, too

    The data lines are required to negotiate a higher charging current. If you disconnect the data lines, the phone may charge either too slowly or not at all. Here is a relevant discussion

    Those convenient USB chargers at airports and other places... They can be dangerous, too.

    Fancy chargers can bring even more problems. This is not exclusive to chargers though. Every time you trust a hardware manufacturer's to install system-level software on your device, it's a tradeoff between convenience and security.
  • Strange!

    Would love to thanks for the awareness BUT in my opinion, is there is a USB vector to get the recharge access, we would not offer the first instance YES :) Good post though! Thanks
  • Crazy

    So now we're going to see stuff like always use usb condoms when practicing safe hex with computing devices.

    So is the morning after pill equivalent after a device is raped a reformat or can such code hide within the firmware of a computer or phone that is untouched by a reformat?
  • Actually, it could work in either direction.

    What's to stop a laptop or even a desktop that is infected from infecting the device being charged?

    Not likely that someone will deliberately wait around hoping someone will ask to charge a phone, but it could infect the laptop user's phone. Or a user might know that someone will regularly connect to his computer, e.g., to transfer large files faster, use an external backup, etc.
  • Better way

    USB condom to protect when access multiple unknown ports ? A little tacky post.
    To really avoid the scam :

    Say no
    Lend her an usb wall charger.
    If you must, only use your pc if I can put tape over the two inner usb 2.0 pins, this give access to power but not the data. I do this all the time at work .
  • WHAT part of "NO" do you not understand???

    Besides most notebook ports are not strong enough to charge a cell phone... This is really reaching pretty far into the hypothetical world just to try and make a point.... bad click bait.
    • Really?

      I charge my phone and tablet from my notebook all the time. Never noticed a problem.

      R Harris
  • The problem with firmware today

    is that it's no longer "firm" as it was in the past. ROM chips programmed at the factory by either (1) depositing the final layer of connections by a mask, (2) burning out connections in the final layer by laser, or (3) connecting to a one-time "burner" to burn out connections with overvoltage and overcurrent. And of course, no way to change it without replacing the chip.

    Maybe modems and routers need the flexibility of flash reprogramming because they are quite expensive devices and standards change, but USB ports and controllers? The logic is very static, so why provide a means to update it? It's not worth the risk.
  • Nightmare on USB street.....

    I keep an inexpensive ($2.99 at any Wmart checkout) charge only usb cord for use in any suspect charging connection. It does not have the data pins, just the power. No risk, and that attractive stranger may thank you.......
  • Why an attractive stranger's? Why not your own phone?

    While I've thought the USB firmware notion is bollocks, since there's no obvious accidental way to reinstall thumb drive firmware, I commented when this first came out that a smartphone, tablet or any other device that routinely connects to the internet could be an effective vector for infecting PCs.

    While I run only mainstream apps and am running BitDefender on my Android phone, I have no idea if either Google Play or BitDefender (or Apple's store for that matter) are scanning apps for PC vulnerabilities (as opposed to vulnerabilities of the phone's OS) - I suspect not.
  • Yes, not such an air-head!

    Hi :)
    Yes the attractive strranger might not be such an empty airhead and might appreciate people taking extra precautions to protect his phone from getting infected!

    However, other comments here suggest that even just usb-chargers that don't seem to be any use for useful data-transfers still do carry some data so it might only mitigate against problems rather than be a complete protection.
    Regards from
    Tom :)
  • A USB Condom?

    So, will the tech community lords and masters wait a couple decades before acknowledging the herpes version of the electronic viral invasion like the AMA and CDC did with the STD version? You know, the 'puter flair-up that keeps coming back. One moment of indiscretion for a lifetime of misery that keeps on giving.
    Hmm, is there a Burroughs-type CEO in the AV world who'd brag to the shareholders they stand to profit $10Billion yearly for their patented solution like the bio-firm did for Acyclovir at the granting of their patent in the '80's?